NK3 A FIDO2 "Failure"

Hello

I have a problem with one of my NK3 A keys: "user authentication and desktop login" no longer works under Linux Mint. I have already performed a FIDO2 factory reset and set a new PIN, with the same result.

Output of nitropy nk3 test:

nitropy nk3 test --pin ********
Command line tool to interact with Nitrokey devices 0.4.40
Found 1 Nitrokey 3 device(s):
- Nitrokey 3 at /dev/hidraw7

Running tests for Nitrokey 3 at /dev/hidraw7

[1/4]	uuid     	UUID query              	SUCCESS  	7868C13D7EB4AA51907ECA3B49AE4A3E
[2/4]	version  	Firmware version query  	SUCCESS  	v1.5.0
[3/4]	status   	Device status           	SUCCESS  	Status(init_status=<InitStatus.0: 0>, ifs_blocks=74, efs_blocks=478, variant=<Variant.LPC55: 1>)
Please press the touch button on the device ...
[4/4]	fido2    	FIDO2                   	FAILURE  	'x5c'

4 tests, 3 successful, 0 skipped, 1 failed

Summary: 1 device(s) tested, 0 successful, 1 failed

Critical error:
Test failed for 1 device(s) here

Excerpt from '/tmp/nitropy.log.3j05awmw':

197        INFO pynitrokey.cli Timestamp: 2023-10-14 22:09:19.612227
197        INFO pynitrokey.cli OS: uname_result(system='Linux', node='degone', release='6.2.0-34-generic', version='#34~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep  7 13:12:03 UTC 2', machine='x86_64')
197        INFO pynitrokey.cli Python version: 3.10.12
197        INFO pynitrokey.cli Cli arguments: ['nk3', 'test', '--pin', '[redacted]']
198        INFO pynitrokey.cli pynitrokey version: 0.4.40
199        INFO pynitrokey.cli cryptography version: 39.0.2
199        INFO pynitrokey.cli ecdsa version: 0.18.0
200        INFO pynitrokey.cli fido2 version: 1.1.1
200        INFO pynitrokey.cli pyusb version: 1.2.1
201        INFO pynitrokey.cli spsdk version: 1.10.1
202        INFO pynitrokey.cli.nk3.test platform: Linux-6.2.0-34-generic-x86_64-with-glibc2.35
202        INFO pynitrokey.cli.nk3.test uname: uname_result(system='Linux', node='degone', release='6.2.0-34-generic', version='#34~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep  7 13:12:03 UTC 2', machine='x86_64')
390        INFO  libusbsio Loading SIO library: /home/**/.local/pipx/venvs/pynitrokey/lib/python3.10/site-packages/libusbsio/bin/linux_x86_64/libusbsio.so
392        INFO  libusbsio HID enumeration[94489173171648]: initialized
PermissionError: [Errno 13] Permission denied: '/dev/hidraw6'
Traceback (most recent call last):
  File "/home/deg/.local/pipx/venvs/pynitrokey/lib/python3.10/site-packages/fido2/hid/linux.py", line 98, in list_descriptors
    devices.append(get_descriptor(hidraw))
  File "/home/deg/.local/pipx/venvs/pynitrokey/lib/python3.10/site-packages/fido2/hid/linux.py", line 55, in get_descriptor
    with open(path, "rb") as f:
458       DEBUG fido2.hid.linux Failed opening device /dev/hidraw3
531       DEBUG       root print: Found 1 Nitrokey 3 device(s):
531       DEBUG       root print: - Nitrokey 3 at /dev/hidraw7
531       DEBUG       root print: Running tests for Nitrokey 3 at /dev/hidraw7
539       DEBUG       root print: [1/4]	uuid     	UUID query              	SUCCESS  	7868C13D7EB4AA51907ECA3B49AE4A3E
547       DEBUG       root print: [2/4]	version  	Firmware version query  	SUCCESS  	v1.5.0
555        INFO pynitrokey.cli.nk3.test Device status: Status(init_status=<InitStatus.0: 0>, ifs_blocks=74, efs_blocks=478, variant=<Variant.LPC55: 1>)
555       DEBUG       root print: [3/4]	status   	Device status           	SUCCESS  	Status(init_status=<InitStatus.0: 0>, ifs_blocks=74, efs_blocks=478, variant=<Variant.LPC55: 1>)
1633      DEBUG fido2.server Fido2Server initialized for RP: PublicKeyCredentialRpEntity(name='Example RP', id='example.com')
1634      DEBUG fido2.server Starting new registration, existing credentials: 
1636      DEBUG       root print: Please press the touch button on the device ...
1637      DEBUG fido2.client Register a new credential for RP ID: example.com
1855      DEBUG fido2.ctap2.pin Got PIN token for permissions: None
1855      DEBUG fido2.ctap2.base Calling CTAP2 make_credential
2119      DEBUG  fido2.hid Got keepalive status: 02
2367      DEBUG  fido2.hid Got keepalive status: 02
2615      DEBUG  fido2.hid Got keepalive status: 02
2867      DEBUG  fido2.hid Got keepalive status: 02
3115      DEBUG  fido2.hid Got keepalive status: 02
3363      DEBUG  fido2.hid Got keepalive status: 02
3615      DEBUG  fido2.hid Got keepalive status: 02
3863      DEBUG  fido2.hid Got keepalive status: 02
4111      DEBUG  fido2.hid Got keepalive status: 02
4363      DEBUG  fido2.hid Got keepalive status: 02
4611      DEBUG  fido2.hid Got keepalive status: 01
4805      ERROR pynitrokey.cli.nk3.test An exception occured during the execution of the test fido2:
Traceback (most recent call last):
  File "/home/deg/.local/pipx/venvs/pynitrokey/lib/python3.10/site-packages/pynitrokey/cli/nk3/test.py", line 375, in run_tests
    result = test_case.fn(ctx, device)
  File "/home/deg/.local/pipx/venvs/pynitrokey/lib/python3.10/site-packages/pynitrokey/cli/nk3/test.py", line 304, in test_fido2
    cert = make_credential_result.attestation_object.att_stmt["x5c"]
KeyError: 'x5c'
4806      DEBUG       root print: [4/4]	fido2    	FIDO2                   	FAILURE  	'x5c'
4806      DEBUG       root print: 4 tests, 3 successful, 0 skipped, 1 failed
4806      DEBUG       root print: Summary: 1 device(s) tested, 0 successful, 1 failed
4806      DEBUG       root print: Critical error:
4806      DEBUG       root print: Test failed for 1 device(s)
4806      DEBUG       root listing all connected devices:
4811      DEBUG       root :: 'Nitrokey FIDO2' keys
4811      DEBUG       root :: 'Nitrokey Start' keys:
4840      DEBUG       root :: 'Nitrokey 3' keys

When trying to generate the pamu2fcfg keys:

pamu2fcfg > ~/.config/Nitrokey/u2f_keys
Enter PIN for /dev/hidraw7: 
error: fido_cred_verify (-7) FIDO_ERR_INVALID_ARGUMENT

I hope you can help me, thanks!
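The failing step in the log above is the test reading `att_stmt["x5c"]` from the attestation object returned by make_credential. That key holds the authenticator's attestation certificate chain; a "packed" attestation statement without it is self-attestation (signed with the freshly made credential key rather than a device certificate), which is also what pamu2fcfg's fido_cred_verify rejects. The following is an added example, not code from the thread or from pynitrokey: it decodes a CTAP2 attestation object with a minimal CBOR codec (only the types that appear in attestation objects, so it runs offline without python-fido2) and reports whether a certificate is present instead of raising KeyError. The two sample attestation objects are constructed here with placeholder bytes in place of a real certificate, signature and authenticator data.

```python
"""Classify a CTAP2/WebAuthn attestation object by its attestation statement.

Added example (not part of the forum thread or of pynitrokey). Minimal CBOR
codec covering unsigned/negative ints, byte strings, text strings, arrays and
maps, which is all an attestation object uses.
"""
import struct


def _head(major, n):
    """CBOR initial byte(s) for a major type and argument n."""
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 0x100:
        return bytes([(major << 5) | 24, n])
    if n < 0x10000:
        return bytes([(major << 5) | 25]) + struct.pack(">H", n)
    return bytes([(major << 5) | 26]) + struct.pack(">I", n)


def cbor_encode(v):
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        b = v.encode()
        return _head(3, len(b)) + b
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError("unsupported type %r" % type(v))


def _decode(d, i):
    major, ai = d[i] >> 5, d[i] & 0x1F
    i += 1
    if ai < 24:
        n = ai
    elif ai == 24:
        n, i = d[i], i + 1
    elif ai == 25:
        n, i = struct.unpack(">H", d[i:i + 2])[0], i + 2
    elif ai == 26:
        n, i = struct.unpack(">I", d[i:i + 4])[0], i + 4
    else:
        raise ValueError("unsupported additional info %d" % ai)
    if major == 0:
        return n, i
    if major == 1:
        return -1 - n, i
    if major == 2:
        return d[i:i + n], i + n
    if major == 3:
        return d[i:i + n].decode(), i + n
    if major == 4:
        out = []
        for _ in range(n):
            x, i = _decode(d, i)
            out.append(x)
        return out, i
    if major == 5:
        out = {}
        for _ in range(n):
            k, i = _decode(d, i)
            x, i = _decode(d, i)
            out[k] = x
        return out, i
    raise ValueError("unsupported major type %d" % major)


def cbor_decode(data):
    v, end = _decode(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after CBOR item")
    return v


def classify_attestation(att_obj_bytes):
    """Return (fmt, has_x5c). Never raises KeyError on a missing certificate."""
    obj = cbor_decode(att_obj_bytes)
    stmt = obj.get("attStmt") or {}
    return obj["fmt"], bool(stmt.get("x5c"))


def attestation_cert(att_obj_bytes):
    """Leaf attestation certificate (DER) or None for self-attestation."""
    stmt = cbor_decode(att_obj_bytes).get("attStmt") or {}
    chain = stmt.get("x5c")  # absent for self-attestation, list of DER certs otherwise
    return chain[0] if chain else None


# Constructed samples: placeholder authData, signature and certificate bytes.
AUTH_DATA = b"\x00" * 37


def sample_attestation(with_cert):
    stmt = {"alg": -7, "sig": b"\x30\x06\x02\x01\x01\x02\x01\x02"}
    if with_cert:
        stmt["x5c"] = [b"\x30\x82\x01\x00" + b"C" * 256]  # dummy DER, not a real cert
    return cbor_encode({"fmt": "packed", "authData": AUTH_DATA, "attStmt": stmt})


if __name__ == "__main__":
    for flag in (True, False):
        print(classify_attestation(sample_attestation(flag)))
```

Real authenticators emit canonical CBOR (keys ordered by length, then bytewise); the decoder above does not depend on key order, so it reads either. A device that reports "packed" without `x5c` is not necessarily broken as a FIDO2 authenticator, but tools that insist on basic attestation, as pynitrokey's test and pamu2fcfg do here, will reject it.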

Hi, did you set up the udev rules according to the instructions?

Yes, they should be fine; I've had the key in use for quite a while. My backup key works flawlessly. I didn't reinstall the rules again, though.

What does ls -la /dev/hidraw* say?
It looks like your user has no access to it.

The following:

ls -la /dev/hidraw5
crw-rw----+ 1 root root 234, 5 Okt 15 11:27 /dev/hidraw5

Perhaps worth mentioning: the problem occurs on both PCs I use.

Some time ago I also had problems with the hidraw permissions on Manjaro.
After a long search I adjusted the file 41-nitrokey.rules. For each device I added the following:
GROUP="pierre", MODE="0660",

# Nitrokey U2F
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="f1d0", GROUP="pierre", MODE="0660", TAG+="uaccess"
# Nitrokey FIDO U2F
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="4287", GROUP="pierre", MODE="0660", TAG+="uaccess"
# Nitrokey FIDO2
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42b1", GROUP="pierre", MODE="0660", TAG+="uaccess"
# Nitrokey 3A Mini/3A NFC/3C NFC
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42b2", GROUP="pierre", MODE="0660", TAG+="uaccess"
# Nitrokey 3A NFC Bootloader/3C NFC Bootloader
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42dd", GROUP="pierre", MODE="0660", TAG+="uaccess"
# Nitrokey 3A Mini Bootloader
ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42e8", GROUP="pierre", MODE="0660", TAG+="uaccess"

LABEL="u2f_end"


SUBSYSTEM!="usb", GOTO="gnupg_rules_end"
ACTION!="add", GOTO="gnupg_rules_end"

# USB SmartCard Readers
## Crypto Stick 1.2
ATTR{idVendor}=="20a0", ATTR{idProduct}=="4107", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP="<my_group>", MODE="0660", TAG+="uaccess"
## Nitrokey Pro
ATTR{idVendor}=="20a0", ATTR{idProduct}=="4108", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP="<my_group>", MODE="0660", TAG+="uaccess"
## Nitrokey Pro Bootloader
ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42b4", GROUP="<my_group>", MODE="0660", TAG+="uaccess"
## Nitrokey Storage
ATTR{idVendor}=="20a0", ATTR{idProduct}=="4109", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP="<my_group>", MODE="0660", TAG+="uaccess"
## Nitrokey Storage Bootloader
ATTR{idVendor}=="03eb", ATTR{idProduct}=="2ff1", GROUP="<my_group>", TAG+="uaccess"
## Nitrokey Start
ATTR{idVendor}=="20a0", ATTR{idProduct}=="4211", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP="<my_group>", MODE="0660", TAG+="uaccess"
## Nitrokey HSM
ATTR{idVendor}=="20a0", ATTR{idProduct}=="4230", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP="<my_group>", MODE="0660", TAG+="uaccess"

LABEL="gnupg_rules_end"


# Nitrokey Storage dev Entry
KERNEL=="sd?1", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="4109", SYMLINK+="nitrospace", GROUP="<my_group>", MODE="0660", TAG+="uaccess"

Maybe the change will help you too.
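The ls -la exchange above and the udev rules in this post are really one check: can the current user open the hidraw node, and if not, which idVendor/idProduct must a rule match? The following is an added shell example, not from the thread or from Nitrokey's rules file: it tests read/write access to a hidraw node and, on failure, prints the node's permissions and the USB vendor/product attributes udev sees, which is what the KERNEL=="hidraw*" rules key on. The device path is an argument; /dev/hidraw7 from the log is only the default, and the udevadm call is skipped where the tool is absent.

```sh
#!/bin/sh
# Added example (not from the thread). Usage: hidraw_access [/dev/hidrawN]
# Exit status: 0 accessible, 1 node exists but not accessible, 2 no such node.
hidraw_access() {
    dev="${1:-/dev/hidraw7}"   # default taken from the thread's log; assumption
    if [ ! -e "$dev" ]; then
        echo "$dev: no such device node" >&2
        return 2
    fi
    if [ -r "$dev" ] && [ -w "$dev" ]; then
        echo "$dev: read/write OK for $(id -un)"
        return 0
    fi
    echo "$dev: not accessible for $(id -un)" >&2
    ls -la "$dev" >&2
    # The udev rule must match these attributes of the parent USB device.
    if command -v udevadm >/dev/null 2>&1; then
        udevadm info -a -n "$dev" 2>/dev/null \
            | grep -E 'ATTRS\{id(Vendor|Product)\}' | head -n 2 >&2
    fi
    return 1
}

# Stand-alone run: check the default node (or the one given on the command line).
if [ "${0##*/}" != "sh" ] && [ -n "$HIDRAW_ACCESS_MAIN" ]; then
    hidraw_access "$@"
fi
```

A node showing `crw-rw----+ 1 root root` with the `+` ACL marker, as in the thread, is accessible only if the logind `uaccess` ACL was actually applied for the active seat; `getfacl /dev/hidrawN` shows whether the user's ACL entry is present, and `udevadm trigger` after editing rules re-applies them without a replug.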

I’ve tried the changes you mentioned above, still the same problem. The thing is that my backup key works without issues, with and without the changes in udev rules.

Couldn't it be a hardware defect?

Question @nku: are the permissions on hidraw5 actually correct?

ls -la /dev/hidraw5
crw-rw----+ 1 root root 234, 5 Okt 15 11:27 /dev/hidraw5

Hey @DEF,

This is the magic line that tells us the internal storage of the NK3 has been erased, which pretty clearly points to a hardware fault. Please write to support (at) nitrokey (dot) com with your order number (SOxxxxxx) and we'll take care of it.

For background: here the internal flash memory is empty for some reason. Honestly, this is the first time we have seen this with a Nitrokey 3Ax in the field, so I suspect a hardware problem. (Possibly even something in the MCU.)

Best regards

OK, understood.

Thanks to everyone for the help!

Why is your device at /dev/hidraw5? On FreeBSD the path is /dev/uhid0.

Maybe… just MAYBE… everyone else in this thread is using a Linux-based system and not BSD like you?

Yep, I saw a few topics about BSD.