Nitrokey3C Card Failure when `gpg keytocard`

When I try to import the pre-existing GPG keys to the card, this happens:

➜  ~ gpg --edit-key --expert tcanabrava@kde.org
gpg (GnuPG) 2.2.41; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/B10D17C4DDFC6DDE
     created: 2023-07-17  expires: never       usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa4096/DA22FFE1B0A5BA0E
     created: 2023-07-17  expires: never       usage: E   
ssb  rsa3072/0496D634F124F14A
     created: 2023-10-19  expires: never       usage: A   
[ultimate] (1). Tomaz Canabrava <tcanabrava@archlinux.org>
[ultimate] (2)  Tomaz Canabrava <tcanabrava@kde.org>

gpg> keytocard
Really move the primary key? (y/N) y
Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1
gpg: KEYTOCARD failed: Card error

My status is ok, and the Nitrokey nk3 test is also ok.

➜  ~ gpg --card-status                         
Reader ...........: 20A0:42B2:X:0
Application ID ...: D276000124010304000FC2E6E7A50000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: unknown
Serial number ....: C2E6E7A5
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......: 
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
KDF setting ......: off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

The RSA size of my key and of the Nitrokey are both set to 4096.

The test status:

➜  ~ nitropy nk3 test                          
Command line tool to interact with Nitrokey devices 0.4.39
Found 1 Nitrokey 3 device(s):
- Nitrokey 3 at /dev/hidraw0

Running tests for Nitrokey 3 at /dev/hidraw0

[1/4]   uuid            UUID query                      SUCCESS         C2E6E7A51562BF54B2485CBC8D8E4496
[2/4]   version         Firmware version query          SUCCESS         v1.5.0
[3/4]   status          Device status                   SUCCESS         Status(init_status=<InitStatus: 0>, ifs_blocks=60, efs_blocks=478, variant=<Variant.LPC55: 1>)
Please press the touch button on the device ...
Please press the touch button on the device ...
[4/4]   fido2           FIDO2                           SUCCESS  

4 tests, 4 successful, 0 skipped, 0 failed

Summary: 1 device(s) tested, 1 successful, 0 failed

So I’m a bit puzzled how to continue. I have seen here that for some people who had this problem it was because the key had a different size, but I’m out of ideas.

I assume that your Nitrokey is not recognized properly.
I get a name for the reader, not only a cryptic string; see my output of gpg --card-status:

Reader ...........: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 01 00

What Linux distribution do you use and how do you setup the card reader?

I use Arch Linux (latest), and the setup was done following the information in the Nitrokey documentation.

I use the Arch Linux based Manjaro Linux, and I have additionally installed pcsc-lite and ccid.

You can also try creating the file ~/.gnupg/scdaemon.conf with the following content:

pcsc-driver /usr/lib/libpcsclite.so
card-timeout 5
disable-ccid

Maybe the GnuPG article in the Arch Wiki gives further help?

Everything that I have so far: I was able to move things to the card via opgpcard.
Both are installed:

➜  yay -Ss pcsclite | grep Installed
extra/pcsclite 2.0.0-1 (100.1 KiB 301.1 KiB) (Installed)
➜ yay -Ss ccid | grep Installed
extra/ccid 1.5.2-1 (78.8 KiB 250.5 KiB) (Installed)

gpg --card-status tells me that I have no card:

➜  kleopatra gpg -vvv --card-status
gpg: using character set 'utf-8'
gpg: enabled debug flags: memstat
gpg: enabled compatibility flags:
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
gpg: keydb: handles=0 locks=0 parse=0 get=0
gpg:        build=0 update=0 insert=0 delete=0
gpg:        reset=0 found=0 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=0 cached=0 good=0 bad=0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x0000000000000000 calls=0 bytes=0
gpg: secmem usage: 0/32768 bytes in 0 blocks

My config file for scdaemon is as follows:

cat ~/.gnupg/scdaemon.conf
pcsc-driver /usr/lib/libpcsclite.so
card-timeout 5
disable-ccid
pcsc-shared

But opgpcard status tells me that I do indeed have cards.
Now I’m trying to use Kleopatra or GPA, but neither can see the cards.

Good Morning,
are you running pcscd.service?

You can check it with sudo systemctl status pcscd.service.
The output should look like:

     Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; preset: disabled)
     Active: active (running) since Sat 2023-10-21 08:38:38 CEST; 6min ago
TriggeredBy: ● pcscd.socket
       Docs: man:pcscd(8)
   Main PID: 2811 (pcscd)
      Tasks: 10 (limit: 19066)
     Memory: 4.4M
        CPU: 90ms
     CGroup: /system.slice/pcscd.service
             └─2811 /usr/bin/pcscd --foreground --auto-exit

Okt 21 08:38:38 my-pc systemd[1]: Started PC/SC Smart Card Daemon.

You can start and enable the service with
systemctl enable pcscd.service && systemctl start pcscd.service

Did you set up the udev rules according to the Nitrokey documentation?

I am running pcscd, the output of systemctl status pcscd is:

  ~ systemctl status pcscd
● pcscd.service - PC/SC Smart Card Daemon
     Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; preset: disabled)
     Active: active (running) since Fri 2023-10-20 16:22:03 CEST; 24h ago
TriggeredBy: ● pcscd.socket
       Docs: man:pcscd(8)
   Main PID: 2622 (pcscd)
      Tasks: 12 (limit: 18793)
     Memory: 4.4M
        CPU: 42.395s
     CGroup: /system.slice/pcscd.service
             └─2622 /usr/bin/pcscd --foreground --auto-exit

I have set the udev rules for Nitrokey and put them in /etc/udev/rules.d/41-nitrokey.rules.

pcsc_scan finds the card:

  ~ pcsc_scan        
PC/SC device scanner
V 1.6.2 (c) 2001-2022, Ludovic Rousseau <ludovic.rousseau@free.fr>
Using reader plug'n play mechanism
Scanning present readers...
0: Alcor Micro AU9540 00 00
1: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 01 00
 
Sat Oct 21 17:00:05 2023
 Reader 0: Alcor Micro AU9540 00 00
  Event number: 0
  Card state: Card removed, 
 Reader 1: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 01 00
  Event number: 0
  Card state: Card inserted, 
  ATR: 3B 8F 01 80 5D 4E 69 74 72 6F 6B 65 79 00 00 00 00 00 6A

But gpg fails:

➜  ~ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

I see that I have two card readers, via pcsc_scan, maybe this is the problem with gpg?

I also see that opensc-tool gives me the correct information, but not gpg.

➜  ~ opensc-tool -l                      
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    No              Alcor Micro AU9540 00 00
1    Yes             Nitrokey Nitrokey 3 [CCID/ICCD Interface] 01 00
➜  ~ gpg --version
gpg (GnuPG) 2.2.41
libgcrypt 1.10.2-unknown
Copyright (C) 2022 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/tcanabrava/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
➜  ~ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
➜  ~ 
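The post above asks whether having two PC/SC readers is what confuses gpg. As an added example (not from the thread or from Nitrokey), the script below parses the reader list that pcsc_scan prints and, when the Nitrokey is not reader 0, emits the scdaemon.conf `reader-port` line that pins GnuPG 2.2's single-reader scdaemon to it. It assumes the reader name contains "Nitrokey", as in the output above; the thread itself does not confirm reader selection as the cause, so treat this as one check to rule out.

```shell
#!/bin/sh
# Added example: pick the Nitrokey out of a multi-reader pcsc_scan listing and
# build the scdaemon.conf line that selects it. GnuPG 2.2's scdaemon uses one
# PC/SC reader; without "reader-port" it takes the first reader it finds, which
# in the thread's output is the Alcor Micro slot, not the Nitrokey.

# Constructed sample, shaped like the reader list at the top of pcsc_scan output.
SAMPLE_SCAN='PC/SC device scanner
Scanning present readers...
0: Alcor Micro AU9540 00 00
1: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 01 00'

# nitrokey_reader_name SCAN_OUTPUT
#   Prints the full PC/SC name of the first reader containing "Nitrokey";
#   exits non-zero when no such reader is listed.
nitrokey_reader_name() {
    printf '%s\n' "$1" \
        | sed -n 's/^[0-9][0-9]*: \(.*Nitrokey.*\)$/\1/p' \
        | head -n 1 | grep .
}

# nitrokey_reader_index SCAN_OUTPUT
#   Prints the slot number (the "N:" prefix) of that reader; non-zero if absent.
nitrokey_reader_index() {
    printf '%s\n' "$1" \
        | sed -n 's/^\([0-9][0-9]*\): .*Nitrokey.*$/\1/p' \
        | head -n 1 | grep .
}

# scdaemon_reader_line SCAN_OUTPUT
#   Prints "reader-port <name>" when the Nitrokey is not reader 0 (so scdaemon
#   would otherwise bind to a different reader); prints nothing when it already
#   is reader 0; fails when no Nitrokey reader is present.
scdaemon_reader_line() {
    idx=$(nitrokey_reader_index "$1") || return 1
    [ "$idx" -eq 0 ] && return 0
    printf 'reader-port %s\n' "$(nitrokey_reader_name "$1")"
}

# Live use (assumption: reader names as shown by pcsc_scan on your system):
#   scdaemon_reader_line "$(pcsc_scan | sed '/^$/q')" >> ~/.gnupg/scdaemon.conf
#   gpgconf --kill scdaemon   # scdaemon re-reads its config on restart
```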

Since we’re on the same distro (gpg version, udev rules via package and all) and I happen to have a not yet deployed nk3 on the same fw 1.5.0, I just did a test of a keytocard and it worked first try. To ensure my gpg config is vanilla I used a new user. I know this is of limited help. One point I note is your second ssb is on 3072 where I chose 4096 for all (not that it should matter, of course).
If I have an idea, I post again.

The first time I used gpg --card-status it worked, but now not even that.

Hi @ion, it seems to work for you. In order to compare possible variations of the configuration, can you please post the output of the following commands?
gpgconf --show-configs
gpgconf --list-components
gpgconf --check-config

gpgconf --show-configs:

➜  ~ gpgconf --show-configs
### Dump of all standard config files
### GnuPG 2.2.41 (0000000)
### GNU/Linux
### Libgcrypt 1.10.2-unknown
### GpgRT 1.47-unknown
###

sysconfdir:/etc/gnupg
bindir:/usr/bin
libexecdir:/usr/lib/gnupg
libdir:/usr/lib/gnupg
datadir:/usr/share/gnupg
localedir:/usr/share/locale
socketdir:/run/user/1000/gnupg
dirmngr-socket:/run/user/1000/gnupg/S.dirmngr
agent-ssh-socket:/run/user/1000/gnupg/S.gpg-agent.ssh
agent-extra-socket:/run/user/1000/gnupg/S.gpg-agent.extra
agent-browser-socket:/run/user/1000/gnupg/S.gpg-agent.browser
agent-socket:/run/user/1000/gnupg/S.gpg-agent
homedir:/home/tcanabrava/.gnupg

###
### global config "/etc/gnupg/common.conf": not installed
###
###
### local config "/home/tcanabrava/.gnupg/common.conf": not installed
###

###
### global config "/etc/gnupg/gpg-agent.conf": not installed
###
###
### local config "/home/tcanabrava/.gnupg/gpg-agent.conf": not installed
###

###
### global config "/etc/gnupg/scdaemon.conf": not installed
###
###
### local config "/home/tcanabrava/.gnupg/scdaemon.conf"
###
--8<---------------cut here---------------start------------->8---
pcsc-driver /usr/lib/libpcsclite.so
card-timeout 1 
disable-ccid
pcsc-shared
log-file /home/tcanabrava/scdaemon.log.txt

--8<---------------cut here---------------end--------------->8---

###
### global config "/etc/gnupg/dirmngr.conf": not installed
###
###
### local config "/home/tcanabrava/.gnupg/dirmngr.conf": not installed
###

###
### global config "/etc/gnupg/gpg.conf": not installed
###
###
### local config "/home/tcanabrava/.gnupg/gpg.conf": not installed
###

###
### global config "/etc/gnupg/gpgsm.conf": not installed
###
###
### local config "/home/tcanabrava/.gnupg/gpgsm.conf": not installed
###

List Components:

➜  ~ gpgconf --list-components
gpg:OpenPGP:/usr/bin/gpg
gpgsm:S/MIME:/usr/bin/gpgsm
gpg-agent:Private Keys:/usr/bin/gpg-agent
scdaemon:Smartcards:/usr/lib/gnupg/scdaemon
dirmngr:Network:/usr/bin/dirmngr
pinentry:Passphrase Entry:/usr/bin/pinentry

gpgconf --check-config

➜  ~ gpgconf --check-config
gpgconf: can not open global config file '/etc/gnupg/gpgconf.conf': No such file or directory

All identical; I just post the first for now.

$ gpgconf --show-configs
### Dump of all standard config files
### GnuPG 2.2.41 (0000000)
### GNU/Linux
### Libgcrypt 1.10.2-unknown
### GpgRT 1.47-unknown
###

sysconfdir:/etc/gnupg
bindir:/usr/bin
libexecdir:/usr/lib/gnupg
libdir:/usr/lib/gnupg
datadir:/usr/share/gnupg
localedir:/usr/share/locale
socketdir:/run/user/1001/gnupg
dirmngr-socket:/run/user/1001/gnupg/S.dirmngr
agent-ssh-socket:/run/user/1001/gnupg/S.gpg-agent.ssh
agent-extra-socket:/run/user/1001/gnupg/S.gpg-agent.extra
agent-browser-socket:/run/user/1001/gnupg/S.gpg-agent.browser
agent-socket:/run/user/1001/gnupg/S.gpg-agent
homedir:/home/ion/.gnupg

and FWIW this is the card-status since after my test yesterday:

$ gpg --card-status
Reader ...........: 20A0:42B2:X:0
Application ID ...: D27....
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: unknown
Serial number ....: 12345678
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......: 
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: off
Signature key ....: 436B 9BF3 B171 63A6 6BDA  DD3E 3971 7E5D 3D58 368B
      created ....: 2023-10-21 16:39:45
Encryption key....: [none]
Authentication key: [none]
General key info..: pub  rsa4096/39717E5D3D58368B 2023-10-21 ion test (test) <iontest@dev.null>
sec>  rsa4096/39717E5D3D58368B  created: 2023-10-21  expires: never     
                                card-no: 000F 555555
ssb   rsa4096/FFA10C0BCD5F829E  created: 2023-10-21  expires: never     
ssb   rsa4096/192094F5C21D4C5C  created: 2023-10-21  expires: never    

edit: the rest of output for completeness:

$ gpgconf --list-components
gpg:OpenPGP:/usr/bin/gpg
gpgsm:S/MIME:/usr/bin/gpgsm
gpg-agent:Private Keys:/usr/bin/gpg-agent
scdaemon:Smartcards:/usr/lib/gnupg/scdaemon
dirmngr:Network:/usr/bin/dirmngr
pinentry:Passphrase Entry:/usr/bin/pinentry

$ gpgconf --check-config
gpgconf: can not open global config file '/etc/gnupg/gpgconf.conf': No such file or directory


Have you already tried:

  • A factory reset and repeating your procedure?
  • Creating RSA2048 keys using gpg on the local machine and performing a keytocard with these keys? (I have already tried this with success, yet still need to test RSA4096.)