Troubleshooting Nitrokey opcard-rs compatibility issue with OpenPGPpy

I’m trying to figure out why Nitrokey opcard-rs isn’t working with OpenPGPpy. From what I know, they should be communicating through APDU over CCID. Any OpenPGP card that works with gnupg should work with OpenPGPpy too. However, it seems like the reader isn’t being detected by pyscard, which is the library used by OpenPGPpy to interact with CCID at a low level. What could be causing this problem?

I used pdb to step through the following code that recreates the issue:

import logging
logger = logging.getLogger("OpenPGPpy.openpgp_card")
logger.setLevel(logging.DEBUG)
handler = logging.StreamHandler()
handler.setLevel(logging.DEBUG)
formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
handler.setFormatter(formatter)
logger.addHandler(handler)
import OpenPGPpy
mydevice = OpenPGPpy.OpenPGPcard()

Nitrokey Start works, opcard-rs not - while both work with gnupg.

Can you share the output of pcsc_scan -r directly before running the Python script with the Nitrokey 3 and the log messages? For me your test script works without issues with OpenPGPpy 1.1.

What’s your libccid version? Nitrokey 3 support was added in 1.5.0. It looks like you might be using an older libccid. In that case, you can manually update the device database, see: gpg does not recognized the nitrokey · Issue #263 · Nitrokey/nitrokey-3-firmware · GitHub

Thanks. This most likely fixed it. I am using libccid 1.4.34-1 and with updated plist and restarting pcscd I could detect the opcard-rs.

I am pretty sure that openpgpcard-x25519-agent for wireguard will work but cannot test it right now.

While the card is being detected, opcard-rs behaves differently compared to a Nitrokey Start:

# /opt/venvs/openpgpcard-x25519-agent/bin/openpgpcard-x25519-agent --test -vv
2023-05-18 08:10:40,929 openpgpcard_x25519_agent.cnf DEBUG: init logging at DEBUG
2023-05-18 08:10:41,000 OpenPGPpy.openpgp_card DEBUG: Available readers :
2023-05-18 08:10:41,001 OpenPGPpy.openpgp_card DEBUG:  - Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
2023-05-18 08:10:41,001 OpenPGPpy.openpgp_card DEBUG: Using reader index #0
2023-05-18 08:10:41,002 OpenPGPpy.openpgp_card DEBUG: Trying with reader : Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
2023-05-18 08:10:41,003 OpenPGPpy.openpgp_card DEBUG:  Sending 0xA4 command with 6 bytes data
2023-05-18 08:10:41,004 OpenPGPpy.openpgp_card DEBUG: -> 00 A4 04 00 06 D2 76 00 01 24 01
2023-05-18 08:10:41,028 OpenPGPpy.openpgp_card DEBUG:  Received 0 bytes data : SW 0x9000 - duration: 23.8 ms
2023-05-18 08:10:41,029 OpenPGPpy.openpgp_card DEBUG: An OpenPGP applet detected, using Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
2023-05-18 08:10:41,029 OpenPGPpy.openpgp_card DEBUG: Read Data  in 0x004F
2023-05-18 08:10:41,030 OpenPGPpy.openpgp_card DEBUG:  Sending 0xCA command with 0 bytes data
2023-05-18 08:10:41,030 OpenPGPpy.openpgp_card DEBUG: -> 00 CA 00 4F 00
2023-05-18 08:10:41,054 OpenPGPpy.openpgp_card DEBUG:  Received 16 bytes data : SW 0x9000 - duration: 23.6 ms
2023-05-18 08:10:41,055 OpenPGPpy.openpgp_card DEBUG: <- D2 76 00 01 24 01 03 04 00 0F EE C2 2E E1 00 00
2023-05-18 08:10:41,055 OpenPGPpy.openpgp_card DEBUG: PGP version : 3.4
2023-05-18 08:10:41,056 OpenPGPpy.openpgp_card DEBUG: Manufacturer : - unknown - (0x000F)
2023-05-18 08:10:41,056 OpenPGPpy.openpgp_card DEBUG: Serial : 4005703393
2023-05-18 08:10:41,057 OpenPGPpy.openpgp_card DEBUG: Read Data  in 0x006E
2023-05-18 08:10:41,057 OpenPGPpy.openpgp_card DEBUG:  Sending 0xCA command with 0 bytes data
2023-05-18 08:10:41,058 OpenPGPpy.openpgp_card DEBUG:   with Le=65536
2023-05-18 08:10:41,058 OpenPGPpy.openpgp_card DEBUG: -> 00 CA 00 6E 00 00 00 00 00
2023-05-18 08:10:41,122 OpenPGPpy.openpgp_card DEBUG:  Received 267 bytes data : SW 0x9000 - duration: 63.8 ms
2023-05-18 08:10:41,123 OpenPGPpy.openpgp_card DEBUG: <- 4F 10 D2 76 00 01 24 01 03 04 00 0F EE C2 2E E1 00 00 5F 52 0A 00 31 F5 73 C0 01 60 05 90 00 7F 66 08 02 02 1D B9 02 02 1D B9 7F 74 03 81 01 20 73 81 D8 C0 0A 3F 00 10 00 10 00 10 00 00 01 C1 0A 16 2B 06 01 04 01 DA 47 0F 01 C2 0B 12 2B 06 01 04 01 97 55 01 05 01 C3 0A 16 2B 06 01 04 01 DA 47 0F 01 C4 07 00 7F 7F 7F 03 00 03 C5 3C 9A E8 38 68 42 86 BD 9C A3 A3 E8 52 61 57 9C 7D 8B 7F 69 1B AB 89 70 62 1B 3D 2B 7B 28 94 71 9D E8 82 A8 8F D8 2A D9 06 CD 75 79 09 F5 DD CA 4B 63 2A 79 9F 46 3C 16 92 B2 B7 65 1A C6 3C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CD 0C 64 5D 37 E1 64 5D 37 E1 64 5D 37 E1 DE 06 01 01 02 01 03 01 D6 02 00 20 D7 02 00 20 D8 02 00 20
2023-05-18 08:10:41,124 OpenPGPpy.openpgp_card DEBUG: Read Data  in 0x7F66
2023-05-18 08:10:41,125 OpenPGPpy.openpgp_card DEBUG:  Sending 0xCA command with 0 bytes data
2023-05-18 08:10:41,125 OpenPGPpy.openpgp_card DEBUG:   with Le=65536
2023-05-18 08:10:41,125 OpenPGPpy.openpgp_card DEBUG: -> 00 CA 7F 66 00 00 00 00 00
2023-05-18 08:10:41,150 OpenPGPpy.openpgp_card DEBUG:  Received 8 bytes data : SW 0x9000 - duration: 23.8 ms
2023-05-18 08:10:41,150 OpenPGPpy.openpgp_card DEBUG: <- 02 02 1D B9 02 02 1D B9
2023-05-18 08:10:41,151 OpenPGPpy.openpgp_card DEBUG: Read Data  in 0x7F74
2023-05-18 08:10:41,151 OpenPGPpy.openpgp_card DEBUG:  Sending 0xCA command with 0 bytes data
2023-05-18 08:10:41,152 OpenPGPpy.openpgp_card DEBUG:   with Le=65536
2023-05-18 08:10:41,152 OpenPGPpy.openpgp_card DEBUG: -> 00 CA 7F 74 00 00 00 00 00
2023-05-18 08:10:41,176 OpenPGPpy.openpgp_card DEBUG:  Received 3 bytes data : SW 0x9000 - duration: 23.7 ms
2023-05-18 08:10:41,177 OpenPGPpy.openpgp_card DEBUG: <- 81 01 20
2023-05-18 08:10:41,177 OpenPGPpy.openpgp_card DEBUG: Button ? Yes
2023-05-18 08:10:41,178 OpenPGPpy.openpgp_card DEBUG: Read Data  in 0x006E
2023-05-18 08:10:41,178 OpenPGPpy.openpgp_card DEBUG:  Sending 0xCA command with 0 bytes data
2023-05-18 08:10:41,178 OpenPGPpy.openpgp_card DEBUG:   with Le=65536
2023-05-18 08:10:41,179 OpenPGPpy.openpgp_card DEBUG: -> 00 CA 00 6E 00 00 00 00 00
2023-05-18 08:10:41,243 OpenPGPpy.openpgp_card DEBUG:  Received 267 bytes data : SW 0x9000 - duration: 63.9 ms
2023-05-18 08:10:41,244 OpenPGPpy.openpgp_card DEBUG: <- 4F 10 D2 76 00 01 24 01 03 04 00 0F EE C2 2E E1 00 00 5F 52 0A 00 31 F5 73 C0 01 60 05 90 00 7F 66 08 02 02 1D B9 02 02 1D B9 7F 74 03 81 01 20 73 81 D8 C0 0A 3F 00 10 00 10 00 10 00 00 01 C1 0A 16 2B 06 01 04 01 DA 47 0F 01 C2 0B 12 2B 06 01 04 01 97 55 01 05 01 C3 0A 16 2B 06 01 04 01 DA 47 0F 01 C4 07 00 7F 7F 7F 03 00 03 C5 3C 9A E8 38 68 42 86 BD 9C A3 A3 E8 52 61 57 9C 7D 8B 7F 69 1B AB 89 70 62 1B 3D 2B 7B 28 94 71 9D E8 82 A8 8F D8 2A D9 06 CD 75 79 09 F5 DD CA 4B 63 2A 79 9F 46 3C 16 92 B2 B7 65 1A C6 3C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CD 0C 64 5D 37 E1 64 5D 37 E1 64 5D 37 E1 DE 06 01 01 02 01 03 01 D6 02 00 20 D7 02 00 20 D8 02 00 20
2023-05-18 08:10:41,245 OpenPGPpy.openpgp_card DEBUG:  Sending 0x47 command with 2 bytes data
2023-05-18 08:10:41,246 OpenPGPpy.openpgp_card DEBUG:   with Le=65536
2023-05-18 08:10:41,246 OpenPGPpy.openpgp_card DEBUG: -> 00 47 81 00 00 00 02 B8 00 00 00
2023-05-18 08:10:41,307 OpenPGPpy.openpgp_card DEBUG:  Received 37 bytes data : SW 0x9000 - duration: 60.9 ms
2023-05-18 08:10:41,308 OpenPGPpy.openpgp_card DEBUG: <- 7F 49 22 86 20 F1 CF C0 5C 3E 97 65 DB 05 5C 7F 51 1F 58 88 2B 35 69 B6 89 53 50 4E 81 4C 07 6A 44 0B FD F6 19
2023-05-18 08:10:41,308 OpenPGPpy.openpgp_card DEBUG:  Sending 0x20 command with 0 bytes data
2023-05-18 08:10:41,309 OpenPGPpy.openpgp_card DEBUG: -> 00 20 00 81 00
2023-05-18 08:10:41,339 OpenPGPpy.openpgp_card DEBUG:  Received 0 bytes data : SW 0x63C3 - duration: 29.9 ms
Card Index: 0x0
Card Name: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
Serial Number: 0xeec22ee1
Manufacturer: 0x000F (- unknown -)
OpenPGP Version: 3.4
Signature Key: ed25519
Encryption Key: x25519 (8c/AXD6XZdsFXH9RH1iIKzVptolTUE6BTAdqRAv99hk=)
Authentication Key: ed25519
PIN Status: 3 tries remaining
Enter card user PIN:

2023-05-18 08:10:45,355 openpgpcard_x25519_agent.card DEBUG: sending command to card: 0 2a 80 86 + 27 bytes
2023-05-18 08:10:45,382 openpgpcard_x25519_agent.card DEBUG: received response from card: 6a 80 + 0 bytes
Traceback (most recent call last):
  File "/opt/venvs/openpgpcard-x25519-agent/bin/openpgpcard-x25519-agent", line 8, in <module>
    sys.exit(main())
  File "/opt/venvs/openpgpcard-x25519-agent/lib/python3.7/site-packages/openpgpcard_x25519_agent/cli.py", line 48, in main
    test(args["--card"])
  File "/opt/venvs/openpgpcard-x25519-agent/lib/python3.7/site-packages/openpgpcard_x25519_agent/cli.py", line 87, in test
    test_card(card)
  File "/opt/venvs/openpgpcard-x25519-agent/lib/python3.7/site-packages/openpgpcard_x25519_agent/card.py", line 352, in test_card
    calculate_shared_secret(card, bytearray(b"\xff" * 32), pin)
  File "/opt/venvs/openpgpcard-x25519-agent/lib/python3.7/site-packages/openpgpcard_x25519_agent/card.py", line 326, in calculate_shared_secret
    raise e
  File "/opt/venvs/openpgpcard-x25519-agent/lib/python3.7/site-packages/openpgpcard_x25519_agent/card.py", line 323, in calculate_shared_secret
    return calculate_x25519_shared_secret(card, public_key)
  File "/opt/venvs/openpgpcard-x25519-agent/lib/python3.7/site-packages/openpgpcard_x25519_agent/card.py", line 298, in calculate_x25519_shared_secret
    return send_simple_command(card, 0, 0x2A, 0x80, 0x86, data)
  File "/opt/venvs/openpgpcard-x25519-agent/lib/python3.7/site-packages/openpgpcard_x25519_agent/card.py", line 210, in send_simple_command
    raise PGPCardException(status_1, status_2)
OpenPGPpy.openpgp_card.PGPCardException: Error status : 0x6A80

AFAIR 0x6A80 means that a parameter in the data field is incorrect.

$ pip freeze
docopt-ng==0.8.1
importlib-metadata==6.6.0
openpgpcard-x25519-agent @ file:///home/pi/git/openpgpcard-x25519-agent/dist/openpgpcard_x25519_agent-0.1.dev24%2Bgc244601.d20230518-py3-none-any.whl#sha256=61a63ca379aef904998ec184c6036824d1461d774817ac5560b7550dc2f8e5ab
OpenPGPpy==1.1
packaging==23.1
pkg_resources==0.0.0
pyscard==2.0.3
setuptools-scm==7.1.0
tomli==2.0.1
typing_extensions==4.5.0
zipp==3.15.0

(created an openpgpcard-x25519-agent wheel to run on python 3.7.3 instead of python>=3.8)

For reference, here’s the openpgpcard-x25519-agent repository: ~arx10/openpgpcard-x25519-agent - socket interface to Curve25519 ECDH from an OpenPGP card - sourcehut git

It looks like the data that is sent with the PSO: Decipher command does not match the expected structure. Can you modify _send_command_and_zero in card.py to log the full command and share it here?

@robin-nitrokey

I had access again to modify the _send_command_and_zero function in card.py to just print out the complete command:

0 42 128 134 39 166 37 127 73 34 134 32 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255
# /opt/venvs/openpgpcard-x25519-agent/bin/openpgpcard-x25519-agent --test -vv
2023-05-31 17:14:56,805 openpgpcard_x25519_agent.cnf DEBUG: init logging at DEBUG
2023-05-31 17:14:56,807 OpenPGPpy.openpgp_card DEBUG: Available readers :
2023-05-31 17:14:56,807 OpenPGPpy.openpgp_card DEBUG:  - Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
2023-05-31 17:14:56,807 OpenPGPpy.openpgp_card DEBUG: Using reader index #0
2023-05-31 17:14:56,807 OpenPGPpy.openpgp_card DEBUG: Trying with reader : Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
2023-05-31 17:14:56,809 OpenPGPpy.openpgp_card DEBUG:  Sending 0xA4 command with 6 bytes data
2023-05-31 17:14:56,809 OpenPGPpy.openpgp_card DEBUG: -> 00 A4 04 00 06 D2 76 00 01 24 01
2023-05-31 17:14:56,834 OpenPGPpy.openpgp_card DEBUG:  Received 0 bytes data : SW 0x9000 - duration: 24.8 ms
2023-05-31 17:14:56,835 OpenPGPpy.openpgp_card DEBUG: An OpenPGP applet detected, using Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
2023-05-31 17:14:56,835 OpenPGPpy.openpgp_card DEBUG: Read Data  in 0x004F
2023-05-31 17:14:56,835 OpenPGPpy.openpgp_card DEBUG:  Sending 0xCA command with 0 bytes data
2023-05-31 17:14:56,835 OpenPGPpy.openpgp_card DEBUG: -> 00 CA 00 4F 00
2023-05-31 17:14:56,860 OpenPGPpy.openpgp_card DEBUG:  Received 16 bytes data : SW 0x9000 - duration: 24.8 ms
2023-05-31 17:14:56,860 OpenPGPpy.openpgp_card DEBUG: <- D2 76 00 01 24 01 03 04 00 0F EE C2 2E E1 00 00
2023-05-31 17:14:56,861 OpenPGPpy.openpgp_card DEBUG: PGP version : 3.4
2023-05-31 17:14:56,861 OpenPGPpy.openpgp_card DEBUG: Manufacturer : - unknown - (0x000F)
2023-05-31 17:14:56,861 OpenPGPpy.openpgp_card DEBUG: Serial : 4005703393
2023-05-31 17:14:56,861 OpenPGPpy.openpgp_card DEBUG: Read Data  in 0x006E
2023-05-31 17:14:56,861 OpenPGPpy.openpgp_card DEBUG:  Sending 0xCA command with 0 bytes data
2023-05-31 17:14:56,861 OpenPGPpy.openpgp_card DEBUG:   with Le=65536
2023-05-31 17:14:56,861 OpenPGPpy.openpgp_card DEBUG: -> 00 CA 00 6E 00 00 00 00 00
2023-05-31 17:14:56,928 OpenPGPpy.openpgp_card DEBUG:  Received 267 bytes data : SW 0x9000 - duration: 66.1 ms
2023-05-31 17:14:56,928 OpenPGPpy.openpgp_card DEBUG: <- 4F 10 D2 76 00 01 24 01 03 04 00 0F EE C2 2E E1 00 00 5F 52 0A 00 31 F5 73 C0 01 60 05 90 00 7F 66 08 02 02 1D B9 02 02 1D B9 7F 74 03 81 01 20 73 81 D8 C0 0A 3F 00 10 00 10 00 10 00 00 01 C1 0A 16 2B 06 01 04 01 DA 47 0F 01 C2 0B 12 2B 06 01 04 01 97 55 01 05 01 C3 0A 16 2B 06 01 04 01 DA 47 0F 01 C4 07 00 7F 7F 7F 03 00 03 C5 3C 9A E8 38 68 42 86 BD 9C A3 A3 E8 52 61 57 9C 7D 8B 7F 69 1B AB 89 70 62 1B 3D 2B 7B 28 94 71 9D E8 82 A8 8F D8 2A D9 06 CD 75 79 09 F5 DD CA 4B 63 2A 79 9F 46 3C 16 92 B2 B7 65 1A C6 3C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CD 0C 64 5D 37 E1 64 5D 37 E1 64 5D 37 E1 DE 06 01 01 02 01 03 01 D6 02 00 20 D7 02 00 20 D8 02 00 20
2023-05-31 17:14:56,929 OpenPGPpy.openpgp_card DEBUG: Read Data  in 0x7F66
2023-05-31 17:14:56,929 OpenPGPpy.openpgp_card DEBUG:  Sending 0xCA command with 0 bytes data
2023-05-31 17:14:56,929 OpenPGPpy.openpgp_card DEBUG:   with Le=65536
2023-05-31 17:14:56,929 OpenPGPpy.openpgp_card DEBUG: -> 00 CA 7F 66 00 00 00 00 00
2023-05-31 17:14:56,954 OpenPGPpy.openpgp_card DEBUG:  Received 8 bytes data : SW 0x9000 - duration: 24.8 ms
2023-05-31 17:14:56,954 OpenPGPpy.openpgp_card DEBUG: <- 02 02 1D B9 02 02 1D B9
2023-05-31 17:14:56,955 OpenPGPpy.openpgp_card DEBUG: Read Data  in 0x7F74
2023-05-31 17:14:56,955 OpenPGPpy.openpgp_card DEBUG:  Sending 0xCA command with 0 bytes data
2023-05-31 17:14:56,955 OpenPGPpy.openpgp_card DEBUG:   with Le=65536
2023-05-31 17:14:56,955 OpenPGPpy.openpgp_card DEBUG: -> 00 CA 7F 74 00 00 00 00 00
2023-05-31 17:14:56,980 OpenPGPpy.openpgp_card DEBUG:  Received 3 bytes data : SW 0x9000 - duration: 24.9 ms
2023-05-31 17:14:56,980 OpenPGPpy.openpgp_card DEBUG: <- 81 01 20
2023-05-31 17:14:56,980 OpenPGPpy.openpgp_card DEBUG: Button ? Yes
2023-05-31 17:14:56,981 OpenPGPpy.openpgp_card DEBUG: Read Data  in 0x006E
2023-05-31 17:14:56,981 OpenPGPpy.openpgp_card DEBUG:  Sending 0xCA command with 0 bytes data
2023-05-31 17:14:56,981 OpenPGPpy.openpgp_card DEBUG:   with Le=65536
2023-05-31 17:14:56,981 OpenPGPpy.openpgp_card DEBUG: -> 00 CA 00 6E 00 00 00 00 00
2023-05-31 17:14:57,047 OpenPGPpy.openpgp_card DEBUG:  Received 267 bytes data : SW 0x9000 - duration: 66.1 ms
2023-05-31 17:14:57,048 OpenPGPpy.openpgp_card DEBUG: <- 4F 10 D2 76 00 01 24 01 03 04 00 0F EE C2 2E E1 00 00 5F 52 0A 00 31 F5 73 C0 01 60 05 90 00 7F 66 08 02 02 1D B9 02 02 1D B9 7F 74 03 81 01 20 73 81 D8 C0 0A 3F 00 10 00 10 00 10 00 00 01 C1 0A 16 2B 06 01 04 01 DA 47 0F 01 C2 0B 12 2B 06 01 04 01 97 55 01 05 01 C3 0A 16 2B 06 01 04 01 DA 47 0F 01 C4 07 00 7F 7F 7F 03 00 03 C5 3C 9A E8 38 68 42 86 BD 9C A3 A3 E8 52 61 57 9C 7D 8B 7F 69 1B AB 89 70 62 1B 3D 2B 7B 28 94 71 9D E8 82 A8 8F D8 2A D9 06 CD 75 79 09 F5 DD CA 4B 63 2A 79 9F 46 3C 16 92 B2 B7 65 1A C6 3C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CD 0C 64 5D 37 E1 64 5D 37 E1 64 5D 37 E1 DE 06 01 01 02 01 03 01 D6 02 00 20 D7 02 00 20 D8 02 00 20
2023-05-31 17:14:57,049 OpenPGPpy.openpgp_card DEBUG:  Sending 0x47 command with 2 bytes data
2023-05-31 17:14:57,049 OpenPGPpy.openpgp_card DEBUG:   with Le=65536
2023-05-31 17:14:57,049 OpenPGPpy.openpgp_card DEBUG: -> 00 47 81 00 00 00 02 B8 00 00 00
2023-05-31 17:14:57,111 OpenPGPpy.openpgp_card DEBUG:  Received 37 bytes data : SW 0x9000 - duration: 62.1 ms
2023-05-31 17:14:57,112 OpenPGPpy.openpgp_card DEBUG: <- 7F 49 22 86 20 F1 CF C0 5C 3E 97 65 DB 05 5C 7F 51 1F 58 88 2B 35 69 B6 89 53 50 4E 81 4C 07 6A 44 0B FD F6 19
2023-05-31 17:14:57,112 OpenPGPpy.openpgp_card DEBUG:  Sending 0x20 command with 0 bytes data
2023-05-31 17:14:57,112 OpenPGPpy.openpgp_card DEBUG: -> 00 20 00 81 00
2023-05-31 17:14:57,143 OpenPGPpy.openpgp_card DEBUG:  Received 0 bytes data : SW 0x63C3 - duration: 31.1 ms
Card Index: 0x0
Card Name: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
Serial Number: 0xeec22ee1
Manufacturer: 0x000F (- unknown -)
OpenPGP Version: 3.4
Signature Key: ed25519
Encryption Key: x25519 (8c/AXD6XZdsFXH9RH1iIKzVptolTUE6BTAdqRAv99hk=)
Authentication Key: ed25519
PIN Status: 3 tries remaining
Enter card user PIN:

2023-05-31 17:15:00,081 openpgpcard_x25519_agent.card DEBUG: sending command to card: 0 2a 80 86 + 27 bytes
FULL COMMAND START
0 42 128 134 39 166 37 127 73 34 134 32 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255
FULL COMMAND END
2023-05-31 17:15:00,108 openpgpcard_x25519_agent.card DEBUG: received response from card: 6a 80 + 0 bytes
Traceback (most recent call last):
  File "/opt/venvs/openpgpcard-x25519-agent/bin/openpgpcard-x25519-agent", line 8, in <module>
    sys.exit(main())
  File "/opt/venvs/openpgpcard-x25519-agent/lib/python3.7/site-packages/openpgpcard_x25519_agent/cli.py", line 48, in main
    test(args["--card"])
  File "/opt/venvs/openpgpcard-x25519-agent/lib/python3.7/site-packages/openpgpcard_x25519_agent/cli.py", line 87, in test
    test_card(card)
  File "/opt/venvs/openpgpcard-x25519-agent/lib/python3.7/site-packages/openpgpcard_x25519_agent/card.py", line 356, in test_card
    calculate_shared_secret(card, bytearray(b"\xff" * 32), pin)
  File "/opt/venvs/openpgpcard-x25519-agent/lib/python3.7/site-packages/openpgpcard_x25519_agent/card.py", line 330, in calculate_shared_secret
    raise e
  File "/opt/venvs/openpgpcard-x25519-agent/lib/python3.7/site-packages/openpgpcard_x25519_agent/card.py", line 327, in calculate_shared_secret
    return calculate_x25519_shared_secret(card, public_key)
  File "/opt/venvs/openpgpcard-x25519-agent/lib/python3.7/site-packages/openpgpcard_x25519_agent/card.py", line 302, in calculate_x25519_shared_secret
    return send_simple_command(card, 0, 0x2A, 0x80, 0x86, data)
  File "/opt/venvs/openpgpcard-x25519-agent/lib/python3.7/site-packages/openpgpcard_x25519_agent/card.py", line 210, in send_simple_command
    raise PGPCardException(status_1, status_2)
OpenPGPpy.openpgp_card.PGPCardException: Error status : 0x6A80

Any idea how to further troubleshoot or where the issue is coming from?

Also submitted a ticket in ~arx10/openpgpcard-wireguard-go

Opened an opcard-rs ticket with the latest info.

Seems like the key derive works but the 32 bytes test public key containing only 0xff.

From: ~arx10/openpgpcard-wireguard-go#2: Invalid status 0x6A80 returned when using opcard-rs OpenPGP card on Nitrokey 3 — sourcehut todo

Ah, thanks for trying that out! It must be the case that 32 0xFF bytes is a magic value for the Nitrokey 3 or its firmware – I will fix the test_card() function to use a more “realistic” test value (xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=), which shouldn’t trigger a “false positive” failure on any cards. The opcard-rs developers might want to investigate why that particular value doesn’t work – but as long as it’s just that value (or just that and a few other special values), it shouldn’t affect real-world use of the agent.
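Added example, not part of the original thread or of either project's code: a small decoder for the short-form PSO: Decipher command and the status words that appear in the logs above. The function names are hypothetical, and the sample command is constructed from the decimal dump in the thread (header bytes as logged, followed by 32 bytes of 0xFF as the test key).

```python
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one BER-TLV object starting at pos."""
    tag = buf[pos]
    pos += 1
    if tag & 0x1F == 0x1F:            # e.g. 7F 49: the tag continues in a second byte
        tag = (tag << 8) | buf[pos]
        pos += 1
    length = buf[pos]
    pos += 1
    if length in (0x81, 0x82):        # long form: next 1 or 2 bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    elif length >= 0x80:
        raise ValueError("unsupported length encoding 0x%02X" % length)
    if pos + length > len(buf):
        raise ValueError("TLV 0x%X runs past the end of its container" % tag)
    return tag, bytes(buf[pos:pos + length]), pos + length

def parse_short_apdu(apdu):
    """Split a short-form command APDU into (cla, ins, p1, p2, data, le)."""
    if len(apdu) < 5:
        raise ValueError("need at least CLA INS P1 P2 Lc")
    cla, ins, p1, p2, lc = apdu[:5]   # fifth byte is treated as Lc
    rest = apdu[5:]
    if len(rest) not in (lc, lc + 1): # data alone, or data plus one Le byte
        raise ValueError("Lc=%d but %d bytes follow the header" % (lc, len(rest)))
    le = rest[lc] if len(rest) == lc + 1 else None
    return cla, ins, p1, p2, bytes(rest[:lc]), le

def ecdh_public_key(apdu):
    """Unwrap A6 -> 7F49 -> 86 from a PSO: Decipher command, return the key bytes."""
    _, ins, p1, p2, data, _ = parse_short_apdu(apdu)
    if (ins, p1, p2) != (0x2A, 0x80, 0x86):
        raise ValueError("not a PSO: Decipher command")
    value = data
    for expected in (0xA6, 0x7F49, 0x86):
        parent = value
        tag, value, end = read_tlv(parent)
        if tag != expected or end != len(parent):
            raise ValueError("expected tag 0x%X filling its container" % expected)
    return value

def describe_sw(sw):
    """Name the status words seen in the logs above."""
    if sw == 0x9000:
        return "success"
    if sw & 0xFFF0 == 0x63C0:         # low nibble carries the retry counter
        return "PIN not verified, %d tries remaining" % (sw & 0x0F)
    if sw == 0x6A80:
        return "incorrect parameters in the command data field"
    return "unrecognised status 0x%04X" % sw

# Constructed sample: the logged command header plus the all-0xFF test key.
SAMPLE_CMD = bytes([0x00, 0x2A, 0x80, 0x86, 0x27,
                    0xA6, 0x25, 0x7F, 0x49, 0x22, 0x86, 0x20]) + b"\xff" * 32

if __name__ == "__main__":
    print(ecdh_public_key(SAMPLE_CMD).hex(), "->", describe_sw(0x6A80))
```

The sample decodes to a consistent A6 / 7F49 / 86 nesting with a 32-byte value, so the lengths in the command agree with each other and the 0x6A80 points at the key value rather than the framing, in line with the last post.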