Key Counter in NitroKey HSM

The NitroKey HSM literature talks about a Key Counter that can limit the number of times the key can be used.

However, I cannot find where to specify this in any documentation. Are there examples?


As far as I can see, it is not implemented in the command set of the OpenSC project yet. Maybe a feature request is worth a try?
There are probably other options to manage this (maybe by setting the value directly with the help of opensc-explorer?). I'll try to find out…

Kind regards

Ah… and by the way: you mean the “key use counter”, do you?

Hi dchan! You would need the SDK. Please register at the CardContact Developer Network to get access to the SDK.

Yes. I was referring to the Key Use Counter

I did download the CardContact SDK and studied it over the weekend.

Looks like it requires some extra data when constructing the GAKP payload in the APDU… I modified CardContact’s scsh scripts and confirmed it works.

opensc-explorer also displays the counter as a proprietary attribute:

OpenSC [E82B/0601/0401/81C3/1F02/01]> info CC05

Elementary File  ID CC05

File path:     CC05
File size:     0 bytes
EF structure:  Transparent
ACL for READ:         N/A
ACL for UPDATE:       N/A
ACL for DELETE:       N/A
ACL for WRITE:        N/A
ACL for CRYPTO:       N/A
Proprietary attributes:  90 04 00 00 00 F6

Open to ideas on how to integrate this properly into pkcs11-tool. Perhaps as a tag in --key-type? E.g.:

pkcs11-tool -k --key-type "EC:prime256v1/counter=255" -l
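
As an added example (not code from this thread, from OpenSC or from CardContact), this Python snippet reads the `info CC05` output quoted above and decodes the proprietary attribute, for instance to monitor a key's counter from a script. It assumes the attribute is a flat TLV in which tag 0x90 carries the counter as a big-endian integer, which is an interpretation of the bytes shown; the function names are hypothetical.

```python
import re

# Constructed sample: the relevant lines of the `info CC05` output quoted above.
SAMPLE_INFO = """\
Elementary File  ID CC05
File path:     CC05
File size:     0 bytes
EF structure:  Transparent
Proprietary attributes:  90 04 00 00 00 F6
"""

KEY_USE_COUNTER_TAG = 0x90  # assumption: read off the attribute bytes shown above


def parse_tlv(data: bytes) -> dict:
    """Parse a flat run of single-byte-tag TLV objects (short or long length form)."""
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            if n == 0 or i + n > len(data):
                raise ValueError("bad long-form length")
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):
            raise ValueError(f"tag {tag:02X}: value truncated")
        out[tag] = data[i:i + length]
        i += length
    return out


def key_use_counter(info_text: str):
    """Return the counter value as an int, or None if no counter attribute is present."""
    m = re.search(r"^Proprietary attributes:[ \t]*((?:[0-9A-Fa-f]{2}[ \t]*)+)$",
                  info_text, re.M)
    if not m:
        return None
    value = parse_tlv(bytes.fromhex(m.group(1))).get(KEY_USE_COUNTER_TAG)
    return None if value is None else int.from_bytes(value, "big")
```
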

Hi @dchan,

that’s great! If you can provide a short description for other users here, you are welcome to do so :wink:

If you are willing to get this feature integrated in pkcs11-tool even better!

We’d have to ask the opensc people anyway, but in my point of view it would be best to introduce a new flag like


where the functionality is disabled by default.

Integrating this information in the --key-type flag may be confusing and may conflict with older instructions/scripts.

Are you willing to open an issue/feature request on GitHub?

Kind regards

Sure, I have opened up issue #1154 on GitHub.


Can you provide any simple example of how to use the scsh for setting a key with a counter?
I would be grateful.
Thank you.