Where are my OpenPGP slots now?

Vince · April 2, 2025, 11:34am

I got some new Nitrokey 3A mini with firmware 1.8.1

With the old version (pre 1.8), when I scanned for slots using OpenSC, I saw 2 slots with the labels: “OpenPGP card (User PIN)” and “OpenPGP card (User PIN (sig))”.
I could login to the “OpenPGP card (User PIN (sig))” slot with admin pin and import a key (after patching and compiling OpenSC).

Now, with the new keys which I received yesterday, I see only 1 slot and that slot has the label “PIV_II”. When I try to login via Admin Pin, I get a “CKR_GENERAL_ERROR” back from OpenSC.

So my questions:
Where is the “OpenPGP card (User PIN (sig))” slot gone?
How can I find and use the OpenPGP slots in a v1.8.1 key using OpenSC?

If this is not longer working, how can I downgrade the Nitrokeys to a version prior to v1.8?

nku · April 2, 2025, 11:51am

I think the issue is due to having now PIV application and opcard-rs running on the Nitrokey 3 in parallel and you need to select the driver to talk to the right application. AFIR there is a list drivers option and you could also list all readers that got detected.

/edit: opensc-tool —card-driver openpgp

Vince · April 2, 2025, 1:45pm

OK, thank you. Now I see my OpenPGP slots again. But I get a “Failed to import private key. Exception: Method C_CreateObject returned CKR_DATA_INVALID” when trying to import a key. It worked with firmware 1.7.2.

How do I find out which parameter in my key object is invalid according to the latest firmware and why did it work with the older firmware?