Nitrokey HSM - Cannot change key label

cdanger · April 7, 2018, 9:31pm

Hello,
I am trying to change the label of a key, according to OpenSC doc, in vain:

$ pkcs15-init --change-attributes privkey --id b1b9db0f95e18c560a73a6714b4ddb17a7b1e4bf  --label whatever -v
Using reader with a card: Nitrokey Nitrokey HSM (010000000000000000000000) 00 00
Connecting to card in reader Nitrokey Nitrokey HSM (010000000000000000000000) 00 00...
Using card driver SmartCard-HSM.
Found nitrokey-hsm
About to change attribute(s).
Failed to change attribute(s): Invalid arguments

It is not even asking for the user PIN. I also tried with --pin arg, same error.

The key ID arg is OK, because: if I enter a wrong one, I have a different error (Requested object not found).

What am I missing?

Regards,
Cyril

szszszsz · April 9, 2018, 6:34am

Hi Cyril!

Have you tried using SO pin with --so-pin and -a <pinid> ? I guess pinid is 3, but please check.

If that would not work and there are no secrets involved, could you please run the command (without the --pin arg) with OPENSC_DEBUG set and upload the log here?
Please change the PIN to phony/default one beforehand and inspect the log after (if there are already some secrets entered to the card) to make sure there would be no private information leak. You could send the log to our support email as well if not sure, for increased confidentiality.

nitroalex · April 9, 2018, 8:04am

Hi,

maybe this isn’t working for HSM at all?! Please keep in mind, that OpenSC is a project for many different smartcards. It is possible that this feature hadn’t CardContacts HSM in mind yet.

I tried a bit and couldn’t keep it working yet, too. It seems like the --change-attribute flag wasn’t built extensively, as it only supports changing label until now anyway. We may have to open an issue in OpenSC and ask there.

Kind regards
Alex

Peacekeeper · October 26, 2018, 10:35pm

Hmm, to my understanding pkcs15-init is not working at all with the Nitrokey HSM. It is stated

Please note, that the SmartCard-HSM is not compatible with the pkcs15-init command.
(found https://github.com/OpenSC/ )
For Initialization you would use sc-hsm-tool with --label “whatever” to assign a new label to the overall HSM USB Nitrokey.
To change a label on the key level you would use pksc11-tool, but I don’t think that is possible after creation of the key.