I recently started playing around with the Nitrokey HSM 2. I followed the instructions on the nitrokey.com/start page to get it initialized. sc-hsm-tool --initialize allowed me to set the SO-PIN and the PIN. Ever since then, every command that asks me for either of those errors out.
I started with key initialization:
$ sc-hsm-tool --initialize
Using reader with a card: Nitrokey Nitrokey HSM
Enter SO-PIN (16 hexadecimal characters) :
Enter initial User-PIN (6 - 16 characters) :
After initialization, I tried a command which uses a login:
$ pkcs11-tool -l --list-slots
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM
token label : SmartCard-HSM (UserPIN)
token manufacturer : www.CardContact.de
token model : PKCS#15 emulated
token flags : login required, rng, token initialized, PIN initialized
hardware version : 24.13
firmware version : 3.3
serial num : DENK0103012
pin min/max : 6/15
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN:
error: PKCS11 function C_Login failed: rv = CKR_PIN_LEN_RANGE (0xa2)
Aborting.
Different command requiring a login:
$ pkcs11-tool --id 0 --read-object --type pubkey -l --module /usr/local/lib/opensc-pkcs11.so
Using slot 0 with a present token (0x0)
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN:
error: PKCS11 function C_Login failed: rv = CKR_PIN_LEN_RANGE (0xa2)
Aborting.
So I tried resetting the pin:
$ pkcs15-tool --unblock-pin
Using reader with a card: Nitrokey Nitrokey HSM
Enter PUK [SOPIN]:
Enter new PIN [UserPIN]:
PIN code too long, try again.
Obviously, somehow the pin code I used (16 chars) was too long, even though the initialize error did not give me any error whatsoever and it also told me the pin could be up to 16 chars long. Making the pin shorter worked:
$ pkcs15-tool --unblock-pin
Using reader with a card: Nitrokey Nitrokey HSM
Enter PUK [SOPIN]:
Enter new PIN [UserPIN]:
Enter new PIN again [UserPIN]:
No errors!
However, I still can’t use login:
$ pkcs11-tool -O --login
Using slot 0 with a present token (0x0)
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN:
error: PKCS11 function C_Login failed: rv = CKR_DATA_LEN_RANGE (0x21)
Aborting.
And now I also can’t unblock the pin anymore:
$ pkcs15-tool --unblock-pin
Using reader with a card: Nitrokey Nitrokey HSM
Enter PUK [SOPIN]:
Enter new PIN [UserPIN]:
Enter new PIN again [UserPIN]:
PIN unblocking failed: Invalid arguments
Even with the simplest pin (123456), I can’t make it work. Is there anything I can do to alleviate this problem?
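An added example, not part of the original post: a pre-flight check that compares candidate PIN lengths against the `pin min/max` line printed by `pkcs11-tool --list-slots` (6/15 in the output above, while the `sc-hsm-tool` prompt says 6 - 16) and checks the SO-PIN against the 16-hex-character format from that prompt. The function names are hypothetical, the sample PINs are constructed, and treating the token-reported range as the limit that `C_Login` enforces is an assumption.

```shell
#!/bin/sh
# Added example: validate PIN lengths before initializing or unblocking.
# Constructed sample: slot listing lines as shown in the post above.
SAMPLE_SLOT_INFO='Slot 0 (0x0): Nitrokey Nitrokey HSM
  token label        : SmartCard-HSM (UserPIN)
  pin min/max        : 6/15'

# pin_limits SLOT_INFO -> prints "MIN MAX" parsed from the "pin min/max" line,
# or nothing if the line is absent.
pin_limits() {
    printf '%s\n' "$1" |
        sed -n 's|^[[:space:]]*pin min/max[[:space:]]*:[[:space:]]*\([0-9][0-9]*\)/\([0-9][0-9]*\).*$|\1 \2|p' |
        head -n 1
}

# check_user_pin SLOT_INFO PIN
# Returns 0 = length within range, 1 = too short, 2 = too long,
# 3 = no "pin min/max" line found. Only the length of PIN is inspected.
check_user_pin() {
    limits=$(pin_limits "$1")
    [ -n "$limits" ] || return 3
    min=${limits% *}
    max=${limits#* }
    len=${#2}
    [ "$len" -ge "$min" ] || return 1
    [ "$len" -le "$max" ] || return 2
    return 0
}

# check_so_pin SOPIN -> 0 only for exactly 16 hexadecimal characters,
# the format requested by the sc-hsm-tool --initialize prompt.
check_so_pin() {
    case $1 in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 16 ]
}

# Demo on the constructed sample; with a token attached, pass
# "$(pkcs11-tool --list-slots)" as SLOT_INFO instead.
for pin in 123456 1234567890123456; do
    if check_user_pin "$SAMPLE_SLOT_INFO" "$pin"; then
        echo "PIN of length ${#pin}: within token-reported range"
    else
        echo "PIN of length ${#pin}: outside token-reported range"
    fi
done
```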