Nitrokey HSM 2 VS APDU : the verify command with the PIN code is sometimes answering '6D 00'

Hello all,

I do have a Nitrokey HSM, and a C/C++ project to send APDU command to it.

The Nitrokey is initialized, and plugged on my computer. I start my project to send the verify command, with the Nitrokey PIN code : it answer several times ‘6D 00’, which should not be returned on this command !

I unplugged, plugged it again, re-launch my project, several times : after 4-5 times, it works and the Nitrokey HSM answers ‘90 00’.

Any idea why ? Or what I can do to make it work at each time ?

Thank you,

If VERIFY returns 6D00, then the applet/application is not yet or no longer selected. This can happen, if the device is accessed by more than one process, i.e. your application accesses the device and the browser has an open connection via PKCS#11.

The normal sequence is:

  1. Cold or warm reset
  4. Do somethings with the keys

When you issue a SELECT(AID), then a currently verified PIN is reset, so a subsequent SELECT requires a fresh authentication.

In our middleware we typically use the following sequence:

  1. Connect to card, but skip reset
  2. Issue a VERIFY without pin to query the authentication state
  3. If 9000 is returned, then the application is selected and the PIN verified
  4. If no 9000 is returned issue SELECT(AID) and query user to enter the PIN
  5. Do something with the keys

When accessing the device via PC/SC, then an explicit reset is usually not required. The PC/SC daemon will activate (and thus reset) the device to obtain the ATR. Then applications can access the device in exclusive or shared mode. When all applications close their sessions, then PC/SC will deactivate the device. Care should be taken if power management deactivates the device, in that case application selection and PIN authentication state is lost.

Yes, the SELECT solved the issue !

Thank you.