Password function does not work for Nitrokey3 #180

New Issue

Open

opened 2025-08-19 09:22:46 +08:00 by AussieMakerGeek · 5 comments

AussieMakerGeek commented 2025-08-19 09:22:46 +08:00 (Migrated from github.com)

Copy Link

I'm using an ESP32 S3 and set it to NitroKey3, but within the NitroKey App, the password function does not work and crashes the app.

Is there something else that I need to do?

It works fine as a Yubikey 5 with the yubikey app but I'd prefer to use it as a Nitrokey as that can store usernames and passwords as well as OTP - Or is that not implemented?

I also tried with a Pico2350 but I get the same thing.

I'm using an ESP32 S3 and set it to NitroKey3, but within the NitroKey App, the password function does not work and crashes the app. <img width="399" height="330" alt="Image" src="https://github.com/user-attachments/assets/e93ec059-e5ba-4617-9798-55918117d689" /> Is there something else that I need to do? It works fine as a Yubikey 5 with the yubikey app but I'd prefer to use it as a Nitrokey as that can store usernames and passwords as well as OTP - Or is that not implemented? I also tried with a Pico2350 but I get the same thing.

polhenarejos commented 2025-08-20 07:32:03 +08:00 (Migrated from github.com)

Copy Link

Support for nitrokey passwords (totp, hotp, plain, etc) is not implemented yet.

Support for nitrokey passwords (totp, hotp, plain, etc) is not implemented yet.

polhenarejos commented 2025-09-07 01:21:25 +08:00 (Migrated from github.com)

Copy Link

I pushed some changes in 5facbf61 to fix this issue. Can you try the nightly development build and report?

I pushed some changes in 5facbf61 to fix this issue. Can you try the nightly development build and report?

euletheia commented 2025-10-27 22:32:09 +08:00 (Migrated from github.com)

Copy Link

Hi,

I am also interested in a working Nitrokey 3 on pico-fido, and although I don't use an ESP32 S3, since I got the same issue I thought I would report on this topic. I hope this is okay with you.

I am using the nightly build on a Raspberry Pico 2 (with Debian testing), and I get the exact same error from the Nitrokey App 2 (flatpak).
The nitropy nk3 test (run via pipx) also complains about permission being denied, but additionally produces KeyError: 'x5c'.
(I also tested with pico-fido2 and got the same results).

Trace from Nitrokey App 2

Traceback (most recent call last):
  File "/app/lib/python3.12/site-packages/nitrokeyapp/secrets_tab/worker.py", line 727, in refresh_credentials
    self.run(job)
  File "/app/lib/python3.12/site-packages/nitrokeyapp/worker.py", line 67, in run
    job.run()
  File "/app/lib/python3.12/site-packages/nitrokeyapp/secrets_tab/worker.py", line 584, in run
    credentials = Credential.list(secrets)
                  ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/lib/python3.12/site-packages/nitrokeyapp/secrets_tab/data.py", line 115, in list
    for item in secrets.list_with_properties():
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/lib/python3.12/site-packages/nitrokey/nk3/secrets_app.py", line 452, in list_with_properties
    raw_res = self._send_receive(Instruction.List, data)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/lib/python3.12/site-packages/nitrokey/nk3/secrets_app.py", line 353, in _send_receive
    return self._send_receive_inner(bytes_data, log_info=f"{ins}")
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/lib/python3.12/site-packages/nitrokey/nk3/secrets_app.py", line 388, in _send_receive_inner
    raise SecretsAppException(status_bytes.hex(), "Received error")
nitrokey.nk3.secrets_app.SecretsAppException: SecretsAppException(code=6d00/InstructionNotSupportedOrInvalid)

Trace from nitropy nk3 test --pin <myPIN>

Traceback (most recent call last):
  File "/home/euletheia/.local/share/pipx/venvs/pynitrokey/lib/python3.13/site-packages/pynitrokey/cli/trussed/test.py", line 147, in run_tests
    result = test_case.fn(ctx, device)
  File "/home/euletheia/.local/share/pipx/venvs/pynitrokey/lib/python3.13/site-packages/pynitrokey/cli/trussed/tests.py", line 417, in test_fido2
    cert = make_credential_result.response.attestation_object.att_stmt["x5c"]
           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^
KeyError: 'x5c'

I can give you the full logs if you think that will help.

Thank you for this project and all the work you put in it !

Hi, I am also interested in a working Nitrokey 3 on pico-fido, and although I don't use an ESP32 S3, since I got the same issue I thought I would report on this topic. I hope this is okay with you. I am using the **nightly build** on a **Raspberry Pico 2** (with **Debian testing**), and I get the exact same error from the *Nitrokey App 2* (flatpak). The `nitropy nk3 test` (run via pipx) also complains about permission being denied, but additionally produces `KeyError: 'x5c'`. (I also tested with pico-fido2 and got the same results). ### Trace from Nitrokey App 2 ``` Traceback (most recent call last): File "/app/lib/python3.12/site-packages/nitrokeyapp/secrets_tab/worker.py", line 727, in refresh_credentials self.run(job) File "/app/lib/python3.12/site-packages/nitrokeyapp/worker.py", line 67, in run job.run() File "/app/lib/python3.12/site-packages/nitrokeyapp/secrets_tab/worker.py", line 584, in run credentials = Credential.list(secrets) ^^^^^^^^^^^^^^^^^^^^^^^^ File "/app/lib/python3.12/site-packages/nitrokeyapp/secrets_tab/data.py", line 115, in list for item in secrets.list_with_properties(): ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/app/lib/python3.12/site-packages/nitrokey/nk3/secrets_app.py", line 452, in list_with_properties raw_res = self._send_receive(Instruction.List, data) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/app/lib/python3.12/site-packages/nitrokey/nk3/secrets_app.py", line 353, in _send_receive return self._send_receive_inner(bytes_data, log_info=f"{ins}") ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/app/lib/python3.12/site-packages/nitrokey/nk3/secrets_app.py", line 388, in _send_receive_inner raise SecretsAppException(status_bytes.hex(), "Received error") nitrokey.nk3.secrets_app.SecretsAppException: SecretsAppException(code=6d00/InstructionNotSupportedOrInvalid) ``` ### Trace from `nitropy nk3 test --pin <myPIN>` ``` Traceback (most recent call last): File "/home/euletheia/.local/share/pipx/venvs/pynitrokey/lib/python3.13/site-packages/pynitrokey/cli/trussed/test.py", line 147, in run_tests result = test_case.fn(ctx, device) File "/home/euletheia/.local/share/pipx/venvs/pynitrokey/lib/python3.13/site-packages/pynitrokey/cli/trussed/tests.py", line 417, in test_fido2 cert = make_credential_result.response.attestation_object.att_stmt["x5c"] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^ KeyError: 'x5c' ``` I can give you the full logs if you think that will help. Thank you for this project and all the work you put in it !

polhenarejos commented 2025-10-28 00:22:11 +08:00 (Migrated from github.com)

Copy Link

Can you try with development nightly build?

Can you try with development nightly build?

euletheia commented 2025-10-29 09:18:26 +08:00 (Migrated from github.com)

Copy Link

My apologies, I overlooked your previous answer and did not see the nightly development build yesterday...

However, if I'm not mistaken, there's no .uf2 file for the pico 2 in this nightly development build so I cloned the repository and built the file from main (5b778f2).

The Nitrokey App does not complain anymore, and I am able to generate an HMAC secret on slot 2 with the app and the cli.¹

Yet, running nitropy nk3 test again yields the same errors : SE050 and FIDO2 tests fail.
Here are the traces :

SE050

206       DEBUG fido2.hid.linux Failed opening device /dev/hidraw1
Traceback (most recent call last):
  File "/home/euletheia/.local/share/pipx/venvs/pynitrokey/lib/python3.13/site-packages/fido2/hid/linux.py", line 96, in list_descriptors
    devices.append(get_descriptor(hidraw))
                   ~~~~~~~~~~~~~~^^^^^^^^
  File "/home/euletheia/.local/share/pipx/venvs/pynitrokey/lib/python3.13/site-packages/fido2/hid/linux.py", line 53, in get_descriptor
    with open(path, "rb") as f:
         ~~~~^^^^^^^^^^^^
PermissionError: [Errno 13] Permission denied: '/dev/hidraw1'
207       DEBUG fido2.hid.linux Failed opening device /dev/hidraw0
Traceback (most recent call last):
  File "/home/euletheia/.local/share/pipx/venvs/pynitrokey/lib/python3.13/site-packages/fido2/hid/linux.py", line 96, in list_descriptors
    devices.append(get_descriptor(hidraw))
                   ~~~~~~~~~~~~~~^^^^^^^^
  File "/home/euletheia/.local/share/pipx/venvs/pynitrokey/lib/python3.13/site-packages/fido2/hid/linux.py", line 53, in get_descriptor
    with open(path, "rb") as f:
         ~~~~^^^^^^^^^^^^
PermissionError: [Errno 13] Permission denied: '/dev/hidraw0'

FIDO2

Traceback (most recent call last):
  File "/home/euletheia/.local/share/pipx/venvs/pynitrokey/lib/python3.13/site-packages/pynitrokey/cli/trussed/test.py", line 147, in run_tests
    result = test_case.fn(ctx, device)
  File "/home/euletheia/.local/share/pipx/venvs/pynitrokey/lib/python3.13/site-packages/pynitrokey/cli/trussed/tests.py", line 417, in test_fido2
    cert = make_credential_result.response.attestation_object.att_stmt["x5c"]
           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^
KeyError: 'x5c'

---

1. Just for context (I'm not sure if this can be relevant in any way), I'm trying to get a Nitrokey 3 as a 2FA method for a KeepassXC database, and even with this pico-fido build and the recommended udev rules from Nitrokey, KeepassXC still does not detect any key (as it did for a Yubikey-provisioned pico 2). ↩︎

My apologies, I overlooked your previous answer and did not see the nightly __*development*__ build yesterday... However, if I'm not mistaken, there's no .uf2 file for the pico 2 in this nightly development build so I cloned the repository and built the file from main ([5b778f2](https://github.com/polhenarejos/pico-fido/commit/5b778f2e27d6c1ae8ad6d84c0b0e9b0bd3822a20)). The Nitrokey App does not complain anymore, and I am able to generate an HMAC secret on slot 2 with the app _and_ the cli.[^1] [^1]: Just for context (I'm not sure if this can be relevant in any way), I'm trying to get a Nitrokey 3 as a 2FA method for a KeepassXC database, and even with this pico-fido build and the recommended udev rules from Nitrokey, KeepassXC still does not detect any key (as it did for a Yubikey-provisioned pico 2). Yet, running `nitropy nk3 test` again yields the same errors : SE050 and FIDO2 tests fail. Here are the traces : ### SE050 ``` 206 DEBUG fido2.hid.linux Failed opening device /dev/hidraw1 Traceback (most recent call last): File "/home/euletheia/.local/share/pipx/venvs/pynitrokey/lib/python3.13/site-packages/fido2/hid/linux.py", line 96, in list_descriptors devices.append(get_descriptor(hidraw)) ~~~~~~~~~~~~~~^^^^^^^^ File "/home/euletheia/.local/share/pipx/venvs/pynitrokey/lib/python3.13/site-packages/fido2/hid/linux.py", line 53, in get_descriptor with open(path, "rb") as f: ~~~~^^^^^^^^^^^^ PermissionError: [Errno 13] Permission denied: '/dev/hidraw1' 207 DEBUG fido2.hid.linux Failed opening device /dev/hidraw0 Traceback (most recent call last): File "/home/euletheia/.local/share/pipx/venvs/pynitrokey/lib/python3.13/site-packages/fido2/hid/linux.py", line 96, in list_descriptors devices.append(get_descriptor(hidraw)) ~~~~~~~~~~~~~~^^^^^^^^ File "/home/euletheia/.local/share/pipx/venvs/pynitrokey/lib/python3.13/site-packages/fido2/hid/linux.py", line 53, in get_descriptor with open(path, "rb") as f: ~~~~^^^^^^^^^^^^ PermissionError: [Errno 13] Permission denied: '/dev/hidraw0' ``` ### FIDO2 ``` Traceback (most recent call last): File "/home/euletheia/.local/share/pipx/venvs/pynitrokey/lib/python3.13/site-packages/pynitrokey/cli/trussed/test.py", line 147, in run_tests result = test_case.fn(ctx, device) File "/home/euletheia/.local/share/pipx/venvs/pynitrokey/lib/python3.13/site-packages/pynitrokey/cli/trussed/tests.py", line 417, in test_fido2 cert = make_credential_result.response.attestation_object.att_stmt["x5c"] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^ KeyError: 'x5c' ```

👍 1

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

development

nightly-development

nightly-main

v7.4

v7.2

v7.0-eddsa

v7.0

v6.6

v6.4-eddsa1

v6.4

v6.2

v6.0-eddsa1

v6.0

v5.12-eddsa1

v5.12

nightly-stable

v5.10

v5.8-eddsa1

v5.8

v5.6-eddsa1

v5.6

v5.4

v3.0

v2.10

v2.8

v2.6

v2.4

v2.2

v2.0

v1.2

v1.0

Labels

Clear labels

bug

Something isn't working

documentation

Improvements or additions to documentation

duplicate

This issue or pull request already exists

enhancement

New feature or request

good first issue

Good for newcomers

help wanted

Extra attention is needed

invalid

This doesn't seem right

question

Further information is requested

wontfix

This will not be worked on

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

dearsky

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: dearsky/pico-fido#180