My issue seems to be similar to "Can't import NISTP521 encryption key into Nitrokey Pro 2".
I’m able to generate NIST P-521 keys, but if I try to import them onto my hardware token I get the same error as in the other question:
gpg> key 2
sec nistp521/ED5CD5B6194F3522
created: 2020-11-01 expires: never usage: SC
trust: ultimate validity: ultimate
ssb nistp521/171F4A02E938DC69
created: 2020-11-01 expires: never usage: E
ssb* nistp521/009A993E868D29E9
created: 2020-11-01 expires: never usage: S
ssb nistp521/3C7C267634A07D1B
created: 2020-11-01 expires: never usage: A
[ultimate] (1). test user (testme) <test@test.co>
gpg> keytocard
Please select where to store the key:
(1) Signature key
(3) Authentication key
Your selection? 1
gpg: KEYTOCARD failed: Invalid value
On this test I was able to import my authentication key, but not the encryption or signing keys. Attempting to import the primary key also fails with the same error.
I’ve been trying this several different ways, and most of the time I can’t import any of the keys. I’ve also tried configuring the card for nistp521 keys using the gpg-connect-agent commands from Nitrokey’s announcement of ECC support, modified to specify nistp521t1. These configure each key slot correctly, but when I go to generate the keys, I get an error: gpg: error checking the PIN: Invalid value. I’ve tested with gpg 2.2.23 and gpg4win and get the same error on both systems.
The datasheet says 521-bit ECC keys should be supported, but has anyone actually been able to use them?