Nitrokey HSM SO-PIN conversion

Just received my first NK HSM and tried to follow the getting-started described here (Get started with the Nitrokey HSM or SmartCard-HSM - Raymii.org).
With good intentions I've initialized the device and tried to set a new SO-PIN - unfortunately I mixed up the description of the user PIN (ASCII chars) with the SO-PIN (16 hex digits). So I've provided 'JcobBr{y#)bE)W#b' as SO-PIN to pkcs11-tool for change-pin.
The command was executed successfully, but now I'm stuck when using the SO-PIN - e.g. I can't change the user PIN because the device always reports a wrong SO-PIN.
I do understand that the format of my SO-PIN is wrong, but how can I change the PIN to a correct format? In other words: according to the algorithm of the HSM, what would be a correct SO-PIN that is accepted by the device?

Many thanks for your help

Hello,

I am not sure if I understood you right. Do you wonder what SO-PIN is saved on the stick right now, after you tried the password mentioned above? As in "what would the HSM do if I do not give a valid PIN?"

Well, this will probably be difficult, as we cannot try many times. The SO-PIN can only be entered wrongly 15 times in total! Therefore I do not want to give hasty tips or tries.

So could you please tell us which command you used exactly to change the PIN? As far as I can see, the link above does not say anything about how to actually change the SO-PIN, does it? Maybe you did not change the SO-PIN at all. So what did you try?

You can read a good description over here.

Kind regards
Alex

Hi Alex,

thank you for your message.
The exact command was:

pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --login-type so --so-pin 3537363231383830 --change-pin --new-pin 'JcobBr{y#)bE)W#b'

I did not save the output, but the command executed without error.
After that the default SO-PIN wasn't valid anymore, but the random PIN above doesn't work either.

Best regards

Hi @tomshmith !

I recommend (in addition to @nitroalex's help) registering an issue on the OpenSC page regarding this matter. Allowing non-hex chars in a hex field is a UI bug. They might also want to know what PIN it was actually set to.

Hi @tomshmith,

sorry for the late response. Okay, so you really changed the SO-PIN. I have not found out what happened so far. But did you initialize the Nitrokey HSM beforehand? So do you already have a user PIN, or was changing the SO-PIN your very first action?

For the former you do not need to worry, as long as you never want to reset your key. From the OpenSC documentation it reads:

If you don’t ever want to reset the card, we suggest to set the SO-PIN to an 8 byte random value.

But this is only true if you have a valid user PIN. I guess the latter is the case and you don't have the user PIN at hand?

Kind regards
Alex

PS: Sorry I can't help you so far. I will do some research on the HSM in the coming days and maybe I can help you then...
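The failure mode in this thread is a SO-PIN that was never checked for its format before being sent to the card. The following POSIX shell wrapper is an added example (it is not code from the thread, from Nitrokey or from OpenSC): it generates the "8 byte random value" the OpenSC documentation suggests as 16 hex digits, rejects any SO-PIN that is not 16 hex digits before invoking pkcs11-tool, and keeps the PIN values out of the echoed command line. The module path and the default SO-PIN 3537363231383830 are taken from the thread; the user-PIN length of 6 to 16 characters, the environment variable names and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread, Nitrokey or OpenSC.
# Assumptions: SmartCard-HSM SO-PIN = exactly 16 hex digits (8 bytes);
# user PIN = 6..16 printable ASCII characters; module path and default
# SO-PIN 3537363231383830 as used in the thread.

# Return 0 if $1 is a syntactically valid SO-PIN (16 hex digits), else 1.
validate_so_pin() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{16}$'
}

# Return 0 if $1 looks like a valid user PIN (6..16 printable chars).
validate_user_pin() {
    printf '%s' "$1" | grep -Eq '^[[:print:]]{6,16}$'
}

# Generate a fresh random SO-PIN: 8 bytes from /dev/urandom, rendered as
# 16 hex digits, i.e. the "8 byte random value" OpenSC recommends.
new_random_so_pin() {
    head -c 8 /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# Change the SO-PIN only if both the current and the new value pass the
# format check, so a non-hex string can never reach the card. Prints the
# invocation with the PIN values masked; SC_HSM_DRY_RUN=1 skips execution
# (hypothetical variable, used by the test harness below).
change_so_pin() {
    old="$1"
    new="$2"
    module="${OPENSC_PKCS11_MODULE:-/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so}"
    if ! validate_so_pin "$old"; then
        echo "refusing: current SO-PIN is not 16 hex digits" >&2
        return 2
    fi
    if ! validate_so_pin "$new"; then
        echo "refusing: new SO-PIN is not 16 hex digits" >&2
        return 2
    fi
    echo "pkcs11-tool --module $module --login --login-type so --so-pin <old> --change-pin --new-pin <new>"
    if [ "${SC_HSM_DRY_RUN:-0}" = 1 ]; then
        return 0
    fi
    pkcs11-tool --module "$module" --login --login-type so \
        --so-pin "$old" --change-pin --new-pin "$new"
}

# Usage: generate a new SO-PIN, store it somewhere safe, then change it.
# NEW_SO_PIN=$(new_random_so_pin); echo "$NEW_SO_PIN" > so-pin.txt
# change_so_pin 3537363231383830 "$NEW_SO_PIN"
```

Run with the value from the thread, `change_so_pin 3537363231383830 'JcobBr{y#)bE)W#b'`, the wrapper refuses before pkcs11-tool is ever called; that is the check OpenSC's own tooling did not perform here. The random SO-PIN must be written down before the change, since the card gives only 15 wrong attempts.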

Hi @tomshmith,

I opened an issue https://github.com/OpenSC/OpenSC/issues/1152

Kind regards
Alex

Aaaand again. Sorry.

@tomshmith could you please have a look at what version of OpenSC you have installed? If you have a GitHub account (or are willing to create one), you may help to solve this issue directly on GitHub.

Kind regards
Alex