DIY Nitrokey 3A

Great news! What is the output of nitropy nk3 list? If the device shows up there, you can try to replace the two solo2 app provision commands with:

nitropy nk3 provision fido2 --key $(TEST_FIDO_KEY) --cert $(TEST_FIDO_CERT)

Hey @robin-nitrokey ,

Thank you very much for the super fast reply! When I run the nitropy nk3 list command:

Command line tool to interact with Nitrokey devices 0.8.1
:: 'NK3' keys
/dev/hidraw7: Nitrokey 3 BB3FC36165AEE3D80000000000000000

So that looks good I think.

I then ran the nitropy commands to load the keys and everything went well, which was also great!

A few follow-on questions for you:

When I run the nitropy test:

nitropy nk3 test --pin 123123
Command line tool to interact with Nitrokey devices 0.8.1
Found 1 NK3 device(s):
- Nitrokey 3 at /dev/hidraw7

Running tests for Nitrokey 3 at /dev/hidraw7

[1/5]   uuid            UUID query                      SUCCESS         BB3FC36165AEE3D80000000000000000
[2/5]   version         Firmware version query          SUCCESS         v1.8.2+git.a69d49d4.dirty
[3/5]   status          Device status                   SUCCESS         Status(init_status=<InitStatus: 0>, ifs_blocks=255, efs_blocks=478, variant=<Variant.NRF52: 2>)
Running SE050 test:
[4/5]   se050           SE050                           SUCCESS         SE050 firmware version: 3.1.1 - 1.11, (persistent: (29548,), transient_deselect: (607,), transient_reset: (592,))
Please press the touch button on the device ...
[5/5]   fido2           FIDO2                           FAILURE         Unexpected FIDO2 cert hash for version v1.8.2+git.a69d49d4.dirty: c7d87cac86b69059bbff5c43872a20892267518614dfc9822c7ee55ad89f0022

5 tests, 4 successful, 0 skipped, 1 failed

Summary: 1 device(s) tested, 0 successful, 1 failed

From what I saw, the FIDO2 failure is expected due to test keys - is there an instruction on how to create / implement new keys?

Also in the code, I’m seeing areas with #[cfg(feature = "se050")] that all look greyed out, with the tooltip "code is inactive due to #[cfg] directives: feature = "se050" is disabled". Is there a spot in the config where I need to enable the se050 element? It seems like the se050 is functional from the test, but is it being used in the firmware?

Thank you again!
Dan


What is your goal? If you want the test to pass, you would need to modify pynitrokey/nitrokey-sdk-py to accept your certificate. But the failing test does not have any effect on the functionality of the device. You can still use it for real-world sites even with the test certificate and key.

The firmware is split into components and the runner that combines the components into the final firmware. The se050 feature is not enabled by default for the components to be more flexible, thus the warning in the editor. But the Nitrokey 3 runner always enables it, and you can also see in the nk3 test output that the secure element is active and working:

[4/5]   se050           SE050                           SUCCESS         SE050 firmware version: 3.1.1 - 1.11, (persistent: (29548,), transient_deselect: (607,), transient_reset: (592,))
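As an added illustration of the check behind the [5/5] failure (this is example code written for this page, not code from the thread, pynitrokey or nitrokey-sdk-py): a stand-alone model of a FIDO2 attestation-certificate hash check. It assumes the test SHA-256-hashes the DER encoding of the attestation certificate the device returns and compares the hex digest with a per-firmware-version allow-list; the allow-list, the `base_version` rule and the certificate bytes below are constructed placeholders, not the SDK's real data or logic. It exists so a DIY builder can compute the digest of their own test certificate and see which value would have to be accepted.

```python
"""Model of a FIDO2 attestation-certificate hash check (added example).

Assumptions (not taken from pynitrokey / nitrokey-sdk-py):
  * the digest is SHA-256 over the DER form of the attestation certificate;
  * accepted digests are looked up by firmware release version, with any
    '+git...' build suffix stripped first.
"""
import base64
import hashlib
import re
import textwrap

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def cert_to_der(cert: bytes) -> bytes:
    """Accept a certificate as PEM or DER and return its DER bytes."""
    match = PEM_RE.search(cert)
    if match:
        # Strip the PEM armour and any line breaks, then base64-decode.
        return base64.b64decode(b"".join(match.group(1).split()))
    if not cert or cert[0] != 0x30:  # DER Certificate is a SEQUENCE (tag 0x30)
        raise ValueError("input is neither a PEM nor a DER certificate")
    return cert


def der_to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in PEM armour (used here to show the round trip)."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n".encode()


def cert_hash(cert: bytes) -> str:
    """Hex SHA-256 of the DER certificate, independent of PEM/DER input form."""
    return hashlib.sha256(cert_to_der(cert)).hexdigest()


def base_version(version: str) -> str:
    """'v1.8.2+git.a69d49d4.dirty' -> 'v1.8.2' (assumed keying rule)."""
    return version.split("+", 1)[0]


def check_cert(version: str, cert: bytes, expected: dict) -> tuple:
    """Return (True, digest) if the digest is allowed for this version,
    otherwise (False, message) with a message shaped like the nk3 test's."""
    digest = cert_hash(cert)
    if digest in expected.get(base_version(version), ()):
        return True, digest
    return False, f"Unexpected FIDO2 cert hash for version {version}: {digest}"


# Constructed placeholder: a minimal DER SEQUENCE, not a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"

if __name__ == "__main__":
    digest = cert_hash(SAMPLE_DER)
    print("digest:", digest)
    # With the digest absent from the table the check fails like [5/5] above;
    # adding it for the reported release version makes the check pass.
    print(check_cert("v1.8.2+git.a69d49d4.dirty", SAMPLE_DER, {}))
    print(check_cert("v1.8.2+git.a69d49d4.dirty", SAMPLE_DER, {"v1.8.2": {digest}}))
```

Feed `cert_hash` the certificate you passed to `nitropy nk3 provision fido2 --cert`; the digest it prints is the value the allow-list in the SDK would need to contain for your firmware version. As the reply above says, the failing test has no effect on the device's FIDO2 functionality, so this is only needed if you want the test to pass.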