At the first use of an HSM device after opening the sealed package I received "PKCS11 function C_Login failed: rv = CKR_GENERAL_ERROR (0x5)" when trying to log in with pkcs11-tool --login --pin=648219 --test.
The hardware level is:
/usr/local/bin/pkcs11-tool --list-token-slots
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (010000000000000000000000) 00 00
token label : UserPIN (SmartCard-HSM)
token manufacturer : www.CardContact.de
token model : PKCS#15 emulated
token flags : login required, rng, token initialized, PIN initialized
hardware version : 24.13
firmware version : 2.3
serial num : DENK0100630
pin min/max : 6/15
I tried this on CentOS 7.6.1810 both with stock OpenSC (0.16) and with 0.19 from the tarball. (I tried OSX with OpenSC from brew and GitHub as well, but pkcs11-tool [--module /usr/local/lib/opensc-pkcs11.so] --show-info hung.)
I tried this with 2 different HSM devices with the same result.
Any idea how to get past this issue?
Thanks, Rainer
Have you tried sc-hsm-tool?
You might receive something like
Using reader with a card: Nitrokey Nitrokey HSM (DENK01011190000 ) 00 00
Version : 3.1
SmartCard-HSM has never been initialized. Please use --initialize to set SO-PIN and user PIN.
pkcs11-tool will always show "initialized".
I recommend using sc-hsm-tool, as you are able to do the full maintenance with it (e.g. init with DKEK, which is not available in PKCS#11). The man page will help you with the exact syntax.
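Added example (not from this thread and not OpenSC's own code): a small POSIX shell helper that reads the status output of sc-hsm-tool and reports the card's real state, since pkcs11-tool shows "token initialized" regardless. The two sample outputs are constructed to match the ones quoted in this thread; the PIN-warning threshold is an assumption.

```shell
#!/bin/sh
# Added example, not part of the thread. Reads sc-hsm-tool output on stdin and
# prints one word: uninitialized | pin-warning | ok | unknown
# Assumption: warn when fewer than PIN_WARN_BELOW user PIN tries remain
# (the SmartCard-HSM in the thread reports 3 when fresh).
PIN_WARN_BELOW=3

# Extract "User PIN tries left : N" from the output (empty if absent).
user_pin_tries_left() {
    sed -n 's/^User PIN tries left *: *\([0-9][0-9]*\).*/\1/p'
}

classify_hsm_status() {
    out=$(cat)
    # A never-initialized card says so explicitly, even though pkcs11-tool
    # reports "token initialized" for it.
    if printf '%s\n' "$out" | grep -q 'has never been initialized'; then
        echo uninitialized
        return 0
    fi
    tries=$(printf '%s\n' "$out" | user_pin_tries_left)
    if [ -z "$tries" ]; then
        echo unknown            # not sc-hsm-tool output, or no card found
        return 0
    fi
    if [ "$tries" -lt "$PIN_WARN_BELOW" ]; then
        echo pin-warning        # failed login attempts are eating the counter
        return 0
    fi
    echo ok
}

# Constructed samples, modelled on the outputs quoted in this thread.
SAMPLE_FRESH='Using reader with a card: Nitrokey Nitrokey HSM (DENK01011190000 ) 00 00
Version : 3.1
SmartCard-HSM has never been initialized. Please use --initialize to set SO-PIN and user PIN.'

SAMPLE_INIT='Using reader with a card: Nitrokey Nitrokey HSM (010000000000000000000000) 00 00
Version : 2.0
Config options :
User PIN reset with SO-PIN enabled
SO-PIN tries left : 15
User PIN tries left : 3'

# Real use against a plugged-in card would be:  sc-hsm-tool 2>&1 | classify_hsm_status
printf '%s\n' "$SAMPLE_FRESH" | classify_hsm_status
printf '%s\n' "$SAMPLE_INIT" | classify_hsm_status
```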
The standard process as documented does not make sc-hsm-tool.
I am not familiar with this make system and would appreciate help on how to build this option. (Is it an undocumented option, or is it missing due to an error in the make files?)
I am running FreeBSD, and there it is part of pkg (the package manager) and ports (compiling from source) of OpenSC 0.19.0. It is also part of the src directory of OpenSC. In case it is not part of CentOS, have a look at https://github.com/OpenSC/OpenSC/wiki/Compiling-and-Installing-on-Unix-flavors
There is a step-by-step description, and it should be the same for your CentOS. When there is no yum package you could also try to find an rpm package, in case you prefer not to install it with make.
I recommend using the above-mentioned instructions to install OpenSC manually, in case there is no yum package. It is very fast.
@r2h2 I will check that later by trying to build it in a Docker instance.
In the meantime, perhaps it would be easier to handle this by running packaged binaries through another OS, e.g. Debian via Docker? That surely works for GnuPG for us, as in https://github.com/Nitrokey/gpg-docker.
@Peacekeeper I think the mentioned binary is not building for @r2h2, while following the instructions.
sz@szpc-fedora-localdomain ~/w/o/opensc-docker> ./docker-run-command.sh
Running script with root privileges
=== Closing working pcscd on host
pcscd: no process found
scdaemon: no process found
root@szpc-fedora-localdomain:/app# pcscd
root@szpc-fedora-localdomain:/app# pkcs11-tool -L
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (010000000000000000000000) 00 00
token label : UserPIN (SmartCard-HSM)
token manufacturer : www.CardContact.de
token model : PKCS#15 emulated
token flags : login required, rng, token initialized, PIN initialized
hardware version : 24.13
firmware version : 2.0
serial num : DENK0100398
pin min/max : 6/15
root@szpc-fedora-localdomain:/app# sc-hsm-tool
Using reader with a card: Nitrokey Nitrokey HSM (010000000000000000000000) 00 00
Version : 2.0
Config options :
User PIN reset with SO-PIN enabled
SO-PIN tries left : 15
User PIN tries left : 3
Thanks. Coincidentally I just built the container from https://github.com/cremuzzi/docker-opensc in parallel, and was able to initialize the token. I was able to log in with pkcs11-tool on CentOS/OpenSC 0.16 afterwards.
This is a good workaround. However, in the target environment the procedures are established around RHEL distros, so it would be nice to be able to update to the current build on RHEL and CentOS.
opensc-tool is available in the image, but sc-hsm-tool is not. I suspect that there is an issue with the make files that work on Debian but not CentOS.
Glad that you were able to install and init the key. Remember that, in case you want to back up, you also need to init with DKEK (even if you don't use n-of-m). Otherwise, in case of a broken HSM, you restart from scratch (and that could be fun on a server).
Thanks. I realized now that I cannot download a private key to the Nitro HSM. My use case is the migration from an Aladdin eToken to an alternative, using an existing key (the keys were generated with a key signing ceremony etc., and should be used for some time). The application is using pykcs11 to generate XML signatures.
Now I am testing the Nitro Pro to see if it can sign via pkcs11.
Yes, the keys were generated externally to have backups (which also saved us from the Return of the Coppersmith’s Attack of the Infineon chip.)
Except for --module, I am using the same arguments for the Nitro HSM and the eToken:
pkcs11-tool --login --pin 648219 -w /ramdisk/testcert_key.der --type privkey --label sigkey --so-pin="$SOPIN"
While the eToken works, I receive CKR_FUNCTION_NOT_SUPPORTED (0x54) with the Nitro HSM. For the certificate I get CKR_GENERAL_ERROR.