Cannot Initialize new Nitrokey HSM

betabrain · January 8, 2024, 2:43pm

I’ve just received my Nitrokey HSM and am trying to initialize it. Unfortunately this fails:

user@macbook ~ % sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219 -vvv
P:14543; T:0x8001609408 15:42:26.330 [sc-hsm-tool] ctx.c:966:sc_context_create: ===================================
P:14543; T:0x8001609408 15:42:26.330 [sc-hsm-tool] ctx.c:967:sc_context_create: OpenSC version: 0.24.0
P:14543; T:0x8001609408 15:42:26.330 [sc-hsm-tool] ctx.c:968:sc_context_create: Configured for sc-hsm-tool (/opt/homebrew/Cellar/opensc/0.24.0/bin/sc-hsm-tool)
P:14543; T:0x8001609408 15:42:26.330 [sc-hsm-tool] reader-pcsc.c:898:pcsc_init: PC/SC options: connect_exclusive=0 disconnect_action=0 transaction_end_action=0 reconnect_action=0 enable_pinpad=1 enable_pace=1
P:14543; T:0x8001609408 15:42:26.331 [sc-hsm-tool] reader-pcsc.c:1399:pcsc_detect_readers: called
P:14543; T:0x8001609408 15:42:26.331 [sc-hsm-tool] reader-pcsc.c:1412:pcsc_detect_readers: Probing PC/SC readers
P:14543; T:0x8001609408 15:42:26.331 [sc-hsm-tool] reader-pcsc.c:1465:pcsc_detect_readers: Establish PC/SC context
P:14543; T:0x8001609408 15:42:26.340 [sc-hsm-tool] reader-pcsc.c:1348:pcsc_add_reader: Adding new PC/SC reader 'Nitrokey Nitrokey HSM'
P:14543; T:0x8001609408 15:42:26.340 [sc-hsm-tool] reader-pcsc.c:362:refresh_attributes: Nitrokey Nitrokey HSM check
P:14543; T:0x8001609408 15:42:26.341 [sc-hsm-tool] reader-pcsc.c:408:refresh_attributes: current  state: 0x00000022
P:14543; T:0x8001609408 15:42:26.341 [sc-hsm-tool] reader-pcsc.c:409:refresh_attributes: previous state: 0x00000000
P:14543; T:0x8001609408 15:42:26.341 [sc-hsm-tool] reader-pcsc.c:464:refresh_attributes: card present, changed
P:14543; T:0x8001609408 15:42:26.342 [sc-hsm-tool] reader-pcsc.c:1566:pcsc_detect_readers: Nitrokey Nitrokey HSM:SCardConnect(SHARED): 0x80100066
P:14543; T:0x8001609408 15:42:26.342 [sc-hsm-tool] reader-pcsc.c:1581:pcsc_detect_readers: returning with: 0 (Success)
P:14543; T:0x8001609408 15:42:26.343 [sc-hsm-tool] sc.c:340:sc_detect_card_presence: called
P:14543; T:0x8001609408 15:42:26.343 [sc-hsm-tool] reader-pcsc.c:472:pcsc_detect_card_presence: called
P:14543; T:0x8001609408 15:42:26.343 [sc-hsm-tool] reader-pcsc.c:362:refresh_attributes: Nitrokey Nitrokey HSM check
P:14543; T:0x8001609408 15:42:26.343 [sc-hsm-tool] reader-pcsc.c:387:refresh_attributes: returning with: 0 (Success)
P:14543; T:0x8001609408 15:42:26.343 [sc-hsm-tool] reader-pcsc.c:480:pcsc_detect_card_presence: returning with: 1
P:14543; T:0x8001609408 15:42:26.343 [sc-hsm-tool] sc.c:351:sc_detect_card_presence: returning with: 1
Using reader with a card: Nitrokey Nitrokey HSM
P:14543; T:0x8001609408 15:42:26.343 [sc-hsm-tool] sc.c:340:sc_detect_card_presence: called
P:14543; T:0x8001609408 15:42:26.343 [sc-hsm-tool] reader-pcsc.c:472:pcsc_detect_card_presence: called
P:14543; T:0x8001609408 15:42:26.343 [sc-hsm-tool] reader-pcsc.c:362:refresh_attributes: Nitrokey Nitrokey HSM check
P:14543; T:0x8001609408 15:42:26.344 [sc-hsm-tool] reader-pcsc.c:387:refresh_attributes: returning with: 0 (Success)
P:14543; T:0x8001609408 15:42:26.344 [sc-hsm-tool] reader-pcsc.c:480:pcsc_detect_card_presence: returning with: 1
P:14543; T:0x8001609408 15:42:26.344 [sc-hsm-tool] sc.c:351:sc_detect_card_presence: returning with: 1
Connecting to card in reader Nitrokey Nitrokey HSM...
P:14543; T:0x8001609408 15:42:26.344 [sc-hsm-tool] card.c:254:sc_connect_card: called
P:14543; T:0x8001609408 15:42:26.344 [sc-hsm-tool] reader-pcsc.c:611:pcsc_connect: called
P:14543; T:0x8001609408 15:42:26.344 [sc-hsm-tool] reader-pcsc.c:362:refresh_attributes: Nitrokey Nitrokey HSM check
P:14543; T:0x8001609408 15:42:26.344 [sc-hsm-tool] reader-pcsc.c:387:refresh_attributes: returning with: 0 (Success)
P:14543; T:0x8001609408 15:42:26.345 [sc-hsm-tool] reader-pcsc.c:634:pcsc_connect: Nitrokey Nitrokey HSM:SCardConnect failed: 0x80100066
P:14543; T:0x8001609408 15:42:26.345 [sc-hsm-tool] card.c:403:sc_connect_card: returning with: -1113 (Unresponsive card (correctly inserted?))
Failed to connect to card: Unresponsive card (correctly inserted?)
Failed to connect to card: Success
P:14543; T:0x8001609408 15:42:26.345 [sc-hsm-tool] ctx.c:1051:sc_release_context: called
P:14543; T:0x8001609408 15:42:26.345 [sc-hsm-tool] reader-pcsc.c:979:pcsc_finish: called

The other command also fails.

user@macbook ~ % pkcs11-tool --module /opt/homebrew/Cellar/opensc/0.24.0/lib/pkcs11/opensc-pkcs11.so --init-token --init-pin --so-pin=3537363231383830 --new-pin=648219 --label="test" --pin=648219
error: PKCS11 function C_GetSlotInfo failed: rv = CKR_DEVICE_ERROR (0x30)
Aborting.

Arturo_TheMonster · January 8, 2024, 4:24pm

I have exactly the same problem on win10 and win11 pc, on linux(centos7) it works as expected.

daringer · January 9, 2024, 5:26pm

hey @betabrain

Just crosschecked, there has been an update on the smartcard to 4.0 - this might be the reason for this issue - we are looking into it right now - I’ll update you through the support-ticket how to proceed.

Please write us using support(at)nitrokey(dot)com
thanks

betabrain · January 17, 2024, 8:04am

I’ve veen able to initialize the devices under Debian 12 without issue. I guess something is mission on the other OS though. I’ve tried OSX and OpenBSD.

daringer · January 17, 2024, 12:14pm

Yes, we observe this currently under windows and mac only…

betabrain · January 18, 2024, 2:57pm

I’m not sure why, but now that the HSM is initialized I can talk to it normally on OpenBSD too.

daringer · January 19, 2024, 1:44pm

can you confirm that it also works on mac after initialization ?

daringer · January 23, 2024, 4:08pm

it looks like this is an OpenSC issue/PR, see this issue here on github

especially the linked post has binaries which should resolve the issue, could you try these and report if this changes something for you?

daringer · January 25, 2024, 2:17pm

There are essentially two issues happening here in parallel:

Any Nitrokey HSM2 shipped from beginning of January 2024 until January 20th has an incompatibility with Windows and MacOSX, we have a new firmware in place to fix that, but the device needs to be sent in - if you have such a device and need Windows/MacOSX compatibility, please write us (support (at) nitrokey (dot) com) with your order number (SOxxxxxxx) and we’ll replace your device.
The OpenSC release 0.24 comes with a fresh new bug which also breaks Windows compatibility with many HSM devices (including the Nitrokey HSM2). So please use either 0.23 OR use the binaries you can find in the
related issue.

thanks for your patience,
best

saper · January 28, 2024, 1:25pm

What is different with those Nitrokey? Do you ship with Smartcard-HSM 4.0 chip now?

daringer · January 29, 2024, 11:23am

Hey,

yes, Smartcard 4.0 and an updated firmware, which now got updated again

best

saper · January 29, 2024, 3:30pm

Cool, if you ask me you could have named this Nitrokey HSM 3, I think the difference is substantial?