GPError: Card (CARD_INVALID_SW/28416)

Hi,
On an HSM I created a PKA with 2 key domains: one DKEK with a group signer key and one XKEK. But after the creation of the XKEK key domain the HSM is not usable anymore with SCS 3.18.39.

GPError: Card (CARD_INVALID_SW/28416) - “Unexpected SW1/SW2=6F00 (Checking error: No precise diagnosis) received” in C:\Users\[Username]\Downloads\scsh-3.18.39\scsh\sc-hsm\ManagePKA.js#226
at C:\Users\Username\Downloads\scsh-3.18.39\scsh\sc-hsm\ManagePKA.js#226
at C:\Users\Username\Downloads\scsh-3.18.39\keymanager\keymanager.js#405
at C:\Users\Username\Downloads\scsh-3.18.39\keymanager\keymanager.js#388
at C:\Users\Username\Downloads\scsh-3.18.39\keymanager\keymanager.js#331
at C:\Users\Username\Downloads\scsh-3.18.39\keymanager\keymanager.js#1495
at C:\Users\Username\Downloads\scsh-3.18.39\keymanager\keymanager.js#294
at C:\Users\Username\Downloads\scsh-3.18.39\keymanager\keymanager.js#310

This is the same on another computer.
pkcs15-tool --reader 1 -D is showing something. Also sc-hsm-tool -r 1 is showing Version 3.5.

I initialized the token via sc-hsm-tool but I cannot update the token via PKI as a service. It is not recognized as a token to be selected for a firmware update…
I initialized the token again with SCS, rebooted the PC, then I was able to register the token, but currently the Token ID is not selectable.
It seems that when I select Home > Update Firmware > Create Firmware Update Request a new service request is being created which I cannot cancel. :astonished:

I am not able to reproduce this but did not test it 100% the same way.

This is the way it was done:
Initialize Device
using SCS on the secure computer

  • “Initialize Device”
  • Enter agreed SO-PIN
  • Enter “uu vvv ww HSM” as a label name for the HSM
  • click OK without entering a provisioning URL
  • select authentication mechanism “Public Key Authentication”
  • enter 3 for the total number of public keys
  • enter 2 for the number of public keys required for authentication
  • click “Yes” to allow replacing registered public keys
  • select Device Key Encryption scheme “Key Domains”
  • Enter number of key domains 2
  • right-click on the authentication state and select “Register Public Key”
  • select the public key previously exported from the key custodian's HSM
  • Add the key issued to XXX on device XXX, select OK
  • repeat this with the other public keys
  • optional right-click on the authenticated public keys and select “Logout”

test PKA with SCS

  • optional plugin the HSM from key custodian #1
  • optional replugin the HSM with PKA
  • right-click on the authentication status and select “Authenticate with Public Key”
  • select the right card reader where the HSM from key custodian #1 is connected
  • select the key “key custodian #1 key”
  • the key custodian enters PIN in a safe manner (no peeking)
  • repeat this with the other key custodians
  • expand the authenticated public keys and check that all are authenticated

create DKEK security domain

  • right-click Key domain 0 not created
  • select Create DKEK Key Domain
  • Enter number of DKEK shares 1
  • right-click on the root folder of the HSM
  • select Create DKEK Share
  • Choose DKEK Share Format “Create DKEK Share as File (Password)”
  • Enter the file name for DKEK share like 2024-12-06_uu_vvv_ww_HSM_DKEK_share.pbe
  • OK
  • Enter agreed password for DKEK share
  • right-click on DKEK set-up in progress with 1 of 1 shares missing
  • select Import DKEK share
  • Choose DKEK Share Format “Import DKEK Share from File (Password)”
  • Enter file name containing DKEK Share
  • Enter password for DKEK share
    after a moment the DKEK has been created

create group signer

  • right-click on DKEK key domain
  • select Generate ECC Key
  • select Curve brainpoolP256r1
  • Enter Key Label SBA group signer
  • Enter 70,92
  • backup group signer via right click on group signer and select “export key and certificate”
  • Enter file name like vvv group signer
  • OK

add device to the key domain membership

  • right-click on the root folder and select Export Device ID
  • Enter file name DENKXXX uu vvv ww HSM.id
  • right-click on the group-signer certificate (on the document with the red seal, beginning with AT-)
  • select Group Signer Operations
  • select static key domain membership (>=3.4)
  • select the file name for the device id DENKXXX uu vvv ww HSM.id
  • select Yes to add the device DENKXXX to key domain YYY
  • a KDM file was created and stored next to the device id

create XKEK security domain
the PKA is authenticated

  • right click on the Key domain 1 not created
  • Select “Create XKEK Key Domain”
  • Enter name for file containing key domain membership

What I did test was to initialize this with a PKA 1 out of 2 and 2 out of 3, with and without an HSM label, and using the already available group signer (but only without the WRAP algorithm (92)) and the DKEK and XKEK security domains.

I guess since I am not able to reproduce this I don't know if this has to be followed up.
I am now testing to add the rescue/backup HSM to the same XKEK domain with the imported group signer on the rescue HSM.
AND I will leave out using the WRAP algorithm since it seems that there is no difference:
Difference of an export of group signer w/wo wrap algorithm - Nitrokeys / HSM - Nitrokey Support

Best regards,
Tobias

I am not sure what the basis for Nitrokey HSM I is but the XKEK was introduced in a later model of the SmartCard HSM. So maybe this instruction is not supported by the hardware?

Ideally for troubleshooting, the APDU exchange with the card would be interesting.

0x6F00 is a too generic error and the complete instruction would provide better insights.

Thanks.
I did not save the trace output of SCS. I guess the trace is not stored with a log rotation?
Is there documentation on how to properly report an issue (depending on the scenario/tool), when it happens again?

To diagnose the problem, I would need the exact error code SW1/SW2 reported by the device or even better a trace of the APDUs.

Regarding the issue with the firmware update, I can only see in the portal, that you created a new service request for a firmware update, but never pressed submit to inspect the token and see if an update is available.

When you press “Submit”, the portal should redirect to the OCF/SCSH client for interacting with the token. Does that happen ?
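As an added example that is not part of this thread or of the SCSH/OCF tools: the APDU trace asked for above is easier to act on when each command is paired with its response and the first rejected command is singled out with its CLA/INS/P1/P2. The parser below assumes the trace line shapes quoted later in this thread (“C: 84 E8 00 87 - LOAD Lc=240” and “R: SW1/SW2=9000 (Normal processing: No error) Lr=0”); the status-word table is a subset of ISO 7816-4, and the sample trace is constructed for illustration, so it does not reproduce the APDU that actually failed during the XKEK creation. The decimal number in “CARD_INVALID_SW/28416” is the status word itself: 28416 == 0x6F00.

```python
"""Added example (not from the thread): pair commands with responses in an
SCSH/OpenSCDP style APDU trace and point at the first command the card rejected.

Assumed line formats (taken from the trace lines quoted in this thread):
    C: 84 E8 00 87 - LOAD Lc=240
    R: SW1/SW2=9000 (Normal processing: No error) Lr=0
A leading counter before "C:" / "R:" is tolerated.
"""
import re

# Subset of ISO 7816-4 status words (worded as the thread quotes them where it does).
SW_MEANINGS = {
    0x9000: "Normal processing: No error",
    0x6F00: "Checking error: No precise diagnosis",
    0x6982: "Security status not satisfied",
    0x6985: "Conditions of use not satisfied",
    0x6A82: "File or application not found",
    0x6D00: "Instruction code not supported or invalid",
    0x6E00: "Class not supported",
}

HEX2 = r"([0-9A-Fa-f]{2})"
CMD_RE = re.compile(
    r"(?:^|\s)C:\s*" + r"\s+".join([HEX2] * 4)          # CLA INS P1 P2
    + r"(?:\s*-\s*([A-Za-z0-9 _/]+?))?"                 # optional mnemonic
    + r"(?:\s+Lc=(\d+))?\s*$"                           # optional Lc
)
RSP_RE = re.compile(
    r"(?:^|\s)R:\s*SW1/SW2=([0-9A-Fa-f]{4})(?:\s*\(([^)]*)\))?(?:\s+Lr=(\d+))?"
)


def sw_hex(sw: int) -> str:
    """Render a status word as 4 hex digits; GPError reports it in decimal
    (CARD_INVALID_SW/28416 -> 6F00)."""
    return f"{sw:04X}"


def describe_sw(sw: int) -> str:
    """Meaning of a status word, including the counted forms 61xx, 6Cxx, 63Cx."""
    if sw in SW_MEANINGS:
        return SW_MEANINGS[sw]
    sw1, sw2 = sw >> 8, sw & 0xFF
    if sw1 == 0x61:
        return f"{sw2} response bytes available via GET RESPONSE"
    if sw1 == 0x6C:
        return f"Wrong Le, card expects Le={sw2}"
    if sw1 == 0x63 and sw2 & 0xF0 == 0xC0:
        return f"Verification failed, {sw2 & 0x0F} retries left"
    return "Unknown status word"


def is_success(sw: int) -> bool:
    # 61xx is not a failure: the card only signals that more data can be fetched.
    return sw == 0x9000 or (sw >> 8) == 0x61


def parse_trace(text: str) -> list:
    """Return one dict per command/response pair: cla, ins, p1, p2, name, lc, sw, lr."""
    exchanges, pending = [], None
    for line in text.splitlines():
        m = CMD_RE.search(line)
        if m:
            cla, ins, p1, p2 = (int(m.group(i), 16) for i in range(1, 5))
            pending = {"cla": cla, "ins": ins, "p1": p1, "p2": p2,
                       "name": (m.group(5) or "").strip() or None,
                       "lc": int(m.group(6)) if m.group(6) else 0}
            continue
        m = RSP_RE.search(line)
        if m and pending is not None:
            pending["sw"] = int(m.group(1), 16)
            pending["lr"] = int(m.group(3)) if m.group(3) else 0
            exchanges.append(pending)
            pending = None
    return exchanges


def first_failure(exchanges):
    """(index, exchange) of the first command the card did not accept, or None."""
    for i, ex in enumerate(exchanges):
        if not is_success(ex["sw"]):
            return i, ex
    return None


def report(text: str) -> str:
    """One-line triage summary suitable for pasting into a bug report."""
    exchanges = parse_trace(text)
    hit = first_failure(exchanges)
    if hit is None:
        return f"{len(exchanges)} exchanges, all accepted by the card"
    i, ex = hit
    hdr = " ".join(f"{ex[k]:02X}" for k in ("cla", "ins", "p1", "p2"))
    return (f"exchange {i + 1}/{len(exchanges)} failed: {ex['name'] or 'APDU'} "
            f"({hdr}, Lc={ex['lc']}) -> SW {sw_hex(ex['sw'])}: {describe_sw(ex['sw'])}")


# Constructed sample trace; the failing GET DATA is made up for illustration.
SAMPLE_TRACE = """\
C: 00 A4 04 0C - SELECT Lc=11
R: SW1/SW2=9000 (Normal processing: No error) Lr=0
C: 00 20 00 81 - VERIFY Lc=6
R: SW1/SW2=9000 (Normal processing: No error) Lr=0
C: 00 CA 00 81 - GET DATA
R: SW1/SW2=6F00 (Checking error: No precise diagnosis) Lr=0
"""

if __name__ == "__main__":
    print(report(SAMPLE_TRACE))
```

Feed the SCS trace window contents (or an OCF `-v` trace) to `report()`; the line it prints names the command header and status word that a bug report needs, which is exactly what the replies above are asking for instead of the generic 6F00.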

Where would I find the exact error?
I pasted the shell content.
Next time I will paste the trace content.

Regarding the issue with the firmware update: I did not press Submit since the Token ID in the drop-down list “Current token in reader” was not showing the currently plugged-in token.
So I registered additional tokens, and when then checking the drop-down list, the token which I registered before gets shown.

The funny thing is that this drop-down list shows me two other tokens which are not currently in the reader.
I submitted but nothing happens.
I killed > java -jar ocf-cc.jar -v
plugged out two tokens
logout from pkiaas

  • plugin the token
  • SCS is showing the token
  • closed SCS
  • Login Required
    Please insert your SmartCard-HSM and press continue or reload.
  • pressed continue
  • error message (which is right)
    Client connect
    Could not connect to your local client or smart card.
  • started java -jar ocf-cc.jar -v
  • pressed continue
  • Entered PIN in the Java window and OK
  • selected SmartCard-HSM Firmware Update Request scheduled (Submit) ID: 23191
  • Token ID dropdown list is grayed out
  • pressed cancel
  • selected the connected token
  • pressed submit
  • nothing happens
  • pressed cancel

There are two ways to do a firmware update.

Case 1: You have the token at hand
Case 2: The token is installed somewhere remotely

In the first case you need to select “Current token in reader”. That basically means, that you have physical access to the token and it is inserted in the PC. This token may be any valid token, there is no need to register it first.

In the second case, you first need to register the token, then install it in a remote location. To do the firmware update, you select the token from the drop-down list and submit the request. The next time the token in the remote location connects to the portal, the firmware update is performed. You can connect the remote token using

java -jar ocf-cc.jar https://www.pki-as-a-service.net/rt/paas

This is the provisioning URL that you typically set when initializing the device. Whenever a token connects to this URL, the portal determines whether there is a service request action pending for this token.

The token you are using to log into your account will not show up in the list, as it can’t be a remote token (You’ve just used it to login).

There is no need to register all your tokens, unless you want to use all of them to access your account or you install them remotely and want remote firmware updates.


OK, thanks for the explanation.

next try:

  • plugged in a registered token in reader HSM 0
  • plugged a token in reader HSM 1
  • checked with the modified keymanager script the tokens in the slot
  • java -jar ocf-cc.jar -r “Nitrokey Nitrokey HSM 0”

  • logged in
  • opened ID 23191
  • selected from list the token in HSM 1
  • submit
  • nothing happens
  • logout
  • CTRL + C java
  • plugged out HSM 0
  • java -jar ocf-cc.jar -l
    shows HSM 1 connected

  • java -jar ocf-cc.jar https://www.pki-as-a-service.net/rt/paas
    SLF4J: No SLF4J providers were found.
    SLF4J: Defaulting to no-operation (NOP) logger implementation
    SLF4J: See SLF4J Error Codes for further details.
    OCF1.2;IBM Reference Implementation with OpenSCDP extensions 2.0.2.0.35
    Connecting to https://www.pki-as-a-service.net/rt/paas
    Connection of token unknown to https://www.pki-as-a-service.net/rt/paas completed

What am I doing wrong?

java -jar ocf-cc.jar -l
SLF4J: No SLF4J providers were found.
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See SLF4J Error Codes for further details.
OCF1.2;IBM Reference Implementation with OpenSCDP extensions 2.0.2.0.35
Available card terminals:
Alcorlink USB Smart Card Reader 0
Nitrokey Nitrokey HSM 1
Windows Hello for Business 1

java -jar ocf-cc.jar -r “Nitrokey Nitrokey HSM 1” https://www.pki-as-a-service.net/rt/paas
SLF4J: No SLF4J providers were found.
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See SLF4J Error Codes for further details.
OCF1.2;IBM Reference Implementation with OpenSCDP extensions 2.0.2.0.35
Using reader Nitrokey Nitrokey HSM 1
Connecting to https://www.pki-as-a-service.net/rt/paas
Nothing to do
Connection of token unknown to https://www.pki-as-a-service.net/rt/paas completed

connected the token to another PC with admin rights

java -jar ocf-cc.jar -v
SLF4J: No SLF4J providers were found.
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See SLF4J Error Codes for further details.
OCF1.2;IBM Reference Implementation with OpenSCDP extensions 2.0.2.0.35

  • nothing happens
  • CTRL + C
  • java -jar ocf-cc.jar -v -l
    shows Available card terminals:
    Microsoft UICC ISO Reader xxxxxxxx x
    Nitrokey Nitrokey HSM 0

  • java -jar ocf-cc.jar -r “Nitrokey Nitrokey HSM 0”

  • nothing happens
  • CTRL +C
  • java -jar ocf-cc.jar -r “Nitrokey Nitrokey HSM 0” https://www.pki-as-a-service.net/rt/paas
    trace output
    Connection of token unknown to https://www.pki-as-a-service.net/rt/paas

  • java -jar ocf-cc.jar -r “Nitrokey Nitrokey HSM 0”

  • logged in
  • seeing for ID:23191 “No firmware update available for this device issuer” (makes sense since it is already on 4.1)
  • connected two other tokens to the other pc without admin rights
    one is on 3.6 (using it for login) the other on 3.5
  • java -jar ocf-cc.jar -r “Nitrokey Nitrokey HSM 0”

  • logged in
  • opened ID:23190
  • selected from dropdownlist the token in HSM 1
  • submit
  • nothing happens
  • CTRL + C
  • java -jar ocf-cc.jar -r “Nitrokey Nitrokey HSM 0”

  • nothing happens as expected
  • CTRL + C
  • java -jar ocf-cc.jar -v -r “Nitrokey Nitrokey HSM 1”

  • nothing happens
  • CTRL + C
  • java -jar ocf-cc.jar -v -r “Nitrokey Nitrokey HSM 1” https://www.pki-as-a-service.net/rt/paas
    traceoutput
    Connection of token unknown to https://www.pki-as-a-service.net/rt/paas completed

  • reloading X509 CA PKIaaS
  • seeing now Firmware update available (Approve)
  • update
    Request scheduled (Produce)

java -jar ocf-cc.jar -v -r “Nitrokey Nitrokey HSM 1” https://www.pki-as-a-service.net/rt/paas
a lot of 53 C: 84 E8 00 87 - LOAD Lc=240
the LED on the HSM is green
R: SW1/SW2=9000 (Normal processing: No error) Lr=0
OK
Connection of token unknown to https://www.pki-as-a-service.net/rt/paas completed

  • refresh X509 CA PKIaaS
    Firmware update successful (Completed)
  • in SCS, Options > Reader Configuration has to be used two times to refresh the readers
  • CTRL + M shows now the new token ID
  • selecting the HSM 1 the token shows Not initialized

Thanks for your support. A little more complex; my first firmware update went through only “via starting ocf-cc.jar and logging into the portal”…

How do I delete my other tokens to the same state (Not initialized) like after flashing?

Good to hear. People rarely use the remote update procedure. Typically you use the locally connected token as part of the user session. But I’m glad it still works.

V 4.1 is already the latest firmware, but the “No firmware update available for this device issuer” reminds me, that I need to configure the update DICA for that issuer. At latest when we have a V4.2.

How do I delete my other tokens to the same state (Not initialized) like after flashing?

You can’t do that. The “Not initialized” is an electronic seal (like a shrink wrap) to indicate that this device was not used before (device meaning hardware + applet + assigned Id).

There is an unofficial way: You block the SO-PIN and then try an update. The portal will detect the blocked SO-PIN and allow a firmware update to the same version.


Thanks for your quick support.
That’s an interesting workaround, but I will leave it like it is after initializing this with the default values from SCS :slight_smile:
A beautiful and peaceful Christmas season