Nitrokey 3A NFC and Java Sun PKCS#11

Hi everybody,

I’m a longtime user of the FIDO U2F keys for 2FA, and recently purchased a pair of 3A NFC keys for a work project to implement signing via Java SunPKCS11.

I was able to use gpg to export a secret key to the first 3A per the documentation and then sign a file with gpg. :+1:

For the second 3A, however, I am failing to even get a key into it via keytool, SunPKCS11, and OpenSC PKCS11 drivers. For example,

> keytool -providerclass sun.security.pkcs11.SunPKCS11 -providerarg .\pkcs11.cfg -genkeypair -alias modsigning -keystore NONE -storetype PKCS11 -keyalg EC -groupname secp256r1 -storepass 123456 -v
What is your first and last name?
  [Unknown]:  Brian R
What is the name of your organizational unit?
  [Unknown]:  Dev
What is the name of your organization?
  [Unknown]:  Company
What is the name of your City or Locality?
  [Unknown]:  There
What is the name of your State or Province?
  [Unknown]:  Over There
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=Brian R, OU=Dev, O=Company, L=There, ST=Over There, C=US correct?
  [no]:  y

keytool error: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
        at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:422)
        at java.base/java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:721)
        at java.base/sun.security.tools.keytool.CertAndKeyGen.generateInternal(CertAndKeyGen.java:197)
        at java.base/sun.security.tools.keytool.CertAndKeyGen.generate(CertAndKeyGen.java:165)
        at java.base/sun.security.tools.keytool.Main.doGenKeyPair(Main.java:1998)
        at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:1186)
        at java.base/sun.security.tools.keytool.Main.run(Main.java:423)
        at java.base/sun.security.tools.keytool.Main.main(Main.java:416)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED_IN
        at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_GenerateKeyPair(Native Method)
        at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyPairGenerator.generateKeyPair(P11KeyPairGenerator.java:414)
        ... 7 more

I am using the latest stable firmware and OpenSC on Windows 10, along with the Azul OpenJDK 17.0.8.

> nitropy nk3 status
Command line tool to interact with Nitrokey devices 0.4.44
UUID:               744E13861E90455CA751E553071A3FE2
Firmware version:   v1.6.0
Init status:        ok
Free blocks (int):  48
Free blocks (ext):  473
Variant:            LPC55

> pkcs11-tool --show-info
Cryptoki version 3.0
Manufacturer     OpenSC Project
Library          OpenSC smartcard framework (ver 0.24)
Using slot 0 with a present token (0x0)

> pkcs11-tool --list-slots
Available slots:
Slot 0 (0x0): Nitrokey CCID/ICCD Interface 0
  token label        : OpenPGP card (User PIN)
  token manufacturer : OpenPGP project
  token model        : PKCS#15 emulated
  token flags        : login required, token initialized, PIN initialized
  hardware version   : 3.4
  firmware version   : 3.4
  serial num         : 000f744e1386
  pin min/max        : 6/127
Slot 1 (0x1): Nitrokey CCID/ICCD Interface 0
  token label        : OpenPGP card (User PIN (sig))
  token manufacturer : OpenPGP project
  token model        : PKCS#15 emulated
  token flags        : login required, token initialized, PIN initialized
  hardware version   : 3.4
  firmware version   : 3.4
  serial num         : 000f744e1386
  pin min/max        : 6/127

> keytool -providerClass sun.security.pkcs11.SunPKCS11 -providerArg .\pkcs11.cfg  -list -keystore NONE -storetype PKCS11 -storepass 123456 -v
Keystore type: PKCS11
Keystore provider: SunPKCS11-Nitrokey3

Your keystore contains 0 entries

I also tried again, this time using keystore to successfully create a keypair in my home directory keystore and importing it into the 3A, but that resulted in PKCS11Exception: CKR_ARGUMENTS_BAD.

Does the 3A support SunPKCS11, and if so, am I missing something?

Thank you.

On noticing the recent post "Nk 3c nfc generating keypair through pkcs tool", I tried pkcs11-tool for key creation:

> pkcs11-tool --login-type so --pin "123456" --keypairgen --key-type "EC:prime256v1" --label "modsign" --usage-sign -v
Using slot 0 with a present token (0x0)
Logging in to "OpenPGP card (User PIN)".
Please enter SO PIN: Key pair generated:
Private Key Object; EC
  label:      modsign
  ID:         c0b95d24aed8b5ab78bfb83735d324e25ec7ef6a
  Usage:      sign, signRecover
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; EC  EC_POINT 1020 bits
  EC_POINT:   04820100fa6d46dc252ea7d263ffaf8c9bf2fa96bf24ab541daf0a6c77048b8bbd5088ac3936ff0335ade9ec82da2975a26a5c3ce4390c98f24c689637d92f9d7d6b46c60000000000000000c6ffdd6c00050090a0519dc3fe01000080ca9bc3fe010000b082bec8fe7f000040819dc3fe0100002d5f0000000000000000000000000000000000000000000000000000000000000000000000000000c9ffe26c00060090000000000000000060559dc3fe0100000000000000000000c0799dc3fe010000860000000000000000519dc3fe010000410000000000000000000000000000000000000000000000ccffe76c0007008f046f7f39716d37034bc3d5ad385d9ada
  EC_PARAMS:  06082a8648ce3d030107
  label:      modsign
  ID:         c0b95d24aed8b5ab78bfb83735d324e25ec7ef6a
  Usage:      verify, verifyRecover
  Access:     none

> pkcs11-tool --list-objects --login
Using slot 0 with a present token (0x0)
Logging in to "OpenPGP card (User PIN)".
Please enter User PIN: Private Key Object; EC
  label:      Authentication key
  ID:         03
  Usage:      sign
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104fa6d46dc252ea7d263ffaf8c9bf2fa96bf24ab541daf0a6c77048b8bbd5088ac3936ff0335ade9ec82da2975a26a5c3ce4390c98f24c689637d92f9d7d6b46c6
  EC_PARAMS:  06082a8648ce3d030107
  label:      Authentication key
  ID:         03
  Usage:      verify, verifyRecover
  Access:     none
Profile object 1480404688
  profile_id:          CKP_PUBLIC_CERTIFICATES_TOKEN (4)

This was encouraging, but keytool still cannot see any keys.

> keytool -providerClass sun.security.pkcs11.SunPKCS11 -providerArg .\pkcs11.cfg -list -keystore NONE -storetype PKCS11 -v
Enter keystore password:
Keystore type: PKCS11
Keystore provider: SunPKCS11-Nitrokey3

Your keystore contains 0 entries