Nitrokey Pro 2 : Can’t generate gpg keys (GPG 2.2.23)

Hi,
I just received my new Nitrokey Pro 2 and I followed the installation process.

On my Arch (5.9.10) with gpg (2.2.23) & libgcrypt (1.8.7):
I installed ccid (1.4.33-1), then the Nitrokey App (3.6-1), changed the user PIN and admin PIN; everything was great until I tried to generate GPG keys via
gpg2 --card-edit > admin > generate

The first time, I got a prompt for my admin PIN, with this error after:

gpg: error checking the PIN: End of file
gpg: error setting forced signature PIN flag: Relais brisé (pipe)

After this, if I try to generate again, I get no prompt and only:
gpg: error checking the PIN: End of file

I tried to factory-reset the device, on other computers (Manjaro & Win10), with or without nitrokey-app, on the console or with GNU Privacy Assistant.

Always errors.

Do you have any clue?
Is my Nitrokey device faulty?

Hi!

This looks like the smart card was not accessible to GnuPG anymore for some reason. Could you tell which GnuPG version you use on Windows 10 for the test?

  1. Could you take logs and attach them as instructed in [solved] Nitrokey Pro - RHEL / CentOS 7 - Key generation failed: Card error
  2. Is it possible to upgrade to the latest GnuPG - 2.2.25? There were some problems with 2.2.24, which was improved over 2.2.23.

In Win10 it was 2.2.23 too.

Here is the log as asked:

2020-11-25 13:03:08 scdaemon[998] DBG: chan_7 <- GETATTR SERIALNO
2020-11-25 13:03:08 scdaemon[998] DBG: chan_7 -> S SERIALNO D2760001240103030005000099DB0000
2020-11-25 13:03:08 scdaemon[998] DBG: chan_7 -> OK
2020-11-25 13:03:08 scdaemon[998] DBG: chan_7 <- GETATTR KEY-FPR
2020-11-25 13:03:08 scdaemon[998] DBG: chan_7 -> OK
2020-11-25 13:03:08 scdaemon[998] DBG: chan_7 <- GETATTR CHV-STATUS
2020-11-25 13:03:08 scdaemon[998] DBG: send apdu: c=00 i=CA p1=00 p2=C4 lc=-1 le=256 em=0
2020-11-25 13:03:08 scdaemon[998] DBG:   PCSC_data: 00 CA 00 C4 00
2020-11-25 13:03:08 scdaemon[998] DBG:  response: sw=9000  datalen=7
2020-11-25 13:03:08 scdaemon[998] DBG:       dump:  00 40 40 40 03 00 03
2020-11-25 13:03:08 scdaemon[998] DBG: chan_7 -> S CHV-STATUS +0+64+64+64+3+0+3
2020-11-25 13:03:08 scdaemon[998] DBG: chan_7 -> OK
2020-11-25 13:03:08 scdaemon[998] DBG: chan_7 <- GETATTR DISP-NAME
2020-11-25 13:03:08 scdaemon[998] DBG: chan_7 -> S DISP-NAME
2020-11-25 13:03:08 scdaemon[998] DBG: chan_7 -> OK
2020-11-25 13:03:08 scdaemon[998] DBG: chan_7 <- GETATTR EXTCAP
2020-11-25 13:03:08 scdaemon[998] DBG: chan_7 -> S EXTCAP gc=1+ki=1+fc=1+pd=1+mcl3=2048+aac=1+sm=0+si=5+dec=1+bt=0+kdf=1
2020-11-25 13:03:08 scdaemon[998] DBG: chan_7 -> OK
2020-11-25 13:03:08 scdaemon[998] DBG: chan_7 <- GETATTR KEY-ATTR
2020-11-25 13:03:08 scdaemon[998] DBG: chan_7 -> S KEY-ATTR 1 1 rsa2048 32 1
2020-11-25 13:03:08 scdaemon[998] DBG: chan_7 -> S KEY-ATTR 2 1 rsa2048 32 1
2020-11-25 13:03:08 scdaemon[998] DBG: chan_7 -> S KEY-ATTR 3 1 rsa2048 32 1
2020-11-25 13:03:08 scdaemon[998] DBG: chan_7 -> OK
2020-11-25 13:03:09 scdaemon[998] DBG: enter: apdu_get_status: slot=0 hang=0
2020-11-25 13:03:09 scdaemon[998] DBG: pcsc_get_status_change:  present excl
2020-11-25 13:03:09 scdaemon[998] DBG: leave: apdu_get_status => sw=0x0 status=7
2020-11-25 13:03:09 scdaemon[998] DBG: enter: apdu_get_status: slot=0 hang=0
2020-11-25 13:03:09 scdaemon[998] DBG: pcsc_get_status_change:  present excl
2020-11-25 13:03:09 scdaemon[998] DBG: leave: apdu_get_status => sw=0x0 status=7
2020-11-25 13:03:10 scdaemon[998] DBG: enter: apdu_get_status: slot=0 hang=0
2020-11-25 13:03:10 scdaemon[998] DBG: pcsc_get_status_change:  present excl
2020-11-25 13:03:10 scdaemon[998] DBG: leave: apdu_get_status => sw=0x0 status=7
2020-11-25 13:03:10 scdaemon[998] DBG: enter: apdu_get_status: slot=0 hang=0
2020-11-25 13:03:10 scdaemon[998] DBG: pcsc_get_status_change:  present excl
2020-11-25 13:03:10 scdaemon[998] DBG: leave: apdu_get_status => sw=0x0 status=7
2020-11-25 13:03:10 scdaemon[998] DBG: chan_7 <- SETATTR CHV-STATUS-1 %01
2020-11-25 13:03:10 scdaemon[998] DBG: send apdu: c=00 i=CA p1=00 p2=C4 lc=-1 le=256 em=0
2020-11-25 13:03:10 scdaemon[998] DBG:   PCSC_data: 00 CA 00 C4 00
2020-11-25 13:03:10 scdaemon[998] DBG:  response: sw=9000  datalen=7
2020-11-25 13:03:10 scdaemon[998] DBG:       dump:  00 40 40 40 03 00 03
2020-11-25 13:03:10 scdaemon[998] 3 Admin PIN attempts remaining before card is permanently locked
2020-11-25 13:03:10 scdaemon[998] DBG: check_pcsc_pinpad: command=20, r=27265
2020-11-25 13:03:10 scdaemon[998] DBG: asking for PIN '|A|Veuillez entrer le code personnel d'administration%0A%0ANumber: 0005 000099DB%0AHolder: '
2020-11-25 13:03:10 scdaemon[998] DBG: chan_7 -> [ 49 4e 51 55 49 52 45 20 4e 45 45 44 50 49 4e 20 ...(94 byte(s) skipped) ]
2020-11-25 13:03:15 scdaemon[998] DBG: chan_7 <- [ 44 20 ******** 00 00 ...(76 byte(s) skipped) ]
2020-11-25 13:03:15 scdaemon[998] DBG: chan_7 <- END
2020-11-25 13:03:15 scdaemon[998] DBG: send apdu: c=00 i=20 p1=00 p2=83 lc=8 le=-1 em=0
2020-11-25 13:03:15 scdaemon[998] DBG:   PCSC_data: 00 20 00 83 08 35 38 32 32 38 33 31 33
2020-11-25 13:03:15 scdaemon[998] DBG:  response: sw=9000  datalen=0
2020-11-25 13:03:15 scdaemon[998] DBG:     dump:  
2020-11-25 13:03:15 scdaemon[998] DBG: send apdu: c=00 i=DA p1=00 p2=C4 lc=1 le=-1 em=0
2020-11-25 13:03:15 scdaemon[998] DBG:   PCSC_data: 00 DA 00 C4 01 01
2020-11-25 13:03:15 scdaemon[998] DBG:  response: sw=9000  datalen=0
2020-11-25 13:03:15 scdaemon[998] DBG:     dump:  
2020-11-25 13:03:15 scdaemon[998] DBG: chan_7 -> OK
2020-11-25 13:03:15 scdaemon[998] DBG: enter: apdu_get_status: slot=0 hang=0
2020-11-25 13:03:15 scdaemon[998] DBG: pcsc_get_status_change:  present excl
2020-11-25 13:03:15 scdaemon[998] DBG: leave: apdu_get_status => sw=0x0 status=7
2020-11-25 13:03:15 scdaemon[998] DBG: chan_7 <- CHECKPIN D2760001240103030005000099DB0000
2020-11-25 13:03:15 scdaemon[998] DBG: send apdu: c=00 i=20 p1=00 p2=81 lc=32648 le=-1 em=0
2020-11-25 13:03:15 scdaemon[998] échec de vérification CHV1 : Valeur incorrecte
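A small log-consistency check, added here as an illustration and not part of the thread: it decodes the DO C4 PW status bytes that appear in the scdaemon log above (00 40 40 40 03 00 03, which gpg reports as +0+64+64+64+3+0+3) and flags VERIFY APDUs whose Lc field does not fit the card's limits, such as the lc=32648 on the last line. The sample lines are an abridged copy of the log above; the check only surfaces the inconsistency, while the thread itself attributes the failure to the GnuPG release.

```python
import re

# Constructed, abridged excerpt of the scdaemon log posted in this thread.
SAMPLE_LOG = """\
2020-11-25 13:03:08 scdaemon[998] DBG: send apdu: c=00 i=CA p1=00 p2=C4 lc=-1 le=256 em=0
2020-11-25 13:03:08 scdaemon[998] DBG:  response: sw=9000  datalen=7
2020-11-25 13:03:08 scdaemon[998] DBG:       dump:  00 40 40 40 03 00 03
2020-11-25 13:03:15 scdaemon[998] DBG: send apdu: c=00 i=20 p1=00 p2=83 lc=8 le=-1 em=0
2020-11-25 13:03:15 scdaemon[998] DBG: send apdu: c=00 i=20 p1=00 p2=81 lc=32648 le=-1 em=0
"""

APDU_RE = re.compile(r"send apdu: c=(\w+) i=(\w+) p1=(\w+) p2=(\w+) lc=(-?\d+) le=(-?\d+)")
DUMP_RE = re.compile(r"dump:\s+((?:[0-9A-Fa-f]{2}\s*)+)$")

def parse_pw_status(data: bytes) -> dict:
    """Decode the OpenPGP card PW status bytes (DO C4, 7 bytes)."""
    if len(data) < 7:
        raise ValueError("PW status DO is 7 bytes")
    return {
        "pw1_valid_multiple": data[0] == 1,          # 00 -> PW1 valid for one signature
        # bit 8 of a max-length byte is a PIN-format flag in OpenPGP 3.x; low 7 bits = length
        "max_len": (data[1] & 0x7F, data[2] & 0x7F, data[3] & 0x7F),  # PW1, RC, PW3
        "retries": (data[4], data[5], data[6]),                      # PW1, RC, PW3
    }

def scan_log(text: str) -> list:
    """Learn the card's PIN limits from the DO C4 dump, then flag VERIFY
    (INS 20) APDUs whose Lc cannot be a valid PIN length."""
    findings, limits, want_c4_dump = [], None, False
    for line in text.splitlines():
        m = APDU_RE.search(line)
        if m:
            ins, p2, lc = m.group(2).upper(), m.group(4).upper(), int(m.group(5))
            want_c4_dump = ins == "CA" and p2 == "C4"   # GET DATA of PW status
            if ins == "20":                              # VERIFY; P2 selects the PIN
                idx = {"81": 0, "82": 0, "83": 2}.get(p2)
                if lc > 255:
                    findings.append(f"VERIFY P2={p2}: Lc={lc} exceeds short-APDU maximum")
                elif limits and idx is not None and lc > limits["max_len"][idx]:
                    findings.append(f"VERIFY P2={p2}: Lc={lc} > card max {limits['max_len'][idx]}")
            continue
        d = DUMP_RE.search(line)
        if d and want_c4_dump:
            limits = parse_pw_status(bytes.fromhex(d.group(1).replace(" ", "")))
            want_c4_dump = False
    return findings
```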

Thank you for the logs, but unfortunately I cannot find anything useful here. I have made some tests on my system through Docker container and built GnuPG 2.2.23 from source and all seem to work.

Could you run the following and paste back the output?

pkcs11-tool -t --login

If tests would fail, please run them again like this:

env OPENSC_DEBUG=9 pkcs11-tool -t --login

and provide it here as well (as a file or paste).

Was unable to perform the requested command, had to install
sudo pacman -S opensc

Then I got:

Using slot 0 with a present token (0x0)
Logging in to "OpenPGP card (User PIN)".
Please enter User PIN: 
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only for RSA)
Signatures: no private key found in this slot
Verify (currently only for RSA)
  No private key found for testing
Decryption (currently only for RSA)
No errors

Indeed this is an OpenSC command, sorry for not mentioning that.

It looks like it was able to communicate with the smart card for the PIN confirmation. We can try to generate the keys using OpenSC as well to confirm that smart card is working.
Please run the following command:

openpgp-tool --verify CHV3 --pin 12345678 --gen-key 1 --key-type rsa2048

With the PIN value replaced if needed with Admin PIN.

Edit: more at https://github.com/OpenSC/OpenSC/wiki/OpenPGP-card

Looks like it worked:
Using reader with a card: Nitrokey Nitrokey Pro (0000000000000000000099DB) 00 00
Fingerprint:
F706FC534A3AEEB206BA527340995EA4 FB1703DA

gpg2 --card-status
Reader ...........: Nitrokey Nitrokey Pro (0000000000000000000099DB) 00 00
Application ID ...: D2760001240103030005000099DB0000
Application type .: OpenPGP
Version ..........: 3.3
Manufacturer .....: ZeitControl
Serial number ....: 000099DB
Name of cardholder: [non positionné]
Language prefs ...: de
Salutation .......: 
URL of public key : [non positionné]
Login data .......: [non positionné]
Signature PIN ....: non forcé
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 64 64 64
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: off
Signature key ....: F706 FC53 4A3A EEB2 06BA  5273 4099 5EA4 FB17 03DA
      created ....: 2020-11-25 17:20:55
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

I see. My guess is that it must be something with the Arch packaging of GnuPG then. You have mentioned Manjaro too - do you have the same problem there?

Yes, exact same issue with Manjaro.

Hi!
It looks like GnuPG 2.2.23 is not working correctly - I reproduced the error on my Windows 10 setup. Updating to GnuPG 2.2.25 helped (Gpg4Win 3.1.14). Please try it and let me know.

Edit: in case GnuPG would not see the card due to OpenSC blocking the access on Windows, this command should help:

net stop scardsvr

Edit: other issue with this GnuPG release: How to reset NitroKey Start? (GPG 2.2.23).

Busy day today, I'll be back to you after testing 2.2.5 tomorrow.

Hi, as expected, key generation went flawlessly with Gpg4Win 3.1.14.
The issue indeed seems linked to GnuPG 2.2.23.