Globalsign: No Cryptographic Service Provider listed - Nitrokey HSM2, install cert via CSP in Internet Explorer

Which RSA key length and which OpenSC version are you using?

RSA Public Key: 2048

Private Key 2048 bit

OpenSC 0.19.0

Hi,

any news here? Any idea?
It should be possible to choose “OpenSC CSP” as Cryptography Security Provider, right?

Here for example:
https://secure.comodo.net/products/frontpage?area=SecureEmailCertificate
This is available to choose at comodo.

But not on the page of globalsign. (cannot post the link here, as it contains a personal token)

Hello,

as far as I understand, the OpenSC driver is not shown in the combobox of GlobalSign. I would have thought that OpenSC should be shown anyway, no matter if a device is already plugged in. So it looks to me as if this connection between the website and the CSP does not work yet, no matter which OpenSC-compatible device you would plug in.

So the problem may be connected to the OpenSC installation itself or the way the GlobalSign website is working.

Or did I get it wrong?

Kind regards
Alex

Hi,

so I’ll contact globalsign again. They need to tell me, why OpenSC is not visible in the selection.

For future reference, the solution seems to be provided at Signtool usage with Nitrokey HSM

No, sorry… I still do not have the official certificate on the HSM. It is not yet possible. Globalsign Support is still in contact with me.

But to proceed to the second stage (doing the signing), I added a self signed certificate to try code signing.

Which one should be the right one and selectable in the combobox to be able to install the certificate on the HSM?

  • Microsoft Base Smart Card Crypto Provider
  • OpenSC CSP
  • Microsoft Enhanced Cryptographic Provider v1.0

I now tried with comodo if I am anyhow able to write a certificate to the HSM 2…

https://secure.comodo.net/products/frontpage?area=SecureEmailCertificate

Using “OpenSC CSP” and “Microsoft base Smart Card Crypto Provider” - both tell me:
"Smartcard is readonly" What’s wrong?

Strange is, it does not ask me for a PIN.


Using Microsoft Enhanced Cryptographic Provider, it will save the certificate wherever, but not on the smartcard :slight_smile:

Can you add this to the app default section in the opensc.conf file ? That is located in the OpenSC installation directory.

These are the default settings for a SmartCard-HSM, but I just figured that for the new ATR there is no definition in the defaults.

# SmartCard-HSM 4k with contact-based interface or USB-Stick
card_atr 3B:DE:18:FF:81:91:FE:1F:C3:80:31:81:54:48:53:4D:31:73:80:21:40:81:07:1C {
	driver = "sc-hsm";
	read_only = false;
	md_supports_X509_enrollment = true;
	md_supports_container_key_gen = true;
	md_guid_as_label = true;
}

read_only is true if there is no card-specific setting.

Hi,

did you try that?

I appended the mentioned part here:
C:\Program Files\OpenSC Project\OpenSC\opensc.conf

I even put the part at the beginning of the file and at the end.

But I still get “Smartcard is readonly”.

Also rebooted my computer after the change.

Try replacing “read_only” with “md_read_only”. That is the correct key for 0.19. Only post 0.19 versions use “read_only”.

Did not work either. Still the same error. “Smartcard is read only”

Also rebooted computer. (don’t know if it is necessary)

Anything else missing?

Using OpenSC 0.19

This is what my C:\Program Files\OpenSC Project\OpenSC\opensc.conf now contains:

app default {
	# debug = 3;
	# debug_file = opensc-debug.txt;
	framework pkcs15 {
		# use_file_caching = true;
	}
}

# SmartCard-HSM 4k with contact-based interface or USB-Stick
card_atr 3B:DE:18:FF:81:91:FE:1F:C3:80:31:81:54:48:53:4D:31:73:80:21:40:81:07:1C {
	driver = "sc-hsm";
	md_read_only = false;
	md_supports_X509_enrollment = true;
	md_supports_container_key_gen = true;
	md_guid_as_label = true;
}

The card_atr section must be in app default {}

app default {
	# debug = 3;
	# debug_file = opensc-debug.txt;
	framework pkcs15 {
		# use_file_caching = true;
	}

	# SmartCard-HSM 4k with contact-based interface or USB-Stick
	card_atr 3B:DE:18:FF:81:91:FE:1F:C3:80:31:81:54:48:53:4D:31:73:80:21:40:81:07:1C {
		driver = "sc-hsm";
		md_read_only = false;
		md_supports_X509_enrollment = true;
		md_supports_container_key_gen = true;
		md_guid_as_label = true;
	}
}

I also added a working opensc.conf to the starterkit.
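To make the two rules from this post checkable (the card_atr block must be nested inside app default, and OpenSC 0.19 wants md_read_only rather than read_only), here is a small checker I wrote for this thread; it is not part of the OpenSC project or the starterkit, and the two sample configs inside it are constructed to mirror the non-working and the working layout posted above.

```python
# Added checker for the opensc.conf layout discussed above (not from the
# thread or the OpenSC project): it parses the brace-delimited config and
# verifies the card_atr block for the SmartCard-HSM ATR is nested inside
# `app default { }` and uses the read-only key name for the OpenSC version.
HSM_ATR = "3B:DE:18:FF:81:91:FE:1F:C3:80:31:81:54:48:53:4D:31:73:80:21:40:81:07:1C"

def parse_entries(text):
    # Returns [(path, key, value)]; path is the tuple of enclosing block headers.
    entries, stack = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # strip comments and whitespace
        if line.endswith("{"):                      # block header, e.g. "app default {"
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        elif "=" in line:                           # "key = value;"
            key, value = line.rstrip(";").split("=", 1)
            entries.append((tuple(stack), key.strip(), value.strip().strip('"')))
    return entries

def check_hsm_config(text, opensc_version="0.19"):
    # Returns a list of problems; an empty list means the layout matches the fix.
    header = "card_atr " + HSM_ATR
    entries = [e for e in parse_entries(text) if e[0] and e[0][-1] == header]
    if not entries:
        return ["no card_atr block for the SmartCard-HSM ATR"]
    problems = []
    if entries[0][0] != ("app default", header):
        problems.append("card_atr block must be nested inside app default { }")
    block = {key: value for _, key, value in entries}
    # 0.19 reads md_read_only; later releases use read_only (as stated in the thread).
    expected = "md_read_only" if opensc_version == "0.19" else "read_only"
    if block.get(expected) != "false":
        problems.append(f"need {expected} = false for OpenSC {opensc_version}")
    return problems

# Constructed samples: a block outside app default with the post-0.19 key, and the corrected one.
BAD_CONF = f"""app default {{
}}
card_atr {HSM_ATR} {{
    driver = "sc-hsm";
    read_only = false;
}}
"""
GOOD_CONF = f"""app default {{
    card_atr {HSM_ATR} {{
        driver = "sc-hsm";
        md_read_only = false;
    }}
}}
"""
```

Running check_hsm_config on the contents of opensc.conf reports both mistakes from this thread at once instead of one reboot-and-retry per guess.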

ahh… ok.

Now it tells me “smartcard can be used” :smile:

But in the next step I get a popup:


What next?

Can you create a log file ?

You need to create a c:\tmp directory and using regedit set HKEY_LOCAL_MACHINE/Software/OpenSC Project/OpenSC/MiniDriverDebug to 1.

The log does not show an error. According to it, the device contains a key ‘codesigntest’ and a certificate. Let’s check at OpenSC if someone has an idea what is going wrong.

Created an issue on OpenSC.

Hi,

ok they said try the branch “frankmorgner:bin_to_hex”

So it looks like I have to try to compile it myself?..

Hi,

There should be some ready-to-install build artefacts from the CI, but I cannot find them. Will ask.

Hi,

additional question:
is the Nitrokey HSM 2/3/4k conforming to at least FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent?

Because that is the minimum requirement for Issuance and Management of Code signing chapter 16.3 of the Code Signing Working Group. (see https://casecurity.org/wp-content/uploads/2016/09/Minimum-requirements-for-the-Issuance-and-Management-of-code-signing.pdf)