I’m attempting to use the OpenPGP Card X.509 certificate feature. Note, this is not PIV.
All OpenSC commands fail when I enter the user PIN. I’m using the PIN set for OpenPGP. The retry counter gets decremented after each failure. For example:
$ pkcs11-tool --verbose --login --test
Using slot 0 with a present token (0x0)
Logging in to "OpenPGP card (User PIN)".
Please enter User PIN: error: PKCS11 function C_Login failed: rv = CKR_PIN_INCORRECT (0xa0)
Aborting.
OpenSC recognizes the Nitrokey.
$ pkcs11-tool --list-slots
Available slots:
Slot 0 (0x0): Nitrokey CCID/ICCD Interface 0
token label : OpenPGP card (User PIN)
token manufacturer : OpenPGP project
token model : PKCS#15 emulated
token flags : login required, token initialized, PIN initialized
hardware version : 3.4
firmware version : 3.4
serial num : 000fac9c2cc4
pin min/max : 6/127
Slot 1 (0x1): Nitrokey CCID/ICCD Interface 0
token label : OpenPGP card (User PIN (sig))
token manufacturer : OpenPGP project
token model : PKCS#15 emulated
token flags : login required, token initialized, PIN initialized
hardware version : 3.4
firmware version : 3.4
serial num : 000fac9c2cc4
pin min/max : 6/127
And the objects:
$ pkcs11-tool --list-objects
Using slot 0 with a present token (0x0)
Public Key Object; EC_EDWARDS EC_POINT 255 bits
EC_POINT: 0420d5bf4e253e726b6400b7480b51d13e4ecfa5e54481711e16f5c975cd62861349
EC_PARAMS: 06032b6570 (OID 1.3.101.112)
label: Authentication key
ID: 03
Usage: verify
Access: none
Public Key Object; EC_MONTGOMERY EC_POINT 255 bits
EC_POINT: 0420c588953d4f9934c1b1c42dcf0170901b2b02176873e5e8403efa75bb82622a16
EC_PARAMS: 06032b656e (OID 1.3.101.110)
label: Encryption key
ID: 02
Usage: derive
Access: none
Profile object 2534669040
profile_id: CKP_PUBLIC_CERTIFICATES_TOKEN (4)
The Nitrokey 3 works properly with gpg. I have a password on all subkeys and touch required on the authentication key. I am using curve 25519 keys for all keys.
This is with a Nitrokey 3 with the latest production firmware (v1.7.2), not the test firmware, so PIV is not available.