GPG keytocard fails with card inaccessible afterwards #330

Closed
Unb0rn opened this issue Aug 1, 2023 · 5 comments
Comments

@Unb0rn

Unb0rn commented Aug 1, 2023

Met a strange behavior - tried to replace auth key on my NK3 and while doing so I got an error with a message: gpg: error getting current key info: General error

Nitrokey 3 FW: v1.5.0-test.20230704 (wanted to play with PIV a bit)
GPG: 2.3.8

Steps to reproduce:

  • Add an ECC key (NISTp521, Auth) with addkey
  • Select it
  • Run keytocard

The card already has a key in auth slot (ed25519) and I want to replace it.

After this error any communication with the card fails with something like:

gpg --card-status
gpg: OpenPGP card not available: Not supported

Unplugging and replugging the card ends up with:

gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

Killing and restarting scdaemon seems to help

@Unb0rn
Author

Unb0rn commented Aug 2, 2023

Tried updating GPG to 2.4, "downgrading" NK3 firmware to 1.5.0, re-generating the key to NISTp256 - it only seemed to set key attributes to nistp256 but the key is not uploaded and the error remains the same - gpg: KEYTOCARD failed: Card error

@sosthene-nitrokey
Collaborator

The GPG function of the Nitrokey 3 doesn't support NIST P521 yet.

If you want this functionality to be added, please voice your support in Nitrokey/opcard-rs#36 so that we prioritize this feature.

> Tried updating GPG to 2.4, "downgrading" NK3 firmware to 1.5.0, re-generating the key to NISTp256 - it only seemed to set key attributes to nistp256 but the key is not uploaded and the error remains the same - gpg: KEYTOCARD failed: Card error

I am not sure I fully understand this comment. Are you locked out of generating/importing a nistp256 key? This would be a bug.

@Unb0rn
Author

Unb0rn commented Aug 2, 2023

Initially I generated NISTp521 but today I tried several things - updated GnuPG, downgraded Nitrokey firmware to a stable version and finally generated NISTp256.

When I tried putting this new NISTp256 key to card (via GnuPG 2.4 this time, if it matters) - it failed with Card error but changed the authentication key attributes (the one I tried to push to card) from ed25519 to nistp256, and now this key on card is completely unusable and I'm afraid I have to reset my NK3 completely.

Regarding the p521 part - it's a bit off-topic - but I need it unless Nitrokey is interested in fixing OpenKeychain for Android - opened an issue in this project. In a nutshell - it works with some key lengths and curves but fails or even crashes with the others. So, I voted on that opcard-rs issue.

@sosthene-nitrokey
Collaborator

Changing the key attribute will delete the key stored on the NK3, so it is to be expected that your Ed25519 key cannot be used anymore.

I am not able to reproduce the error you encountered. Importing a nistp256 with an Ed25519 key in the authentication key works properly.

Are the other slots of your keys also populated?

@Unb0rn
Author

Unb0rn commented Aug 2, 2023

Strange... So, for me:
Nitrokey 3:

Firmware version:   v1.5.0
Init status:        ok
Free blocks (int):  34
Free blocks (ext):  465
Variant:            LPC55

gpg --card-status returns these keyattrs:

Key attributes ...: ed25519 cv25519 nistp256

I can also query public keys from slots 1 (sign) and 2 (encrypt) with pkcs15-tool --read-public-key x, however querying the third (corrupted?) slot returns:

Public key enumeration failed: EF offset too large

Now, if I want to replace the third (auth) key I do the following:

  • gpg --expert --edit-key <keyname>
  • addkey -> (11) ECC (set your own capabilities) -> Allow only Authenticate -> (3) NIST P-256 -> Set some expiration date
  • select the key with key N
  • keytocard
    Which ends up with gpg: KEYTOCARD failed: Card error

Probably some data has been corrupted. I'm not sure what caused it - either beta firmware previously installed or trying to push unsupported (NIST P-521) key.

So the history of operations is like this:
Firmware 1.5.0 -> push ed25519, cv25519, ed25519 -> Update to beta v1.5.0-test.20230704 -> Trying to push NIST P-521 key via GnuPG -> "downgrade" back to stable 1.5.0.
Not sure where the problem appeared and if it's possible to fix the card without full reset...
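The thread turns on one fact stated by the maintainer: changing a slot's key attribute deletes the key stored in that slot, and a keytocard that fails (here, with an unsupported NIST P-521 subkey) can still leave the attribute rewritten. A practitioner would want a pre-flight check before running keytocard. The script below is an added example written for this page; it is not code from the issue, from GnuPG or from Nitrokey. It parses the human-readable `Key attributes ...:` line that `gpg --card-status` prints (the same line quoted in the comment above), compares the curve of the subkey you are about to push with the slot's current attribute, and refuses curves outside an allow-list. The allow-list (`SUPPORTED`) is an assumption, seeded with the three curves visible in the issue's card status; the card-status text embedded in the script is a constructed sample so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the issue or from Nitrokey.
# Pre-flight check before `keytocard`: compare the curve of the subkey you
# are about to push with the card's current attribute for that slot, and
# refuse curves outside an allow-list. Rationale from the thread: a failed
# keytocard can still rewrite the slot's key attribute, and changing the
# attribute deletes the key stored in that slot.

# ASSUMPTION: which curves the card accepts is configuration, not something
# this script detects. The default is the set seen in the issue's
# `gpg --card-status` output; adjust it for your card and firmware.
SUPPORTED="${SUPPORTED:-ed25519 cv25519 nistp256}"

# Constructed sample of `gpg --card-status` output (only the lines this
# script needs). In real use substitute "$(gpg --card-status)".
SAMPLE_STATUS='Key attributes ...: ed25519 cv25519 nistp256
Signature key ....: [none]'

# slot_attr SLOT: read card-status text on stdin and print the attribute
# (curve name, or RSA size) of slot 1 (sign), 2 (encrypt) or 3 (auth).
slot_attr() {
    awk -v n="$1" '/^Key attributes/ {
        sub(/^[^:]*: */, "")      # strip the "Key attributes ...: " label
        split($0, a, " ")         # one attribute per slot, in slot order
        print a[n]
    }'
}

# keytocard_preflight STATUS SLOT CURVE [ALLOWLIST]
#   returns 0: slot already holds CURVE; keytocard replaces the key in place
#   returns 1: CURVE not in the allow-list (or slot unreadable); refuse
#              before touching the card
#   returns 2: CURVE differs from the slot's current attribute; keytocard
#              will change the attribute and delete the key now in the slot
keytocard_preflight() {
    status="$1"; slot="$2"; curve="$3"; allow="${4:-$SUPPORTED}"
    case " $allow " in
        *" $curve "*) ;;
        *) echo "refuse: $curve not in allow-list ($allow)" >&2; return 1 ;;
    esac
    current=$(printf '%s\n' "$status" | slot_attr "$slot")
    if [ -z "$current" ]; then
        echo "refuse: could not read attribute for slot $slot" >&2; return 1
    fi
    if [ "$current" = "$curve" ]; then
        echo "ok: slot $slot already $curve" >&2; return 0
    fi
    echo "warning: slot $slot holds $current; pushing $curve rewrites the attribute and deletes that key" >&2
    return 2
}

# Demo against the constructed sample: the three cases from the thread
# (same curve, unsupported P-521, and a supported but different curve).
for c in nistp256 nistp521 ed25519; do
    keytocard_preflight "$SAMPLE_STATUS" 3 "$c" || echo "slot 3 / $c -> exit $?"
done
```

In day-to-day use, run `keytocard_preflight "$(gpg --card-status)" 3 <curve>` right before `keytocard` and treat exit 2 as "I am about to wipe slot 3"; exit 1 stops you from sending a curve the firmware is known not to accept, which is the case that began this issue.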
