Nitrokey 3 PIV initialization error

Hi there,
I’m currently experimenting with Nitrokeys 3 and PIV experimental firmwares.

I’m trying to initialize my card with pivy-tool, but I’m facing the following error:

$ /opt/pivy/bin/pivy-tool setup
Generating standard keys…
keysssssssssssss
Using touch button confirmation for 9D key
Please touch YubiKey when it is flashing
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFzenvrq5TkCE2upaT1nIQeQVE9GzyLSOgCo0i/JywJOTJOzhRUgyFT2mve2kzJtsIUCsSEaKUuoZbm2JeQ3aCI= PIV_slot_9D@D6599C302E0D3959BCBBA17E68BDFC7B
Changing PIN and PUK…
Enter new PIV PIN (zzz):
Confirm new PIV PIN (zzzzz):
pivy-tool: error occurred while executing ‘setup’
Caused by cmd_change_pin: failed to set new PIN
in cmd_change_pin() at pivy-tool.c:1233
Caused by APDUError: Card replied with SW=6300 (WARNING_UNKNOWN) to INS_CHANGE_PIN(81)
in piv_change_pin() at piv.c:4077

It seems related to the PIN change (that is failing with an unknown error).

$ nitropy nk3 status
Command line tool to interact with Nitrokey devices 0.4.39
UUID: hhjgdhfjkgh
Firmware version: v1.5.0-test.20230704
Init status: ok
Free blocks (int): 34
Free blocks (ext): 463
Variant: LPC55

$ /opt/pivy/bin/pivy-tool list
pivy-tool: warning: failed to read cardcap
Caused by InvalidDataError: PIV device ‘Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00’ returned invalid or unsupported payload
in piv_read_cardcap() at piv.c:1181
Caused by PIVTagError: Invalid tag 0x53 in PIV CARDCAP response
in piv_cardcap_decode() at piv.c:8907
card: eeeeee
device: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
chuid: ok
guid: xxxxxxxxxxxxxxx
fasc-n: 9999-0000-000000-0-0/federal:0000/employee:0000000000
expiry: 9999-12-31
yubico: implements YubicoPIV extensions (v6.6.6)
serial: 1234
applet: Nitrokey PIV
uri: GitHub - Nitrokey/piv-authenticator: PIV authenticator Trussed app.
auth: PIN*
algos: 3DES AES256 ECCP256 (null) (null) RSA2048
slots:
ID TYPE BITS CERTIFICATE

May it be related to the token reset?

Thank you and best regards
Alex

Hi Alex,

Sorry for the delayed response.
I am not able to reproduce the error you are encountering.

You mention it could be related to the token reset. How have you reset it?

Sosthène

I found the issue. It does not trigger when changing the PIN to 12345678 so that’s why it didn’t reproduce.

The issue is that changing the PUK code fails. This will be fixed in the next test release.

Thank you for the report.

Same issue here with the latest test firmware v1.6.0-test.20231218 on NK3C NFC.


I encountered the same error, but managed to solve it like this.

Nitrokey firmware version: v1.6.0-test.20231218
Pivy-tool version: 0.11.2
Pcsc-lite version: 2.0.1
Opensc version: 0.24.0
Platform: Fedora 39

  1. Reset the PIV application to factory defaults, as described here.
  2. Run pivy-tool init first. This is basically also what pivy-tool setup calls first.

Afterwards, a pivy-tool list didn’t report any errors.

Above steps 1 (factory reset) and 2 (init) work well. But pivy-tool still crashes on the PIN change step.

Changing PIN and PUK…
Enter new PIV PIN (0CA5AF18):
Confirm new PIV PIN (0CA5AF18):
pivy-tool: error occurred while executing ‘setup’
Caused by cmd_change_pin: failed to set new PIN
in cmd_change_pin() at pivy-tool.c:1233
Caused by APDUError: Card replied with SW=6300 (WARNING_UNKNOWN) to INS_CHANGE_PIN(81)
in piv_change_pin() at piv.c:4087

Nitrokey firmware version: v1.6.0-test.20231218
Pivy-tool version: 0.11.2
Pcsc-lite version: 2.0.0
Opensc version: 0.23.0
Platform: Ubuntu 23.10 (arm64 / RPi 5)

This has been confirmed by @sosthene-nitrokey:

While this issue has been fixed in the piv-authenticator repository, it was not merged when we released the firmware, and therefore is not included in the test firmware.

The PIV code is in flux and I also wait for the next test release (primarily for the support of retired slots 80 and up) to do some experiments with age.
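
Added example, not part of the thread and not code from pivy or Nitrokey: a small triage helper for the APDUError lines quoted above. It assumes the number in parentheses after INS_CHANGE_PIN is the PIV key reference (0x80 for the PIN, 0x81 for the PUK, per NIST SP 800-73-4), which matches the reply above that the PUK change is the step that fails; the function names and the second sample line are constructed for illustration.

```python
import re

# PIV key references from NIST SP 800-73-4.
KEY_REFS = {0x00: "Global PIN", 0x80: "PIV application PIN", 0x81: "PUK"}

# Fixed status words from ISO 7816-4 / SP 800-73-4.
FIXED_SW = {
    0x9000: "success",
    0x6300: "warning, no information given (no retry counter reported)",
    0x6983: "reference data blocked (retry counter exhausted)",
    0x6A80: "incorrect parameter in command data field",
    0x6A88: "key reference not found",
}

# Matches e.g. "SW=6300 (WARNING_UNKNOWN) to INS_CHANGE_PIN(81)".
APDU_ERR = re.compile(
    r"SW=(?P<sw>[0-9A-Fa-f]{4})\s+\((?P<name>[^)]*)\)\s+to\s+"
    r"(?P<ins>INS_[A-Z_]+)(?:\((?P<arg>[0-9A-Fa-f]+)\))?"
)

def decode_sw(sw):
    """Explain a status word; 63Cx carries the remaining retries in x."""
    if sw & 0xFFF0 == 0x63C0:
        return f"verification failed, {sw & 0x0F} retries left"
    return FIXED_SW.get(sw, f"unlisted status word {sw:04X}")

def triage(line):
    """Return a dict describing an APDUError line, or None if it is not one."""
    m = APDU_ERR.search(line)
    if m is None:
        return None
    sw = int(m["sw"], 16)
    ref = int(m["arg"], 16) if m["arg"] is not None else None
    return {
        "sw": sw,
        "meaning": decode_sw(sw),
        "ins": m["ins"],
        "key_ref": ref,  # assumption: the parenthesised value is the key reference
        "target": KEY_REFS.get(ref, "unknown") if ref is not None else None,
    }

# First line is quoted from the thread; the second is constructed sample input.
SAMPLES = [
    "Caused by APDUError: Card replied with SW=6300 (WARNING_UNKNOWN) to INS_CHANGE_PIN(81)",
    "Caused by APDUError: Card replied with SW=63c2 (CONSTRUCTED_NAME) to INS_CHANGE_PIN(80)",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

For the line from the thread this reports the PUK as the target and a bare 6300, which is not the 63Cx "wrong value, x retries left" reply a mistyped PIN or PUK would normally produce.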