Failed to write x509 cert to Nitrokey Start

Hello everyone!
I’m trying to write an x509 cert to my Nitrokey Start.
But it failed.

gpg/card> writecert 3 < cert.cer
gpg: error writing certificate to card: General error

Neither PEM nor DER format works. I’ve tried to do this with pkcs11-tool, but it failed too.
I’m using gpg ver 2.2.6, and 2.1.11 on another computer, and opensc ver 0.18.

What am I doing wrong?

Storing certificates on Nitrokey Start is a bit different than with the other devices. You would need to use the separate Python scripts gnuk_put_binary.py or gnuk_put_binary_libusb.py.

Hi!

Please take a look at the other branch, gnuk1.2-regnual-fix, since master corresponds to an older version of GNUK. Here is the link to the updated tools (there is no gnuk_put_binary.py there, only gnuk_put_binary_libusb.py).

I’ve cloned the gnuk1.2-regnual-fix branch:

./gnuk_put_binary_libusb.py -p ~/my_awesome.crt
Admin password: 
/home/tux/my_awesome.crt: 2301
Updating card holder certificate
Traceback (most recent call last):
  File "gnuk_put_binary_libusb.py", line 111, in <module>
    main(fileid, is_update, data, passwd)
  File "gnuk_put_binary_libusb.py", line 48, in main
    if gnuk.icc_get_status() == 2:
AttributeError: 'NoneType' object has no attribute 'icc_get_status'

and another one

/home/tux/my_awesome.crt: 1659
Updating card holder certificate
Device: 
Configuration: 1
Interface: 0
Traceback (most recent call last):
  File "./gnuk_put_binary_libusb.py", line 111, in <module>
    main(fileid, is_update, data, passwd)
  File "./gnuk_put_binary_libusb.py", line 54, in main
    gnuk.cmd_write_binary(fileid, data, is_update)
  File "/home/tux/Src/nitrokey-start-firmware/tool/gnuk_token.py", line 294, in cmd_write_binary
    raise ValueError("cmd_write_binary 1", "%02x%02x" % (sw[0], sw[1]))
ValueError: ('cmd_write_binary 1', '6581')

Could you tell me why?

As far as I remember, the first error (AttributeError: 'NoneType' object has no attribute 'icc_get_status') is a connection-related one - perhaps GnuPG scdaemon or pcscd were using the device at the moment and the tool could not lock it. Sorry the errors are not easily recognizable - I hope to fix that in the future.
Please run the following before using the tool:

gpg-connect-agent "SCD KILLSCD" "SCD BYE" /bye

Regarding the second one, the device returns the 65 81 code, which according to the OpenPGP v2.1 specification (p. 52) means Memory failure. What that would mean specifically, I will have to check in the source code. Maybe trying with another certificate would help (I see you have done so with two different ones already).

Could you tell me which firmware version you use on your device?
I think usb_strings.py could reply to that question.

Edit: could you attach a test certificate, so I could reproduce the issue locally?

./usb_strings.py
Device: 
    Vendor: Nitrokey
   Product: Nitrokey Start
    Serial: FSIJ-1.2.6-67094445
  Revision: RTM.5-modified
    Config: NITROKEY_START:dfu=no:debug=no:pinpad=no:certdo=yes:factory_reset=yes
       Sys: 3.0

I’ve killed scdaemon and pcscd but now see only that:

/home/tux/my_awesome.crt: 1659
Updating card holder certificate
Device: 
Configuration: 1
Interface: 0
Traceback (most recent call last):
  File "./gnuk_put_binary_libusb.py", line 111, in <module>
    main(fileid, is_update, data, passwd)
  File "./gnuk_put_binary_libusb.py", line 54, in main
    gnuk.cmd_write_binary(fileid, data, is_update)
  File "/home/tux/Src/nitrokey-start-firmware/tool/gnuk_token.py", line 294, in cmd_write_binary
    raise ValueError("cmd_write_binary 1", "%02x%02x" % (sw[0], sw[1]))
ValueError: ('cmd_write_binary 1', '6581')

Here is a test self-signed cert in PEM format (but I’m trying to write DER ofc): https://pastebin.com/SUNnHTKW

I see you have the latest firmware for the Nitrokey Start.

Please run the kill commands after the device has been inserted, since udev starts the services once it detects the device.

# -- device inserted
sudo killall scdaemon pcscd
gpg-connect-agent "SCD KILLSCD" "SCD BYE" /bye

One of the reasons is that the certificate file is too big. I will test that later this week. Perhaps it was fixed in the latest GNUK - I plan to update the firmware and test this.

Could you upload the exact test file you are using?

Here is the exact DER file which I’m trying to write: https://www.dropbox.com/s/hu66rj6mzl0nj57/alekzoid%40gmail.com.cer?dl=0


Thank you, I have downloaded it. I will let you know once I have tested this.

Related to Unable to store signed certificate on nitrokey start

I’m curious if you’ll find out anything.

Hi @alekzoid! Sorry for the delay.
I tried to import your certificate on the latest GNUK, but with no effect. I have registered Start#10 to follow this further.
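
Added example, not part of the thread and not code from the Nitrokey or Gnuk tools: a pre-flight check for the two things the thread raises before a write is attempted, PEM versus DER input and certificate size. The function names, the zero-filled sample data and the `ASSUMED_MAX` limit are assumptions made for illustration; the thread does not state the token's actual capacity.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def to_der(data: bytes) -> bytes:
    """Return DER bytes, decoding the base64 body if the input is PEM-armored."""
    m = PEM_RE.search(data)
    return base64.b64decode(m.group(1)) if m else data

def der_length(der: bytes) -> int:
    """Total size (header + content) declared by the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE, so not a certificate")
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def preflight(data: bytes, max_len: int):
    """Return (der, notes); an empty notes list means nothing was flagged."""
    der, notes = to_der(data), []
    if len(der) != len(data):
        notes.append("input is PEM (%d bytes); DER payload is %d bytes" % (len(data), len(der)))
    declared = der_length(der)
    if declared != len(der):
        notes.append("file is %d bytes but DER declares %d" % (len(der), declared))
    if len(der) > max_len:
        notes.append("DER is %d bytes, over the assumed %d-byte limit" % (len(der), max_len))
    return der, notes

def sample_der(total: int = 1659) -> bytes:
    """Constructed stand-in for a certificate: a SEQUENCE of zero bytes."""
    return b"\x30\x82" + (total - 4).to_bytes(2, "big") + bytes(total - 4)

def sample_pem(der: bytes) -> bytes:
    """Wrap DER in PEM armor with 64-column base64 lines."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"

ASSUMED_MAX = 2048  # placeholder limit for this demo, not a value from the thread

if __name__ == "__main__":
    pem = sample_pem(sample_der())         # constructed data, not a real certificate
    der, notes = preflight(pem, ASSUMED_MAX)
    print(len(pem), len(der), notes)
```

The constructed sample is sized to the 1659 bytes the tool printed in the thread; its 64-column PEM encoding comes out at 2301 bytes, the other size printed there.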