[FIXED] Nitrokey HSM2 does not accept pin or so-pin after initialization

I recently started playing around with the Nitrokey HSM 2. I followed the instructions on the nitrokey.com/start page to get it initialized. sc-hsm-tool --initialize allowed me to set the SO-PIN and the PIN. Ever since then, every command that asks me for either of those errors out.

I started with key initialization:

 $ sc-hsm-tool --initialize
Using reader with a card: Nitrokey Nitrokey HSM
Enter SO-PIN (16 hexadecimal characters) :

Enter initial User-PIN (6 - 16 characters) :

After initialization, I tried a command which uses a login:

 $ pkcs11-tool -l --list-slots
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM
  token label        : SmartCard-HSM (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 24.13
  firmware version   : 3.3
  serial num         : DENK0103012
  pin min/max        : 6/15
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN:
error: PKCS11 function C_Login failed: rv = CKR_PIN_LEN_RANGE (0xa2)
Aborting.

Different command requiring a login:

 $ pkcs11-tool --id 0 --read-object --type pubkey -l --module /usr/local/lib/opensc-pkcs11.so
Using slot 0 with a present token (0x0)
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN:
error: PKCS11 function C_Login failed: rv = CKR_PIN_LEN_RANGE (0xa2)
Aborting.

So I tried resetting the pin:

 $ pkcs15-tool --unblock-pin
Using reader with a card: Nitrokey Nitrokey HSM
Enter PUK [SOPIN]:
Enter new PIN [UserPIN]:
PIN code too long, try again.

Obviously, somehow the pin code I used (16 chars) was too long, even though the initialize error did not give me any error whatsoever and it also told me the pin could be up to 16 chars long. Making the pin shorter worked:

 $ pkcs15-tool --unblock-pin
Using reader with a card: Nitrokey Nitrokey HSM
Enter PUK [SOPIN]:
Enter new PIN [UserPIN]:
Enter new PIN again [UserPIN]:

No errors!

However, I still can’t use login:

 $ pkcs11-tool -O --login
Using slot 0 with a present token (0x0)
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN:
error: PKCS11 function C_Login failed: rv = CKR_DATA_LEN_RANGE (0x21)
Aborting.

And now I also can’t unblock the pin anymore:

 $ pkcs15-tool --unblock-pin
Using reader with a card: Nitrokey Nitrokey HSM
Enter PUK [SOPIN]:
Enter new PIN [UserPIN]:
Enter new PIN again [UserPIN]:
PIN unblocking failed: Invalid arguments

Even with the simplest pin (123456), I can’t make it work. Is there anything I can do to alleviate this problem?

Fixed. Using the information here: https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM#initialize-the-device

 $ pkcs11-tool --login --login-type so --init-pin
Using slot 0 with a present token (0x0)
Logging in to "SmartCard-HSM (UserPIN)".
Please enter SO PIN:
Please enter the new PIN:
Please enter the new PIN again:
User PIN successfully initialized

Login now seems to work!

 $ pkcs11-tool -O --login
Using slot 0 with a present token (0x0)
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN:
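The token info in the post reports `pin min/max : 6/15`, so a candidate PIN's length can be checked against that line before it is set. The script below is an added example, not part of the original post: the function names `pin_limits` and `check_pin_length` are hypothetical, and the slot info and PINs are constructed samples based on the output quoted above.

```shell
#!/bin/sh
# Constructed sample: token info in the form printed by `pkcs11-tool --list-slots`.
sample_slot_info() {
cat <<'EOF'
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM
  token label        : SmartCard-HSM (UserPIN)
  token flags        : login required, rng, token initialized, PIN initialized
  pin min/max        : 6/15
EOF
}

# pin_limits (hypothetical helper): read slot info on stdin and print "MIN MAX"
# from the first "pin min/max" line. Exits non-zero if no such line exists.
pin_limits() {
  awk -F: '/pin min\/max/ {
             gsub(/[ \t]/, "", $2); split($2, r, "/")
             print r[1], r[2]; found = 1; exit
           }
           END { if (!found) exit 1 }'
}

# check_pin_length PIN (hypothetical helper): slot info on stdin.
# Returns 0 if the PIN length is inside the token's range, 1 if outside,
# 2 if the range could not be read. Length is counted for ASCII PINs.
check_pin_length() {
  pin=$1
  limits=$(pin_limits) || { echo "no pin min/max line found" >&2; return 2; }
  set -- $limits
  len=${#pin}
  if [ "$len" -lt "$1" ] || [ "$len" -gt "$2" ]; then
    echo "PIN length $len is outside the token's range $1-$2" >&2
    return 1
  fi
  return 0
}

# Demo with constructed PINs: 16 characters is rejected, 6 is accepted.
sample_slot_info | check_pin_length "0123456789abcdef" || echo "rejected 16-character PIN"
sample_slot_info | check_pin_length "123456" && echo "accepted 6-character PIN"
```

Against a real token, pipe `pkcs11-tool --list-slots` into `check_pin_length` instead of the sample; with several slots only the first `pin min/max` line is used.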