Nitrokey HSM not recognized as a pkcs11 device

When trying to use pkcs11-tool or sc-hsm-tool, the HSM2 is not being recognized as a SC reader.

A check of lsusb shows the HSM to be plugged in.

Output of pkcs11-tool -I:
Cryptoki version 3.0
Manufacturer     OpenSC Project
Library          OpenSC smartcard framework (ver 0.22)
No slots.

I did recently update GnuPG (building from source) to be able to use OpenPGP cards v3.4 (no prebuilt options that support 4096 bit RSA keys). Read another poster stating that OpenSC is somewhat incompatible with GnuPG. Since there is a module opensc-pkcs11.so that gets loaded with the pkcs11-tool command, would that mean that the openssl engine is getting used with this command?

What is the equivalent engine in GnuPG builds then?

There is also the fact that OpenSSL is building their own SC module, so OpenSC has stopped development on their SSL engine.

Tried doing reinstall of opensc & opensc-pkcs11, but still have same error.

(Sorry if parts make no sense. I’m just starting to learn about this and not a developer.)

Hi!

GnuPG might lock the smart card. Best to stop it and reload pcscd like this:

$ gpgconf --kill all
$ sudo systemctl restart pcscd pcscd.socket
# then test for slots
$ pkcs11-tool -I

Thanks for the suggestion. I tried your proposed solution but it did not fix it.

Also, tried masking the services and ended up doing several reboots and a kernel update had just gotten pushed.

Tried taking similar steps with any Yubikey services that were running as well.

Tried to rebuild and reinstall alternate package, sc-hsm-embedded. Still can’t find SC reader available.

Hi!

Sorry, I have made a mistake in that listing. It should be systemctl restart there, not systemctl stop. Can you check again?

Can you check if the Nitrokey is listed in the system log?

$ dmesg | grep Nitrokey -C4

Regarding other questions:

Since there is a module opensc-pkcs11.so that gets loaded with the pkcs11-tool command, would that mean that the openssl engine is getting used with this command?

Yes, OpenSSL can use OpenSC libraries as an engine.

What is the equivalent engine in GnuPG builds then?

I believe GnuPG does not share any engine library. There is a proxy library which allows using the HSM as an OpenPGP smartcard; however, I do not recall its name, unfortunately.

First thing did it. I had tried starting the pcscd service again when testing myself, but I did overlook starting the socket again.

So I’m essentially limited to using one or the other module unless manually starting and stopping the gpg and pcscd services?

Since the RSA 4096 keys were not able to be stored until OpenPGP card v3.4 and the Nitrokey HSM 2 uses 4096 keys and it’s basically a SC and SC reader combined, why shouldn’t the same engine read my v3.4 SC?

Are the 4096 keys not being implemented the same in both scenarios (i.e. natively), or have I just been too lazy to try to get my SCs set up without a GUI (Kleopatra)?

Thanks for the help.
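
The checks suggested in the replies above (lsusb, pcscd together with pcscd.socket, GnuPG holding the card, pkcs11-tool -I) combined into one triage function, as an added example that is not part of the original thread. The diagnosis keywords, the assumption that the lsusb description contains "Nitrokey", and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): triage of the "No slots." symptom.
# triage only inspects the text it is given, so it runs on constructed
# input as well as on live command output.

# triage LSUSB SOCKET_STATE PROCS PKCS11_OUT -> prints one diagnosis keyword
triage() {
    # 1. The token must be visible on the USB bus.
    #    Assumption: the lsusb description contains "Nitrokey".
    if ! printf '%s\n' "$1" | grep -qi 'nitrokey'; then
        echo usb-missing; return
    fi
    # 2. Without the library banner, pkcs11-tool itself did not run properly.
    if ! printf '%s\n' "$4" | grep -q '^Cryptoki version'; then
        echo pkcs11-tool-failed; return
    fi
    # 3. Banner present and no "No slots." line: the reader is visible.
    if ! printf '%s\n' "$4" | grep -q '^No slots\.'; then
        echo ok; return
    fi
    # 4. pcscd is socket-activated, so pcscd.socket has to be active too.
    if [ "$2" != active ]; then
        echo pcscd-socket-inactive; return
    fi
    # 5. GnuPG's scdaemon may be holding the reader (gpgconf --kill all).
    if printf '%s\n' "$3" | grep -qx 'scdaemon'; then
        echo gpg-holds-reader; return
    fi
    echo no-slots-other
}

# Constructed sample input (not captured from a real system).
SAMPLE_LSUSB='Bus 001 Device 004: ID 0000:0000 Nitrokey HSM (constructed)'
SAMPLE_NO_SLOTS='Cryptoki version 3.0
Manufacturer     OpenSC Project
No slots.'
SAMPLE_PROCS='pcscd
scdaemon
gpg-agent'

# Live mode: gather the same four inputs from the running system.
if [ "${1:-}" = "--live" ]; then
    triage "$(lsusb)" "$(systemctl is-active pcscd.socket)" \
           "$(ps -eo comm=)" "$(pkcs11-tool -I 2>&1)"
fi
```

Run with `--live` to evaluate the current machine; `gpg-holds-reader` and `pcscd-socket-inactive` correspond to the `gpgconf --kill all` and `systemctl restart pcscd pcscd.socket` steps from the reply.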