NitroKey 3 mini cannot unblock PGP User PIN

I recently ran into a problem with my NitroKey 3 mini:
It no longer accepted the User PIN used for the OpenPGP application. I tried with the correct PIN 3 times and ended up with the User PIN being blocked. So far, so strange.

PIN retry counter : 0 3 3

Now, trying to unblock the PIN I don’t succeed, despite being able to verify that the Admin PIN is correct (and no Reset Code being set).

It does ask me for the Admin PIN, the LED on the nk3 briefly goes on and off after that, then it asks for the to-be-set new User PIN, however:

gpg/card> passwd
gpg: OpenPGP card no. XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 2
Error unblocking the PIN: Card error

Does anyone have any idea what the cause could be?

Edit: Just in case you were wondering:

  • Changing the Admin PIN works just fine.
  • Trying to set a Reset Code using the Admin PIN fails just like the above with Card error.

Hi,

I am trying to reproduce the error. Can you give me the following additional information?

  • Firmware version and status, obtained via nitropy nk3 status. You can omit the UUID line.
  • Have you ever installed an alpha or test release? If you have installed the latest release, have you enabled the unstable SE050 feature?

Best,
Sosthène

I’ve never used testing or alpha firmware. When the problem occurred I had nk3 firmware v1.5.0 installed, I then updated to v1.6.0 in the hope that this could resolve the problem, but it didn’t. I didn’t enable the SE050 feature (or at least I’m not aware of that and haven’t done anything to enable it).

Find all relevant version information below:

$ nitropy nk3 status
Command line tool to interact with Nitrokey devices 0.4.44
UUID:               XXXXXXXXXXXXXXXX0000000000000000
Firmware version:   v1.6.0
Init status:        ok
Free blocks (int):  235
Free blocks (ext):  471
Variant:            NRF52
$ pcscd --version
pcsc-lite version 2.0.1.
Copyright (C) 1999-2002 by David Corcoran <corcoran@musclecard.com>.
Copyright (C) 2001-2022 by Ludovic Rousseau <ludovic.rousseau@free.fr>.
Copyright (C) 2003-2004 by Damien Sauveron <sauveron@labri.fr>.
Report bugs to <pcsclite-muscle@lists.infradead.org>.
Enabled features: Linux x86_64-pc-linux-gnu libsystemd serial usb libudev polkit usbdropdir=/usr/lib/pcsc/drivers ipcdir=/run/pcscd filter configdir=/etc/reader.conf.d
MAX_READERNAME: 128, PCSCLITE_MAX_READERS_CONTEXTS: 16
$ gpg --version
gpg (GnuPG) 2.4.3
libgcrypt 1.10.3-unknown
Copyright (C) 2023 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/daniel/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
$ /usr/lib/gnupg/scdaemon --version
scdaemon (GnuPG) 2.4.3
libgcrypt 1.10.3-unknown
libksba 1.6.5
Copyright (C) 2023 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Hi there,
I broke my nitrokey3c nfc.

The output
pkcs15-tool --list-pin | grep left
Using reader with a card: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
Tries left : 0
Tries left : 0
Tries left : 0

There is no way to reset PINs via pkcs15-init.

gpg --card-edit
gpg/card> unblock
gpg: Обнаружена карта OpenPGP номер ***
gpg: Код сброса (больше) не доступен


gpg/card> admin
Команды администрирования разрешены

gpg/card> passwd
gpg: Обнаружена карта OpenPGP номер *****

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Ваш выбор? 2
Error unblocking the PIN: Плохой пароль

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Ваш выбор? 4
Error setting the Reset Code: Плохой пароль

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

How to burn firmware?

I had the same strange behavior when I activated the KDF settings. Leaving them “OFF” everything works fine.

Model: NK3C NFC
Nitrokey firmware version: v1.6.0-test.20231218
Pivy-tool version: 0.11.2
Pcsc-lite version: 2.0.0
Opensc version: 0.23.0
Platform: Ubuntu 23.10 (arm64 / RPi 5)

I solved the problem. In my FreeBSD version the gpg tool has incomplete functionality. Switch to Ubuntu, then
gpg --card-edit
admin
factory-reset

Check pkcs15-tool --list-pin | grep -i left
All three tries were reset to 3.

This is strange, I am using FreeBSD with NK3 all the time. But good you got it sorted out! Bye!

Yep, from time to time I get the following message on gpg --card-edit
gpg: selecting card failed: Operation not supported by device
gpg: OpenPGP card not available: Operation not supported by device

Then reinsert nk3 and retype gpg --card-edit and voila.