Nitrokey Start and "Error changing the PIN: Conditions of use not satisfied"

Django · August 11, 2020, 8:19am

I am currently writing a new BLOG article about Nitrokey Start and openSUSE leap 15.2. While doing so I found the following strange phenomenon while trying and testing:

I generate a new PGP key on Nitrokey Start and change the admin PIN and then the user PIN. Everything works fine and as expected.

BUT:

If I do a factory-reset on the Nitrokey Start stick and then try to change the PINs directly, the following happens:

$ gpg2 --change-pin
gpg: OpenPGP card no. D276000124010200FFFE432438190000 detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 3
PIN changed.

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 1
Error changing the PIN: Conditions of use not satisfied

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

That means I can’t change the user PIN, because this is always acknowledged with the error message “Error changing the PIN: Conditions of use not satisfied”.

Is this an error of NitrokeyStart or rather of the libraries involved?

 $ gpg2 --version
gpg (GnuPG) 2.2.5
libgcrypt 1.8.2
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/django/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Or how can this strange phenomenon be explained? Any idea, or hints?

szszszsz · August 11, 2020, 4:04pm

Hi @Django!

This is by implementation design - sorry for not being intuitive. See the following:

Note: It is indeed necessary to first import or create new keys and change the PINs afterwards. Otherwise changing User PIN will fail! Furthermore overriding keys results in PIN reset (default values), please keep this in mind!

It is possible as well to configure Nitrokey Start in the User-PIN only mode, if the actions order are different, which again might be confusing without documentation:

Change the Admin PIN (default: 12345678) and then the User PIN (default: 123456) to your own choices. The PIN must consist of at least 14 characters. Use ‘gpg --card-edit’ → ‘admin’ → ‘passwd’ to achieve this. (Please be careful to change admin PIN first and user PIN second! Otherwise the admin-less mode got activated, see this instructions for further information.)

Both excerpts taken from:

Nitrokey Documentation

Perhaps we should ask GnuPG maintainers to print device-related documentation on the PIN change. To consider.

cc: @jan

Django · August 11, 2020, 4:33pm

HI,

This is by implementation design - sorry for not being intuitive.

Logically, I would first change the PINs and then create a key. Just stumbled across it by accident while trying the S/MIME stuff.

Until now I had always created the key and then changed the admin PIN and then the user PIN.

Thanks for the explanation!