Fail to access virgin Nitrokey HSM (CKR_GENERAL_ERROR) / sc-hsm-tool not available on Centos 7


#1

At the first use of an HSM device after opening the sealed package I received
PKCS11 function C_Login failed: rv = CKR_GENERAL_ERROR (0x5) when trying to login with pkcs11-tool --login --pin=648219 --test.

The hardware level is:

/usr/local/bin/pkcs11-tool --list-token-slots
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (010000000000000000000000) 00 00
token label : UserPIN (SmartCard-HSM)
token manufacturer : www.CardContact.de
token model : PKCS#15 emulated
token flags : login required, rng, token initialized, PIN initialized
hardware version : 24.13
firmware version : 2.3
serial num : DENK0100630
pin min/max : 6/15

I tried this on Centos 7.6.1810 both with stock OpenSC (0.16) and with 0.19 from tarball. (I tried OSX with OpenSC from brew and github as well, but pkcs11-tool [--module /usr/local/lib/opensc-pkcs11.so] --show-info hung).

I tried this with 2 different HSM devices with the same result.

Any idea how to get past this issue?
Thanks, Rainer


#2

You need to initialize the device first. https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM#initialize-the-device


#3

I tried this as well, but it causes another error. But why would I need to initialize? --list-token-slots shows an initialized device.

pkcs11-tool --init-token --init-pin --so-pin=3537363231383830 --new-pin=648219 --label="test" --pin=648219
Using slot 0 with a present token (0x0)
error: PKCS11 function C_InitToken failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)

#4

Have you tried:
sc-hsm-tool
You might receive something like

Using reader with a card: Nitrokey Nitrokey HSM (DENK01011190000         ) 00 00
Version              : 3.1
SmartCard-HSM has never been initialized. Please use --initialize to set SO-PIN and user PIN. 

pkcs11-tool will always show initialized.
I recommend using sc-hsm-tool as you are able to do the full maintenance (e.g. init with DKEK, which is not available in PKCS#11); man will help you with the exact syntax :smiley:
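As an added example (not part of the thread), a small POSIX sh pre-flight that applies the advice above: it treats sc-hsm-tool's output as the source of truth for whether the SmartCard-HSM has been initialized, and only then attempts the pkcs11-tool login that failed with CKR_GENERAL_ERROR in the first post. It assumes sc-hsm-tool and pkcs11-tool are on the PATH (SC_HSM_TOOL is a hypothetical override variable).

```shell
# Classify sc-hsm-tool output read from stdin. pkcs11-tool reports
# "token initialized" even on a factory-fresh device, so we do not trust it.
# Prints one of: uninitialized | initialized | unknown
hsm_state_from_output() {
    out=$(cat)
    case "$out" in
        *"has never been initialized"*) echo uninitialized ;;
        *"PIN tries left"*)             echo initialized ;;
        *)                              echo unknown ;;
    esac
}

# Gate the login on sc-hsm-tool's verdict. Returns:
#   2 if sc-hsm-tool is missing (the thread's cause: OpenSC built without
#     openssl-devel), 3 if the device is factory-fresh, 4 if undetermined,
#   otherwise the exit status of pkcs11-tool --login --test.
hsm_preflight_login() {
    pin="$1"
    tool="${SC_HSM_TOOL:-sc-hsm-tool}"   # hypothetical override, defaults to PATH lookup
    if ! command -v "$tool" >/dev/null 2>&1; then
        echo "sc-hsm-tool not found: rebuild OpenSC with openssl-devel installed" >&2
        return 2
    fi
    state=$("$tool" 2>&1 | hsm_state_from_output)
    case "$state" in
        uninitialized)
            echo "device is factory-fresh: run sc-hsm-tool --initialize first" >&2
            return 3 ;;
        initialized)
            pkcs11-tool --login --pin "$pin" --test ;;
        *)
            echo "could not determine device state from sc-hsm-tool output" >&2
            return 4 ;;
    esac
}
```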


#5

It has not been installed from opensc-0.19.0.tar.gz. How can I get it?


#6

It is part of OpenSC 0.19. In case you use Linux, you find some OpenSC packages for Debian and Ubuntu here: https://github.com/Nitrokey/opensc-build


#8

CentOS. Is there a tarball like for the main package?


#9

You might want to compile it by yourself. The sources are here: OpenSC, and here are compilation instructions.


#10

The standard process as documented does not make sc-hsm-tool.

I am not familiar with this make system and would appreciate help on how to build this option. (Is it an undocumented option, or is it missing due to an error in the make files?)


#11

I am running FreeBSD and there it is part of pkg (package manager) and ports (compiling source) of OpenSC 0.19.0. It is also part of the src directory of OpenSC. In case it is not part of CentOS, have a look at https://github.com/OpenSC/OpenSC/wiki/Compiling-and-Installing-on-Unix-flavors
There is a step-by-step description and it should be the same for your CentOS. When there is no yum package you could also try to find an rpm package in case you prefer not to install it with make.

I recommend using the above-mentioned instructions to install OpenSC manually - in case there is no yum package. It is very fast.


#12

@r2h2 I will check that later by trying to build it in a Docker instance.

In the meantime, perhaps it would be easier to handle this via running packaged binaries through another OS, e.g. Debian via Docker? That surely works for GnuPG for us, as in https://github.com/Nitrokey/gpg-docker.

@Peacekeeper I think the mentioned binary is not building for @r2h2, while following the instructions.


#13

It builds for me in the latest Ubuntu, without any modification of the build procedure: https://github.com/Nitrokey/opensc-docker. See https://github.com/Nitrokey/gpg-docker/wiki for how to use the Docker container.

Edit: adding listing

Execution listing
sz@szpc-fedora-localdomain ~/w/o/opensc-docker> ./docker-run-command.sh
Running script with root privileges
=== Closing working pcscd on host
pcscd: no process found
scdaemon: no process found
root@szpc-fedora-localdomain:/app# pcscd
root@szpc-fedora-localdomain:/app# pkcs11-tool -L
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (010000000000000000000000) 00 00
  token label        : UserPIN (SmartCard-HSM)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 24.13
  firmware version   : 2.0
  serial num         : DENK0100398
  pin min/max        : 6/15

root@szpc-fedora-localdomain:/app# sc-hsm-tool
Using reader with a card: Nitrokey Nitrokey HSM (010000000000000000000000) 00 00
Version              : 2.0
Config options       :
  User PIN reset with SO-PIN enabled
SO-PIN tries left    : 15
User PIN tries left  : 3


#14

Thanks. Coincidentally I just built the container from https://github.com/cremuzzi/docker-opensc in parallel, and was able to initialize the token. I was able to login with pkcs11-tool on centos/opensc 0.16 afterwards.

This is a good workaround. However, in the target environment the procedures are established around RHEL distros, so it would be nice to be able to update to the current build on RHEL and CentOS.


#15

I published my centos-based Dockerfile at https://github.com/rhoerbe/d-opensc

opensc-tool is available in the image, but sc-hsm-tool is not. I suspect that there is an issue with the make files that work on Debian but not CentOS.


#16

To finish up this thread I submitted an issue.


#17

Resolution: need to install openssl-devel as documented.


#18

Glad that you were able to install and init the key. Remember that - in case you want to back up - you also need to init with DKEK (even if you don’t use n-of-m). Otherwise in case of a broken HSM you restart from scratch :smiley: (and that could be fun on a server)


#19

Thx. I realized now that I cannot download a private key to the Nitro HSM. My use case is the migration from an Aladdin eToken to an alternative, using an existing key (the keys were generated with a key signing ceremony etc, and should be used for some time). The application is using pykcs11 to generate XML signatures.

Now I am testing the Nitro Pro to see if it can sign via pkcs11.


#20

You can import an existing key to the Nitrokey HSM (if it’s not locked in the Aladdin eToken)…


#21

Yes, the keys were generated externally to have backups (which also saved us from the Return of the Coppersmith’s Attack of the Infineon chip.)

Except for --module, I am using the same arguments for NitroHSM and eToken:
pkcs11-tool --login --pin 648219 -w /ramdisk/testcert_key.der --type privkey --label sigkey --so-pin="$SOPIN"

While eToken works, I receive CKR_FUNCTION_NOT_SUPPORTED (0x54) with the NitroHSM. For the certificate I get CKR_GENERAL_ERROR.