With which tool invocation could I set up a transport PIN for a Nitrokey HSM? A transport PIN would force the user to change the PIN to another value before they can do anything else, thus ensuring that the HSM cannot be used between setting the transport PIN and changing the PIN again.
sc-hsm
September 16, 2020, 7:38am
2
This can be done with the Key Manager in the Smart Card Shell. Select “Transport-PIN” during device initialization and choose a transport PIN in the next dialog.
There is currently no command line tool to do that, but we are working on an enhanced version of the sc-hsm-tool from OpenSC that supports more features of the SmartCard-HSM.
For larger deployments we generally recommend using the scripting environment and preparing scripts that do repeated provisioning. The scripting environment is always the most up-to-date tool to work with a SmartCard-HSM, as we use that for internal testing.
The PKI-as-a-Service Portal is also based on the scripting environment and is a good option for larger deployments as well.
I started the Smart Card Shell GUI and selected “File” → “Key Manager” in the menu, but got no GUI – I got an error message instead:
```
Running setup script config.js ...
Smart Card Shell Scripting Engine (scdp4j) 3.17.417
----------------------------------------------------------------------------
(c) 2005-2021 CardContact Systems GmbH, Minden, Germany (www.cardcontact.de)
Enter 'help' for a command overview or 'quit' to close the shell
>load("keymanager/keymanager.js");
SmartCard-HSM Version 3.4 on JCOP 3 Free memory 80608 byte
Issuer Certificate : CVC id-SC-HSM DICA CAR=DESRCACC100001 CHR=DEDINK0100001 CED=26. Oktober 2015 CXD=25. Oktober 2023
Device Certificate : CVC id-SC-HSM Device CAR=DEDINK0100001 CHR=DENK010352500000 CED=17. März 2020 CXD=25. Oktober 2023
Default Key Domain : 8112565D2DD57130CFC000A8750ED434040AD6BCC1137A37D1E8DE5A2BBBCBF1
GPError: ASN1 (INVALID_INDEX/0) - "Index is out of range" in /home/nmoskopp/share/bin/CardContact/scsh3/scsh/sc-hsm/SmartCardHSM.js#1671
at /home/nmoskopp/share/bin/CardContact/scsh3/scsh/sc-hsm/SmartCardHSM.js#1671
at /home/nmoskopp/share/bin/CardContact/scsh3/keymanager/keymanager.js#1210
at /home/nmoskopp/share/bin/CardContact/scsh3/keymanager/keymanager.js#1307
at /home/nmoskopp/share/bin/CardContact/scsh3/keymanager/keymanager.js#250
at /home/nmoskopp/share/bin/CardContact/scsh3/keymanager/keymanager.js#42
at /home/nmoskopp/share/bin/CardContact/scsh3/keymanager/keymanager.js#2443
>
```
saper
November 4, 2021, 12:23am
4
I’ve tried to do this with a freshly initialized V3.5 device (upgraded from V3.4) and I can see no difference between Transport PIN and the User PIN setup. Using Smart Card Shell 3.17.524 I can observe that for both cases the command `80 50 00 00` INITIALIZE UPDATE (Lc=28) sends

```
80 02 00 00
81 06 pp pp pp pp pp pp
82 08 so so so so so so so so
91 01 03
97 01 0A
```
sc-hsm
November 4, 2021, 11:22am
5
We’ve released a new version 3.17.548 of the Smart Card Shell that fixes the issue.
saper
November 4, 2021, 11:47am
6
I’d like to confirm the fix. Initialization now provides `80 02 00 02` instead of `80 02 00 00`, and after creating a key domain and installing the keys, the logoff brings the device to the following state: “User PIN in transport mode or device not initialized” `6984` response to the `00 20 00 81` VERIFY request.
Now the PIN must be changed, thank you!
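The two observations above (the option field changing from `80 02 00 00` to `80 02 00 02`, and VERIFY `00 20 00 81` answering `6984` after logoff) can be checked mechanically from an APDU trace. The following is an added example, not part of the thread or of any CardContact/OpenSC code; it assumes, based only on the bytes quoted in this thread, that option bit `0x0002` is the transport-PIN flag, and the PIN and SO-PIN bytes are constructed sample values.

```python
# Added example: audit SmartCard-HSM initialization data for transport-PIN mode.
# Assumption (from the thread): tag 80 carries a 2-byte option field and bit
# 0x0002 marks transport-PIN mode; tags 81 and 82 carry the PIN and SO-PIN.

TRANSPORT_PIN_OPTION = 0x0002


def parse_tlv(data: bytes) -> dict:
    """Split a flat run of single-byte-tag, short-length TLVs into {tag: value}."""
    fields, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError(f"truncated TLV header at offset {i}")
        tag, length = data[i], data[i + 1]
        if length >= 0x80:
            raise ValueError(f"unexpected long-form length at offset {i}")
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"tag {tag:02X}: value truncated")
        if tag in fields:
            raise ValueError(f"tag {tag:02X} appears twice")
        fields[tag] = value
        i += 2 + length
    return fields


def audit_initialize(cdata: bytes) -> dict:
    """Report what an initialization command data field asks the device to do."""
    fields = parse_tlv(cdata)
    if len(fields.get(0x80, b"")) != 2:
        raise ValueError("missing or malformed option field (tag 80)")
    options = int.from_bytes(fields[0x80], "big")
    return {
        "options": options,
        "transport_pin": bool(options & TRANSPORT_PIN_OPTION),
        "pin_length": len(fields.get(0x81, b"")),
        "so_pin_length": len(fields.get(0x82, b"")),
        # Tags the thread shows but does not name are listed, not interpreted.
        "other_tags": sorted(t for t in fields if t not in (0x80, 0x81, 0x82)),
    }


def verify_state(sw: int) -> str:
    """Classify the status word of an empty VERIFY (00 20 00 81)."""
    if sw == 0x9000:
        return "authenticated"
    if sw == 0x6984:
        return "transport-or-uninitialized"  # wording quoted in the thread
    if sw & 0xFFF0 == 0x63C0:                # ISO 7816-4: 63Cx, x tries left
        return "not-authenticated"
    return "unknown"


def transport_pin_enforced(cdata: bytes, sw_after_logoff: int) -> bool:
    """True only if the flag was requested AND the device refuses the PIN state."""
    requested = audit_initialize(cdata)["transport_pin"]
    return requested and verify_state(sw_after_logoff) == "transport-or-uninitialized"


def build_sample(options: int) -> bytes:
    """Constructed sample mirroring the layout quoted in the thread."""
    pin = b"648219"                               # constructed PIN
    so_pin = bytes.fromhex("0102030405060708")    # constructed SO-PIN
    return (bytes([0x80, 0x02]) + options.to_bytes(2, "big")
            + bytes([0x81, len(pin)]) + pin
            + bytes([0x82, len(so_pin)]) + so_pin
            + bytes.fromhex("910103") + bytes.fromhex("97010A"))


BEFORE_FIX = build_sample(0x0000)   # what Smart Card Shell 3.17.524 sent
AFTER_FIX = build_sample(0x0002)    # what 3.17.548 sends

if __name__ == "__main__":
    for name, cdata in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(name, audit_initialize(cdata), transport_pin_enforced(cdata, 0x6984))
```

A `6984` on its own is not proof of transport mode, since the same status word covers an uninitialized device; that is why the check requires both the requested flag and the status word.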
sc-hsm
November 4, 2021, 12:16pm
7
To figure out what is causing the other “Index is out of range” error, I would need to look at the APDU Trace, in particular what the ENUMERATE OBJECTS command returns.
saper
November 4, 2021, 4:16pm
8
I’ve tried to improve sc-hsm-tool with something like sc-hsm-tool: Add --transport-pin option by saper · Pull Request #2431 · OpenSC/OpenSC · GitHub but unfortunately the whole thing gets complicated since we should not reset the card until we are ready with provisioning:
opened 04:12PM - 04 Nov 21 UTC
closed 11:05AM - 26 Jan 24 UTC
### Problem Description
This is not a bug, rather a question how to solve the… issue given the current OpenSC architecture.
I have submitted a preliminary patch to allow SmartCardHSM to be initialized with a transport PIN:
https://github.com/OpenSC/OpenSC/pull/2431
After the initialization is done the card is left open (authenticated) so any provisioning can be done before
the transport PIN needs to be changed.
This works if SCSH is used to set up the token.
But OpenSC commands cannot be used because most of them reset the card and select the application, which logs the card off, and the PIN has to be changed.
### Proposed Resolution
Inhibit full card reset and applet selection in certain cases, preferably without an extra command-line option.
### Steps to reproduce
1. Apply https://github.com/OpenSC/OpenSC/pull/2431 and rebuild
2. Run `./src/tools/sc-hsm-tool -XT --so-pin 3537363231383830 --pin 000000 -s 1` to re-initialize the token
3. Run `./src/tools/opensc-tool -s 00:20:00:81`
The last command returns the error which indicates that User PIN has to be changed:
```
Using reader with a card: Nitrokey Nitrokey HSM (DENK02006540000 ) 00 00
Sending: 00 20 00 81
Received (SW1=0x69, SW2=0x84)
```
### Expected result
1. One could argue that "opensc-tool -s" should really do what is asked for - only send the APDU required.
But running other tools, like unwrapping the keys with `sc-hsm-tool`, `pkcs11-tool` key generation, could possibly be made to work.
2. SCSH reports PIN status `90 00` if started after the initialization. Key management is possible from there.
### Logs
OpenSC debug from the "opensc-tool -s" execution
```text
P:6773; T:0x34391285760 17:10:56.553 [opensc-tool] ctx.c:853:sc_context_create: ===================================
P:6773; T:0x34391285760 17:10:56.553 [opensc-tool] ctx.c:854:sc_context_create: opensc version: 0.22.0
P:6773; T:0x34391285760 17:10:56.553 [opensc-tool] reader-pcsc.c:888:pcsc_init: PC/SC options: connect_exclusive=0 disconnect_action=0 transaction_end_action=0 reconnect_action=0 enable_pinpad=1 enable_pace=1
P:6773; T:0x34391285760 17:10:56.554 [opensc-tool] reader-pcsc.c:1388:pcsc_detect_readers: called
P:6773; T:0x34391285760 17:10:56.554 [opensc-tool] reader-pcsc.c:1401:pcsc_detect_readers: Probing PC/SC readers
P:6773; T:0x34391285760 17:10:56.554 [opensc-tool] reader-pcsc.c:1454:pcsc_detect_readers: Establish PC/SC context
P:6773; T:0x34391285760 17:10:56.554 [opensc-tool] reader-pcsc.c:1337:pcsc_add_reader: Adding new PC/SC reader 'Nitrokey Nitrokey HSM (DENK02006540000 ) 00 00'
P:6773; T:0x34391285760 17:10:56.554 [opensc-tool] reader-pcsc.c:362:refresh_attributes: Nitrokey Nitrokey HSM (DENK02006540000 ) 00 00 check
P:6773; T:0x34391285760 17:10:56.554 [opensc-tool] reader-pcsc.c:409:refresh_attributes: current state: 0x00000122
P:6773; T:0x34391285760 17:10:56.554 [opensc-tool] reader-pcsc.c:410:refresh_attributes: previous state: 0x00000000
P:6773; T:0x34391285760 17:10:56.554 [opensc-tool] reader-pcsc.c:464:refresh_attributes: card present, changed
P:6773; T:0x34391285760 17:10:56.554 [opensc-tool] reader-pcsc.c:1555:pcsc_detect_readers: Nitrokey Nitrokey HSM (DENK02006540000 ) 00 00:SCardConnect(SHARED): 0x00000000
P:6773; T:0x34391285760 17:10:56.554 [opensc-tool] reader-pcsc.c:1154:detect_reader_features: called
P:6773; T:0x34391285760 17:10:56.554 [opensc-tool] reader-pcsc.c:1156:detect_reader_features: Requesting reader features ...
P:6773; T:0x34391285760 17:10:56.554 [opensc-tool] reader-pcsc.c:1177:detect_reader_features: Reader feature 12 found
P:6773; T:0x34391285760 17:10:56.554 [opensc-tool] reader-pcsc.c:1084:part10_detect_max_data: get dwMaxAPDUDataSize property returned 65536
P:6773; T:0x34391285760 17:10:56.554 [opensc-tool] reader-pcsc.c:1287:detect_reader_features: Reader supports transceiving 65536 bytes of data
P:6773; T:0x34391285760 17:10:56.554 [opensc-tool] reader-pcsc.c:1123:part10_get_vendor_product: id_vendor=20a0 id_product=4230
P:6773; T:0x34391285760 17:10:56.555 [opensc-tool] reader-pcsc.c:1570:pcsc_detect_readers: returning with: 0 (Success)
P:6773; T:0x34391285760 17:10:56.555 [opensc-tool] sc.c:335:sc_detect_card_presence: called
P:6773; T:0x34391285760 17:10:56.555 [opensc-tool] reader-pcsc.c:474:pcsc_detect_card_presence: called
P:6773; T:0x34391285760 17:10:56.555 [opensc-tool] reader-pcsc.c:362:refresh_attributes: Nitrokey Nitrokey HSM (DENK02006540000 ) 00 00 check
P:6773; T:0x34391285760 17:10:56.556 [opensc-tool] reader-pcsc.c:387:refresh_attributes: returning with: 0 (Success)
P:6773; T:0x34391285760 17:10:56.556 [opensc-tool] reader-pcsc.c:479:pcsc_detect_card_presence: returning with: 5
P:6773; T:0x34391285760 17:10:56.556 [opensc-tool] sc.c:340:sc_detect_card_presence: returning with: 5
P:6773; T:0x34391285760 17:10:56.556 [opensc-tool] sc.c:335:sc_detect_card_presence: called
P:6773; T:0x34391285760 17:10:56.556 [opensc-tool] reader-pcsc.c:474:pcsc_detect_card_presence: called
P:6773; T:0x34391285760 17:10:56.556 [opensc-tool] reader-pcsc.c:362:refresh_attributes: Nitrokey Nitrokey HSM (DENK02006540000 ) 00 00 check
P:6773; T:0x34391285760 17:10:56.557 [opensc-tool] reader-pcsc.c:387:refresh_attributes: returning with: 0 (Success)
P:6773; T:0x34391285760 17:10:56.557 [opensc-tool] reader-pcsc.c:479:pcsc_detect_card_presence: returning with: 5
P:6773; T:0x34391285760 17:10:56.557 [opensc-tool] sc.c:340:sc_detect_card_presence: returning with: 5
P:6773; T:0x34391285760 17:10:56.557 [opensc-tool] card.c:254:sc_connect_card: called
P:6773; T:0x34391285760 17:10:56.557 [opensc-tool] reader-pcsc.c:608:pcsc_connect: called
P:6773; T:0x34391285760 17:10:56.557 [opensc-tool] reader-pcsc.c:362:refresh_attributes: Nitrokey Nitrokey HSM (DENK02006540000 ) 00 00 check
P:6773; T:0x34391285760 17:10:56.558 [opensc-tool] reader-pcsc.c:387:refresh_attributes: returning with: 0 (Success)
P:6773; T:0x34391285760 17:10:56.558 [opensc-tool] reader-pcsc.c:640:pcsc_connect: Initial protocol: T=1
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1230:match_atr_table: ATR : 3b:de:18:ff:81:91:fe:1f:c3:80:31:81:54:48:53:4d:31:73:80:21:40:81:07:1c
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1241:match_atr_table: ATR try : 3b:d2:18:00:81:31:fe:58:c9:03:16
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1244:match_atr_table: ignored - wrong length
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1230:match_atr_table: ATR : 3b:de:18:ff:81:91:fe:1f:c3:80:31:81:54:48:53:4d:31:73:80:21:40:81:07:1c
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1241:match_atr_table: ATR try : 3B:DD:18:00:81:31:FE:45:80:F9:A0:00:00:00:77:01:00:70:0A:90:00:8B
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1244:match_atr_table: ignored - wrong length
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1230:match_atr_table: ATR : 3b:de:18:ff:81:91:fe:1f:c3:80:31:81:54:48:53:4d:31:73:80:21:40:81:07:1c
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1241:match_atr_table: ATR try : 3B:7F:96:00:00:00:31:B9:64:40:70:14:10:73:94:01:80:82:90:00
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1244:match_atr_table: ignored - wrong length
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1241:match_atr_table: ATR try : 3B:7F:96:00:00:00:31:B8:64:40:70:14:10:73:94:01:80:82:90:00
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1244:match_atr_table: ignored - wrong length
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1241:match_atr_table: ATR try : 3B:DF:18:FF:81:91:FE:1F:C3:00:31:B8:64:0C:01:EC:C1:73:94:01:80:82:90:00:B3
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1244:match_atr_table: ignored - wrong length
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1241:match_atr_table: ATR try : 3B:DC:18:FF:81:91:FE:1F:C3:80:73:C8:21:13:66:01:0B:03:52:00:05:38
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1244:match_atr_table: ignored - wrong length
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1230:match_atr_table: ATR : 3b:de:18:ff:81:91:fe:1f:c3:80:31:81:54:48:53:4d:31:73:80:21:40:81:07:1c
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1241:match_atr_table: ATR try : 3B:FE:18:00:00:81:31:FE:45:80:31:81:54:48:53:4D:31:73:80:21:40:81:07:FA
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1241:match_atr_table: ATR try : 3B:8E:80:01:80:31:81:54:48:53:4D:31:73:80:21:40:81:07:18
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1244:match_atr_table: ignored - wrong length
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1241:match_atr_table: ATR try : 3b:de:18:ff:81:91:fe:1f:c3:80:31:81:54:48:53:4d:31:73:80:21:40:81:07:1c
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1230:match_atr_table: ATR : 3b:de:18:ff:81:91:fe:1f:c3:80:31:81:54:48:53:4d:31:73:80:21:40:81:07:1c
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1241:match_atr_table: ATR try : 3B:FE:18:00:00:81:31:FE:45:80:31:81:54:48:53:4D:31:73:80:21:40:81:07:FA
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1241:match_atr_table: ATR try : 3B:8E:80:01:80:31:81:54:48:53:4D:31:73:80:21:40:81:07:18
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1244:match_atr_table: ignored - wrong length
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1241:match_atr_table: ATR try : 3B:DE:18:FF:81:91:FE:1F:C3:80:31:81:54:48:53:4D:31:73:80:21:40:81:07:1C
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] reader-pcsc.c:654:pcsc_connect: Final protocol: T=1
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:279:sc_connect_card: matching configured ATRs
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:288:sc_connect_card: trying driver 'cardos'
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1230:match_atr_table: ATR : 3b:de:18:ff:81:91:fe:1f:c3:80:31:81:54:48:53:4d:31:73:80:21:40:81:07:1c
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1241:match_atr_table: ATR try : 3b:d2:18:00:81:31:fe:58:c9:03:16
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1244:match_atr_table: ignored - wrong length
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:288:sc_connect_card: trying driver 'authentic'
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1230:match_atr_table: ATR : 3b:de:18:ff:81:91:fe:1f:c3:80:31:81:54:48:53:4d:31:73:80:21:40:81:07:1c
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1241:match_atr_table: ATR try : 3B:DD:18:00:81:31:FE:45:80:F9:A0:00:00:00:77:01:00:70:0A:90:00:8B
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1244:match_atr_table: ignored - wrong length
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:288:sc_connect_card: trying driver 'iasecc'
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1230:match_atr_table: ATR : 3b:de:18:ff:81:91:fe:1f:c3:80:31:81:54:48:53:4d:31:73:80:21:40:81:07:1c
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1241:match_atr_table: ATR try : 3B:7F:96:00:00:00:31:B9:64:40:70:14:10:73:94:01:80:82:90:00
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1244:match_atr_table: ignored - wrong length
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1241:match_atr_table: ATR try : 3B:7F:96:00:00:00:31:B8:64:40:70:14:10:73:94:01:80:82:90:00
P:6773; T:0x34391285760 17:10:56.559 [opensc-tool] card.c:1244:match_atr_table: ignored - wrong length
P:6773; T:0x34391285760 17:10:56.560 [opensc-tool] card.c:1241:match_atr_table: ATR try : 3B:DF:18:FF:81:91:FE:1F:C3:00:31:B8:64:0C:01:EC:C1:73:94:01:80:82:90:00:B3
P:6773; T:0x34391285760 17:10:56.560 [opensc-tool] card.c:1244:match_atr_table: ignored - wrong length
P:6773; T:0x34391285760 17:10:56.560 [opensc-tool] card.c:1241:match_atr_table: ATR try : 3B:DC:18:FF:81:91:FE:1F:C3:80:73:C8:21:13:66:01:0B:03:52:00:05:38
P:6773; T:0x34391285760 17:10:56.560 [opensc-tool] card.c:1244:match_atr_table: ignored - wrong length
P:6773; T:0x34391285760 17:10:56.560 [opensc-tool] card.c:288:sc_connect_card: trying driver 'sc-hsm'
P:6773; T:0x34391285760 17:10:56.560 [opensc-tool] card.c:1230:match_atr_table: ATR : 3b:de:18:ff:81:91:fe:1f:c3:80:31:81:54:48:53:4d:31:73:80:21:40:81:07:1c
P:6773; T:0x34391285760 17:10:56.560 [opensc-tool] card.c:1241:match_atr_table: ATR try : 3B:FE:18:00:00:81:31:FE:45:80:31:81:54:48:53:4D:31:73:80:21:40:81:07:FA
P:6773; T:0x34391285760 17:10:56.560 [opensc-tool] card.c:1241:match_atr_table: ATR try : 3B:8E:80:01:80:31:81:54:48:53:4D:31:73:80:21:40:81:07:18
P:6773; T:0x34391285760 17:10:56.560 [opensc-tool] card.c:1244:match_atr_table: ignored - wrong length
P:6773; T:0x34391285760 17:10:56.560 [opensc-tool] card.c:1241:match_atr_table: ATR try : 3b:de:18:ff:81:91:fe:1f:c3:80:31:81:54:48:53:4d:31:73:80:21:40:81:07:1c
P:6773; T:0x34391285760 17:10:56.560 [opensc-tool] card.c:293:sc_connect_card: matched driver 'SmartCard-HSM'
P:6773; T:0x34391285760 17:10:56.560 [opensc-tool] card.c:1230:match_atr_table: ATR : 3b:de:18:ff:81:91:fe:1f:c3:80:31:81:54:48:53:4d:31:73:80:21:40:81:07:1c
P:6773; T:0x34391285760 17:10:56.560 [opensc-tool] card.c:1241:match_atr_table: ATR try : 3B:FE:18:00:00:81:31:FE:45:80:31:81:54:48:53:4D:31:73:80:21:40:81:07:FA
P:6773; T:0x34391285760 17:10:56.560 [opensc-tool] card.c:1241:match_atr_table: ATR try : 3B:8E:80:01:80:31:81:54:48:53:4D:31:73:80:21:40:81:07:18
P:6773; T:0x34391285760 17:10:56.560 [opensc-tool] card.c:1244:match_atr_table: ignored - wrong length
P:6773; T:0x34391285760 17:10:56.560 [opensc-tool] card.c:1241:match_atr_table: ATR try : 3B:DE:18:FF:81:91:FE:1F:C3:80:31:81:54:48:53:4D:31:73:80:21:40:81:07:1C
P:6773; T:0x34391285760 17:10:56.560 [opensc-tool] card-sc-hsm.c:1617:sc_hsm_init: called
P:6773; T:0x34391285760 17:10:56.560 [opensc-tool] apdu.c:548:sc_transmit_apdu: called
P:6773; T:0x34391285760 17:10:56.560 [opensc-tool] card.c:473:sc_lock: called
P:6773; T:0x34391285760 17:10:56.560 [opensc-tool] reader-pcsc.c:687:pcsc_lock: called
P:6773; T:0x34391285760 17:10:56.560 [opensc-tool] card.c:513:sc_lock: returning with: 0 (Success)
P:6773; T:0x34391285760 17:10:56.560 [opensc-tool] apdu.c:515:sc_transmit: called
P:6773; T:0x34391285760 17:10:56.560 [opensc-tool] apdu.c:363:sc_single_transmit: called
P:6773; T:0x34391285760 17:10:56.560 [opensc-tool] apdu.c:367:sc_single_transmit: CLA:0, INS:A4, P1:4, P2:0, data(11) 0x7fffffffda30
P:6773; T:0x34391285760 17:10:56.560 [opensc-tool] reader-pcsc.c:325:pcsc_transmit: reader 'Nitrokey Nitrokey HSM (DENK02006540000 ) 00 00'
P:6773; T:0x34391285760 17:10:56.560 [opensc-tool] reader-pcsc.c:326:pcsc_transmit:
Outgoing APDU (17 bytes):
00 A4 04 00 0B E8 2B 06 01 04 01 81 C3 1F 02 01 ......+.........
00 .
P:6773; T:0x34391285760 17:10:56.560 [opensc-tool] reader-pcsc.c:244:pcsc_internal_transmit: called
P:6773; T:0x34391285760 17:10:56.598 [opensc-tool] reader-pcsc.c:335:pcsc_transmit:
Incoming APDU (14 bytes):
6F 0A 82 01 78 85 05 00 03 05 03 05 90 00 o...x.........
P:6773; T:0x34391285760 17:10:56.598 [opensc-tool] apdu.c:382:sc_single_transmit: returning with: 0 (Success)
P:6773; T:0x34391285760 17:10:56.598 [opensc-tool] apdu.c:537:sc_transmit: returning with: 0 (Success)
P:6773; T:0x34391285760 17:10:56.598 [opensc-tool] card.c:523:sc_unlock: called
P:6773; T:0x34391285760 17:10:56.598 [opensc-tool] reader-pcsc.c:739:pcsc_unlock: called
P:6773; T:0x34391285760 17:10:56.598 [opensc-tool] iso7816.c:366:iso7816_process_fci: shareable: yes
P:6773; T:0x34391285760 17:10:56.598 [opensc-tool] iso7816.c:386:iso7816_process_fci: type: DF
P:6773; T:0x34391285760 17:10:56.598 [opensc-tool] iso7816.c:387:iso7816_process_fci: EF structure: 0
P:6773; T:0x34391285760 17:10:56.598 [opensc-tool] iso7816.c:388:iso7816_process_fci: tag 0x82: 0x78
P:6773; T:0x34391285760 17:10:56.598 [opensc-tool] card.c:382:sc_connect_card: card info name:'SmartCard-HSM version 3.5', type:26000, flags:0x0, max_send/recv_size:1215/65536
P:6773; T:0x34391285760 17:10:56.598 [opensc-tool] card.c:1606:sc_card_sm_check: called
P:6773; T:0x34391285760 17:10:56.598 [opensc-tool] card.c:1230:match_atr_table: ATR : 3b:de:18:ff:81:91:fe:1f:c3:80:31:81:54:48:53:4d:31:73:80:21:40:81:07:1c
P:6773; T:0x34391285760 17:10:56.598 [opensc-tool] card.c:1241:match_atr_table: ATR try : 3B:FE:18:00:00:81:31:FE:45:80:31:81:54:48:53:4D:31:73:80:21:40:81:07:FA
P:6773; T:0x34391285760 17:10:56.599 [opensc-tool] card.c:1241:match_atr_table: ATR try : 3B:8E:80:01:80:31:81:54:48:53:4D:31:73:80:21:40:81:07:18
P:6773; T:0x34391285760 17:10:56.599 [opensc-tool] card.c:1244:match_atr_table: ignored - wrong length
P:6773; T:0x34391285760 17:10:56.599 [opensc-tool] card.c:1241:match_atr_table: ATR try : 3b:de:18:ff:81:91:fe:1f:c3:80:31:81:54:48:53:4d:31:73:80:21:40:81:07:1c
P:6773; T:0x34391285760 17:10:56.599 [opensc-tool] card.c:1614:sc_card_sm_check: returning with: 0 (Success)
P:6773; T:0x34391285760 17:10:56.599 [opensc-tool] card.c:397:sc_connect_card: returning with: 0 (Success)
P:6773; T:0x34391285760 17:10:56.599 [opensc-tool] apdu.c:669:sc_bytes2apdu: CASE_1 APDU: 4 bytes: ins=20 p1=00 p2=81 lc=0000 le=0000
P:6773; T:0x34391285760 17:10:56.599 [opensc-tool] card.c:473:sc_lock: called
P:6773; T:0x34391285760 17:10:56.599 [opensc-tool] reader-pcsc.c:687:pcsc_lock: called
P:6773; T:0x34391285760 17:10:56.599 [opensc-tool] card.c:513:sc_lock: returning with: 0 (Success)
P:6773; T:0x34391285760 17:10:56.599 [opensc-tool] apdu.c:548:sc_transmit_apdu: called
P:6773; T:0x34391285760 17:10:56.599 [opensc-tool] card.c:473:sc_lock: called
P:6773; T:0x34391285760 17:10:56.599 [opensc-tool] card.c:513:sc_lock: returning with: 0 (Success)
P:6773; T:0x34391285760 17:10:56.599 [opensc-tool] apdu.c:515:sc_transmit: called
P:6773; T:0x34391285760 17:10:56.599 [opensc-tool] apdu.c:363:sc_single_transmit: called
P:6773; T:0x34391285760 17:10:56.599 [opensc-tool] apdu.c:367:sc_single_transmit: CLA:0, INS:20, P1:0, P2:81, data(0) 0x0
P:6773; T:0x34391285760 17:10:56.599 [opensc-tool] reader-pcsc.c:325:pcsc_transmit: reader 'Nitrokey Nitrokey HSM (DENK02006540000 ) 00 00'
P:6773; T:0x34391285760 17:10:56.599 [opensc-tool] reader-pcsc.c:326:pcsc_transmit:
Outgoing APDU (4 bytes):
00 20 00 81 . ..
P:6773; T:0x34391285760 17:10:56.599 [opensc-tool] reader-pcsc.c:244:pcsc_internal_transmit: called
P:6773; T:0x34391285760 17:10:56.628 [opensc-tool] reader-pcsc.c:335:pcsc_transmit:
Incoming APDU (2 bytes):
69 84 i.
P:6773; T:0x34391285760 17:10:56.628 [opensc-tool] apdu.c:382:sc_single_transmit: returning with: 0 (Success)
P:6773; T:0x34391285760 17:10:56.628 [opensc-tool] apdu.c:537:sc_transmit: returning with: 0 (Success)
P:6773; T:0x34391285760 17:10:56.628 [opensc-tool] card.c:523:sc_unlock: called
P:6773; T:0x34391285760 17:10:56.628 [opensc-tool] card.c:523:sc_unlock: called
P:6773; T:0x34391285760 17:10:56.628 [opensc-tool] reader-pcsc.c:739:pcsc_unlock: called
P:6773; T:0x34391285760 17:10:56.628 [opensc-tool] card.c:414:sc_disconnect_card: called
P:6773; T:0x34391285760 17:10:56.628 [opensc-tool] reader-pcsc.c:672:pcsc_disconnect: Nitrokey Nitrokey HSM (DENK02006540000 ) 00 00:SCardDisconnect returned: 0x00000000
P:6773; T:0x34391285760 17:10:56.628 [opensc-tool] card.c:436:sc_disconnect_card: returning with: 0 (Success)
P:6773; T:0x34391285760 17:10:56.628 [opensc-tool] ctx.c:929:sc_release_context: called
P:6773; T:0x34391285760 17:10:56.628 [opensc-tool] reader-pcsc.c:976:pcsc_finish: called
```
@sc-hsm I seem to hit the same bug with scsh 3.17.548:
```
Running setup script config.js ...
Smart Card Shell Scripting Engine (scdp4j) 3.17.441
----------------------------------------------------------------------------
(c) 2005-2021 CardContact Systems GmbH, Minden, Germany (www.cardcontact.de)
Enter 'help' for a command overview or 'quit' to close the shell
>load("keymanager/keymanager.js");
SmartCard-HSM Version 3.4 on JCOP 3 Free memory 80608 byte
Issuer Certificate : CVC id-SC-HSM DICA CAR=DESRCACC100001 CHR=DEDINK0100001 CED=26. Oktober 2015 CXD=25. Oktober 2023
Device Certificate : CVC id-SC-HSM Device CAR=DEDINK0100001 CHR=DENK010352500000 CED=17. März 2020 CXD=25. Oktober 2023
Default Key Domain : 8112565D2DD57130CFC000A8750ED434040AD6BCC1137A37D1E8DE5A2BBBCBF1
GPError: ASN1 (INVALID_INDEX/0) - "Index is out of range" in /home/nmoskopp/share/bin/scsh3.17.548/scsh/sc-hsm/SmartCardHSM.js#1673
at /home/nmoskopp/share/bin/scsh3.17.548/scsh/sc-hsm/SmartCardHSM.js#1673
at /home/nmoskopp/share/bin/scsh3.17.548/keymanager/keymanager.js#1214
at /home/nmoskopp/share/bin/scsh3.17.548/keymanager/keymanager.js#1311
at /home/nmoskopp/share/bin/scsh3.17.548/keymanager/keymanager.js#251
at /home/nmoskopp/share/bin/scsh3.17.548/keymanager/keymanager.js#42
at /home/nmoskopp/share/bin/scsh3.17.548/keymanager/keymanager.js#2457
>
```
To figure out what is causing the other “Index is out of range” error, I would need to look at the APDU Trace, in particular what the ENUMERATE OBJECTS command returns.
How exactly can I help you with that? (I.e. what do I have to input where?)
sc-hsm
November 12, 2021, 3:53pm
11
When you click on the “Trace” tab below the console, then you see the APDUs exchanged with the SmartCard-HSM.