Nitrokey HSM 2 compatibility opensc versions

Hi support team,
I would like to report an issue. With opensc v0.21.0 and v0.23.0, “pkcs11-tool --list-token-slots” returns an error code although it lists slots and token info by 0.23.0/src/tools/pkcs11-tool.c#L1621

According to Nitrokey reference [1], the opensc version should be equal to or greater than v0.19. But it seems there is a compatibility issue introduced since version > v0.20.0

I need support team assistance to stay on the correct page about compatible opensc versions.

Note: Nitrokey build version with v0.20.0 opensc is working fine. opensc-build/buster at master · Nitrokey/opensc-build · GitHub

[1] Nitrokey HSM with GNU/Linux - Nitrokey Documentation

Thanks

Can you be more specific about the error message you are getting?

> pkcs11-tool -T
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (DENK0200ABC0000         ) 00 00
  token label        : SmartCard-HSM (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 24.13
  firmware version   : 3.5
  serial num         : DENK0200ABC
  pin min/max        : 6/15

This is OpenSC on FreeBSD built from git, somewhat newer than 0.23.0

I get similar output from v0.20.0, v0.21.0 and v0.23.0, but pkcs11-tool’s return code is not 0.
Our source code enters the “if” block and exits. There are no logs like OpenSC/pkcs11-tool.c at 0.23.0 · OpenSC/OpenSC · GitHub printed to say the reason for the return error.

if ! pkcs11-tool --login --pin "${HSM_USER_PIN}" --list-token-slots -v; then
    echo "Error while listing token slots. Please check if HSM token is mounted"
    exit 1
fi

What happens if you try without --login --pin "${HSM_USER_PIN}"?

I am getting the error code if I provide the wrong PIN, for example:

> pkcs11-tool -l -p 648220 -T -v ; echo $?
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (DENK0200ABC0000         ) 00 00
  manufacturer:  Nitrokey
  hardware ver:  0.0
  firmware ver:  0.0
  flags:         token present, removable device, hardware slot
  token label        : SmartCard-HSM (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 24.13
  firmware version   : 3.5
  serial num         : DENK0200ABC
  pin min/max        : 6/15
error: PKCS11 function C_Login failed: rv = CKR_PIN_INCORRECT (0xa0)
Aborting.
1

Marcin,
There is no error like yours for the user login operation. In addition, the PIN is correct, because the system is active and the data signing process is working fine on the existing environment. My job is to prepare a new system to keep that up to date.

Hi Marcin,
After your highlight, I found the issue on my system. The PIN is defined as a protected variable and my branch should be protected to access that.

The interesting point is why I don't get a human-readable error message like you:

error: PKCS11 function C_Login failed: rv = CKR_PIN_INCORRECT (0xa0)
Aborting.
1

Many thanks for your assistance. I really appreciate it…

Now it is all clear: I get the same effect with an empty string or empty variable:

> /usr/local/bin/pkcs11-tool -T -l -p "" ; echo $? 
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (DENK0200ABC0000         ) 00 00
  token label        : SmartCard-HSM (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, user PIN count low, PIN initialized
  hardware version   : 24.13
  firmware version   : 3.5 
  serial num         : DENK0200ABC
  pin min/max        : 6/15
1

So an empty string seems to be a “special case”.
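
A preflight for the script posted earlier in this thread that reports the three failure causes seen here (empty PIN variable, token not listed, login rejected) separately instead of with one generic message. This is an added example, not part of the original posts or of OpenSC; `check_pin`, `hsm_preflight` and `PKCS11_TOOL` are hypothetical names, and the `token label` match assumes the output format shown above.

```shell
# Added example. PIN_MIN/PIN_MAX are the "pin min/max" values the token prints above.
PIN_MIN=6
PIN_MAX=15
# Hypothetical override so the tool path can be changed (or stubbed in tests).
PKCS11_TOOL="${PKCS11_TOOL:-pkcs11-tool}"

# Return 0 if the PIN looks usable, 2 if it is empty or unset, 3 if its
# length is outside the token's limits. The PIN itself is never printed.
check_pin() {
    pin="$1"
    if [ -z "$pin" ]; then
        echo "HSM_USER_PIN is empty or unset (protected variable not exposed to this job?)" >&2
        return 2
    fi
    len=${#pin}
    if [ "$len" -lt "$PIN_MIN" ] || [ "$len" -gt "$PIN_MAX" ]; then
        echo "HSM_USER_PIN length $len is outside ${PIN_MIN}..${PIN_MAX}" >&2
        return 3
    fi
    return 0
}

# Run the checks in order so each failure has its own message and exit code:
#   2 or 3 = PIN variable problem, 4 = no token listed, 5 = login failed.
hsm_preflight() {
    check_pin "${HSM_USER_PIN:-}" || return $?
    # Listing without --login needs no PIN; look for the token block in the
    # output (assumption: a present token prints a "token label" line).
    if ! "$PKCS11_TOOL" --list-token-slots 2>/dev/null | grep -q 'token label'; then
        echo "No token listed; is the HSM attached?" >&2
        return 4
    fi
    # Keep stderr so a C_Login error from the tool stays visible in the job log.
    if ! "$PKCS11_TOOL" --login --pin "$HSM_USER_PIN" --list-token-slots >/dev/null; then
        echo "Token is present but login failed" >&2
        return 5
    fi
    return 0
}
```

As in the original script, the PIN is passed on the command line, so it is visible in the process list while the tool runs.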