I have 4 HSM on one FreeBSD server. They are all labeled as “Nitrokey HSM” from Nitrokey. 2 of them are the HSM v2, but which ?
lsusb
will provide:
Bus /dev/usb Device /dev/ugen0.5: ID 20a0:4230 Clay Logic
Bus /dev/usb Device /dev/ugen0.4: ID 20a0:4230 Clay Logic
Bus /dev/usb Device /dev/ugen0.2: ID 20a0:4230 Clay Logic
Bus /dev/usb Device /dev/ugen0.3: ID 20a0:4230 Clay Logic
Neither dmesg
, sc-hsm-tool
nor pkcs11-tool
will wave a connection between the USB Slot and the reader-slot. With pkcs11-tool
you could at least see the different versions of HSM on the different token-slots.
On RAID arrays you could enable the drive LED to blink to identify the right drive. As HSM also has a LED, I wonder if there is a function to do the same to identfy a NK HSM ?
That’s a good point. On request we do physically label Nitrokeys with their serial number to distinguish and identify them. I guess this would solve your problem.
Still your suggestion is good and I created an issue ticket. However I don’t think it will be high priority to be implemented.
Yes, label it upfront is of course a possibility. Especially my server e.g. is under the ceiling - so anyway difficult to see the LED that is glowing up ( and not to the front )
BTW: I am not sure your udev rules are implemented : In FreeBSD I use the following rules:
nomatch 32 {
match “bus” “uhub[0-9]+”;
match “mode” “host”;
match “vendor” “0x20a0”;
match “product” “0x4230”;
action “logger NK HSM is attached and recognized”;
};
notify 100 {
match “system” “USB”;
match “subsystem” “DEVICE”;
match “type” “ATTACH”;
match “vendor” “0x20a0”;
match “product” “0x4230”;
action “/usr/local/etc/rc.d/pcscd onestart”;
};
notify 100 {
match “system” “USB”;
match “subsystem” “DEVICE”;
match “type” “DETACH”;
match “vendor” “0x20a0”;
match “product” “0x4230”;
action “/usr/local/etc/rc.d/pcscd onestop”;
};
attach 100 {
match “system” “USB”;
match “subsystem” “DEVICE”;
match “type” “ATTACH”;
match “vendor” “0x20a0”;
match “product” “0x4230”;
action “/usr/local/etc/rc.d/pcscd onestart”;
};
detach 100 {
match “system” “USB”;
match “subsystem” “DEVICE”;
match “type” “DETACH”;
match “vendor” “0x20a0”;
match “product” “0x4230”;
action “/usr/local/etc/rc.d/pcscd onestop”;
};
And there is another problem hidden: When I pull out one NK HSM, the pcscd is stopped. I need to change the rc-script to check the numbers of keys - but that might be not an GNU/Linux problem.
There is one difference between models, which could help you. All Nitrokey HSM’s have serial number 010000000000000000000000
, while Nitrokey HSM2 gets its iSerial
from the smart card.
This bash line works for me:
[ $(lsusb -d 20a0:4230 | wc -l ) -gt 0 ] || echo stop
Edit: I meant to replace the action “/usr/local/etc/rc.d/pcscd onestop”;
line with the bash script containing the mentioned source.
Thanks ! hat’s a good one to include in the start and the stop scripts for the daemon. Will try it ! Thanks
With pkcs11-tool --list-token
you will get both : serial num and also the serial number concatenated in the token label string:
pkcs11-tool --list-slots G ‘DENK|Slot’
Slot 0 (0x0): Nitrokey Nitrokey HSM (DENKxxxxxxx0000 ) 00 00
serial num : DENKxxxxxxx
Slot 1 (0x4): Nitrokey Nitrokey HSM (DENKyyyyyyy0000 ) 01 00
serial num : DENKyyyyyyy
Slot 2 (0x8): Nitrokey Nitrokey HSM (010000000000000000000000) 02 00
serial num : DENKzzzzzzz
Slot 3 (0xc): Nitrokey Nitrokey HSM (010000000000000000000000) 03 00
serial num : DENKwwwwwww
Update: Oh, I see: you mean iSerial from lsusb --verbose. And yes, there the serial number is not composed into the line of the reader
But still you will need to understand the slot no aligned with USB.
BTW: I wonder when I see the following things:
Slot 0 (0x0): Nitrokey Nitrokey HSM (DENKxxxxxxx0000 ) 00 00
manufacturer: Nitrokey
hardware ver: 0.0
firmware ver: 0.0
flags: token present, removable device, hardware slot
token label : UserPIN (SmartCard-HSM)
token manufacturer : www.CardContact.de
token model : PKCS#15 emulated
token flags : login required, rng, token initialized, PIN initialized
hardware version : 24.13
firmware version : 3.1
serial num : DENKxxxxxxx
pin min/max : 6/15
HW and FW Version is not used, manufacturer should be Nitrokey and not the Smartcard Card producer, nor ? And the token label always has the prefix of “UserPIN ( )” ???
Strange !
Sorry for delay.
This is the expected output. The smart card is identified with the ATR, and commands are suited for this one particular. I guess hardware and firmware version getters implementation could be added. Smart card firmware and hardware are present though.
I suspect UserPIN
seems to be a prefix for tokens, which require user PIN to execute operation over it (from my OpenPGP past experience), but I have not confirmed that.