NitroKey HSM PKCS11 on Android

I’m currently trying to get the Nitrokey HSM PKCS11 to work on an Android device and am having a hell of a time.

Main question here is: Has this been done by anyone at all using the Nitrokey HSM or is this completely uncharted territory?

The android device I’m testing against is a Google Pixel 3a which is Arm64-v8.

At this point I’ve cross-compiled OpenSC and OpenSC-PKCS11 libraries for Arm64-v8 android and the libraries are being loaded on the android device test app. My current failure point is when the OpenSC libraries attempt to load the pcsc library to access the plugged in NitroKey. There are no existing binaries I can find of pcsc-lite for Arm64 on android and cross-compiling those is proving to be really troublesome due to some of its dependencies. Even once those are compiled, I’m not sure they’ll have proper access to the NitroKey HSM device through whatever Android devices might be doing related to USB access.

Secondary questions: If someone has done it, what was their process? Did they also use OpenSC and PKCS11 compiled for android? Did they compile the PCSC-lite library for android as well or did they use some other android functionality to communicate with the NitroKey once the PKCS11 library was loaded?


Holy cow, for starters, can you see Nitrokey HSM as a valid USB device?

At Android app layer running on the phone, when you plug in the Nitrokey HSM device I can request and approve USB permissions for the app to access the device. When the app loads the native OpenSC PKCS11 library however, it fails to subsequently load the pcsc library during its initialization due to the pcsc library not being cross-compiled for arm64 android. I’m not entirely sure at the moment that even cross-compiling that library will be enough for the Nitrokey to be accessed by OpenSC PKCS11 library. I’m curious to find out if anyone has done this successfully and what their process was.

You can cross-compile GitHub - CardContact/sc-hsm-embedded: PKCS#11 and CSP-Minidriver library for the SmartCard-HSM and STARCOS based signature cards (it’s smaller and simpler). But in any case you need a PKCS#11 driver.

I tried cross-compiling sc-hsm-embedded as well and it too is looking for the pcsclite library during make with the error “ld.lld: error: unable to find library -lpcsclite”.

sc-hsm-embedded would probably be a better and more compact PKCS11 library to use but currently I’m trying to get it working and accessing the Nitrokey HSM device at all and both appear to be stuck on the same issue of not having access to the pcsc library built for Arm64 android =\

Cross-compiling pcsclite is proving to be difficult due to it requiring a number of libraries that are structured differently in the android toolchain. Specifically I need an arm64 android libudev library and to compile that I need librt and libcrypt which are not provided in the Android NDK.

This happens at the build time, correct? So you need to give it something like -L

Once you build stuff, you’ll need to deal with a runtime linker - PKCS#11 driver will be dynamically loaded. Some random pointers: "Linker Namespace | Android Open Source Project" and "How does libdl work with linker in android? - Stack Overflow".

Also Frank Morgner, who is now a core developer of OpenSC, has this Virtual Smart Card — vsmartcard 2023-10-01 documentation

On Android, where a traditional PC/SC framework is not available, you can use our framework to make your real contact-less smart accessible through PKCS#11. For example, an email signing application can use the PKCS#11 interface of OpenSC, which is linked against our PC/SC implementation. Then an Android App (e.g. Remote Smart Card Reader) can connect as vpicc delegating all requests and responses via NFC to a contact-less smart card that signs the mail.

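The load path discussed in the posts above (a PKCS#11 driver linked with `-lpcsclite` at build time, then loaded by the runtime linker), as an added example that is not from any poster in this thread: a staged probe that reports whether a module fails at `dlopen`, at PKCS#11 initialization, or only at the point of seeing a token. The type definitions are a minimal subset of the PKCS#11 header constructed for this example, the names `probe_pkcs11` and `probe_stage` are hypothetical, and the module path is whatever you pass on the command line.

```c
#include <dlfcn.h>
#include <stdio.h>
typedef unsigned long CK_RV, CK_ULONG, CK_SLOT_ID;
/* Constructed subset: leading members of CK_FUNCTION_LIST, in the standard's order. */
typedef struct ck_function_list {
    struct { unsigned char major, minor; } version;
    CK_RV (*C_Initialize)(void *init_args);
    CK_RV (*C_Finalize)(void *reserved);
    CK_RV (*C_GetInfo)(void *info);
    CK_RV (*C_GetFunctionList)(struct ck_function_list **list);
    CK_RV (*C_GetSlotList)(unsigned char token_present, CK_SLOT_ID *slots, CK_ULONG *count);
} CK_FUNCTION_LIST;
enum probe_stage { PROBE_DLOPEN, PROBE_SYMBOL, PROBE_INIT, PROBE_SLOTS, PROBE_NO_TOKEN, PROBE_OK };

enum probe_stage probe_pkcs11(const char *path, CK_ULONG *token_slots)
{
    CK_RV (*get_list)(CK_FUNCTION_LIST **) = NULL;
    CK_FUNCTION_LIST *fl = NULL;
    enum probe_stage result = PROBE_OK;
    void *handle = dlopen(path, RTLD_NOW | RTLD_LOCAL);
    *token_slots = 0;
    if (handle == NULL) {   /* module, or a library it links against, could not be resolved */
        fprintf(stderr, "dlopen: %s\n", dlerror());
        return PROBE_DLOPEN;
    }
    *(void **)(&get_list) = dlsym(handle, "C_GetFunctionList");
    if (get_list == NULL || get_list(&fl) != 0 || fl == NULL)
        result = PROBE_SYMBOL;                 /* not a usable PKCS#11 module */
    else if (fl->C_Initialize(NULL) != 0)      /* CKR_OK is 0 */
        result = PROBE_INIT;
    else {
        /* token_present = 1 with a NULL list: count only slots holding a token */
        if (fl->C_GetSlotList(1, NULL, token_slots) != 0)
            result = PROBE_SLOTS;
        else if (*token_slots == 0)
            result = PROBE_NO_TOKEN;           /* module works, no token visible */
        fl->C_Finalize(NULL);
    }
    dlclose(handle);
    return result;
}

int main(int argc, char **argv)
{
    CK_ULONG n = 0;
    int stage = argc > 1 ? (int)probe_pkcs11(argv[1], &n) : -1;
    printf("stage=%d token_slots=%lu\n", stage, n);
    return stage != PROBE_OK;
}
```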

In the OP I mentioned that it was failing at the point where it’d try to load the pcsc library. I can’t point to the pcsc library because it can’t be cross-compiled for Arm64 android. Digging deeper, it can’t be cross-compiled because it depends on libudev and android doesn’t implement/use the udev library and has its own way of accessing user devices specific to android.

Dug around a bit in the Virtual Smart Card link you provided and it has potential but what I’m looking for is to get a PKCS11 library to work directly in an android app to access the connected Nitrokey HSM device.

Thanks for your help and suggestions. At this point I don’t think there’s a way to use Nitrokey HSM PKCS11 on an android device without significant work and development. It’s not impossible but the OpenSC PKCS11 libraries aren’t available as binaries or a simple cross-compile and usable format for android.

This is not mandatory. I use it on FreeBSD, which does not have one. --disable-libsystemd is one of the options used to configure it (maybe other changes are needed).

I don’t know the details of your project. If I were contracted to provide something like this, I’d definitely check out things like Virtual Smart Card, because unlike others, it hooks into Android way to talk to smart cards.

I think most of the Android devices talk to crypto components like SIM cards and others, so there must be a way. Especially if you want to talk from an app, you might need to consider native support from Android.

Maybe PC/SC can be part of this answer, maybe not, you need to see.

What is the rationale of using PKCS#11 in Android?

There is native Java support in the Android SDK using OCF at the card layer and the SmartCard-HSM JCE-Provider.

Building pcsclite with --disable-libsystemd allows it to be cross-compiled but opensc and its pkcs11 library don’t have access to an attached NitroKey HSM for PKCS11 operations at this point.

I’m certain there are easier (and frankly, more common) ways to access crypto components but I’m currently focusing on getting PKCS11 working using a connected USB device (in this case the Nitrokey HSM) and that requires a pkcs11 library that is compatible with Android that can access an attached USB device. As far as I’ve found, there doesn’t seem to be an android native pkcs11 library that does this which is what led me to this cross-compilation nightmare =P

I’m currently working out whether PKCS11 via a USB device is an option for Android Devices/Phones. I’m aware that there are other crypto components that are more suited but this is unfortunately what I’m currently focused on.

Thanks for the direct link to the SmartCard-HSM Android SDK! When I dug around the SmartCard-HSM site I didn’t see one. Again, I’m currently focusing on PKCS11 and unfortunately I don’t think this SDK covers that option. At least not that I can find having built and installed it.

Please let us know if you succeed!