Nitrokey HSM - keypairgen fails with 16-digit user PIN

Hello,
I am using NitrokeyHSM and I can’t generate a keypair with a user PIN of 16 digits, although it succeeds with user PIN of 8 digits for example.

  • Using 16-digit User PIN (my SO-PIN is always 16 digits) - KO:

    $ pkcs11-tool --login --login-type so --init-pin --new-pin 1234567812345678
    Using slot 0 with a present token (0x0)
    Logging in to “UserPIN (nitrokey-hsm)”.
    Please enter SO PIN:
    User PIN successfully initialized

    $ pkcs11-tool --login --pin 1234567812345678 --keypairgen --key-type rsa:2048
    Using slot 0 with a present token (0x0)
    error: PKCS11 function C_Login failed: rv = CKR_PIN_LEN_RANGE (0xa2)
    Aborting.

  • Using 8-digit User PIN (SO-PIN unchanged) - OK:

    $ pkcs11-tool --login --login-type so --init-pin --new-pin 12345678
    Using slot 0 with a present token (0x0)
    Logging in to “UserPIN (nitrokey-hsm)”.
    Please enter SO PIN:
    User PIN successfully initialized

    $ pkcs11-tool --login --pin 12345678 --keypairgen --key-type rsa:2048
    Using slot 0 with a present token (0x0)
    Key pair generated:
    Private Key Object; RSA
    label: Private Key
    ID: 152a8bd88674822547f051b400324ec80a3cda6a
    Usage: decrypt, sign, unwrap
    Public Key Object; RSA 2048 bits
    label: Private Key
    ID: 152a8bd88674822547f051b400324ec80a3cda6a
    Usage: encrypt, verify, wrap

How to make this work with 16-digit User PIN?

Thanks for your support.
Regards,
Cyril

The PIN has a maximum length of 15 (ASCII numeric).

Thanks for the tip. I later found out that you can get the allowed user PIN min/max lengths with command:
$ pkcs11-tool --list-slots
It is just unexpected that the max length is different for SO and user PIN, and that the --init-pin still says that the too long user PIN is successfully initialized.
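Since `--init-pin` accepted the 16-digit PIN without complaint and the failure only surfaced at `C_Login`, it helps to check the candidate PIN against the token's reported limits before initializing it. The script below is an added example, not code from the thread, OpenSC or Nitrokey: it parses the `pin min/max : <min>/<max>` line from `pkcs11-tool --list-slots` output (that line format is an assumption about OpenSC's output; the sample output embedded here is constructed) and refuses to proceed when the PIN length falls outside the range.

```shell
#!/bin/sh
# Added example (not from the thread): preflight a planned user PIN against the
# min/max PIN length the token reports via `pkcs11-tool --list-slots`.

# Constructed sample of `pkcs11-tool --list-slots` output. Only the
# "pin min/max" line matters here; its format is assumed to match OpenSC's
# token listing, and the other field values are made up.
SAMPLE_LIST_SLOTS='Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (010000000000000000000000) 00 00
  token label        : UserPIN (nitrokey-hsm)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  pin min/max        : 6/15'

# pin_limits: read list-slots text on stdin and print "<min> <max>" for the
# first token that reports a "pin min/max" line. Returns 1 if none is found.
pin_limits() {
    awk -F: '/pin min\/max/ {
        gsub(/^[ \t]+/, "", $2)
        split($2, r, "/")
        print r[1], r[2]
        found = 1
        exit
    } END { exit (found ? 0 : 1) }'
}

# check_pin_len MIN MAX PIN: succeed only if the PIN length is within range.
# ${#pin} counts characters, so no external command sees the PIN.
check_pin_len() {
    min=$1; max=$2; pin=$3
    [ "${#pin}" -ge "$min" ] && [ "${#pin}" -le "$max" ]
}

# preflight_init_pin PIN: combine the two and report a verdict. In real use,
# replace LIST_SLOTS_OUTPUT with "$(pkcs11-tool --list-slots)"; the actual
# --init-pin call is left commented out so the example runs without a token.
preflight_init_pin() {
    pin=$1
    LIST_SLOTS_OUTPUT=${LIST_SLOTS_OUTPUT:-$SAMPLE_LIST_SLOTS}
    limits=$(printf '%s\n' "$LIST_SLOTS_OUTPUT" | pin_limits) || {
        echo "token reports no pin min/max; not initializing" >&2
        return 2
    }
    set -- $limits   # $1 = min, $2 = max
    if check_pin_len "$1" "$2" "$pin"; then
        echo "PIN length ${#pin} is within the token range $1-$2"
        # pkcs11-tool --login --login-type so --init-pin --new-pin "$pin"
        return 0
    fi
    echo "PIN length ${#pin} is outside the token range $1-$2; refusing --init-pin" >&2
    return 1
}

# Usage: sh pin_preflight.sh <candidate-user-pin>
if [ $# -gt 0 ]; then
    preflight_init_pin "$1"
fi
```

With the constructed sample, a 16-digit PIN is rejected up front (the token advertises a maximum of 15), while an 8-digit PIN passes; pointing `LIST_SLOTS_OUTPUT` at real `pkcs11-tool --list-slots` output gives the same check against the actual token.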

Hi @cda!

This could be registered to project’s issue tracking system: https://github.com/OpenSC/OpenSC/issues

I opened an issue.

Thanks for reporting the issue to OpenSC. I added a comment there to emphasize that even the sc-hsm --initialize command indicates a wrong max user PIN length (16!) when you omit the so/user pin arguments on the command line:

$ sc-hsm-tool --initialize 
Using reader with a card: Nitrokey Nitrokey HSM (010000000000000000000000) 00 00
Enter SO-PIN (16 hexadecimal characters) : 

Enter initial User-PIN (6 - 16 characters) :