Nitrokey HSM 2 not recognized on OpenSUSE Tumbleweed

Hello there,

strange phenomenon on openSUSE Tumbleweed. As prerequisites I installed the following packages for using the Nitrokey HSM 2:

sudo zypper install opensc gnutls pcsc-tools

The versions of the software packages are currently:

opensc-0.23.0-2.2.x86_64
gnutls-3.8.0-4.5.x86_64
pcsc-tools-1.6.2-1.3.x86_64

“pcscd.service” is enabled and started. After having inserted the Nitrokey HSM 2 into a free USB port the device shows up as a proper USB device:

lsusb
    Bus 003 Device 003: ID 20a0:4230 Clay Logic Nitrokey HSM

usb-devices
    ...
    T:  Bus=03 Lev=02 Prnt=02 Port=01 Cnt=01 Dev#=  3 Spd=12   MxCh= 0
    D:  Ver= 1.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
    P:  Vendor=20a0 ProdID=4230 Rev=01.01
    S:  Manufacturer=Nitrokey
    ...

dmesg
    ...
    [    4.258758] usb 3-1.2: New USB device found, idVendor=20a0, idProduct=4230, bcdDevice= 1.01
    [    4.258773] usb 3-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
    [    4.258776] usb 3-1.2: Product: Nitrokey HSM
    [    4.258779] usb 3-1.2: Manufacturer: Nitrokey
    ...

However, “pkcs11-tool” and “pkcs15-tool” do not recognize the HSM:

pkcs15-tool -D
    No smart card readers found.

pkcs11-tool --module /usr/lib64/opensc-pkcs11.so -L
    Available slots:
    No slots.

pkcs11-tool --module /usr/lib64/opensc-pkcs11.so -O
    No slots.

I added the “41-nitrokey.rules” udev rules from the “GitHub - Nitrokey/libnitrokey: Communicate with Nitrokey devices in a clean and easy manner” project and rebooted the machine - but to no avail. When I try “gpg2 --card-status” at least I get some kind of response:

gpg2 --card-status
    Reader ...........: 20A0:4230:DENKxxxxxxxxxxx         :0
    Application ID ...: xxxxxxxxxxxxxxxxxxxxxx
    Application type .: Unknown

I have other machines running Mint Linux 21.2 as well as Windows 10 22H2 which do work with the Nitrokey HSM 2 without problems (OK, on Windows I had to fiddle around with “libp11” a bit and the hint in the documentation towards “p11tool” is not usable - but nevertheless I got it running). Only openSUSE Tumbleweed shows this strange behaviour. Any ideas are welcome (maybe some additional udev rule?).

Best regards
Juergen

What probably happens: your PC/SC daemon has Policy Kit integration enabled and one has to enable the smartcard usage for the particular user:


Hello,

thanks for the prompt reply and the suggestion. I edited the configuration file “/usr/share/polkit-1/actions/org.debian.pcsc-lite.policy”, set all the <allow_xxx> directives to “yes” and rebooted the machine. Sadly, this would not work. I stopped the pcscd service and started it in debug mode in the foreground:

sudo systemctl stop pcscd.service
sudo pcscd --foreground --debug

Now when I execute “pkcs11-tool -L” as a regular user I see the following errors on the pcscd console ALTHOUGH I made the polkit-related changes:

    00006119 [139677926102720] auth.c:143:IsClientAuthorized() Process 6151 (user: 1000) is NOT authorized for action: access_pcsc
    00000191 [139677926102720] winscard_svc.c:336:ContextThread() Rejected unauthorized PC/SC client

OK, I can sort this out later. So I tried “sudo pkcs11-tool -L”. Now the pcscd console shows no error:

    00004245 [139677926102720] winscard_svc.c:341:ContextThread() Authorized PC/SC client
    00000013 [139677926102720] winscard_svc.c:344:ContextThread() Thread is started: dwClientID=7, threadContext @0x5642177ae720
    00000013 [139677926102720] winscard_svc.c:362:ContextThread() Received command: CMD_VERSION from client 7
    00000010 [139677926102720] winscard_svc.c:374:ContextThread() Client is protocol version 4:4
    00000005 [139677926102720] winscard_svc.c:397:ContextThread() CMD_VERSION for client 7, rv=SCARD_S_SUCCESS
    00000047 [139677926102720] winscard_svc.c:362:ContextThread() Received command: ESTABLISH_CONTEXT from client 7
    00000016 [139677926102720] winscard.c:210:SCardEstablishContext() Establishing Context: 0x4AC14B07
    00000006 [139677926102720] winscard_svc.c:466:ContextThread() ESTABLISH_CONTEXT for client 7, rv=SCARD_S_SUCCESS
    00000031 [139677926102720] winscard_svc.c:362:ContextThread() Received command: CMD_GET_READERS_STATE from client 7
    00000063 [139677926102720] winscard_svc.c:362:ContextThread() Received command: CMD_GET_READERS_STATE from client 7
    00000109 [139677926102720] winscard_svc.c:362:ContextThread() Received command: RELEASE_CONTEXT from client 7
    00000034 [139677926102720] winscard.c:224:SCardReleaseContext() Releasing Context: 0x4AC14B07
    00000016 [139677926102720] winscard_svc.c:481:ContextThread() RELEASE_CONTEXT for client 7, rv=SCARD_S_SUCCESS
    00000285 [139677926102720] winscard_svc.c:355:ContextThread() Client die: 7
    00000028 [139677926102720] winscard_svc.c:1072:MSGCleanupClient() Thread is stopping: dwClientID=7, threadContext @0x5642177ae720
    00000008 [139677926102720] winscard_svc.c:1080:MSGCleanupClient() Freeing SCONTEXT @0x5642177ae720

but pkcs11-tool still shows “No slots”. I tried two more utilities:

sudo opensc-tool --list-readers
    No smart card readers found.

and “sudo pcsc_scan” hangs indefinitely with a rotating status indicator. Very, very strange…

Best regards
Juergen
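The “is NOT authorized for action: access_pcsc” line above is pcscd asking polkit whether the connecting process may use the daemon. As an added example (not from this thread or from pcsc-lite), the script below grants that authorization to members of one group through a rule file in /etc/polkit-1/rules.d rather than by editing the package-owned org.debian.pcsc-lite.policy: the vendor file is replaced on every update, and setting its <allow_*> directives to “yes” there opens the token to every local account. The group name “scard”, the rule file name and the enrolment helper are assumptions made for this example; the action ids org.debian.pcsc-lite.access_pcsc and org.debian.pcsc-lite.access_card are the ones pcsc-lite defines.

```shell
#!/bin/sh
# Added example (not from the thread or pcsc-lite): grant pcscd access to one
# group through a polkit rule in /etc/polkit-1/rules.d instead of editing the
# package-owned org.debian.pcsc-lite.policy. Group "scard" and the rule file
# name are assumptions made for this example.

PCSC_GROUP=${PCSC_GROUP:-scard}

write_pcsc_rule() {
    # $1 = rules directory (normally /etc/polkit-1/rules.d), $2 = group.
    # Prints the path of the rule file written.
    rule="$1/50-pcsc-$2.rules"
    cat >"$rule" <<EOF
/* Members of "$2" may talk to pcscd (access_pcsc) and connect to inserted
 * cards (access_card); these action ids come from org.debian.pcsc-lite.policy.
 * Without such a rule pcscd logs "is NOT authorized for action: access_pcsc"
 * and pkcs11-tool -L reports "No slots" for unprivileged users. */
polkit.addRule(function (action, subject) {
    if ((action.id == "org.debian.pcsc-lite.access_pcsc" ||
         action.id == "org.debian.pcsc-lite.access_card") &&
        subject.isInGroup("$2")) {
        return polkit.Result.YES;
    }
});
EOF
    chmod 0644 "$rule"
    printf '%s\n' "$rule"
}

install_pcsc_rule() {
    # $1 = user to enrol; must run as root.
    groupadd -f "$PCSC_GROUP"
    usermod -aG "$PCSC_GROUP" "$1"
    write_pcsc_rule /etc/polkit-1/rules.d "$PCSC_GROUP"
    echo "added $1 to $PCSC_GROUP; log out and back in, then run pcsc_access_check"
}

pcsc_access_check() {
    # Ask polkit the same question pcscd asks in auth.c when a client connects,
    # for this shell's own process.
    if pkcheck --action-id org.debian.pcsc-lite.access_pcsc --process $$; then
        echo "access_pcsc: authorized"
    else
        echo "access_pcsc: NOT authorized (wrong group, or rule not picked up)" >&2
        return 1
    fi
}

# Usage: sudo sh this_script.sh <username>
if [ "$(id -u)" -eq 0 ] && [ -n "${1:-}" ]; then
    install_pcsc_rule "$1"
fi
```

The new group membership only applies to sessions started after the change, so log out and back in before testing; pcsc_access_check then asks polkit directly instead of going through pkcs11-tool, which separates an authorization problem from a missing-driver problem.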

Does pcscd detect and configure the Nitrokey ?

My guess is that the GPG stuff tries to talk to the token directly via CCID and that this blocks pcscd from configuring the token.

Hello,

the Nitrokey is detected by “pcscd” but it seems that the device is not configured. I unplugged the Nitrokey, then started “pcscd” in the foreground. When I plugged in the Nitrokey the console showed that a USB device was added and that it was looking for a driver - nothing else:

sudo systemctl stop pcscd.service
sudo pcscd --foreground --debug
    # when plugging in Nitrokey HSM 2 on OpenSUSE Tumbleweed
    ...
    31478721 [140124075656896] hotplug_libudev.c:645:HPEstablishUSBNotifications() USB Device add
    00000217 [140124075656896] hotplug_libudev.c:298:get_driver() Looking for a driver for VID: 0x20A0, PID: 0x4230, path: /dev/bus/usb/002/004
    ...

I tried all this on a Mint Linux 21.1 system which works like a charm with the same Nitrokey and on this system the output reads as follows:

sudo systemctl stop pcscd.service
sudo pcscd --foreground --debug
    # when plugging in Nitrokey HSM 2 on Mint Linux 21.1
    ...
    32953536 [139636184102464] hotplug_libudev.c:667:HPEstablishUSBNotifications() USB Device add
    00000408 [139636184102464] hotplug_libudev.c:300:get_driver() Looking for a driver for VID: 0x20A0, PID: 0x4230, path: /dev/bus/usb/001/004
    00000026 [139636184102464] hotplug_libudev.c:441:HPAddDevice() Adding USB device: Nitrokey Nitrokey HSM
    00000137 [139636184102464] readerfactory.c:1097:RFInitializeReader() Attempting startup of Nitrokey Nitrokey HSM (xxxxxxxxxxxxxxx) 00 00 using /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux/libccid.so
    ...

User sc-hsm suggested that GPG could be the culprit because of connecting to the token directly via CCID. I am a bit at a loss here - I do not use GPG actively though it seems to be installed. I looked at all the “systemd” services as well as the active processes and could not find anything related to GPG.

Best regards
Juergen

pcscd uses libccid to interface with card readers like the Nitrokey HSM. That module is usually located in /usr/lib/pcsc/driver/ifd-ccid.bundle and has a configuration file named Info.plist.

Info.plist contains a list of vendor and product ids. Can you check if the VID and PID are listed there?

See our blog for details.

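As an added example of the check suggested above (not code from this thread or from the libccid project): Info.plist keeps ifdVendorID, ifdProductID and ifdFriendlyName as three parallel <array>s, so entry i of each array belongs to the same reader, and a VID that appears somewhere in the file is not enough on its own. The script finds the installed bundle (Contents/Info.plist next to the Contents/Linux/libccid.so path shown in the pcscd log) and looks the pair up by index; the two-reader plist it builds for the demo is constructed for this example, and the helper and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or libccid): check whether a USB VID:PID
# pair is listed in libccid's Info.plist. Vendor ids, product ids and names
# are parallel <array>s, so the PID must sit at the same index as the VID.

ccid_lookup() {
    # $1 = path to Info.plist, $2 = VID in hex (e.g. 20a0), $3 = PID in hex.
    # Prints the reader's friendly name and returns 0 on a match, 1 otherwise.
    awk -v want_vid="0x$2" -v want_pid="0x$3" '
        /<key>ifdVendorID<\/key>/     { cur = "v"; next }
        /<key>ifdProductID<\/key>/    { cur = "p"; next }
        /<key>ifdFriendlyName<\/key>/ { cur = "f"; next }
        /<\/array>/                   { cur = "" }
        cur != "" && match($0, /<string>[^<]*<\/string>/) {
            # strip "<string>" (8 chars) and "</string>" (9 chars)
            val[cur, n[cur]++] = substr($0, RSTART + 8, RLENGTH - 17)
        }
        END {
            for (i = 0; i < n["v"]; i++)
                if (toupper(val["v", i]) == toupper(want_vid) &&
                    toupper(val["p", i]) == toupper(want_pid)) {
                    print val["f", i]
                    exit 0
                }
            exit 1
        }' "$1"
}

find_ccid_plist() {
    # Locate the installed driver bundle (pcsc-ccid on openSUSE, libccid on
    # Debian-derived systems). Prints the path, or returns 1 if none exists.
    find /usr/lib /usr/lib64 -path '*/ifd-ccid.bundle/Contents/Info.plist' \
        2>/dev/null | head -n 1 | grep .
}

check_reader() {
    # $1 = VID, $2 = PID. Distinguishes "no driver at all" from "driver
    # installed but this reader unknown to it".
    plist=$(find_ccid_plist) || {
        echo "no ifd-ccid.bundle found: install the CCID driver (pcsc-ccid on openSUSE)" >&2
        return 2
    }
    name=$(ccid_lookup "$plist" "$1" "$2") || {
        echo "$1:$2 is not listed in $plist" >&2
        return 1
    }
    echo "$1:$2 -> $name ($plist)"
}

sample_plist() {
    # Constructed two-reader excerpt in libccid's layout, written to a temp file.
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>ifdVendorID</key>
    <array>
        <string>0x1234</string>
        <string>0x20A0</string>
    </array>
    <key>ifdProductID</key>
    <array>
        <string>0x5678</string>
        <string>0x4230</string>
    </array>
    <key>ifdFriendlyName</key>
    <array>
        <string>Example CCID Reader</string>
        <string>Nitrokey Nitrokey HSM</string>
    </array>
</dict>
</plist>
EOF
    printf '%s\n' "$f"
}

# Demo against the constructed file; on a real box run: check_reader 20a0 4230
demo=$(sample_plist)
ccid_lookup "$demo" 20a0 4230 || echo "20a0:4230 not listed"
rm -f "$demo"
```

check_reader returns 2 when no bundle exists at all, which is the situation a plain “No smart card readers found” from opensc-tool does not distinguish from an unknown reader.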

Hello sc-hsm,

your hint towards “libccid” led me to the solution (somewhat unexpected). Your blog entry pointed to a configuration file somewhere in “/usr/lib/pcsc/*” WHICH DID NOT EXIST on my installation!!! So I looked for something “ccid” and that search revealed nothing:

rpm -qa '*ccid*'

The missing CCID driver was the root cause for my problem. I looked for the “libccid” package to install but there is no such thing for openSUSE. So I opted for Ludovic Rousseau’s “CCID free software driver for Unix” (“https://ccid.apdu.fr/”) which needs the “pcsc-lite-dev” package for compilation. There is no “pcsc-lite-dev” package for openSUSE, but a search “zypper search pcsc” revealed two things: firstly, the needed development package is called “pcsc-lite-devel” and secondly (much more important) there is a package named “pcsc-ccid” with the description “PCSC Driver for CCID Based Smart Card Readers”. And that did the trick!!!

This is the complete list of prerequisite software packages I had to install to get Nitrokey HSM 2 running under openSUSE Tumbleweed:

sudo zypper install opensc gnutls pcsc-tools pcsc-ccid

I still have the problem that only an administrative user is able to see and use Nitrokey as “pkcs11-tool -L” still returns “No slots” for a regular unprivileged user. But I should be able to sort that out on my own. User “root” gets the expected output and is able to work with the Nitrokey as expected:

sudo pkcs11-tool -L
    Available slots:
    Slot 0 (0x0): Nitrokey Nitrokey HSM (xxxxxxxxxxxxxxx         ) 00 00
      token label        : SmartCard-HSM (UserPIN)
      token manufacturer : www.CardContact.de
      token model        : PKCS#15 emulated
      token flags        : login required, rng, token initialized, PIN initialized
      hardware version   : 24.13
      firmware version   : 3.5
      serial num         : xxxxxxxxxxx
      pin min/max        : 6/15

Thank you all for the support.

Best regards
Juergen

That seems to be a packaging problem at SUSE: pcscd does not make sense without libccid. CCID is the standard interface used by 98% of card readers in the market.

Probably. When I have a look at “https://software.opensuse.org/” and do a search for, let’s say “opensc” or “pcsc-ccid”, the answer is that there are official packages only for openSUSE Tumbleweed, the leading-edge rolling release, but not for openSUSE Leap, the more stable regular release. I do not know how to interpret that - but may be PC/SC support is not on openSUSE’s priority list…

Thanks again
Juergen

Just for completeness: we need the additional package “openssl-engine-libp11” for using “openssl … -engine pkcs11 …” as described in “Creating a Certificate Authority - Nitrokey Documentation”. So this is the complete list of prerequisites for using the Nitrokey HSM 2 on a current OpenSUSE Tumbleweed (OpenSSL 3.1.2 is installed by default - at least on my machine :-)):
sudo zypper install opensc gnutls pcsc-tools openssl-engine-libp11

The libraries can be found in the following locations:
find /usr -name '*pkcs11*.so'
    /usr/lib64/engines-3/pkcs11.so
    /usr/lib64/opensc-pkcs11.so

The configuration file for OpenSSL needs to have an initialization section like this:
openssl.cfg
    # Initialize for “Nitrokey HSM 2”
    openssl_conf = openssl_init

    [openssl_init]
    engines            = engine_section

    [engine_section]
    pkcs11             = pkcs11_section

    [pkcs11_section]
    engine_id          = pkcs11
    MODULE_PATH        = /usr/lib64/opensc-pkcs11.so
    ...

Hope this helps…

Best regards
Juergen
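As an added example (not from this thread, the Nitrokey documentation or the libp11 project), here is a complete engine configuration built around the section names used in the post above, together with the openssl calls that use a key on the token through a PKCS#11 URI. The token label in the URI is the one pkcs11-tool -L printed earlier in the thread; the private-key label “ca-key”, the output paths and the function names are assumptions made for this example. The config deliberately has no PIN entry: a readable config file would hand the user PIN to every local account, so the engine is left to prompt.

```shell
#!/bin/sh
# Added example (not from the thread or libp11): a complete OpenSSL engine
# configuration for the Nitrokey HSM 2 and the openssl calls that use a key
# on the token. Key label "ca-key" and the paths are assumptions.

write_openssl_engine_conf() {
    # $1 = output file; select it later with OPENSSL_CONF=<file>.
    cat >"$1" <<'EOF'
# Initialize for "Nitrokey HSM 2": load the libp11 engine and point it at
# the OpenSC PKCS#11 module.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
# dynamic_path is only needed when pkcs11.so is not in OpenSSL's engines
# directory; on openSUSE it is (/usr/lib64/engines-3/pkcs11.so).
# dynamic_path = /usr/lib64/engines-3/pkcs11.so
MODULE_PATH = /usr/lib64/opensc-pkcs11.so
# No PIN here on purpose: the engine prompts for it when the key is used.
init = 0
EOF
}

engine_available() {
    # $1 = config file. True when OpenSSL can load the pkcs11 engine.
    OPENSSL_CONF="$1" openssl engine -t pkcs11 2>/dev/null | grep -q '\[ available \]'
}

hsm_csr() {
    # $1 = config file, $2 = subject (e.g. '/CN=Example CA'), $3 = output CSR.
    # The private key never leaves the token; OpenSSL only gets a handle via
    # the URI. The token label is the one pkcs11-tool -L shows, %20 = space.
    OPENSSL_CONF="$1" openssl req -new -sha256 \
        -engine pkcs11 -keyform engine \
        -key 'pkcs11:token=SmartCard-HSM%20(UserPIN);object=ca-key;type=private' \
        -subj "$2" -out "$3"
}

hsm_selfsign() {
    # $1 = config file, $2 = CSR, $3 = output certificate, $4 = days.
    # Signs the CSR with the same on-token key (a self-signed CA certificate).
    OPENSSL_CONF="$1" openssl x509 -req -sha256 -days "$4" \
        -engine pkcs11 -CAkeyform engine \
        -CAkey 'pkcs11:token=SmartCard-HSM%20(UserPIN);object=ca-key;type=private' \
        -in "$2" -out "$3"
}

# Usage (with the token inserted and the key "ca-key" already generated):
#   conf=$(mktemp); write_openssl_engine_conf "$conf"
#   engine_available "$conf" && hsm_csr "$conf" '/CN=Example CA' ca.csr
#   hsm_selfsign "$conf" ca.csr ca.crt 3650
```

engine_available is the first thing to run after installing openssl-engine-libp11: if “openssl engine -t pkcs11” does not report “[ available ]”, the problem is in the engine or MODULE_PATH, not in the token.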

Correction:
sudo zypper install opensc gnutls pcsc-tools openssl-engine-libp11 pcsc-ccid
