Hi everybody,
I’m a longtime user of the FIDO U2F keys for 2FA, and recently purchased a pair of 3A NFC keys for a work project to implement signing via Java SunPKCS11.
I was able to use gpg to export a secret key to the first 3A per the documentation and then sign a file with gpg.
For the second 3A, however, I am failing to even get a key into it via keytool, SunPKCS11, and the OpenSC PKCS11 drivers. For example,
> keytool -providerclass sun.security.pkcs11.SunPKCS11 -providerarg .\pkcs11.cfg -genkeypair -alias modsigning -keystore NONE -storetype PKCS11 -keyalg EC -groupname secp256r1 -storepass 123456 -v
What is your first and last name?
[Unknown]: Brian R
What is the name of your organizational unit?
[Unknown]: Dev
What is the name of your organization?
[Unknown]: Company
What is the name of your City or Locality?
[Unknown]: There
What is the name of your State or Province?
[Unknown]: Over There
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=Brian R, OU=Dev, O=Company, L=There, ST=Over There, C=US correct?
[no]: y
keytool error: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:422)
at java.base/java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:721)
at java.base/sun.security.tools.keytool.CertAndKeyGen.generateInternal(CertAndKeyGen.java:197)
at java.base/sun.security.tools.keytool.CertAndKeyGen.generate(CertAndKeyGen.java:165)
at java.base/sun.security.tools.keytool.Main.doGenKeyPair(Main.java:1998)
at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:1186)
at java.base/sun.security.tools.keytool.Main.run(Main.java:423)
at java.base/sun.security.tools.keytool.Main.main(Main.java:416)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_GenerateKeyPair(Native Method)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:414)
... 7 more
I am using the latest stable firmware and OpenSC on Windows 10, along with the Azul OpenJDK 17.0.8.
> nitropy nk3 status
Command line tool to interact with Nitrokey devices 0.4.44
UUID: 744E13861E90455CA751E553071A3FE2
Firmware version: v1.6.0
Init status: ok
Free blocks (int): 48
Free blocks (ext): 473
Variant: LPC55
> pkcs11-tool --show-info
Cryptoki version 3.0
Manufacturer OpenSC Project
Library OpenSC smartcard framework (ver 0.24)
Using slot 0 with a present token (0x0)
> pkcs11-tool --list-slots
Available slots:
Slot 0 (0x0): Nitrokey CCID/ICCD Interface 0
token label : OpenPGP card (User PIN)
token manufacturer : OpenPGP project
token model : PKCS#15 emulated
token flags : login required, token initialized, PIN initialized
hardware version : 3.4
firmware version : 3.4
serial num : 000f744e1386
pin min/max : 6/127
Slot 1 (0x1): Nitrokey CCID/ICCD Interface 0
token label : OpenPGP card (User PIN (sig))
token manufacturer : OpenPGP project
token model : PKCS#15 emulated
token flags : login required, token initialized, PIN initialized
hardware version : 3.4
firmware version : 3.4
serial num : 000f744e1386
pin min/max : 6/127
> keytool -providerClass sun.security.pkcs11.SunPKCS11 -providerArg .\pkcs11.cfg -list -keystore NONE -storetype PKCS11 -storepass 123456 -v
Keystore type: PKCS11
Keystore provider: SunPKCS11-Nitrokey3
Your keystore contains 0 entries
I also tried again, this time using keystore to successfully create a keypair in my home directory keystore and import it into the 3A, but that resulted in PKCS11Exception: CKR_ARGUMENTS_BAD.
Does the 3A support SunPKCS11, and if so, am I missing something?
Thank you.
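A programmatic version of the same check, added here and not part of the original post: it performs the PKCS#11 user login explicitly through the SunPKCS11 provider and then issues the same EC key generation call that keytool -genkeypair makes, so the CKR_* code reported by the token driver can be read directly rather than through keytool. The config file path, the PIN argument and the use of the JDK 9+ Provider.configure() API are assumptions for this example.

```java
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.Provider;
import java.security.ProviderException;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;
import java.util.Collections;

public class Pkcs11LoginCheck {
    public static void main(String[] args) throws Exception {
        // Same SunPKCS11 config file keytool was given via -providerArg.
        // The default path and PIN below are assumptions for this example.
        String cfgPath = args.length > 0 ? args[0] : "pkcs11.cfg";
        char[] pin = (args.length > 1 ? args[1] : "123456").toCharArray();

        // JDK 9+: take the unconfigured SunPKCS11 provider and configure it
        // from the file (name, library, slot, etc. come from the cfg).
        Provider p = Security.getProvider("SunPKCS11").configure(cfgPath);
        Security.addProvider(p);
        System.out.println("Provider: " + p.getName());

        // KeyStore.load(null, pin) is where SunPKCS11 performs the PKCS#11
        // C_Login as CKU_USER; keytool does the same with -storepass.
        // Doing it explicitly separates "login failed" from "logged in, but
        // the token/driver does not allow this operation in a user session".
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);
        System.out.println("Logged in; aliases visible through the provider: "
                + Collections.list(ks.aliases()));

        // Attempt the same operation keytool -genkeypair performs.
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", p);
            kpg.initialize(new ECGenParameterSpec("secp256r1"));
            kpg.generateKeyPair();
            System.out.println("C_GenerateKeyPair succeeded under the user PIN login");
        } catch (ProviderException e) {
            // The innermost cause is the PKCS11Exception carrying the CKR_* code.
            Throwable root = e;
            while (root.getCause() != null) {
                root = root.getCause();
            }
            System.out.println("Key generation rejected: " + root.getMessage());
        }
    }
}
```

Run it with the same pkcs11.cfg and PIN used for keytool; if the login line prints but the generation step still reports CKR_USER_NOT_LOGGED_IN, the rejection comes from the token or OpenSC driver for that operation, not from a missing keytool login.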