GPG card status question

Hello!
I have two questions about my NK3 gpg card status.
Here is the output

Reader ...........: 20A0:42B2:X:0
Application ID ...: 2G040GADI25028502802805285208
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Nitrokey
Serial number ....: 6CEB5B3E
Name of cardholder: Card state corrupted.
Language prefs ...: [nicht gesetzt]
Salutation .......: 
URL of public key : [nicht gesetzt]
Login data .......: [nicht gesetzt]
Signature PIN ....: zwingend
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: off
UIF setting ......: Sign=off Decrypt=off Auth=off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

I have read this article - link.
Stating that the first and second counter should be in sync.
On my Stick I get 3 0 3.
Is this a problem?

And the “Name of Cardholder” value is maybe not what it should be?

Best regards
T.L.


Hi,

Stating that the first and second counter should be in sync.

I am not sure what this documentation is talking about. The first number is the user PIN, the second is the PIN unblock key (PUK), and the third one is for the admin PIN.

Regardless of that, the key appears to be in a failsafe state because it detected that its state is inconsistent. Therefore the PIN retry counter displayed is wrong.

To correct the issue, we should try to find the reason for the issue.

What were the latest operations you did with the device prior to seeing this error message?
Did you have keys stored on the device?
Which firmware version are you using?
Have you used a test firmware version?

Best regards,
Sosthène

I’ve got the same issues with my recently ordered Nitrokey 3A Mini.

gpg --card-edit --expert

Shows up with:
Name of cardholder: Card state corrupted.
I was trying to change the admin PIN and set the key attributes to rsa4096.
Even factory-reset fails with ‘card command TERMINATE DF failed: Card error (0x6500)’
And sometimes the device shows up with the red LED after plugging in.

Hello @sosthene-nitrokey
Thanks for your answer!
I do not know what I did last time. And no, I have not stored any keys yet.
I am using firmware 1.8.0 and pynitrokey 0.7.3.
After doing a factory reset via the gpg-card command
the output was okay 🙂
And I am able to change settings!

So for me the problem is solved.

@lapawa Maybe you should also try the factory reset.

gpg --card-edit
admin
factory-reset

Best!
T.L.


@lapawa Oh sorry, I see that the factory-reset did not work for you 🙁
Maybe @sosthene-nitrokey have a better idea!

Can you install opensc, kill the GPG agent with gpg-connect-agent killagent /bye, then run opensc-explorer and issue the series of commands below? I show the output I got on my Nitrokey 3 as an example.

> opensc-explorer
OpenSC Explorer version 0.26.0
Using reader with a card: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
OpenSC [3F00]> ls
FileID	Type  Size
[00FA]	  DF   142
 004F 	 wEF    16
 005E 	 wEF     0
[0065]	  DF     9
[006E]	  DF   267
[007A]	  DF     5
 00C4 	 wEF     7
 0101 	 wEF     0
 0102 	 wEF     0
 0103 	 wEF     0
 0104 	 wEF     0
 5F50 	 wEF     0
 5F52 	 wEF    10
 7F21 	 wEF     0
[A400]	  DF    37
 A401 	 wEF    44
[B600]	  DF    37
 B601 	 wEF    44
[B800]	  DF    37
 B801 	 wEF    44
OpenSC [3F00]> cd 006E
OpenSC [3F00/006E]> ls
FileID	Type  Size
 004F 	 wEF    16
 5F52 	 wEF    10
 7F66 	 wEF     8
 7F74 	 wEF     3
[0073]	  DF   216
OpenSC [3F00/006E]> cd 0073
OpenSC [3F00/006E/0073]> ls
FileID	Type  Size
 00C0 	 wEF    10
 00C1 	 wEF    10
 00C2 	 wEF    11
 00C3 	 wEF    10
 00C4 	 wEF     7
 00C5 	 wEF    60
 00C6 	 wEF    60
 00CD 	 wEF    12
 00DE 	 wEF     6
 00D6 	 wEF     2
 00D7 	 wEF     2
 00D8 	 wEF     2
OpenSC [3F00/006E/0073]> cat 00C4
00000000: 00 7F 7F 7F 00 00 03 .......

If the gpg native factory reset fails, you can try using the nitropy factory reset mechanism:

nitropy nk3 factory-reset-app opcard, which will reset the OpenPGP application using another internal mechanism.

It would be good to find the cause of the state corruption. Was your device brand new?

Best,
Sosthène

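As an added example (not code from the thread, from Nitrokey or from OpenSC), here is a small Python decoder for the PW Status Bytes data object (tag 00C4) that the `cat 00C4` command above dumps. The byte layout follows the OpenPGP smart card specification, and the sample dump is the one shown above for the Nitrokey 3.

```python
import re
from dataclasses import dataclass

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")

@dataclass
class PwStatus:
    pw1_valid_for_several: bool   # byte 0: 0x00 one signature per PIN entry, 0x01 several
    max_len: tuple                # bytes 1-3: max lengths of PW1, Resetting Code, PW3
    retries: tuple                # bytes 4-6: remaining tries for PW1, Resetting Code, PW3

def parse_explorer_dump(dump: str) -> bytes:
    """Collect the hex bytes from opensc-explorer 'cat' output, skipping the ASCII column."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _, _, rest = line.partition(":")          # drop the "00000000:" offset
        for tok in rest.split():
            if not HEX_BYTE.match(tok):
                break                             # first non-hex token starts the ASCII column
            out.append(int(tok, 16))
    return bytes(out)

def decode_pw_status(raw: bytes) -> PwStatus:
    """Decode the 7-byte PW Status Bytes DO (tag 00C4) of an OpenPGP card."""
    if len(raw) != 7:
        raise ValueError(f"PW Status Bytes must be 7 bytes, got {len(raw)}")
    return PwStatus(
        pw1_valid_for_several=bool(raw[0] & 0x01),
        # bit 7 of each length byte only selects the PIN encoding (UTF-8 vs PIN block 2)
        max_len=(raw[1] & 0x7F, raw[2] & 0x7F, raw[3] & 0x7F),
        retries=(raw[4], raw[5], raw[6]),
    )

def status_warnings(st: PwStatus) -> list:
    """Explain the three counters in the order gpg's 'PIN retry counter' line lists them."""
    pw1, rc, pw3 = st.retries
    notes = []
    if pw1 == 0:
        notes.append("user PIN (PW1) blocked: unblock it with the admin PIN or a resetting code")
    if rc == 0:
        notes.append("resetting code counter is 0: usually just means no resetting code is set")
    if pw3 == 0:
        notes.append("admin PIN (PW3) blocked: only a factory reset recovers the card")
    return notes

# Constructed input: the `cat 00C4` dump posted above for a Nitrokey 3.
SAMPLE_DUMP = "00000000: 00 7F 7F 7F 00 00 03 ......."

if __name__ == "__main__":
    st = decode_pw_status(parse_explorer_dump(SAMPLE_DUMP))
    print("Max. PIN lengths .:", *st.max_len)
    print("PIN retry counter :", *st.retries)
    print(*status_warnings(st), sep="\n")
```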

Finally I was able to execute the factory-reset and the gpg application is functional again.
This time I'll create an offline backup of the generated keys.


When generating a key directly on the Nitrokey, the backup option provided is incomplete. It doesn't really include the full private key. To create a full backup, follow these instructions to generate the key outside the Nitrokey and then import it. This ensures you have a complete backup of your private key. Always test a backup to ensure it works as you expect.

However, you expose your private key on the device where you initialize the key and have to think about how to safeguard the backup (e.g. with a password manager).


I recently had the same kind of experience with one of my spare NK3
(not used, no keys - firmware v1.6.0 - UUID D00E92769753CD5B9798E582F5BA6780)

Strangely enough, performing a 'nitropy nk3 test' showed the NK3 was still valid.

Resolved the problem by performing a factory reset.