Generating an attestation certificate on the Nitrokey HSM 2

Hi all,

Is anybody aware of a way to generate an attestation certificate (ideally x509, but any format is acceptable) for a key stored on a Nitrokey HSM 2?

I’m looking for a feature similar to this one in the YubiHSM: https://developers.yubico.com/YubiHSM2/Concepts/Attestation.html

(It’d be nice if it was tied to a pre-loaded key that ultimately comes from a Nitrokey CA, but attesting against another key generated on the HSM would also be acceptable).

An attestation certificate is automatically generated for all public keys when you generate the key pair. If you use the Smart Card Shell to generate a key, then you can see the attestation certificate linked to the private key.

The attestation is actually an authenticated card verifiable certificate request (CSR) as defined in the BSI TR 03110, which is the basis of the EAC PKI used in passports and national eID cards. The CSR is signed by the device authentication key, which is certified by the Device Issuer CA, which is ultimately signed by the Scheme Root CA.

The CSR (we usually call the structure authenticated public key) is also used in the public key authentication, authenticated key derivation and XKEK key domain management. So it’s a quite universal mechanism in the SmartCard-HSM.

Unfortunately OpenSC does not have support for CV-Certificates, but our own PKCS#11 module does support those certificate types. Those CSR are also well supported in the Java and JavaScript support libraries. The PKI-as-a-Service Portal uses the CSRs when issuing certificates.

A brief explanation of the PKI in the context of Public Key Authentication can be found in this presentation.

Thanks for the response!

As a follow up – do you know where I can find public certificates for the Device Issuer CA and Scheme Root CA? I’m guessing that both of these are published by either Nitrokey or the Smartcard-HSM team.

The SRCA root certificate DESRCACC100001 is included in the OpenSC source code, the scsh/sc-hsm/SmartCardHSM.js module of the Smart Card Shell and is imported as trust anchor in any device produced.

The Device Issuer CA certificate is stored with the Device Certificate in the EF with id 2F02. The content in the file is actually the concatenation of the Device Certificate and the Device Issuer CA certificate, both as TLV encoded CV-Certificate.

To get an idea how that works, I’d suggest to take a look at the sc-hsm-sdk-scripts/examples/agreeKey.js script in the sc-hsm-workspace, that is part of the starterkit.

That example shows how you can use the authenticated key agreement mechanism to derive a common secret between two communication endpoints. The scheme uses key attestation to validate that the other public key used in ECDH is actually located on a SmartCard-HSM.

Thanks again! Sorry, one more follow-up: what format is DESRCACC1000001 in? It doesn’t appear to be BER, DER, or PKCS#12.

The certificate is a Card Verifiable Certificate (CVC) in the TR-03110 format commonly used for Extended Access Control (EAC) in passports, eID cards and electronic drivers licenses.

CVCs are much compacter that X.509 certificates and are small enough to be verified by a smart card. CVC certificates are the basic for a number of security features in the SmartCard-HSM (like public key authentication, authenticated key derivation, XKEK key domains etc.).

There is a script for the Smart Card Shell that you can use to open and display the content of the file.