I have a Nitrokey 3A NFC, firmware version 1.6.0.
I’m using it for FIDO2 authentication, and ssh via a resident key, and also for the secrets app.
Recently I added a GPG key. Shortly after that, the key stopped working for all use cases:
- the opcard GPG app doesn’t accept my PIN anymore
- FIDO2 login on websites doesn’t work anymore (no resident key involved here)
ssh-add -K says:
Provider "internal" returned failure -1
Unable to load resident keys: invalid format
nitropy nk3 secrets list says:
No credentials found
nitropy nk3 test says:
Command line tool to interact with Nitrokey devices 0.4.42
Found 1 Nitrokey 3 device(s):
- Nitrokey 3 at /dev/hidraw1
Running tests for Nitrokey 3 at /dev/hidraw1
[1/5] uuid UUID query SUCCESS (redacted)
[2/5] version Firmware version query SUCCESS v1.6.0
[3/5] status Device status SUCCESS Status(init_status=<InitStatus: 0>, ifs_blocks=70, efs_blocks=465, variant=<Variant.LPC55: 1>)
[4/5] se050 SE050 SKIPPED
Please press the touch button on the device ...
[5/5] fido2 FIDO2 FAILURE 'x5c'
5 tests, 3 successful, 1 skipped, 1 failed
Summary: 1 device(s) tested, 0 successful, 1 failed
Critical error:
Test failed for 1 device(s)
Here’s the logfile:
451 DEBUG root print: Found 1 Nitrokey 3 device(s):
451 DEBUG root print: - Nitrokey 3 at /dev/hidraw1
451 DEBUG root print: Running tests for Nitrokey 3 at /dev/hidraw1
459 DEBUG root print: [1/5] uuid UUID query SUCCESS (redacted)
467 DEBUG root print: [2/5] version Firmware version query SUCCESS v1.6.0
475 INFO pynitrokey.cli.nk3.test Device status: Status(init_status=<InitStatus: 0>, ifs_blocks=70, efs_blocks=465, variant=<Variant.LPC55: 1>)
475 DEBUG root print: [3/5] status Device status SUCCESS Status(init_status=<InitStatus: 0>, ifs_blocks=70, efs_blocks=465, variant=<Variant.LPC55: 1>)
475 DEBUG root print: [4/5] se050 SE050 SKIPPED
1572 DEBUG fido2.server Fido2Server initialized for RP: PublicKeyCredentialRpEntity(name='Example RP', id='example.com')
1572 DEBUG fido2.server Starting new registration, existing credentials:
1573 DEBUG root print: Please press the touch button on the device ...
1574 DEBUG fido2.client Register a new credential for RP ID: example.com
1602 DEBUG fido2.ctap2.base Calling CTAP2 make_credential
1787 DEBUG fido2.hid Got keepalive status: 02
2039 DEBUG fido2.hid Got keepalive status: 02
2287 DEBUG fido2.hid Got keepalive status: 02
2535 DEBUG fido2.hid Got keepalive status: 02
2787 DEBUG fido2.hid Got keepalive status: 02
3035 DEBUG fido2.hid Got keepalive status: 02
3283 DEBUG fido2.hid Got keepalive status: 02
3535 DEBUG fido2.hid Got keepalive status: 02
3783 DEBUG fido2.hid Got keepalive status: 02
4031 DEBUG fido2.hid Got keepalive status: 02
4283 DEBUG fido2.hid Got keepalive status: 02
4531 DEBUG fido2.hid Got keepalive status: 02
4779 DEBUG fido2.hid Got keepalive status: 02
5031 DEBUG fido2.hid Got keepalive status: 01
5260 ERROR pynitrokey.cli.nk3.test An exception occured during the execution of the test fido2:
Traceback (most recent call last):
File "/nix/store/n3m4gb1k7ryldxh4jvyagyllfr7djmzm-pynitrokey-0.4.42/lib/python3.11/site-packages/pynitrokey/cli/nk3/test.py", line 575, in run_tests
result = test_case.fn(ctx, device)
^^^^^^^^^^^^^^^^^^^^^^^^^
File "/nix/store/n3m4gb1k7ryldxh4jvyagyllfr7djmzm-pynitrokey-0.4.42/lib/python3.11/site-packages/pynitrokey/cli/nk3/test.py", line 504, in test_fido2
cert = make_credential_result.attestation_object.att_stmt["x5c"]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^
KeyError: 'x5c'
I’ll try a reset of everything and see if the key then works again. I assume the data can’t be recovered.
EDIT 1:
nitropy fido2 reset seems to have worked. I added a PIN via chromium and an ssh resident key, which then can be successfully added to my ssh-agent.