Had to reset after trying to enable pkcs11 now fido is broken

I tried to use pkcs11 with my nitrokey 3C NFC.
So I wanted to create a new pkcs11-key. This broke my Nitrokeys. Both.

And now I cannot log in to this forum anymore with my old ID… because the forum says that the key (I tried it with both of my NK3s) is not registered with this site.

I was not able to generate a pkcs11 key, and now FIDO is already broken after that.

With pivy-tool I cannot change or reset the PIN and PUK:

$ pivy-tool reset-pin
Enter PUK (51A72C19): 
Enter new PIV PIN (51A72C19): 
Confirm new PIV PIN (51A72C19): 
pivy-tool: error occurred while executing 'reset-pin'
  Caused by cmd_reset_pin: failed to set new PIN
    in cmd_reset_pin() at pivy-tool.c:1313
  Caused by APDUError: Card replied with SW=6300 (WARNING_UNKNOWN) to INS_RESET_PIN(80)
    in piv_reset_pin() at piv.c:4167

I tried a factory-reset, then it says “pin and puk have to be locked both. No change possible now”

Then I tried reset-pin, using 123456 for the PUK.
I get this:

$ pivy-tool change-pin
Enter current PIV PIN (51A72C19): 
Enter new PIV PIN (51A72C19): 
Confirm new PIV PIN (51A72C19):

OK. I set the PIN to “blafoo”.

Trying to register this key on gitlab.com

“Add new device”… the browser asks me for the PIN for the key. I put in blafoo and the browser says the key is locked. I have to reset it, because I tried a wrong PIN too often.

But I reset the PIN already…

Ok. Try to do a factory-reset:

$ pivy-tool factory-reset
Resetting Yubikey 51A72C19 (Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00)
Serial #5437251
WARNING: this will completely reset the PIV applet on this Yubikey, erasing all keys and certificates!
Type 'YES' to continue: 
pivy-tool: error occurred while executing 'factory-reset'
  Caused by ResetConditionsError: Conditions for use of INS_RESET not met (all PINs and PUK must be blocked)
    in ykpiv_reset() at piv.c:4206
  Caused by APDUError: Card replied with SW=6985 (CONDITIONS_NOT_SATISFIED) to INS_RESET
    in ykpiv_reset() at piv.c:4206

Next try:

$ pivy-tool change-pin
Enter current PIV PIN (51A72C19): 
Enter new PIV PIN (51A72C19): 
Confirm new PIV PIN (51A72C19): 

Exit code is 0:
Current PIN: I typed blafoo (as set before)
New PIV PIN: 123456

Next try on gitlab:
“Key is locked, tried too often the wrong pin”

Really… I’m on the way to do the elon. What a broken shit this nitrokey3 is!!!

I bought 2 of them 2 and a half years ago… because it was promised to use it with gpg (and NFC!!!) but on Android with OpenKeychain it does not work by USB and NFC is deactivated for gpg.
And I bought it to use it with pkcs1… I cannot activate it. And I bought it for FIDO2 and webauthn… and now this is broken too.

Please take my keys and give me my money back.

Hi,

What version of the firmware are you using? It can be obtained with nitropy nk3 version.

Please note that the PIV functionality is not considered stable. It is therefore only available on the test firmware releases. If you do not have a test firmware release, pivy-tool won’t work.

The PINs are also not shared across applications. The PIV PIN is distinct from the OpenPGP PIN, which is again different from the FIDO2 PIN.

When you are doing pivy-tool change-pin, it only changes the PIN for the PIV application. When you then try to log in with FIDO, the PIN fails because the FIDO application is still using the first PIN you configured.

To configure FIDO functionality, you can use the nitropy fido2 commands:

nitropy fido2 change-pin # Changing the PIN
nitropy fido2 reset # Resetting the FIDO application

Best Regards,
Sosthène

No. It does not work.

$ nitropy fido2 reset
Command line tool to interact with Nitrokey devices 0.4.36
Reset is only possible 10secs after plugging in the device.
Please (re-)plug in your Nitrokey FIDO2 now!
Warning: Your credentials will be lost!!! continue? [(y)es/(n)o]: Warning: Your credentials will be lost!!! continue? [(y)es/(n)o]: y
choosing: yes
Press key to confirm -- again, your credentials will be lost!!!
Critical error:
Reset failed (CTAP error: 0x30 - NOT_ALLOWED)
Did you confirm with a key-press 10secs after plugging in?
Please re-try...

--------------------------------------------------------------------------------
Critical error occurred, exiting now
Unexpected? Is this a bug? Would you like to get support/help?
- You can report issues at: https://support.nitrokey.com/
- Writing an e-mail to support@nitrokey.com is also possible
- Please attach the log: '/tmp/user/2000/nitropy.log.m_5aicpu' with any support/help request!
- Please check if you have udev rules installed: https://docs.nitrokey.com/nitrokey3/linux/firmware-update.html#troubleshooting

$ nitropy fido2 status
Command line tool to interact with Nitrokey devices 0.4.36
Critical error:
An unhandled exception occurred
	Exception encountered: CtapError('CTAP error: 0x01 - INVALID_COMMAND')

--------------------------------------------------------------------------------
Critical error occurred, exiting now
Unexpected? Is this a bug? Would you like to get support/help?
- You can report issues at: https://support.nitrokey.com/
- Writing an e-mail to support@nitrokey.com is also possible
- Please attach the log: '/tmp/user/2000/nitropy.log.tnva4a3r' with any support/help request!
- Please check if you have udev rules installed: https://docs.nitrokey.com/nitrokey3/linux/firmware-update.html#troubleshooting

$ nitropy fido2 list
Command line tool to interact with Nitrokey devices 0.4.36
:: 'Nitrokey FIDO2' keys

Hey @xundeenergie,

For nitropy fido2 reset, please consider reading the output you pasted:

Reset failed (CTAP error: 0x30 - NOT_ALLOWED)
Did you confirm with a key-press 10secs after plugging in?
Please re-try...

This is a safety mechanism to avoid accidentally resetting FIDO2, so please run this command within 10 seconds after plugging it in. Afterwards you should be able to set the PIN for FIDO2 by using nitropy fido2 set-pin.

Then nitropy fido2 status and nitropy fido2 list only work on legacy Nitrokey FIDO2 devices. This is admittedly not well documented; please try nitropy nk3 status and/or nitropy nk3 list. You can also use the generic nitropy list.

As a side note, if possible you might want to upgrade your pynitrokey version. This shouldn’t be an issue for what you are currently aiming for, just a hint.

best
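
Added example, not part of any post in this thread and not Nitrokey or pivy-tool code: a small triage helper that reads the error lines pasted above and reports which on-device application answered (PIV over CCID with ISO 7816-4 status words, or FIDO2 with CTAP status codes) and what the code means. The function and table names are hypothetical, and labelling every SW= line as "PIV" assumes the line came from pivy-tool.

```python
import re

def decode_sw(sw):
    """ISO 7816-4 status word, as returned by the PIV applet over CCID."""
    if sw == 0x9000:
        return "success"
    if sw & 0xFFF0 == 0x63C0:  # low nibble carries the retry counter
        return f"verification failed, {sw & 0xF} retries left"
    return {
        0x6300: "warning, no retry count given (typically a failed PIN/PUK check)",
        0x6982: "security status not satisfied",
        0x6983: "authentication method blocked",
        0x6985: "conditions of use not satisfied",
    }.get(sw, "unknown status word")

# CTAP status codes, as returned by the FIDO2 application over CTAPHID.
CTAP_STATUS = {
    0x01: "invalid command",
    0x30: "not allowed",
    0x31: "PIN invalid",
    0x32: "PIN blocked",
    0x34: "PIN auth blocked until power cycle",
    0x35: "PIN not set",
}

SW_RE = re.compile(r"SW=([0-9A-Fa-f]{4})")
CTAP_RE = re.compile(r"CTAP error: 0x([0-9A-Fa-f]{2})")

def triage(lines):
    """Return (application, code, meaning) for every error line recognised."""
    findings = []
    for line in lines:
        if m := SW_RE.search(line):
            findings.append(("PIV", m.group(1).upper(), decode_sw(int(m.group(1), 16))))
        elif m := CTAP_RE.search(line):
            code = int(m.group(1), 16)
            findings.append(("FIDO2", f"0x{code:02X}", CTAP_STATUS.get(code, "unknown CTAP status")))
    return findings

# Error lines copied from the outputs pasted in this thread.
THREAD_LINES = [
    "Caused by APDUError: Card replied with SW=6300 (WARNING_UNKNOWN) to INS_RESET_PIN(80)",
    "Caused by APDUError: Card replied with SW=6985 (CONDITIONS_NOT_SATISFIED) to INS_RESET",
    "Reset failed (CTAP error: 0x30 - NOT_ALLOWED)",
    "Exception encountered: CtapError('CTAP error: 0x01 - INVALID_COMMAND')",
]

if __name__ == "__main__":
    for app, code, meaning in triage(THREAD_LINES):
        print(f"{app:5} {code:>6}  {meaning}")
```

Because the two applications keep separate PINs and retry counters, a PIV status word says nothing about the state of the FIDO2 PIN, and the reverse also holds.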