Nitrokey / opcard-rs

OpenPGP card implementation

OpenPGP card stuck after trying to use it in OpenKeychain #157

Closed intr-cx closed 1 year ago

intr-cx commented 1 year ago

Earlier today I moved one of my private keys to the Nitrokey 3A NFC, after updating it to v1.4.0. After trying to use it with OpenKeychain the smartcard seems soft-locked, unable to be reset.

My system is Arch Linux and I use GnuPG's scdaemon to communicate with the Nitrokey. My phone is a Google Pixel 4a with GrapheneOS (no Google Play services).

I'll try to recall the exact steps to reproduce the issue;

Here's the full output of gpg --card-status;

Reader ...........: 20A0:42B2:X:0
Application ID ...: D276000124010304000F4A6DE5A60000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: unknown
Serial number ....: redacted
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : redacted
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 cv25519 ed25519
Max. PIN lengths .: 127 127 127
PIN retry counter : 0 3 3
Signature counter : 0
KDF setting ......: off
Signature key ....: [none]
Encryption key....: redacted
      created ....: 2022-12-03 14:08:47
Authentication key: redacted
      created ....: 2022-12-03 14:08:47
General key info..: sub  cv25519/redacted 2022-12-03 redacted
sec>  ed25519/redacted  created: 2022-12-03  expires: never
                                card-no: redacted
ssb>  cv25519/redacted  created: 2022-12-03  expires: never
                                card-no: redacted

Related conversation on Matrix

I'd love to help further debug this. If more info is needed, do ask!

sosthene-nitrokey commented 1 year ago

Have you set a reset code? It looks like you have, since it shows 3 remaining attempts for the reset code (if you haven't and it shows that, it's another bug). Does the reset code successfully unblock the user PIN?

Did you previously install a test or alpha release on your nk3?

sosthene-nitrokey commented 1 year ago

Regarding the crash (red LED), it's probably caused by the CCID driver. It panics a bit too fast against invalid input :sweat_smile:

You said that it panics only after the first error message. I already encountered that with the gnuk test suite, where a failing test did not clear the CCID protocol state. Then it ran the next test and panicked the card because it was not in a "clean" protocol state.

intr-cx commented 1 year ago

Hi @sosthene-nitrokey

> Have you set a reset code?

I did, but only after finding out that the admin pin wasn't working. The reset code also did not let me change the admin or user pin, with the same "Card error" response.

> Does the reset code successfully unblock the user PIN?

Nope.

> Did you previously install a test or alpha release on your nk3?

Yes, v1.3.0-rc1.

sosthene-nitrokey commented 1 year ago

Thanks for the details.

> Yes, v1.3.0-rc1.

This release candidate did not include the OpenPGP application, so it should not have affected the state of the OpenPGP application, even in stable releases, and shouldn't be the cause of the bug.

Some operations are not totally atomic, and could lead to inconsistent state after a crash, but this should not be the case here since the crash did not happen with a PIN-related operation.

AnotherStranger commented 1 year ago

Hey @sosthene-nitrokey and @intr-cx, I just encountered the same problem twice. At first, I thought that I had just entered all PINs incorrectly three times in a row, but the issue seems to be reproducible for me at least.

The second time, I issued an unblock command before the counter went to zero, which resolved the issue for me.

Just ping me if you need additional information.

Here is the output of nitropy nk3 status:

UUID:               BCAF68B2A2E6125B9D4114218CE88913
Firmware version:   v1.4.0
Init status:        ok
Free blocks (int):  47
Free blocks (ext):  471

sosthene-nitrokey commented 1 year ago

Regarding the PINs getting locked out, it appears there is indeed a bug that causes the PINs to reset to their default after NFC usage. See https://github.com/Nitrokey/nitrokey-3-firmware/issues/298
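
The `PIN retry counter : 0 3 3` line discussed in this thread can be checked automatically, so a low counter is noticed before it reaches zero. The following is an added example, not code from the thread or from opcard-rs. It assumes GnuPG's column order (user PIN, reset code, admin PIN) and lists the card's normal recovery paths, which the firmware bug reported here prevented from working; `warn_at` and the function names are hypothetical.

```python
import re

# Order in which `gpg --card-status` prints the three retry counters (assumed).
SLOTS = ("user_pin", "reset_code", "admin_pin")

def parse_retry_counters(status_text):
    """Extract the three counters from `gpg --card-status` output."""
    m = re.search(r"^PIN retry counter\s*:\s*(\d+)\s+(\d+)\s+(\d+)\s*$",
                  status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no 'PIN retry counter' line found")
    return dict(zip(SLOTS, (int(n) for n in m.groups())))

def assess(counters, warn_at=1):
    """Return (findings, recovery) for a parsed counter set.

    warn_at is a hypothetical threshold: counters at or below it (but not 0)
    are reported so the PIN can be unblocked before it reaches zero.
    """
    findings, recovery = [], []
    for slot in ("user_pin", "admin_pin"):
        left = counters[slot]
        if left == 0:
            findings.append(f"{slot} blocked")
        elif left <= warn_at:
            findings.append(f"{slot} low ({left} left)")
    # A reset-code counter of 0 means "not set" or "exhausted"; unusable either way.
    if counters["user_pin"] == 0:
        if counters["reset_code"] > 0:
            recovery.append("unblock user PIN with reset code")
        if counters["admin_pin"] > 0:
            recovery.append("unblock user PIN with admin PIN")
    if counters["admin_pin"] == 0:
        # Without the admin PIN nothing can be unblocked; only a reset remains.
        recovery = ["factory reset (destroys keys on the card)"]
    return findings, recovery

# Constructed sample: the counter line from the report above plus two neighbours.
SAMPLE = """\
Max. PIN lengths .: 127 127 127
PIN retry counter : 0 3 3
Signature counter : 0
"""

if __name__ == "__main__":
    counters = parse_retry_counters(SAMPLE)
    print(counters, *assess(counters), sep="\n")
```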