Hi
I’ve received a NitroKey Pro which I want to play around with and - if I get it working - use it to have the StartSSL login certificate stored there, so the key is on a more secure storage device. However, I don’t think I’m getting there yet. Since I plan to use it for work I have to use Windows, so that’s the environment I test in.
What I did so far:
- NitroKey Pro was properly recognized by Windows
- NitroKey App 0.2 and OpenSC 0.15 are installed
- Default PIN changed using the NitroKey App
- I have exported the key and certificate from Firefox to a .p12
I created some keys for a test with pkcs15-init but then I wanted to start clean, that’s where there are already issues with the OpenSC documentation: Their wiki says “Erasing card is supported by Nitrokey (or general OpenPGP card v2) only. Gnuk and Nitrokey Start do not support.”
>opensc-tool -l
# Detected readers (pcsc)
Nr. Card Features Name
0 Yes Nitrokey Nitrokey Pro 0
>pkcs15-init --erase-card
Using reader with a card: Nitrokey Nitrokey Pro 0
Failed to erase card: Not supported
>openpgp-tool --erase
openpgp-tool: unrecognized option `--erase'
Usage: openpgp-tool [OPTIONS]
Options:
-r, --reader <arg> Use reader number <arg> [0]
-w, --wait Wait for card insertion
-x, --exec <arg> Execute program <arg> with data in env vars
--raw Print values in raw format
--pretty Print values in pretty format
-U, --user-info Show card holder information
-G, --gen-key <arg> Generate key
-L, --key-length <arg> Key length (default 2048)
-h, --help Print this help message
-v, --verbose Verbose operation. Use several times to enable debug output.
-V, --version Show version number
--verify <arg> Verify PIN (CHV1, CHV2, CHV3...)
--pin <arg> PIN string
-d, --do <arg> Dump private data object number <arg> (i.e. PRIVATE-DO-<arg>)
Oops, so they document a switch that is not available (anymore) with openpgp-tool, and pkcs15-init is unable to do it. As you can see it’s definitely not the Gnuk-based NitroKey Start.
The other issue is actually importing the existing .p12 to the NitroKey: The wiki says
Pairs of key & certificate from P12 file: pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key myprivate.p12 --format pkcs12 --auth-id 3 --verify-pin
That should be the command to import both key and certificate in one go… right? But this is what I get:
>pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key mykey.p12 --format pkcs12 --auth-id 3 --verify-pin
Using reader with a card: Nitrokey Nitrokey Pro 0
User PIN required.
Please enter User PIN [Admin PIN]: 2015-11-06 08:33:06.298 cannot lock memory, sensitive data may be paged to disk
2015-11-06 08:33:06.500 cannot lock memory, sensitive data may be paged to disk
Deleted 2 objects
error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
Please enter passphrase to unlock secret key: Importing 3 certificates:
0: /CN=mailadress@example.org/emailAddress=mailadress@example.org
1: /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
2: /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Client CA
Failed to store private key: Non unique object ID
Is there anything I’m doing just the plain wrong way? I’m happy to learn more and to contribute to the documentation.
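The "PKCS12_parse:mac verify failure" line in the output above is the integrity check that runs on a .p12 before any key material is touched: the file carries an HMAC over its authSafe, keyed from the passphrase via the PKCS#12 KDF (RFC 7292 Appendix B), and the check fails when the passphrase does not match or the bytes were altered. The following script is an added example, not code from this post, from OpenSC or from Nitrokey; it shows that check in standard-library Python so a .p12 passphrase can be tested offline before running pkcs15-init. It builds a small PFX container around a constructed placeholder payload (a real file holds encrypted key and certificate bags there) and then verifies the MAC; only SHA-1 and SHA-256 MACs are handled, and the function names are my own.

```python
"""Offline PKCS#12 (.p12) MAC check, standard library only (added example,
not from the post, OpenSC or Nitrokey). Handles SHA-1 and SHA-256 MacData as
specified in RFC 7292 Appendix B; the payload used below is a constructed
placeholder, not a real key bag."""
import hashlib
import hmac
import math
import os

OID_DATA = bytes.fromhex("2a864886f70d010701")  # 1.2.840.113549.1.7.1 id-data
HASH_OIDS = {
    bytes.fromhex("2b0e03021a"): hashlib.sha1,            # 1.3.14.3.2.26
    bytes.fromhex("608648016503040201"): hashlib.sha256,  # 2.16.840.1.101.3.4.2.1
}
MAC_KEY_ID = 3  # RFC 7292 B.3: ID byte 3 derives the MAC key


def der(tag: int, content: bytes) -> bytes:
    """Encode one definite-length DER TLV."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_int(value: int) -> bytes:
    """DER INTEGER for a non-negative value (leading 0x00 added when needed)."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def read_tlv(buf: bytes, pos: int = 0):
    """Decode the TLV at pos -> (tag, content, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        n = first
    else:
        k = first & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def pkcs12_kdf(password: str, salt: bytes, iterations: int, key_id: int,
               n: int, hashmod=hashlib.sha1) -> bytes:
    """RFC 7292 Appendix B.2: derive n bytes of key material."""
    u, v = hashmod().digest_size, hashmod().block_size
    pw = password.encode("utf-16-be") + b"\x00\x00"  # BMPString with NUL terminator

    def fill(x: bytes) -> bytes:
        # Repeat x up to the next multiple of v bytes (empty input stays empty).
        if not x:
            return b""
        total = v * math.ceil(len(x) / v)
        return (x * (total // len(x) + 1))[:total]

    D = bytes([key_id]) * v
    I = bytearray(fill(salt) + fill(pw))
    out = b""
    for _ in range(math.ceil(n / u)):
        A = D + bytes(I)
        for _ in range(iterations):
            A = hashmod(A).digest()
        out += A
        # I_j = (I_j + B + 1) mod 2^v per v-byte block, B = A repeated to v bytes
        B = int.from_bytes((A * (v // u + 1))[:v], "big") + 1
        for j in range(0, len(I), v):
            blk = (int.from_bytes(I[j:j + v], "big") + B) % (1 << (8 * v))
            I[j:j + v] = blk.to_bytes(v, "big")
    return out[:n]


def build_pfx(authsafe: bytes, password: str, iterations: int = 2048,
              salt: bytes = b"", hash_oid: bytes = bytes.fromhex("2b0e03021a")) -> bytes:
    """Wrap authsafe bytes in a PFX with a passphrase-keyed HMAC (payload left as-is)."""
    hashmod = HASH_OIDS[hash_oid]
    salt = salt or os.urandom(8)
    key = pkcs12_kdf(password, salt, iterations, MAC_KEY_ID, hashmod().digest_size, hashmod)
    mac = hmac.new(key, authsafe, hashmod).digest()
    content_info = der(0x30, der(0x06, OID_DATA) + der(0xA0, der(0x04, authsafe)))
    digest_info = der(0x30, der(0x30, der(0x06, hash_oid) + der(0x05, b"")) + der(0x04, mac))
    mac_data = der(0x30, digest_info + der(0x04, salt) + der_int(iterations))
    return der(0x30, der_int(3) + content_info + mac_data)


def verify_pfx_mac(pfx: bytes, password: str) -> bool:
    """Recompute the MacData HMAC with the given passphrase; compare in constant time."""
    _, body, _ = read_tlv(pfx)
    _, version, pos = read_tlv(body)
    if version != b"\x03":
        raise ValueError("unsupported PFX version")
    _, content_info, pos = read_tlv(body, pos)
    _, mac_data, _ = read_tlv(body, pos)
    _, oid, p = read_tlv(content_info)
    if oid != OID_DATA:
        raise ValueError("authSafe is not of type id-data")
    _, explicit0, _ = read_tlv(content_info, p)  # [0] EXPLICIT wrapper
    _, authsafe, _ = read_tlv(explicit0)         # OCTET STRING content: the MACed bytes
    _, digest_info, p = read_tlv(mac_data)
    _, salt, p = read_tlv(mac_data, p)
    iterations = int.from_bytes(read_tlv(mac_data, p)[1], "big") if p < len(mac_data) else 1
    _, alg_id, p = read_tlv(digest_info)
    _, stored_mac, _ = read_tlv(digest_info, p)
    hashmod = HASH_OIDS.get(read_tlv(alg_id)[1])
    if hashmod is None:
        raise ValueError("MAC digest algorithm not handled in this example")
    key = pkcs12_kdf(password, salt, iterations, MAC_KEY_ID, hashmod().digest_size, hashmod)
    expected = hmac.new(key, authsafe, hashmod).digest()
    return hmac.compare_digest(expected, stored_mac)


if __name__ == "__main__":
    # Constructed placeholder for the AuthenticatedSafe DER; a real .p12 holds bags here.
    sample = build_pfx(b"constructed-authsafe-placeholder", "correct horse")
    print("right passphrase:", verify_pfx_mac(sample, "correct horse"))
    print("wrong passphrase:", verify_pfx_mac(sample, "Correct horse"))
```

To check an existing file, read it with `open(path, "rb").read()` and pass the bytes to `verify_pfx_mac` together with the export passphrase Firefox asked for; a `False` result reproduces the same condition OpenSSL reports as "mac verify failure", so it is worth settling that before retrying the import onto the card.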