nk3 update: Wrong nonce error if Nitrokey App 2 is running

[hkienle]

Since updating to the same version is offered by nitropy, I assume it is supported and should succeed!?

I have a Nitrokey 3A NFC.

$ nitropy nk3 update
Command line tool to interact with Nitrokey devices 0.7.3
Current firmware version:  v1.8.0
Updated firmware version:  v1.8.0
The version of the firmware image is the same as on the device.  Do you want to continue anyway? [y/N]: y
Do you want to download the firmware version v1.8.0? [Y/n]: 
Download v1.8.0: 100%|████████████████████████████████████████████████████████████| 1.08M/1.08M [00:00<00:00, 2.11MB/s]

Please do not remove the Nitrokey 3 or insert any other Nitrokey 3 devices during the update. Doing so may damage the Nitrokey 3.
Do you want to perform the firmware update now? [y/N]: y

Please press the touch button to reboot the device into bootloader mode ...

Perform firmware update: 100%|██████████████████████████████████████████████████████| 548k/548k [00:06<00:00, 85.1kB/s]
Finalize upgrade:   3%|█▉                                                               | 3/100 [00:01<00:53,  1.83%/s]
Critical error:
An unhandled exception occurred
	Exception encountered: ConnectionFailure('Wrong nonce')

--------------------------------------------------------------------------------
Critical error occurred, exiting now
Unexpected? Is this a bug? Would you like to get support/help?
- You can report issues at: https://support.nitrokey.com/
- Writing an e-mail to [email protected] is also possible
- Please attach the log: '/tmp/nitropy.log.o8eo6kx1' with any support/help request!
- Please check if you have udev rules installed: https://docs.nitrokey.com/nitrokeys/nitrokey3/firmware-update#troubleshooting-linux

[robin-nitrokey]

Thanks for the report! Can you please share the log file mentioned in the error message?

[daringer]

(transfering this issue to pynitrokey, as this is not app2)

generally this looks like the update went through without issues, the finalization step is only "waiting for the device to re-appear" - nevertheless this shouldn't happen

[hkienle]

Thanks for the report! Can you please share the log file mentioned in the error message?

https://gist.github.com/hkienle/88c6fc86ea0354447a53f6b7295d98cf

[robin-nitrokey]

Thank you! I don’t think I’ve seen this kind of error before. Did this happen only once or have you seen it multiple times? Are there any other processes that could have tried to access the device? Was the Nitrokey App 2 running at the same time?

The relevant snippets from the log

343        INFO pynitrokey.cli fido2 version: 1.2.0

Traceback (most recent call last):
  File "/home/kienle/.local/share/pipx/venvs/pynitrokey/lib/python3.9/site-packages/pynitrokey/cli/__init__.py", line 137, in main
    nitropy()
  File "/home/kienle/.local/share/pipx/venvs/pynitrokey/lib/python3.9/site-packages/click/core.py", line 1161, in __call__
    return self.main(*args, **kwargs)
  File "/home/kienle/.local/share/pipx/venvs/pynitrokey/lib/python3.9/site-packages/click/core.py", line 1082, in main
    rv = self.invoke(ctx)
  File "/home/kienle/.local/share/pipx/venvs/pynitrokey/lib/python3.9/site-packages/click/core.py", line 1697, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/home/kienle/.local/share/pipx/venvs/pynitrokey/lib/python3.9/site-packages/click/core.py", line 1697, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/home/kienle/.local/share/pipx/venvs/pynitrokey/lib/python3.9/site-packages/click/core.py", line 1443, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/home/kienle/.local/share/pipx/venvs/pynitrokey/lib/python3.9/site-packages/click/core.py", line 788, in invoke
    return __callback(*args, **kwargs)
  File "/home/kienle/.local/share/pipx/venvs/pynitrokey/lib/python3.9/site-packages/click/decorators.py", line 45, in new_func
    return f(get_current_context().obj, *args, **kwargs)
  File "/home/kienle/.local/share/pipx/venvs/pynitrokey/lib/python3.9/site-packages/pynitrokey/cli/nk3/__init__.py", line 126, in update
    exec_update(ctx, image, version, ignore_pynitrokey_version, confirm)
  File "/home/kienle/.local/share/pipx/venvs/pynitrokey/lib/python3.9/site-packages/pynitrokey/cli/nk3/update.py", line 154, in update
    return updater.update(device, image, version, ignore_pynitrokey_version)
  File "/home/kienle/.local/share/pipx/venvs/pynitrokey/lib/python3.9/site-packages/nitrokey/nk3/updates.py", line 218, in update
    with self.await_device(wait_retries, callback) as device:
  File "/home/kienle/.local/share/pipx/venvs/pynitrokey/lib/python3.9/site-packages/pynitrokey/cli/trussed/__init__.py", line 101, in await_device
    return self._await(self.model.name, self.device_type, retries, callback)
  File "/home/kienle/.local/share/pipx/venvs/pynitrokey/lib/python3.9/site-packages/pynitrokey/cli/trussed/__init__.py", line 137, in _await
    devices = [device for device in self.list() if isinstance(device, ty)]
  File "/home/kienle/.local/share/pipx/venvs/pynitrokey/lib/python3.9/site-packages/pynitrokey/cli/trussed/__init__.py", line 85, in list
    return self.list_all()
  File "/home/kienle/.local/share/pipx/venvs/pynitrokey/lib/python3.9/site-packages/pynitrokey/cli/nk3/__init__.py", line 49, in list_all
    return list()
  File "/home/kienle/.local/share/pipx/venvs/pynitrokey/lib/python3.9/site-packages/nitrokey/nk3/__init__.py", line 41, in list
    devices.extend(NK3.list())
  File "/home/kienle/.local/share/pipx/venvs/pynitrokey/lib/python3.9/site-packages/nitrokey/nk3/_device.py", line 67, in list
    devices.append(cls.from_device(open_device(desc.path)))
  File "/home/kienle/.local/share/pipx/venvs/pynitrokey/lib/python3.9/site-packages/fido2/hid/__init__.py", line 285, in open_device
    return CtapHidDevice(descriptor, open_connection(descriptor))
  File "/home/kienle/.local/share/pipx/venvs/pynitrokey/lib/python3.9/site-packages/fido2/hid/__init__.py", line 116, in __init__
    raise ConnectionFailure("Wrong nonce")
fido2.hid.ConnectionFailure: Wrong nonce

[hkienle]

Did this happen only once or have you seen it multiple times? Are there any other processes that could have tried to access the device? Was the Nitrokey App 2 running at the same time?

I tried this only once. Yes, I think the Nitrokey App 2 was running when I tried this.

I can try again if you want, let me know.

[robin-nitrokey]

I think it’s likely caused by Nitrokey App 2 and nitropy both listening for new devices (Nitrokey App 2 does this all the time, nitropy does it after the firmware update). So when the device reboots after the update, both try to initialize communication with the device, leading to this error. I’ll try to reproduce it on my side.

[robin-nitrokey]

Indeed this seems to be the cause. I can reproduce the error by:

1. Removing all Nitrokey 3 devices
2. Starting nitrokey-app2
3. Running this script:

   import time
   
   from nitrokey import nk3
   
   while True:
       devices = nk3.list()
       for device in devices:
           print(f"{device.path}: {device.name} {device.uuid()}")
       if len(devices) > 0:
           break
       time.sleep(0.1)

4. Connecting a Nitrokey 3 device

Next steps:

• Catch this error and show a better error message
• Investigate if we can just retry if we receive this error

Error

Traceback (most recent call last):
  File "/home/robin/reps/nitrokey-sdk-py/test.py", line 6, in <module>
    devices = nk3.list()
              ^^^^^^^^^^
  File "/home/robin/reps/nitrokey-sdk-py/src/nitrokey/nk3/__init__.py", line 41, in list
    devices.extend(NK3.list())
                   ^^^^^^^^^^
  File "/home/robin/reps/nitrokey-sdk-py/src/nitrokey/nk3/_device.py", line 67, in list
    devices.append(cls.from_device(open_device(desc.path)))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/robin/reps/nitrokey-sdk-py/src/nitrokey/nk3/_device.py", line 51, in from_device
    return cls(device)
           ^^^^^^^^^^^
  File "/home/robin/reps/nitrokey-sdk-py/src/nitrokey/nk3/_device.py", line 37, in __init__
    super().__init__(device, FIDO2_CERTS)
  File "/home/robin/reps/nitrokey-sdk-py/src/nitrokey/trussed/_device.py", line 49, in __init__
    self.admin.status()
  File "/home/robin/reps/nitrokey-sdk-py/src/nitrokey/trussed/admin_app.py", line 256, in status
    reply = self._call(AdminCommand.STATUS)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/robin/reps/nitrokey-sdk-py/src/nitrokey/trussed/admin_app.py", line 214, in _call
    return self.device._call_app(
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/home/robin/reps/nitrokey-sdk-py/src/nitrokey/trussed/_device.py", line 90, in _call_app
    return self._call(app.value, app.name, response_len, data)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/robin/reps/nitrokey-sdk-py/src/nitrokey/trussed/_device.py", line 76, in _call
    response = self.device.call(command, data=data)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/robin/.cache/pypoetry/virtualenvs/nitrokey-ns8axhL7-py3.12/lib/python3.12/site-packages/fido2/hid/__init__.py", line 173, in call
    return self._do_call(cmd, data, event, on_keepalive)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/robin/.cache/pypoetry/virtualenvs/nitrokey-ns8axhL7-py3.12/lib/python3.12/site-packages/fido2/hid/__init__.py", line 213, in _do_call
    raise ConnectionFailure("Wrong channel")
fido2.hid.ConnectionFailure: Wrong channel