Nitrokey HSM fails when importing from PKCS#12

I am trying to import a Certificate and 2048-bit RSA Key from a PKCS#12 file using Smart Card Shell 3.14.348.

The content of the certificate is shown in the Console Window followed by the text:

Importing key and certificate…
GPError: Card (CARD_INVALID_SW/27264) - “Unexpected SW1/SW2=6A80 (Checking error: Incorrect parameter in the command data field) received” in /Applications/CardContact/scsh3/scsh/sc-hsm/SmartCardHSM.js#1229
at /Applications/CardContact/scsh3/scsh/sc-hsm/SmartCardHSM.js#1229
at /Applications/CardContact/scsh3/scsh/sc-hsm/HSMKeyStore.js#300
at /Applications/CardContact/scsh3/keymanager/keymanager.js#1874
at /Applications/CardContact/scsh3/keymanager/keymanager.js#2028

Any ideas as to the cause of this message?

Hi,

The p12 import only works if you created a DKEK first. So even if you do not plan to use it, you must create a DKEK and import it within the p12 import process.

This is the most confusing part in the process I know of. Please try this first.

Kind regards
Alex

Hi Alex,

Thanks for the prompt reply!

I have created a DKEK (1 of 1) for the Nitrokey HSM and I think that I have imported it with sc-hsm-tool.

The Smart Card Shell Key Manager currently shows:
  • SmartCard-HSM (DENK0101507)
    • User PIN not verified, 3 tries remaining (63C3)
    • SO PIN not verified, 15 tries remaining (63CF)
    • DKEK with KCV 3C0F9917205D2DC9
      • test_rsa.key(1)

When I have this setting I am not seeing a menu option on the SmartCard-HSM to Import from a PKCS#12 file.

However, if I initialise the device with a single DKEK share but don’t run sc-hsm-tool to import the DKEK share, then the Smart Card Shell Key Manager shows:

  • SmartCard-HSM (DENK0101507)
    • User PIN not verified, 3 tries remaining (63C3)
    • SO PIN not verified, 15 tries remaining (63CF)
    • DKEK set-up in progress

In this case I do see the option on the SmartCard-HSM to Import from a PKCS#12 file.

I’m not sure what I am doing wrong here!

Hi Alex,

I believe that I have found the problem.  The Smart Card Shell Key Manager indicates that a Certificate and Key can be imported from a PKCS#12 file before the DKEK shares have been imported to the HSM.

This is not correct - the shares need to have been imported and the User PIN needs to have been verified before a Certificate and Key can be imported.

Once I had completed both the DKEK share import and the User PIN verification, I was able to successfully import from a PKCS#12 and access the keys.

Thanks,

Andrew
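The two preconditions from the resolution above (DKEK shares imported, User PIN verified) can be checked from the Key Manager status lines before attempting the import. This is an added example, not part of the original thread and not CardContact or Nitrokey code; the function names are hypothetical and the "User PIN verified (9000)" line in the last sample is a constructed assumption about how a verified PIN is displayed.

```javascript
// Decode the ISO 7816-4 status word shown in parentheses in the tree.
function decodeSW(sw) {
  const v = parseInt(sw, 16);
  if (v === 0x9000) return { ok: true, text: "verified" };
  // 63Cx: verification outstanding, low nibble = tries remaining
  if ((v & 0xfff0) === 0x63c0) return { ok: false, retries: v & 0x0f, text: "not verified" };
  if (v === 0x6a80) return { ok: false, text: "incorrect parameter in the command data field" };
  return { ok: false, text: "unhandled status word " + sw.toUpperCase() };
}

// Return the unmet preconditions for a PKCS#12 import; empty means ready.
function importBlockers(treeLines) {
  const blockers = [];
  let sawPin = false, sawDkek = false;
  for (const raw of treeLines) {
    const line = raw.replace(/^[\s•]+/, ""); // strip indentation and bullet
    const pin = /^User PIN\b.*\(([0-9A-Fa-f]{4})\)\s*$/.exec(line);
    if (pin) {
      sawPin = true;
      const sw = decodeSW(pin[1]);
      if (!sw.ok) {
        const left = sw.retries !== undefined ? ` (${sw.retries} tries left)` : "";
        blockers.push("User PIN " + sw.text + left);
      }
    } else if (/^DKEK set-up in progress/.test(line)) {
      sawDkek = true;
      blockers.push("DKEK shares not yet imported");
    } else if (/^DKEK with KCV [0-9A-Fa-f]+/.test(line)) {
      sawDkek = true; // key check value present: all shares imported
    }
  }
  if (!sawPin) blockers.push("User PIN status not found");
  if (!sawDkek) blockers.push("no DKEK configured");
  return blockers;
}

// Sample inputs: the first two are the states quoted in the thread.
const SETUP_IN_PROGRESS = [
  "• User PIN not verified, 3 tries remaining (63C3)",
  "• SO PIN not verified, 15 tries remaining (63CF)",
  "• DKEK set-up in progress",
];
const DKEK_IMPORTED = [
  "• User PIN not verified, 3 tries remaining (63C3)",
  "• SO PIN not verified, 15 tries remaining (63CF)",
  "• DKEK with KCV 3C0F9917205D2DC9",
];
// Constructed: the display text for a verified PIN is an assumption.
const READY = ["• User PIN verified (9000)", "• DKEK with KCV 3C0F9917205D2DC9"];
```
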

Hi Andrew,

I am glad that you could work it out! Thanks for letting us know!

Kind regards
Alex