I got some new Nitrokey 3A mini with firmware 1.8.1
With the old version (pre 1.8), when I scanned for slots using OpenSC, I saw 2 slots with the labels: “OpenPGP card (User PIN)” and “OpenPGP card (User PIN (sig))”.
I could login to the “OpenPGP card (User PIN (sig))” slot with admin pin and import a key (after patching and compiling OpenSC).
Now, with the new keys which I received yesterday, I see only 1 slot and that slot has the label “PIV_II”. When I try to login via Admin Pin, I get a “CKR_GENERAL_ERROR” back from OpenSC.
So my questions:
Where is the “OpenPGP card (User PIN (sig))” slot gone?
How can I find and use the OpenPGP slots in a v1.8.1 key using OpenSC?
If this is not longer working, how can I downgrade the Nitrokeys to a version prior to v1.8?
I think the issue is due to having now PIV application and opcard-rs running on the Nitrokey 3 in parallel and you need to select the driver to talk to the right application. AFIR there is a list drivers option and you could also list all readers that got detected.
OK, thank you. Now I see my OpenPGP slots again. But I get a “Failed to import private key. Exception: Method C_CreateObject returned CKR_DATA_INVALID” when trying to import a key. It worked with firmware 1.7.2.
How do I find out which parameter in my key object is invalid according to the latest firmware and why did it work with the older firmware?
OpenSC has a list of list of card drivers that test if they can work with a card. But it can only have one driver for a card active at a time in the same application. Looks like the Nitrokey now has a PIV applet as well as OpenPGP. Unfortunately the first driver found is the one used. See Environment variables · OpenSC/OpenSC Wiki · GitHub OPENSC_DRIVER=
and man page for opensc.conf. Look for “card-drivers =”. Multiple applications can have their own opensc.conf with different drivers or different order of drivers configured.
