Generating an attestation certificate on the Nitrokey HSM 2

Hi all,

Is anybody aware of a way to generate an attestation certificate (ideally x509, but any format is acceptable) for a key stored on a Nitrokey HSM 2?

I’m looking for a feature similar to this one in the YubiHSM: Attestation

(It’d be nice if it was tied to a pre-loaded key that ultimately comes from a Nitrokey CA, but attesting against another key generated on the HSM would also be acceptable).

An attestation certificate is automatically generated for all public keys when you generate the key pair. If you use the Smart Card Shell to generate a key, then you can see the attestation certificate linked to the private key.

The attestation is actually an authenticated card verifiable certificate request (CSR) as defined in the BSI TR 03110, which is the basis of the EAC PKI used in passports and national eID cards. The CSR is signed by the device authentication key, which is certified by the Device Issuer CA, which is ultimately signed by the Scheme Root CA.

The CSR (we usually call the structure authenticated public key) is also used in the public key authentication, authenticated key derivation and XKEK key domain management. So it’s a quite universal mechanism in the SmartCard-HSM.

Unfortunately OpenSC does not have support for CV-Certificates, but our own PKCS#11 module does support those certificate types. Those CSR are also well supported in the Java and JavaScript support libraries. The PKI-as-a-Service Portal uses the CSRs when issuing certificates.

A brief explanation of the PKI in the context of Public Key Authentication can be found in this presentation.

Thanks for the response!

As a follow up – do you know where I can find public certificates for the Device Issuer CA and Scheme Root CA? I’m guessing that both of these are published by either Nitrokey or the Smartcard-HSM team.

The SRCA root certificate DESRCACC100001 is included in the OpenSC source code, the scsh/sc-hsm/SmartCardHSM.js module of the Smart Card Shell and is imported as trust anchor in any device produced.

The Device Issuer CA certificate is stored with the Device Certificate in the EF with id 2F02. The content in the file is actually the concatenation of the Device Certificate and the Device Issuer CA certificate, both as TLV encoded CV-Certificate.

To get an idea how that works, I’d suggest to take a look at the sc-hsm-sdk-scripts/examples/agreeKey.js script in the sc-hsm-workspace, that is part of the starterkit.

That example shows how you can use the authenticated key agreement mechanism to derive a common secret between two communication endpoints. The scheme uses key attestation to validate that the other public key used in ECDH is actually located on a SmartCard-HSM.

Thanks again! Sorry, one more follow-up: what format is DESRCACC1000001 in? It doesn’t appear to be BER, DER, or PKCS#12.

The certificate is a Card Verifiable Certificate (CVC) in the TR-03110 format commonly used for Extended Access Control (EAC) in passports, eID cards and electronic drivers licenses.

CVCs are much compacter that X.509 certificates and are small enough to be verified by a smart card. CVC certificates are the basic for a number of security features in the SmartCard-HSM (like public key authentication, authenticated key derivation, XKEK key domains etc.).

There is a script for the Smart Card Shell that you can use to open and display the content of the file.

Hello, I’m a bit late to this party.

I’m interested in retrieving these certificates from the Nitrokey HSM2 using an API (i.e., not a CLI app) - are there any libraries which I could use for that, or is there any documentation on how the interface looks if I were to try and write a library from scratch?

From the examples that you mention I can tell that the sc-hsm examples use smartcard-specific protocols (using APDUs…) - is that how the core of the functionality is meant to be accessed?

The PKCS#11 module supports reading the device and device issuer certificate and also allows reading the CSR with attestation:

asc@caprese:~/share/projects/sc-hsm-embedded$ pkcs11-tool --module src/pkcs11/.libs/ -O
Using slot 0 with a present token (0x5)
Certificate Object; type = unknown cert type
  label:      C.DevAut
Certificate Object; type = unknown cert type
  label:      C.DICA

pkcs11-tool from OpenSC reports “unknown cert type”, because it does not support CVCs.

For Java you can use the OCF module or the SmartCard-HSM JCE-Provider.