How to set Nitrokey HSM transport PIN?

With which tool invocation could I set up a transport PIN for a Nitrokey HSM? A transport PIN would force the user to change the PIN to another value before they can do anything else, thus ensuring that the HSM cannot be used between setting the transport PIN and changing the PIN again.

This can be done with the Key Manager in the Smart Card Shell. Select “Transport-PIN” during device initialization and choose a transport-PIN in the next dialog.

There is currently no command line tool to do that, but we are working on an enhanced version of the sc-hsm-tool from OpenSC that supports more features of the SmartCard-HSM.

For larger deployments we generally recommend using the scripting environment and preparing scripts that do repeated provisioning. The scripting environment is always the most up-to-date tool to work with a SmartCard-HSM, as we use it for internal testing.

The PKI-as-a-Service Portal is also based on the scripting environment and is likewise a good option for larger deployments.

I started the Smart Card Shell GUI and selected “File” → “Key Manager” in the menu, but got no GUI – I got an error message instead:

Running setup script config.js ...

Smart Card Shell Scripting Engine (scdp4j) 3.17.417
----------------------------------------------------------------------------
(c) 2005-2021 CardContact Systems GmbH, Minden, Germany (www.cardcontact.de)
Enter 'help' for a command overview or 'quit' to close the shell

>load("keymanager/keymanager.js");

SmartCard-HSM Version 3.4 on JCOP 3          Free memory 80608 byte
Issuer Certificate : CVC id-SC-HSM DICA CAR=DESRCACC100001 CHR=DEDINK0100001 CED=26. Oktober 2015 CXD=25. Oktober 2023 
Device Certificate : CVC id-SC-HSM Device CAR=DEDINK0100001 CHR=DENK010352500000 CED=17. März 2020 CXD=25. Oktober 2023 
Default Key Domain : 8112565D2DD57130CFC000A8750ED434040AD6BCC1137A37D1E8DE5A2BBBCBF1
GPError: ASN1 (INVALID_INDEX/0) - "Index is out of range" in /home/nmoskopp/share/bin/CardContact/scsh3/scsh/sc-hsm/SmartCardHSM.js#1671
    at /home/nmoskopp/share/bin/CardContact/scsh3/scsh/sc-hsm/SmartCardHSM.js#1671
    at /home/nmoskopp/share/bin/CardContact/scsh3/keymanager/keymanager.js#1210
    at /home/nmoskopp/share/bin/CardContact/scsh3/keymanager/keymanager.js#1307
    at /home/nmoskopp/share/bin/CardContact/scsh3/keymanager/keymanager.js#250
    at /home/nmoskopp/share/bin/CardContact/scsh3/keymanager/keymanager.js#42
    at /home/nmoskopp/share/bin/CardContact/scsh3/keymanager/keymanager.js#2443

>

I’ve tried to do this with a freshly initialized V3.5 device (upgraded from V3.4) and I can see no difference between Transport PIN and the User PIN setup. Using Smart Card Shell 3.17.524 I can observe that for both cases the command 80 50 00 00 INITIALIZE UPDATE (Lc=28) sends

80 02 00 00
81 06 pp pp pp pp pp pp
82 08 so so so so so so so so
91 01 03
97 01 0A 

We’ve released a new version 3.17.548 of the Smart Card Shell that fixes the issue.

I’d like to confirm the fix. Initialization now provides 80 02 00 02 instead of 80 02 00 00 and after creating a key domain and installing the keys, the logoff brings the device to the following state:

“User PIN in transport mode or device not initialized” 6984 response to 00 20 00 81 VERIFY request.

Now the PIN must be changed, thank you!
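A decoder for the data field of the INITIALIZE command (80 50 00 00) as it appears in the Smart Card Shell trace quoted above, added here as an example to check a captured trace for the transport-PIN option before and after the 3.17.548 fix; it is not code from the thread, from CardContact or from OpenSC. The meanings of tags 80, 81 and 82 and the 80 02 00 02 / 80 02 00 00 difference follow the thread; the labels for tags 91 (retry counter) and 97 (key domains) are assumptions, and the PIN bytes in the sample are constructed placeholders standing in for the pp/so bytes.

```python
# Decode the TLV data field of the SmartCard-HSM INITIALIZE command from an
# APDU trace and report whether the transport-PIN option bit is set.
from typing import Dict, List, Tuple

TAG_NAMES = {
    0x80: "options",
    0x81: "user_pin",       # the "pp" bytes in the trace
    0x82: "so_pin",         # the "so" bytes in the trace
    0x91: "retry_counter",  # assumed label
    0x97: "key_domains",    # assumed label
}

# The fixed release sends 80 02 00 02 instead of 80 02 00 00.
TRANSPORT_PIN_OPTION = 0x0002

def parse_tlv(data: bytes) -> List[Tuple[int, bytes]]:
    """Parse one-byte-tag / one-byte-length TLVs; reject truncated input."""
    items, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header at offset %d" % i)
        tag, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("tag %02X claims %d bytes, %d left" % (tag, length, len(value)))
        items.append((tag, value))
        i += 2 + length
    return items

def decode_initialize(data: bytes) -> Dict[str, object]:
    """Return a dict of decoded fields; PINs are reported by length only."""
    fields: Dict[str, object] = {}
    for tag, value in parse_tlv(data):
        name = TAG_NAMES.get(tag, "tag_%02X" % tag)
        if tag == 0x80:
            opts = int.from_bytes(value, "big")
            fields["options"] = opts
            fields["transport_pin"] = bool(opts & TRANSPORT_PIN_OPTION)
        elif tag in (0x81, 0x82):
            fields[name] = len(value)   # never keep secret values from a trace
        else:
            fields[name] = int.from_bytes(value, "big")
    return fields

def verify_sw_means_transport_mode(sw: int) -> bool:
    """6984 on VERIFY: 'User PIN in transport mode or device not initialized'."""
    return sw == 0x6984

# Constructed samples mirroring the Lc=28 layout from the thread (PINs are placeholders).
BEFORE_FIX = bytes.fromhex("80020000" "8106313233343536" "82084142434445464748" "910103" "97010A")
AFTER_FIX = bytes.fromhex("80020002" "8106313233343536" "82084142434445464748" "910103" "97010A")

if __name__ == "__main__":
    for label, blob in (("3.17.524", BEFORE_FIX), ("3.17.548", AFTER_FIX)):
        print(label, decode_initialize(blob))
```

Feed the block the hex of the INITIALIZE data field copied from the Trace tab; a `transport_pin` of `False` after choosing “Transport-PIN” in the Key Manager reproduces the pre-fix behaviour.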

To figure out what is causing the other “Index is out of range” error, I would need to look at the APDU Trace, in particular what the ENUMERATE OBJECTS command returns.

I’ve tried to improve sc-hsm-tool with something like sc-hsm-tool: Add --transport-pin option by saper · Pull Request #2431 · OpenSC/OpenSC · GitHub but unfortunately the whole thing gets complicated since we should not reset the card until we are ready with provisioning:

@sc-hsm I seem to hit the same bug with scsh 3.17.548:

Running setup script config.js ...

Smart Card Shell Scripting Engine (scdp4j) 3.17.441
----------------------------------------------------------------------------
(c) 2005-2021 CardContact Systems GmbH, Minden, Germany (www.cardcontact.de)
Enter 'help' for a command overview or 'quit' to close the shell

>load("keymanager/keymanager.js");

SmartCard-HSM Version 3.4 on JCOP 3          Free memory 80608 byte
Issuer Certificate : CVC id-SC-HSM DICA CAR=DESRCACC100001 CHR=DEDINK0100001 CED=26. Oktober 2015 CXD=25. Oktober 2023 
Device Certificate : CVC id-SC-HSM Device CAR=DEDINK0100001 CHR=DENK010352500000 CED=17. März 2020 CXD=25. Oktober 2023 
Default Key Domain : 8112565D2DD57130CFC000A8750ED434040AD6BCC1137A37D1E8DE5A2BBBCBF1
GPError: ASN1 (INVALID_INDEX/0) - "Index is out of range" in /home/nmoskopp/share/bin/scsh3.17.548/scsh/sc-hsm/SmartCardHSM.js#1673
    at /home/nmoskopp/share/bin/scsh3.17.548/scsh/sc-hsm/SmartCardHSM.js#1673
    at /home/nmoskopp/share/bin/scsh3.17.548/keymanager/keymanager.js#1214
    at /home/nmoskopp/share/bin/scsh3.17.548/keymanager/keymanager.js#1311
    at /home/nmoskopp/share/bin/scsh3.17.548/keymanager/keymanager.js#251
    at /home/nmoskopp/share/bin/scsh3.17.548/keymanager/keymanager.js#42
    at /home/nmoskopp/share/bin/scsh3.17.548/keymanager/keymanager.js#2457

>

To figure out what is causing the other “Index is out of range” error, I would need to look at the APDU Trace, in particular what the ENUMERATE OBJECTS command returns.

How exactly can I help you with that? (I.e. what do I have to input where?)

When you click on the “Trace” tab below the console, then you see the APDUs exchanged with the SmartCard-HSM.