Nitrokey HSM 2 no longer detected

I have been using the Nitrokey HSM 2 for many years to store my CA and intermediate CA certificates. My host is Ubuntu Linux and all the tools like pkcs15-tool and pkcs11-tool worked without any issues. I migrated to Ubuntu 24.04 some months ago, and today I wanted to sign a new CSR and got the error that no smartcard reader was found.

The tools confirm :open_mouth:

✘ daubsi@bigigloo  ~  opensc-tool -l
No smart card readers found.

✘ daubsi@bigigloo  ~  pkcs11-tool -I
Cryptoki version 3.0
Manufacturer OpenSC Project
Library OpenSC smartcard framework (ver 0.25)
No slots.

✘ daubsi@bigigloo  ~  pkcs15-tool --list-info
No smart card readers found.

The USB device is properly found though:

[5042503.560445] usb 2-1.5: USB disconnect, device number 3
[5042507.931914] usb 2-1.6: new full-speed USB device number 4 using ehci-pci
[5042508.011517] usb 2-1.6: New USB device found, idVendor=20a0, idProduct=4230, bcdDevice= 1.01
[5042508.011525] usb 2-1.6: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[5042508.011526] usb 2-1.6: Product: Nitrokey HSM
[5042508.011528] usb 2-1.6: Manufacturer: Nitrokey
[5042508.011529] usb 2-1.6: SerialNumber: DENK02006400000

Did something break during the update to Ubuntu 24.04, maybe?

Just seeing it might be related to this:

as starting the processes as root works, otherwise I get these errors.

Apr 1 17:40:03 bigigloo pcscd[4010993]: 00000000 auth.c:143:IsClientAuthorized() Process 4010989 (user: 1000) is NOT authorized for action: access_pcsc
Apr 1 17:40:03 bigigloo pcscd[4010993]: 00000144 winscard_svc.c:355:ContextThread() Rejected unauthorized PC/SC client
Apr 1 17:40:03 bigigloo pcscd[4010993]: 00017161 auth.c:143:IsClientAuthorized() Process 4010989 (user: 1000) is NOT authorized for action: access_pcsc
Apr 1 17:40:03 bigigloo pcscd[4010993]: 00000132 winscard_svc.c:355:ContextThread() Rejected unauthorized PC/SC client

However, the suggested fixes don't work for me yet.

Using these files and “systemctl restart polkit.service” made it work for me again:

daubsi@bigigloo  /usr/share/polkit-1/rules.d  cat 03-polkit-pcscd.rules
polkit.addRule(function(action, subject) {
    // Allow this user to connect to the pcscd daemon.
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.user == "daubsi") {
        return polkit.Result.YES;
    }
});

polkit.addRule(function(action, subject) {
    // Allow this user to access cards in readers whose name starts with "Nitrokey".
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        action.lookup("reader").startsWith('Nitrokey') &&
        subject.user == "daubsi") {
        return polkit.Result.YES;
    }
});

Though what I observe is that the commands all execute much more slowly now …?
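
An offline check of the two polkit rules posted above, as an added example that is not part of the original thread: `makePolkit` is a hypothetical stand-in for the polkit rule engine, and the reader names and the user `alice` are constructed. It shows that the rules grant only the named user, and card access only for readers whose name starts with `Nitrokey`; every other request falls through to the action's default policy.

```javascript
// Stand-in for the polkit rule engine (assumption: only the parts these rules use).
function makePolkit() {
  const rules = [];
  const Result = { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" };
  return {
    Result,
    addRule(fn) { rules.push(fn); },
    // Rules run in order; the first one that returns a result wins.
    evaluate(action, subject) {
      for (const rule of rules) {
        const r = rule(action, subject);
        if (r !== undefined && r !== null && r !== Result.NOT_HANDLED) return r;
      }
      return Result.NOT_HANDLED; // the action's default policy then applies
    },
  };
}

// The two rules from the post, parameterised on the user name.
function installPcscRules(polkit, user) {
  polkit.addRule(function (action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" && subject.user == user) {
      return polkit.Result.YES;
    }
  });
  polkit.addRule(function (action, subject) {
    // Guard: treat a missing "reader" detail as no match instead of throwing.
    const reader = String(action.lookup("reader") || "");
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        reader.startsWith("Nitrokey") && subject.user == user) {
      return polkit.Result.YES;
    }
  });
}

// Constructed request: action id plus optional details, as a rule sees it.
function request(id, details = {}) {
  return { id, lookup: (key) => details[key] };
}

// Evaluate one request from `user` against rules installed for "daubsi".
function decide(user, id, details) {
  const polkit = makePolkit();
  installPcscRules(polkit, "daubsi");
  return polkit.evaluate(request(id, details), { user });
}

const PCSC = "org.debian.pcsc-lite.access_pcsc";
const CARD = "org.debian.pcsc-lite.access_card";
console.log(decide("daubsi", PCSC));
console.log(decide("daubsi", CARD, { reader: "Nitrokey Nitrokey HSM 00 00" }));
console.log(decide("daubsi", CARD, { reader: "Other Reader 00 00" }));
console.log(decide("alice", PCSC));
```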

Which pcsc-lite are you using?

Hm, it seems I don't even have pcsc-lite? Ubuntu 24.04.02 this is. Or is it the combination of pcscd and libpcsclite?

libpcsc-perl                                     1.4.16-1build3   
libpcsclite-dev:amd64                            2.0.3-1build1    
libpcsclite1:amd64                               2.0.3-1build1    
pcsc-tools                                       1.7.1-1          
pcscd                                            2.0.3-1build1

Yes, Debian splits it into many packages. In general - what you need is to either have pcsc-lite without polkit support or have polkit support enabled properly, as you did with your configuration file.

If you think this is getting slower because of this and you can measure it somehow (old version works better than the new one) - this might be something to report to the distribution.

Depending on the Nitrokey HSM2 version - older cards can be slower than the newer ones (Cannot Initialize new Nitrokey HSM - #11 by daringer).

It can depend on the number of keys/certificates/files stored on the smartcard.

Speed may also depend on caching being enabled in OpenSC or not. (I would recommend not to use caching there).