Nitrokey 3 PKCS11 status / lib

Hi, I’m trying to use the Nitrokey 3 as a pkcs11 backend, but am having trouble finding any information on how. The feature table and shop description clearly state it’s supported, the docs only provide pkcs11 info for the Nitrokey HSM.

There is this not so promising topic in the forum, and some others that are unanswered. The closest I can find on GitHub is this snippet, which contains the comment “# Make sure that the PYKCS11LIB env variable is set”. This is particularly frustrating, because knowing what lib to use/set the variable to is exactly the information (i.e. what driver lib to use …) I’m looking for!

Thanks in advance for any pointers!

As the opcard-rs application on the Nitrokey 3 is OpenPGP Card compatible, you could use it with OpenSC.


This is on my FreeBSD box right now:

  1. One window - I start sudo pcscd -adf to see the communication with the card (warning: the output contains secret stuff like PINs)

  2. Second window - I run the following commands:

> /usr/local/bin/pkcs11-tool -T
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
  token label        : OpenPGP card (User PIN)
  token manufacturer : OpenPGP project
  token model        : PKCS#15 emulated
  token flags        : login required, token initialized, PIN initialized
  hardware version   : 3.4
  firmware version   : 3.4
  serial num         : 000fffffffff
  pin min/max        : 6/127
Slot 1 (0x1): Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
  token label        : OpenPGP card (User PIN (sig))
  token manufacturer : OpenPGP project
  token model        : PKCS#15 emulated
  token flags        : login required, token initialized, PIN initialized
  hardware version   : 3.4
  firmware version   : 3.4
  serial num         : 000fffffffff
  pin min/max        : 6/127
> /usr/local/bin/pkcs11-tool -O --slot 0
Public Key Object; EC_EDWARDS  EC_POINT 255 bits
  EC_POINT:   042038269546eff4875291c4c2ca4c4b4120afa56a57603bc73953575d396dc237d5
  EC_PARAMS:  06032b6570 (OID 1.3.101.112)
  label:      Authentication key
  ID:         03
  Usage:      verify
  Access:     none
Public Key Object; EC_MONTGOMERY  EC_POINT 255 bits
  EC_POINT:   042036d3d03081235f0707b99c178bd03085401194b129780af473378a5b31d0d757
  EC_PARAMS:  06032b656e (OID 1.3.101.110)
  label:      Encryption key
  ID:         02
  Usage:      derive
  Access:     none
Profile object 4288853216
  profile_id:          CKP_PUBLIC_CERTIFICATES_TOKEN (4)

openpgp-tool from OpenSC (as @nku suggested):

> openpgp-tool -K
Using reader with a card: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
Aut Algorithm:   EDDSA
Aut Create Date: 2023-12-22 19:13:34
Aut Fingerprint: 2d:95:41:9c:2c:47:7a:bc:a1:e7:dc:d9:c1:4a:88:c5:c3:07:dd:91
Dec Algorithm:   ECDH
Dec Create Date: 2023-12-22 19:13:34
Dec Fingerprint: cb:3d:95:9e:63:62:15:2a:da:d3:9f:c3:56:6d:12:69:b6:52:8e:d3
Sig Algorithm:   EDDSA
Sig Create Date: 2023-12-22 19:13:34
Sig Fingerprint: f2:ee:32:6f:54:2b:78:44:22:b4:fd:10:33:fb:9d:a8:17:64:f4:7a

So, it looks like pcscd + opensc + pkcs11 tools can read the card and find the keys.

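An added example (my own code, not from the thread or from OpenSC) that turns the pkcs11-tool -O listing above into structured data: it splits the listing into objects, decodes the DER-encoded CKA_EC_PARAMS OID (so 06032b6570 is recognised as Ed25519 by decoding rather than string matching) and unwraps the DER OCTET STRING around CKA_EC_POINT to get the raw 32-byte public key, which is what you would compare against the key you expect to be on the token. The sample input is constructed from the listing above, abridged to the fields used; the function names are assumptions of mine.

```python
import re
# Constructed sample: the `pkcs11-tool -O --slot 0` listing quoted above, abridged to the fields used here.
SAMPLE_OBJECTS = """\
Public Key Object; EC_EDWARDS  EC_POINT 255 bits
  EC_POINT:   042038269546eff4875291c4c2ca4c4b4120afa56a57603bc73953575d396dc237d5
  EC_PARAMS:  06032b6570 (OID 1.3.101.112)
  label:      Authentication key
  ID:         03
Public Key Object; EC_MONTGOMERY  EC_POINT 255 bits
  EC_POINT:   042036d3d03081235f0707b99c178bd03085401194b129780af473378a5b31d0d757
  EC_PARAMS:  06032b656e (OID 1.3.101.110)
  label:      Encryption key
  ID:         02
Profile object 4288853216
"""
# Curve OIDs from RFC 8410: id-X25519 and id-Ed25519.
CURVE_OIDS = {"1.3.101.110": "X25519", "1.3.101.112": "Ed25519"}

def decode_oid(der_hex):
    """Decode a DER OBJECT IDENTIFIER (tag 0x06, as in CKA_EC_PARAMS) to dotted form."""
    der = bytes.fromhex(der_hex)
    if der[0] != 0x06 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed DER OID")
    body = der[2:]
    arcs, value = [body[0] // 40, body[0] % 40], 0  # first byte packs arcs 1 and 2
    for b in body[1:]:                                # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_ec_point(point_hex):
    """CKA_EC_POINT is a DER OCTET STRING (tag 0x04) wrapping the raw 32-byte key."""
    der = bytes.fromhex(point_hex)
    if der[0] != 0x04 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed DER OCTET STRING")
    return der[2:]

def parse_public_keys(text):
    """One dict per 'Public Key Object' block: label, id, curve and raw key (hex)."""
    keys = []
    for block in re.split(r"(?m)^(?=\S)", text):   # each object starts at an unindented line
        if not block.startswith("Public Key Object"):
            continue                                  # skips e.g. the Profile object
        attrs = dict(re.findall(r"^\s+(\S+):\s+(.+?)\s*$", block, re.M))
        oid = decode_oid(attrs["EC_PARAMS"].split()[0])
        keys.append({"label": attrs["label"], "id": attrs["ID"], "curve": CURVE_OIDS.get(oid, oid),
                     "public_key": decode_ec_point(attrs["EC_POINT"]).hex()})
    return keys
```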

Thanks, that was helpful!
