Import p12 to the Nitrokey Pro - I'm missing something

Hi

I’ve received a NitroKey Pro which I want to play around with and, if I get it working, use it to have the StartSSL login certificate stored there so the key is on a more secure storage device. However, I don’t think I’m getting there yet. I plan to use it for work, where I have to use Windows, so that’s the environment I test in.

What I did so far:
- NitroKey Pro was properly recognized by Windows
- NitroKey App 0.2 and OpenSC 0.15 are installed
- Default PIN changed using the NitroKey App
- I have exported the key and certificate from Firefox to a .p12

I created some keys for a test with pkcs15-init but then I wanted to start clean, that’s where there are already issues with the OpenSC documentation: Their wiki says “Erasing card is supported by Nitrokey (or general OpenPGP card v2) only. Gnuk and Nitrokey Start do not support.”

>opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Nitrokey Nitrokey Pro 0

>pkcs15-init --erase-card
Using reader with a card: Nitrokey Nitrokey Pro 0
Failed to erase card: Not supported

>openpgp-tool --erase
openpgp-tool: unrecognized option `--erase'
Usage: openpgp-tool [OPTIONS]
Options:
  -r, --reader <arg>            Use reader number <arg> [0]
  -w, --wait                    Wait for card insertion
  -x, --exec <arg>              Execute program <arg> with data in env vars
      --raw                     Print values in raw format
      --pretty                  Print values in pretty format
  -U, --user-info               Show card holder information
  -G, --gen-key <arg>           Generate key
  -L, --key-length <arg>        Key length (default 2048)
  -h, --help                    Print this help message
  -v, --verbose                 Verbose operation. Use several times to enable debug output.
  -V, --version                 Show version number
      --verify <arg>            Verify PIN (CHV1, CHV2, CHV3...)
      --pin <arg>               PIN string
  -d, --do <arg>                Dump private data object number <arg> (i.e. PRIVATE-DO-<arg>)

Oops, so they document a switch that is not (anymore) available in openpgp-tool, and pkcs15-init is unable to do it either. As you can see it’s definitely not the Gnuk-based NitroKey Start.

The other issue is actually importing the existing .p12 to the NitroKey: The wiki says
Pairs of key & certificate from P12 file: pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key myprivate.p12 --format pkcs12 --auth-id 3 --verify-pin

That should be the command to import both key and certificate in one go… right, but this is what I get:

>pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key mykey.p12 --format pkcs12 --auth-id 3 --verify-pin
Using reader with a card: Nitrokey Nitrokey Pro 0
User PIN required.
Please enter User PIN [Admin PIN]: 2015-11-06 08:33:06.298 cannot lock memory, sensitive data may be paged to disk
2015-11-06 08:33:06.500 cannot lock memory, sensitive data may be paged to disk
Deleted 2 objects
error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
Please enter passphrase to unlock secret key: Importing 3 certificates:
  0: /CN=mailadress@example.org/emailAddress=mailadress@example.org
  1: /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
  2: /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Client CA
Failed to store private key: Non unique object ID

Is there anything I’m doing just the plain wrong way? I’m happy to learn more and to contribute to the documentation.

I believe OpenSC 0.15 doesn’t support NK Pro yet. Can you try the latest nightly build? sourceforge.net/projects/opensc/ … C/nightly/

As an alternative to OpenSC you could use gpgsm.

For OpenSC 0.15: Are you sure about the compatibility? That’s something I haven’t seen mentioned in either the product description or the support section.

First about the error Failed to store private key: Non unique object ID. The OpenSC wiki mentions a bit later the command for deleting a certificate; however, it doesn’t look obvious to me why in the command to import a complete PKCS12 only pubkey and privkey are deleted, but not the cert. Maybe I should ask the OpenSC folks if the wording should be improved there, so partially I have to blame myself for that one.

# Deletes just the certificate
pkcs15-init --delete-objects cert --id 3

# Documented to import a PKCS12 is:
pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key myprivate.p12 --format pkcs12 --auth-id 3 --verify-pin

However, adding --delete-objects privkey,pubkey,cert instead fails: Failed to store private key: Invalid arguments

The only thing I got working with pkcs15-init was to import the private key and certificate from separate files, which requires using openssl to extract both into separate files. That adds another step, but it worked reliably for me.

Now concerning the wiping of the key, the latest I could find is from September:

>opensc-tool -i
OpenSC 0.15.0g20150914124137 [Microsoft 1600]
Enabled features:pcsc openssl zlib

Findings:
- pkcs15-init --erase-card in the nightly yields the same error as 0.15.
- The openpgp-tool 0.15 release didn’t have the documented switch, however the nightly now has it (so there is a gap between what is documented and what is part of the 0.15 release…)

Here is what I get with openpgp-tool:

>openpgp-tool.exe -V
openpgp-tool - OpenPGP card utility version 0.15.0g20150914124137
[...]

>openpgp-tool.exe --help
Usage: openpgp-tool [OPTIONS]
Options:
[...]
  -E, --erase                   Erase (reset) the card

>openpgp-tool.exe --erase
Using reader with a card: Nitrokey Nitrokey Pro 0
Language:  de
Gender:    not applicable
Erase card
Sending 0: 00 20 00 81 08 40 40 40 40 40 40 40 40
Sending 1: 00 20 00 81 08 40 40 40 40 40 40 40 40
Sending 2: 00 20 00 81 08 40 40 40 40 40 40 40 40
Sending 3: 00 20 00 81 08 40 40 40 40 40 40 40 40
Sending 4: 00 20 00 83 08 40 40 40 40 40 40 40 40
Sending 5: 00 20 00 83 08 40 40 40 40 40 40 40 40
Sending 6: 00 20 00 83 08 40 40 40 40 40 40 40 40
Sending 7: 00 20 00 83 08 40 40 40 40 40 40 40 40
Sending 8: 00 E6 00 00
Sending 9: 00 44 00 00

OK, so those are basically the commands that are sent, as documented here: nitrokey.com/de/documentati … t-nitrokey.
The PINs get reset and the card wiped, which is rather positive. For now I’d not mention that in the official NitroKey documentation since it is part of an unreleased version of OpenSC.

I’ve seen a couple of rough edges and haven’t even gone down the rabbit hole of trying to authenticate in a browser using a certificate (such as on the StartSSL site, but that’s something for another thread).
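The separate-files workaround described above, written out as an added example (not from this thread, OpenSC or Nitrokey): it assumes a POSIX shell with openssl, builds a constructed throwaway key/cert as a stand-in for the Firefox export with the placeholder passphrase `changeit`, and runs the pkcs15-init steps only when the tool is installed (they prompt for the card PIN).

```shell
#!/bin/sh
# Added example: split a .p12 with openssl, sanity-check the pair, then store
# key and certificate on the card as two separate pkcs15-init operations.
set -eu

WORK=$(mktemp -d)

# Constructed input: a throwaway self-signed key/cert bundled as a .p12,
# standing in for the Firefox export. "changeit" is a placeholder passphrase.
make_sample_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=mailadress@example.org" \
    -keyout "$WORK/orig.key" -out "$WORK/orig.crt" >/dev/null 2>&1
  openssl pkcs12 -export -in "$WORK/orig.crt" -inkey "$WORK/orig.key" \
    -passout pass:changeit -out "$WORK/mykey.p12"
  echo "$WORK/mykey.p12"
}

# Extract key.pem and cert.pem. A wrong passphrase fails here, before
# pkcs15-init has deleted anything from the card.
split_p12() {
  p12=$1; pass=$2
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes -out "$WORK/key.pem"
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys -out "$WORK/cert.pem"
}

# Confirm the extracted key really belongs to the extracted certificate
# (same RSA modulus) before writing either object to the card.
key_matches_cert() {
  k=$(openssl rsa -in "$WORK/key.pem" -noout -modulus)
  c=$(openssl x509 -in "$WORK/cert.pem" -noout -modulus)
  [ "$k" = "$c" ]
}

# Store both objects under id 3. Leftovers are deleted one type at a time,
# since deleting privkey,pubkey,cert in a single call failed in the thread.
store_on_card() {
  for obj in privkey pubkey cert; do
    pkcs15-init --delete-objects "$obj" --id 3 || true
  done
  pkcs15-init --store-private-key "$WORK/key.pem" --format pem --id 3 --auth-id 3 --verify-pin
  pkcs15-init --store-certificate "$WORK/cert.pem" --id 3 --auth-id 3 --verify-pin
}

p12=$(make_sample_p12)
split_p12 "$p12" changeit
key_matches_cert && echo "key/cert pair is consistent"
command -v pkcs15-init >/dev/null && store_on_card || echo "pkcs15-init not installed, skipping card steps"
```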

“haven’t even gone down the rabbit hole of trying to authenticate in a browser using a certificate”

Actually, I’m doing just that with cacert.org; it wasn’t too bad. I loaded the private key and public certificate on the NitroKey with gpg, then loaded the opensc-pkcs11.dll in Firefox.

Hi alheisner

Sorry, my last post was a bit ranty, but that was a bit of frustration due to the mismatch between OpenSC’s documented options and those that actually exist in a release version :-\

Maybe I should have a closer look at gpg and try importing the certificate this way, because opensc-pkcs11.dll was loaded and I was asked for the user PIN, but the certificate wasn’t shown (yet). The minidriver didn’t see a certificate either in Chrome. Then again, I’ll try things a bit more; maybe I’ll get through.

Firefox’s PIN dialogs may be misleading because Firefox isn’t aware of two different PINs. You should know if the User-PIN or Admin-PIN has to be entered and ignore the dialog asking for User PIN. When generating a key or certificate you may need the Admin PIN.