Nitrokey HSM 2 VS APDU : the VERIFY command with the PIN code sometimes answers '6D 00'

Hello all,

I do have a Nitrokey HSM, and a C/C++ project to send APDU commands to it.

The Nitrokey is initialized and plugged into my computer. I start my project to send the VERIFY command with the Nitrokey PIN code: it answers several times with '6D 00', which should not be returned for this command!

I unplugged it, plugged it in again and relaunched my project several times: after 4-5 attempts, it works and the Nitrokey HSM answers '90 00'.

Any idea why? Or what I can do to make it work every time?

Thank you,
Tayfun

If VERIFY returns 6D00, then the applet/application is not yet or no longer selected. This can happen if the device is accessed by more than one process, i.e. your application accesses the device and the browser has an open connection via PKCS#11.

The normal sequence is:

  1. Cold or warm reset
  2. SELECT(AID)
  3. VERIFY
  4. Do something with the keys

When you issue a SELECT(AID), then a currently verified PIN is reset, so a subsequent SELECT requires a fresh authentication.

In our middleware we typically use the following sequence:

  1. Connect to card, but skip reset
  2. Issue a VERIFY without pin to query the authentication state
  3. If 9000 is returned, then the application is selected and the PIN verified
  4. If 9000 is not returned, issue SELECT(AID) and ask the user to enter the PIN
  5. Do something with the keys

When accessing the device via PC/SC, an explicit reset is usually not required. The PC/SC daemon will activate (and thus reset) the device to obtain the ATR. Then applications can access the device in exclusive or shared mode. When all applications close their sessions, PC/SC will deactivate the device. Care should be taken if power management deactivates the device; in that case the application selection and PIN authentication state are lost.
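The login sequence described in the answer above, written out as an added example (this is not the original poster's project code and not the Nitrokey/SmartCard-HSM middleware). It builds the SELECT(AID) and VERIFY APDUs, queries the authentication state with an empty VERIFY, issues SELECT only when 6D00 shows that no application is selected (a SELECT would otherwise throw away an existing verification), and then sends the PIN. Assumptions: the SmartCard-HSM AID E82B0601040181C31F0201 and user PIN reference 0x81 are taken from the SmartCard-HSM specification; status words are interpreted per ISO 7816-4 (9000 OK, 63Cx wrong/not verified with x retries left, 6983 blocked, 6D00 INS not supported); transport goes through a callback so that a real program would wrap SCardTransmit(), while the in-memory `sim_card` here is a constructed stand-in for offline testing, including its PIN value.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Transport hook: send one command APDU, receive data + SW1 SW2.
 * Returns response length or -1. A real program wraps SCardTransmit() here. */
typedef int (*transmit_fn)(void *ctx, const uint8_t *cmd, size_t cmd_len,
                           uint8_t *rsp, size_t rsp_max);

/* SmartCard-HSM applet AID (assumption: taken from the SmartCard-HSM spec). */
static const uint8_t SC_HSM_AID[] = {0xE8,0x2B,0x06,0x01,0x04,0x01,0x81,0xC3,0x1F,0x02,0x01};
#define SC_HSM_USER_PIN_REF 0x81   /* VERIFY P2 for the user PIN */

enum hsm_result { HSM_OK, HSM_WRONG_PIN, HSM_PIN_BLOCKED, HSM_NOT_SELECTED,
                  HSM_TRANSPORT_ERROR, HSM_UNEXPECTED_SW };

/* SELECT(AID): 00 A4 04 04 Lc <AID> Le=00 */
size_t build_select_aid(uint8_t *out, size_t cap) {
    size_t n = 5 + sizeof SC_HSM_AID + 1;
    if (cap < n) return 0;
    out[0] = 0x00; out[1] = 0xA4; out[2] = 0x04; out[3] = 0x04;
    out[4] = (uint8_t)sizeof SC_HSM_AID;
    memcpy(out + 5, SC_HSM_AID, sizeof SC_HSM_AID);
    out[n - 1] = 0x00;
    return n;
}

/* VERIFY: 00 20 00 81 [Lc PIN]; pin == NULL sends no data and only queries the state */
size_t build_verify(uint8_t *out, size_t cap, const char *pin) {
    size_t plen = pin ? strlen(pin) : 0;
    size_t n = 4 + (plen ? 1 + plen : 0);
    if (cap < n || plen > 255) return 0;
    out[0] = 0x00; out[1] = 0x20; out[2] = 0x00; out[3] = SC_HSM_USER_PIN_REF;
    if (plen) { out[4] = (uint8_t)plen; memcpy(out + 5, pin, plen); }
    return n;
}

/* Send a command and return SW1SW2, or 0 on a transport failure. */
static uint16_t send_sw(transmit_fn tx, void *ctx, const uint8_t *cmd, size_t len) {
    uint8_t rsp[258];
    int r = tx(ctx, cmd, len, rsp, sizeof rsp);
    if (r < 2) return 0;
    return (uint16_t)((rsp[r - 2] << 8) | rsp[r - 1]);
}

/* Query state, SELECT only if nothing is selected, then VERIFY with the PIN. */
enum hsm_result hsm_login(transmit_fn tx, void *ctx, const char *pin, int *retries_left) {
    uint8_t cmd[262];
    size_t n;
    uint16_t sw;
    if (retries_left) *retries_left = -1;

    n = build_verify(cmd, sizeof cmd, NULL);           /* empty VERIFY = state query */
    sw = send_sw(tx, ctx, cmd, n);
    if (sw == 0x9000) return HSM_OK;                   /* still selected and verified: no SELECT */
    if (sw == 0) return HSM_TRANSPORT_ERROR;
    if (sw == 0x6983) return HSM_PIN_BLOCKED;
    if (sw == 0x6D00 || sw == 0x6E00) {                /* INS/CLA not supported: no applet selected */
        n = build_select_aid(cmd, sizeof cmd);
        if (send_sw(tx, ctx, cmd, n) != 0x9000) return HSM_NOT_SELECTED;
    }
    /* 63Cx or 6982: selected but not verified, fall through to the real VERIFY */

    n = build_verify(cmd, sizeof cmd, pin);
    if (n == 0) return HSM_TRANSPORT_ERROR;            /* PIN too long to encode */
    sw = send_sw(tx, ctx, cmd, n);
    if (sw == 0x9000) return HSM_OK;
    if (sw == 0) return HSM_TRANSPORT_ERROR;
    if ((sw & 0xFFF0) == 0x63C0) { if (retries_left) *retries_left = sw & 0x0F; return HSM_WRONG_PIN; }
    if (sw == 0x6983) return HSM_PIN_BLOCKED;
    if (sw == 0x6D00) return HSM_NOT_SELECTED;         /* another process reset the card in between */
    return HSM_UNEXPECTED_SW;
}

/* Constructed in-memory card for offline testing; not a real reader or device. */
struct sim_card { int selected, verified, retries, selects; const char *pin; };

int sim_transmit(void *ctx, const uint8_t *cmd, size_t len, uint8_t *rsp, size_t max) {
    struct sim_card *c = ctx;
    uint16_t sw;
    if (len < 4 || max < 2) return -1;
    if (cmd[1] == 0xA4) {                              /* SELECT resets the verified state */
        if (len >= 16 && cmd[4] == sizeof SC_HSM_AID &&
            memcmp(cmd + 5, SC_HSM_AID, sizeof SC_HSM_AID) == 0) {
            c->selected = 1; c->verified = 0; c->selects++; sw = 0x9000;
        } else sw = 0x6A82;
    } else if (!c->selected) sw = 0x6D00;              /* what the poster observed */
    else if (cmd[1] == 0x20) {
        if (c->retries == 0) sw = 0x6983;
        else if (len == 4) sw = c->verified ? 0x9000 : (uint16_t)(0x63C0 | c->retries);
        else if (len == 5u + cmd[4] && cmd[4] == strlen(c->pin) &&
                 memcmp(cmd + 5, c->pin, cmd[4]) == 0) { c->verified = 1; c->retries = 3; sw = 0x9000; }
        else { c->retries--; sw = c->retries ? (uint16_t)(0x63C0 | c->retries) : 0x6983; }
    } else sw = 0x6D00;
    rsp[0] = (uint8_t)(sw >> 8); rsp[1] = (uint8_t)(sw & 0xFF);
    return 2;
}

int main(void) {
    struct sim_card card = {0, 0, 3, 0, "648219"};     /* constructed PIN for the simulator */
    int left;
    enum hsm_result res = hsm_login(sim_transmit, &card, "648219", &left);
    printf("login result %d, SELECTs issued %d\n", res, card.selects);
    return res == HSM_OK ? 0 : 1;
}
```

Calling `hsm_login` a second time on a card that is still selected and verified issues no further SELECT, which is the point of querying the state first: if another process (a browser's PKCS#11 session, for example) has meanwhile reset or reselected the card, the empty VERIFY comes back with 6D00 and the function reselects before sending the PIN instead of failing the way the poster saw.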

Yes, the SELECT solved the issue!

Thank you.