Nitrokey / opcard-rs

OpenPGP card implementation

KDF breaks pin entry #162

Closed shaohme closed 1 year ago

shaohme commented 1 year ago

I have recently updated to latest 1.5.0 firmware for my Nitrokey 3A NFC. After factory resetting the device I immediately enable KDF by executing 'kdf-setup'. Afterwards I cannot change or use PINs for my NK3 and have to factory reset again to make PIN/Admin-PIN work again.

Below is an example output of "Card error" occurring when trying to change Admin PIN after KDF setup.

gpg/card> admin
Admin commands are allowed

gpg/card> kdf-setup 

gpg/card> passwd
gpg: OpenPGP card no. redacted detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 3
Error changing the PIN: Card error

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 3
Error changing the PIN: Card error

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? q

gpg/card> list

Reader ...........: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
Application ID ...: redacted
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: unknown
Serial number ....: BCE9DEE1
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......: 
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 1
Signature counter : 0
KDF setting ......: on
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card> 
~ $ gpg --version
gpg (GnuPG) 2.2.40
libgcrypt 1.10.1
Copyright (C) 2022 g10 Code GmbH

sosthene-nitrokey commented 1 year ago

Hi!

Thanks for the detailed report.

This is a known issue with GnuPG releases older than 2.3. Older GnuPG releases don't recompute the PINs after configuring the KDF-DO, resulting in gpg then failing to send the appropriate PINs.

See the GnuPG ticket relevant to this issue: https://dev.gnupg.org/T3891

To solve the issue, please upgrade to a gpg version more recent than 2.3. Note that once kdf-setup has been run with an up-to-date release of GnuPG, the device should be fully usable even with an older release.
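As an added illustration of the mechanism described in this reply (example code, not from opcard-rs or GnuPG): after kdf-setup the card keeps only the KDF output of each PIN in the KDF-DO, so a client that still works from the view of the card it had before kdf-setup presents the wrong value and the card answers with an error. The tag layout follows OpenPGP card spec 3.4 section 4.3.2; the fixed salts, the 100000 count and the "stale cached KDF-DO" model of the pre-2.3 gpg behaviour are constructed assumptions for the demo.

```python
import hashlib

# Tag values and factory PINs from the OpenPGP card 3.4 spec (section 4.3.2, KDF-DO, tag 0xF9).
KDF_ITERSALTED_S2K = 0x03   # the only KDF algorithm the spec defines
HASH_SHA256 = 0x08
DEFAULT_PW1, DEFAULT_PW3 = b"123456", b"12345678"   # factory user / admin PIN of a reset card

def iterated_salted_s2k(pin: bytes, salt: bytes, count: int) -> bytes:
    """RFC 4880 3.7.1.3: feed salt||pin to SHA-256 repeatedly until `count` bytes went in."""
    data = salt + pin
    count = max(count, len(data))              # the whole block is hashed at least once
    full, rest = divmod(count, len(data))
    h = hashlib.sha256()
    for _ in range(full):
        h.update(data)
    h.update(data[:rest])
    return h.digest()

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value    # short-form length is enough for these fields

def build_kdf_do(salt_pw1: bytes, salt_rc: bytes, salt_pw3: bytes, count: int) -> bytes:
    """What kdf-setup writes to the card: parameters plus the KDF output of the *current* PINs."""
    return (tlv(0x81, bytes([KDF_ITERSALTED_S2K])) + tlv(0x82, bytes([HASH_SHA256]))
            + tlv(0x83, count.to_bytes(4, "big")) + tlv(0x84, salt_pw1) + tlv(0x85, salt_rc)
            + tlv(0x86, salt_pw3) + tlv(0x87, iterated_salted_s2k(DEFAULT_PW1, salt_pw1, count))
            + tlv(0x88, iterated_salted_s2k(DEFAULT_PW3, salt_pw3, count)))

def parse_kdf_do(raw: bytes) -> dict:
    fields, i = {}, 0
    while i < len(raw):
        tag, ln = raw[i], raw[i + 1]
        fields[tag] = raw[i + 2:i + 2 + ln]
        i += 2 + ln
    return fields

def host_pw3(cached_kdf_do, pin: bytes) -> bytes:
    """Host side: `cached_kdf_do` is what gpg read at card open; a client that does not re-read
    it after kdf-setup (constructed model of gpg < 2.3) still thinks KDF is off and sends raw."""
    if cached_kdf_do is None:
        return pin
    d = parse_kdf_do(cached_kdf_do)
    return iterated_salted_s2k(pin, d[0x86], int.from_bytes(d[0x83], "big"))

def card_accepts_pw3(kdf_do: bytes, presented: bytes) -> bool:
    """Card side after kdf-setup: only the stored KDF output (tag 0x88) is a valid PW3."""
    return parse_kdf_do(kdf_do)[0x88] == presented

KDF_DO = build_kdf_do(b"\x01" * 8, b"\x02" * 8, b"\x03" * 8, 100000)      # constructed salts/count
STALE_CLIENT_OK = card_accepts_pw3(KDF_DO, host_pw3(None, DEFAULT_PW3))     # False: "Card error"
FRESH_CLIENT_OK = card_accepts_pw3(KDF_DO, host_pw3(KDF_DO, DEFAULT_PW3))   # True
```

Re-reading the KDF-DO before any VERIFY or CHANGE REFERENCE DATA is exactly what makes the card usable again, which is why the same card works once a KDF-aware client has done the setup.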

shaohme commented 1 year ago

I see. Too bad my favorite distros are currently slow at upgrading to latest GnuPG ;-)

I have used KDF with a YubiKey 5 where it seems to work, so I guess this is a problem with GnuPG 2.2.X and Nitrokey? Or maybe YubiKey firmware just works around or ignores it ...