For OpenSC 0.15: Are you sure about the compatibility? That's something I haven't seen mentioned either in the product description or in the support section.
First, about the error "Failed to store private key: Non unique object ID". The OpenSC wiki mentions a bit later the command to delete a certificate; however, it doesn't look obvious to me why in the command to import a complete PKCS12 only pubkey and privkey are deleted, but not the cert. Maybe I should ask the OpenSC folks if the wording should be improved there, so partially I have to blame myself for that one.
# Deletes just the certificate
pkcs15-init --delete-objects cert --id 3
# Documented command to import a PKCS12:
pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key myprivate.p12 --format pkcs12 --auth-id 3 --verify-pin
However, adding --delete-objects privkey,pubkey,cert instead fails with: Failed to store private key: Invalid arguments
The only thing I got working with pkcs15-init was to import the private key and certificate from separate files, which requires using openssl to extract both into separate files. Adds another step, but worked reliably for me.
Now concerning the wiping of the key, the latest (that I could find) is from September:
>opensc-tool -i
OpenSC 0.15.0g20150914124137 [Microsoft 1600]
Enabled features:pcsc openssl zlib
Findings:
* pkcs15-init --erase-card in the nightly yields the same error as 0.15.
* The openpgp-tool 0.15 release didn't have the documented switch; however, the nightly now has it (so there is a gap between what is documented and what is part of the 0.15 release…).
Here is what I get with openpgp-tool:
>openpgp-tool.exe -V
openpgp-tool - OpenPGP card utility version 0.15.0g20150914124137
[...]
>openpgp-tool.exe --help
Usage: openpgp-tool [OPTIONS]
Options:
[...]
-E, --erase Erase (reset) the card
>openpgp-tool.exe --erase
Using reader with a card: Nitrokey Nitrokey Pro 0
Language: de
Gender: not applicable
Erase card
Sending 0: 00 20 00 81 08 40 40 40 40 40 40 40 40
Sending 1: 00 20 00 81 08 40 40 40 40 40 40 40 40
Sending 2: 00 20 00 81 08 40 40 40 40 40 40 40 40
Sending 3: 00 20 00 81 08 40 40 40 40 40 40 40 40
Sending 4: 00 20 00 83 08 40 40 40 40 40 40 40 40
Sending 5: 00 20 00 83 08 40 40 40 40 40 40 40 40
Sending 6: 00 20 00 83 08 40 40 40 40 40 40 40 40
Sending 7: 00 20 00 83 08 40 40 40 40 40 40 40 40
Sending 8: 00 E6 00 00
Sending 9: 00 44 00 00
OK, so those are basically the commands that are sent, as documented here: nitrokey.com/de/documentati … t-nitrokey.
The PINs get reset and the card wiped, that's rather positive. For now I'd not mention that in the official NitroKey documentation since it is part of an unreleased version of OpenSC.
I've seen a couple of rough edges and haven't even gone down the rabbit hole of trying to authenticate in a browser using a certificate (such as the StartSSL site, but that's something for another thread).
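To make the "Sending N:" lines above easier to read, here is a small decoder for that trace. It is an added example, not code from the post, OpenSC or Nitrokey: it splits each command APDU into CLA/INS/P1/P2/Lc/data and, using the instruction bytes from the OpenPGP card specification (0x20 VERIFY with P2 0x81 = PW1 and 0x83 = PW3, 0xE6 TERMINATE DF, 0x44 ACTIVATE FILE), counts how the erase is built: four VERIFY attempts against PW1, four against PW3, then TERMINATE DF and ACTIVATE FILE. The trace string is copied from the output quoted in the post; the function and variable names are my own.

```python
import re

# Instruction bytes and VERIFY targets from the OpenPGP card specification
INS_NAMES = {0x20: "VERIFY", 0xE6: "TERMINATE DF", 0x44: "ACTIVATE FILE"}
PW_NAMES = {0x81: "PW1", 0x83: "PW3"}
SEND_RE = re.compile(r"^Sending\s+\d+:\s*((?:[0-9A-Fa-f]{2}\s*)+)$")

def parse_apdu(hexbytes: str) -> dict:
    """Decode a command APDU given as space separated hex (case 1 or case 3)."""
    raw = bytes.fromhex(hexbytes)
    if len(raw) < 4:
        raise ValueError("APDU header needs CLA INS P1 P2")
    cla, ins, p1, p2 = raw[:4]
    data = b""
    if len(raw) > 4:                       # case 3: Lc byte followed by data
        lc = raw[4]
        data = raw[5:5 + lc]
        if len(data) != lc:
            raise ValueError("Lc does not match the data length")
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "data": data}

def summarize_erase(log: str) -> dict:
    """Count VERIFY attempts per password and the final wipe commands."""
    summary = {"PW1": 0, "PW3": 0, "terminate": False, "activate": False}
    for line in log.splitlines():
        m = SEND_RE.match(line.strip())
        if not m:
            continue                       # skip non-APDU output lines
        a = parse_apdu(m.group(1))
        if a["ins"] == 0x20 and a["p2"] in PW_NAMES:
            summary[PW_NAMES[a["p2"]]] += 1
        elif a["ins"] == 0xE6:
            summary["terminate"] = True
        elif a["ins"] == 0x44:
            summary["activate"] = True
    return summary

# Trace copied from the openpgp-tool --erase output quoted in the post
TRACE = """Erase card
Sending 0: 00 20 00 81 08 40 40 40 40 40 40 40 40
Sending 1: 00 20 00 81 08 40 40 40 40 40 40 40 40
Sending 2: 00 20 00 81 08 40 40 40 40 40 40 40 40
Sending 3: 00 20 00 81 08 40 40 40 40 40 40 40 40
Sending 4: 00 20 00 83 08 40 40 40 40 40 40 40 40
Sending 5: 00 20 00 83 08 40 40 40 40 40 40 40 40
Sending 6: 00 20 00 83 08 40 40 40 40 40 40 40 40
Sending 7: 00 20 00 83 08 40 40 40 40 40 40 40 40
Sending 8: 00 E6 00 00
Sending 9: 00 44 00 00"""
```

Running `summarize_erase(TRACE)` on the quoted trace yields 4 VERIFY attempts for each of PW1 and PW3 followed by both wipe commands, which matches the documented reset sequence the post links to.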