[NK3AM] "nitropy nk3 test" fails for an out-of-the-box device

I’ve received my Nitrokey 3A Mini in the mail today and started to test it with “nitropy” (0.4.26) using the command “nitropy nk3 test”, which failed with the following output:

Command line tool to interact with Nitrokey devices 0.4.26
Found 1 Nitrokey 3 device(s):
- Nitrokey 3 at /dev/hidraw0

Running tests for Nitrokey 3 at /dev/hidraw0

[1/3]	UUID query              	SUCCESS  	E18721AB5FBC1C630000000000000000
[2/3]	Firmware version query  	SUCCESS  	v1.1.0
Please press the touch button on the device ...
[3/3]	FIDO2                   	FAILURE  	Unexpected FIDO2 cert hash for version v1.1.0: 4c331d7af869fd1d8217198b917a33d1fa503e9778da7638504a64a438661ae0

3 tests, 2 successful, 0 skipped, 1 failed

Summary: 1 device(s) tested, 0 successful, 1 failed

Critical error:
Test failed for 1 device(s)

FIDO2 generally seems to be working but I’m a bit worried what’s wrong there.

Edit:

Had a quick look at nitropy’s code on GitHub and it could just be that the hashes have been changed with firmware version 1.1.0, while nitropy only has hashes up to version 1.0.3 (see https://github.com/Nitrokey/pynitrokey/blob/bf3cdfa6e87055a82ca9e0ea22086614c2095fbb/pynitrokey/cli/nk3/test.py#L30).

Hey @dmrauh,

yes, you are too fast :wink: pynitrokey needs a new release with the needed changes, it will be released today! So version 0.4.27 should not throw this error anymore.

edit: as an explanation of what happens here: the nRF52 models are delivered with another set of FIDO2 certificates, this is exactly what you see there. This PR introduced the new hash, which is btw. the one you posted. So it’s all fine for your device.

best


For the sake of completeness: Release v0.4.27.nitrokey · Nitrokey/pynitrokey · GitHub
PyPI should have it available, too…

I got around to testing the v0.4.27 release of pynitrokey today and “nitropy nk3 test” is still throwing an error for me:

Command line tool to interact with Nitrokey devices 0.4.27
Found 1 Nitrokey 3 device(s):
- Nitrokey 3 at /dev/hidraw0

Running tests for Nitrokey 3 at /dev/hidraw0

[1/3]	UUID query              	SUCCESS  	E18721AB5FBC1C630000000000000000
[2/3]	Firmware version query  	SUCCESS  	v1.1.0
Please press the touch button on the device ...
[3/3]	FIDO2                   	FAILURE  	'x5c'

3 tests, 2 successful, 0 skipped, 1 failed

Summary: 1 device(s) tested, 0 successful, 1 failed

Critical error:
Test failed for 1 device(s)

where the relevant part of the log says:

3772      ERROR pynitrokey.cli.nk3.test An exception occured during the execution of the test FIDO2:
Traceback (most recent call last):
  File "/home/dmrauh/.local/lib/python3.10/site-packages/pynitrokey/cli/nk3/test.py", line 225, in run_tests
    result = test_case.fn(ctx, device)
  File "/home/dmrauh/.local/lib/python3.10/site-packages/pynitrokey/cli/nk3/test.py", line 173, in test_fido2
    cert = make_credential_result.attestation_object.att_stmt["x5c"]
KeyError: 'x5c'

Edit:

This issue is most likely related: nk3 test: Improve error message if FIDO2 attestion cert is missing · Issue #253 · Nitrokey/pynitrokey · GitHub

Question is, whether my Nitrokey is faulty or the test suite :slight_smile:
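The two failures in this thread (an unrecognised certificate hash, then a `KeyError` on a missing `x5c`) can be told apart by a check like the following. This is an added example, not part of any post and not pynitrokey's own code; the function name and status strings are hypothetical, and it assumes the reference value is the SHA-256 of the first DER certificate in `x5c`.

```python
import hashlib

# Hash quoted in the thread for firmware v1.1.0 (nRF52 certificate set).
KNOWN_CERT_HASHES = {
    "v1.1.0": {"4c331d7af869fd1d8217198b917a33d1fa503e9778da7638504a64a438661ae0"},
}


def check_attestation(att_stmt, firmware_version, known=KNOWN_CERT_HASHES):
    """Classify a FIDO2 attestation statement; returns (status, detail).

    Hypothetical helper. Assumes the reference value is the SHA-256 of the
    first (leaf) DER certificate in x5c.
    """
    # .get() instead of att_stmt["x5c"]: a statement without a certificate
    # chain becomes a reportable result rather than a KeyError.
    chain = att_stmt.get("x5c")
    if not chain:
        present = ", ".join(sorted(att_stmt)) or "none"
        return "missing", f"no x5c certificate chain (fields present: {present})"
    digest = hashlib.sha256(chain[0]).hexdigest()
    expected = known.get(firmware_version)
    if expected is None:
        return "unknown-version", f"no reference hash for {firmware_version}: {digest}"
    if digest not in expected:
        return "mismatch", f"unexpected cert hash for {firmware_version}: {digest}"
    return "ok", digest


if __name__ == "__main__":
    # Constructed inputs: stand-in bytes, not a real attestation certificate.
    fake_cert = b"constructed stand-in for DER certificate bytes"
    table = {"v1.1.0": {hashlib.sha256(fake_cert).hexdigest()}}
    print(check_attestation({"x5c": [fake_cert]}, "v1.1.0", table))   # ok
    print(check_attestation({"x5c": [fake_cert]}, "v1.1.0"))          # mismatch
    print(check_attestation({"alg": -7, "sig": b"\x00"}, "v1.1.0"))   # missing
```

A "mismatch" or "unknown-version" result points at an out-of-date reference table, while "missing" means the device returned no attestation certificate at all.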

Hey,

this is clearly not expected,
can you please write to support (at) nitrokey (com) with your S0xxxxxx to clarify this issue.

best

After my Nitrokey has been replaced, the new one is working fine :slight_smile:
