I am trying to change the label of a key, according to OpenSC doc, in vain:
$ pkcs15-init --change-attributes privkey --id b1b9db0f95e18c560a73a6714b4ddb17a7b1e4bf --label whatever -v
Using reader with a card: Nitrokey Nitrokey HSM (010000000000000000000000) 00 00
Connecting to card in reader Nitrokey Nitrokey HSM (010000000000000000000000) 00 00...
Using card driver SmartCard-HSM.
About to change attribute(s).
Failed to change attribute(s): Invalid arguments
It is not even asking for the user PIN. I also tried with --pin arg, same error.
The key ID arg is OK, because: if I enter a wrong one, I have a different error (Requested object not found).
What am I missing?
Have you tried using SO pin with
-a <pinid> ? I guess
pinid is 3, but please check.
If that would not work and there are no secrets involved, could you please run the command (without the
--pin arg) with OPENSC_DEBUG set and upload the log here?
Please change the PIN to phony/default one beforehand and inspect the log after (if there are already some secrets entered to the card) to make sure there would be no private information leak. You could send the log to our support email as well if not sure, for increased confidentiality.
maybe this isn’t working for HSM at all?! Please keep in mind, that OpenSC is a project for many different smartcards. It is possible that this feature hadn’t CardContacts HSM in mind yet.
I tried a bit and couldn’t keep it working yet, too. It seems like the --change-attribute flag wasn’t built extensively, as it only supports changing label until now anyway. We may have to open an issue in OpenSC and ask there.
Hmm, to my understanding pkcs15-init is not working at all with the Nitrokey HSM. It is stated
Please note, that the SmartCard-HSM is not compatible with the pkcs15-init command.
(found https://github.com/OpenSC/ )
For Initialization you would use sc-hsm-tool with --label “whatever” to assign a new label to the overall HSM USB Nitrokey.
To change a label on the key level you would use pksc11-tool, but I don’t think that is possible after creation of the key.