Nitrokey HSM does not get fully recognized on Ubuntu Mate


#1

Hi all,

first of all: I’m totally new to this topic.
I followed the instructions on nitrokey.com/start

I installed all the required tools. Even I tried to use the zip package, which just figured out that everything is already installed.

Here is the output of dmesg:

[ 181.561280] usb 1-1.3: new full-speed USB device number 7 using dwc_otg
[ 181.694022] usb 1-1.3: New USB device found, idVendor=20a0, idProduct=4230
[ 181.694038] usb 1-1.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 181.694046] usb 1-1.3: Product: Nitrokey HSM
[ 181.694055] usb 1-1.3: Manufacturer: Nitrokey
[ 181.694063] usb 1-1.3: SerialNumber: DENKxxxxxxxxxx

Status of pcscd:

pcscd.service - PC/SC Smart Card Daemon
Loaded: loaded (/lib/systemd/system/pcscd.service; indirect; vendor preset: e
Active: active (running) since Mon 2019-04-08 10:43:52 CEST; 4s ago
Main PID: 1577 (pcscd)
CGroup: /system.slice/pcscd.service
└─1577 /usr/local/sbin/pcscd --foreground --auto-exit

Apr 08 10:43:52 pi-desktop systemd[1]: Started PC/SC Smart Card Daemon.

Syslog messages:

Apr 8 10:44:12 pi-desktop kernel: [ 181.561280] usb 1-1.3: new full-speed USB device number 7 using dwc_otg
Apr 8 10:44:13 pi-desktop kernel: [ 181.694022] usb 1-1.3: New USB device found, idVendor=20a0, idProduct=4230
Apr 8 10:44:13 pi-desktop kernel: [ 181.694038] usb 1-1.3: New USB device strings: Mfr=1, Product=2, SerialNu$
Apr 8 10:44:13 pi-desktop kernel: [ 181.694046] usb 1-1.3: Product: Nitrokey HSM
Apr 8 10:44:13 pi-desktop kernel: [ 181.694055] usb 1-1.3: Manufacturer: Nitrokey
Apr 8 10:44:13 pi-desktop kernel: [ 181.694063] usb 1-1.3: SerialNumber: DENKxxxxxxxxxx
Apr 8 10:44:13 pi-desktop mtp-probe: checking bus 1, device 7: "/sys/devices/platform/soc/3f980000.usb/usb1/1-$
Apr 8 10:44:13 pi-desktop mtp-probe: bus: 1, device: 7 was not an MTP device

Output of pcsc_scan:

PC/SC device scanner

V 1.5.2 © 2001-2017, Ludovic Rousseau <ludovic.rousseau@free.fr>

Using reader plug’n play mechanism
Scanning present readers…
Waiting for the first reader… / (the slash is turning)

sc-hsm-tools says:

No smart card readers found.

It seems to me no driver is getting loaded. But why?
Strange thing is, couple of weeks back pcsc_scan found the HSM. I shut down the system then. Today I wanted to continue with initialization, when I faced this issue.

Thanks in advance.
BR
Sascha


#2

Hi!

My guess is you have either old OpenSC (please post the version), or do not have user access to the device (e.g. the UDEV rule is missing or overwritten). The latter sounds more probable, since it has worked for you couple of weeks before, as you have mentioned.

What is your OS? On Ubuntu/Debian UDEV rule is shipped with the system.

Best,
Szczepan


#3

Many thanks for quick response.

I think it might be the opensc version. The installed one is 0.17.0. In the instruction it is mentioned at least 0.19.0 must be used. I have installed new one this morning … Maybe something went wrong. Foolishly I forgot to check the version number afterwards.

I forgot to mention that I did a apt-get upgrade. Probably the manually installed packages have been replaced by the ones of the repo?!

So now I’m going to try it again.

What is your OS?

As mentiond in the heading, I use Ubuntu Mate on Raspberry 3B+.

BR
Sascha


#4

For NK HSM2 OpenSC 0.19 is required, otherwise the smart card will not be recognized (its ATR was not added in the older versions).

Sounds like a possibility; a conflict with other packages rolled older version perhaps?

Do you know though, what version? And on which Ubuntu is it based on? Should be solved by the OpenSC upgrade though, so please check only if it will not work after the update (then the UDEV rule file will be the next thing to check).


#5

pi@pi-desktop:~$ opensc-tool -i
OpenSC 0.19.0 [gcc 8.3.0]
Enabled features: locking zlib readline openssl pcsc(libpcsclite.so.1)

Now I upgraded to 0.19.0. Still no smart card found.

pi@pi-desktop:~$ cat /etc/issue
Ubuntu 18.04.2 LTS \n \l

Next step should be to check the UDEV rule file.
Please give me a hint how exactly to do :slight_smile:

EDIT:
Here ( https://www.nitrokey.com/de/documentation/installation#p:nitrokey-start&os:linux ) I found a rule file which includes information about Nitrokey HSM. I followed the steps described. Additionally I changed owner to root:root. Before there was no such rule file.
Unfortunately, still unsuccessful.


#6
  1. Ubuntu has to be restarted after copying the UDEV file. Could you do so, and make another attempt?
  2. Additionally, what is the command you are mainly using to check the smart card connection?
  3. If it still does not work - (this should not be probably related, but…) do you have scdaemon package installed? If not, could you install it and check again?

#7

I did already before I wrote text above.

I check it by using pcsc_scan and/or sc-hsm-tools

I’m going to do now and report the result.

EDIT:

apt-get install scdaemon
Paketlisten werden gelesen… Fertig
Abhängigkeitsbaum wird aufgebaut.
Statusinformationen werden eingelesen… Fertig
scdaemon ist schon die neueste Version (2.2.4-1ubuntu1.2).
0 aktualisiert, 0 neu installiert, 0 zu entfernen und 11 nicht aktualisiert.


#8

Thank you. I have run out of ideas as of now. Let’s sum up what has been established:

  • device is working itself - has worked earlier, and it is enumerated by the kernel’s log;
  • device probably ceased to be detectable by OpenSC after an OS update;
  • smart card in the device is also working, since the device is reporting its S/N in own USB S/N field;
  • OpenSC 0.19 installed;
  • Udev rules file installed;
  • Ubuntu Mate, based on 18.04.2.

One last idea: could you restart the pcscd deamon? E.g. with:

sudo killall pcscd scdaemon
sudo pcscd &

Additionally, how have you updated the OpenSC installation? Are all packages up-to-date (namely opensc-pkcs11, besides opensc)?
We have own OpenSC packages, but compiled for x86_64: https://github.com/Nitrokey/opensc-build. There is a script included however to build for own platform. Maybe this would help?

@nitroalex Any other ideas?


#9

Please ensure that GnuPG and gpg-agent are not running in parallel to
OpenSC.


#10

I got the feeling the apt upgrade destroyed too much.
I try to start all over from scratch. This will not be that time consuming.

Before doing that I’ll backup current configuration.

Many thanks anyways.

BR
Sascha


#11

As announced I started from scratch.

Now I just installed the tools (opensc, openscx_pks11, pcscd, pcsc-tools, libccid) and the HSM get recognized. Opensc -i issues version 0.17.0.

Now I’m a bit confused. Is version 0.19.0 already necessary to recognize the Nitrokey HSM or it is necessary for further usage?

First I do now is backing up the SD card. Afterwards I continue either with the attempt to initialize HSM or upgrading opensc… Let’s see :slight_smile:

BR
Sascha


#12

I think that indeed OpenSC 0.17 was the first version the Nitrokey HSM2 was recognizable, though not all features are available, e.g.: Nitrokey HSM 2 - RSA Keys >2048.

Have it worked for you in the end?


#13

I could initialize the HSM. So far that worked for me. But as you already saw in other topic I want to import an alredy present certificate chain / private key to the HSM. You referred to an instruction that might help.

From now I’am on vacation for 1.5 weeks. Once I’m back I contact a security guy of our company. He’s going to support for that.

When I need to use DKEK shares I think I’ve bricked one of my HSM’s. Because I initialized the HSM without adding DKEK shares before.

When I understand the instruction right, then afterwards it is no more possible to do that at all, isn’t it?

Off topic:
I have to say the support in general and the quick response time in particular is great. Many thanks for that.


#14

As long as you know the SO-PIN, you can initialize the device which deletes all keys including DKEK.