Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve error message for provisioner test #323

Closed
hollunder opened this issue Feb 22, 2023 · 3 comments · Fixed by #367
Closed

Improve error message for provisioner test #323

hollunder opened this issue Feb 22, 2023 · 3 comments · Fixed by #367
Labels
bug Something isn't working device/Nitrokey 3 UI

Comments

@hollunder
Copy link

hollunder commented Feb 22, 2023
edited
Loading

After quite a while I was playing around with my Nitrokey 3A NFC again and ran the test suite nitropy nk3 test --all and it failed.
One error message was particularly unhelpful:
[4/5] provisioner Firmware mode FAILURE Failed to establish context: Service not available. (0x8010001D)

  1. I don't understand what is being tested.
  2. It does not tell me which service is not available.
  3. It give me no clue on how to resolve the issue.
  4. There is no documentation available anywhere.

The only way I happened to stumble upon a possible solution is because the competitor Yubikey used to throw a very similar error message that is just as bad and I could find a solution for that Yubico/yubioath-flutter#78.

After issuing a systemctl start pcscd.service (pcsc stuff was already installed, perhaps I ran into this before and forgot) I still get a test failure but with a different message and I still do not know whether this is to be expected.
[4/5] provisioner Firmware mode FAILURE No smartcard with UUID <UUID> found

Please improve the error messages to avoid this kind of confusion.

$ nitropy nk3 version               
Command line tool to interact with Nitrokey devices 0.4.33
v1.2.2
@robin-nitrokey
Copy link
Member

As you noticed, it is a bit tricky to get this test to work (and requires additional dependencies). This makes it hard to show concise and instructive error message. And this is the reason why it is disabled by default. Also, the test is only relevant during production and not for devices in the field. We should add that to the documentation for the --all option and maybe add an additional flag to enable production tests.

If you still want to get this to work, make sure that pcsc_scan -r lists the Nitrokey 3 device. If not, your libccid device database might be outdated. Nitrokey 3 support was added in 1.5.0. If you have an older version, you can also manually replace the device database with this one. The path depends on your distribution – for me it’s /etc/libccid_Info.plist (Debian).

@hollunder
Copy link
Author

Thanks, that helped me along and all five tests succeed.

On Arch the package containing the ccid database is called ccid. After installing it I had to restart pcscd.service (from the package pcsclite).
Then I got:

$ pcsc_scan -r
0: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00

The test also finally succeeded:

$ nitropy nk3 test
... 
[1/4]	uuid         	UUID query              	SUCCESS  	<UUID>
[2/4]	version      	Firmware version query  	SUCCESS  	v1.2.2
[3/4]	provisioner  	Firmware mode           	SUCCESS  	
Please press the touch button on the device ...
Please press the touch button on the device ...
[4/4]	fido2        	FIDO2                   	SUCCESS

As you can see, this test is enabled by default. The only additional test that is run with --all is the bootloader test and succeeded out of the box for me.

[3/5]	bootloader   	Bootloader configuration  	SUCCESS

Does that mean that the wrong test gets excluded by default?

@szszszsz
Copy link
Member

szszszsz commented Apr 7, 2023

@robin-nitrokey What's the status of this ticket?

@szszszsz szszszsz added bug Something isn't working UI labels Apr 7, 2023
robin-nitrokey added a commit that referenced this issue Apr 7, 2023
@robin-nitrokey
nk3 test: Fix provisioner test
adb2361 
This patch adds the provisioner test to the default excludes for the
nitropy nk3 test command.  The reason for this is that it the test is
not relevant outside of production and is likely to fail if
gnupg/scdaemon is running or if there is an issue with pcscd.

It also changes the test setup so that the provisioner test case is
always listed, even if pyscard is not installed.  In this case, it is
marked as skipped.

Fixes #323
@robin-nitrokey robin-nitrokey mentioned this issue Apr 7, 2023
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working device/Nitrokey 3 UI
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

nk3 test: Fix provisioner test Nitrokey/pynitrokey
3 participants
@hollunder @szszszsz @robin-nitrokey