Nitrokey HSM2 4K: Unwrap not working after firmware update 3.3 to 3.5

Hi,

I first made a backup with wrap, then updated the Nitrokey HSM2 from firmware 3.3 to 3.5. Then initialized the Nitrokey with:

sc-hsm-tool --initialize --so-pin xxxxxxxx --pin yyyyyyy -s 1
sc-hsm-tool --import-dkek-share ..\dkek-share-1.pbe
sc-hsm-tool --unwrap-key backup.bin --key-reference 1

Then it shows:

Using reader with a card: Nitrokey Nitrokey HSM 0
Wrapped key contains:
  Key blob
  Private Key Description (PRKD)
Enter User PIN :
Key successfully imported

After pkcs15-tool -D there is only UserPIN and SOPIN visible.

Even pkcs15-tool -k shows no key:
Using reader with a card: Nitrokey Nitrokey HSM 0

When I try to import again, I get:
Found existing private key description in EF with fid c401. Please remove key first, select unused key reference or use --force.

So it seems the key is already present.

I also tried to import the related certificate and intermediate certificate, but still there is no private key shown.

What am I doing wrong?

I remember successfully creating a backup token in this way with 3.3. But no more after the update to 3.5.

Best regards,
Markus

Can you try the following commands (I show them below with the sample output of one of the Nitrokeys I have):

> opensc-explorer
OpenSC Explorer version 0.21.0
Using reader with a card: Nitrokey Nitrokey HSM (DENK01037780000         ) 00 00
OpenSC [3F00]> cd aid:E82B0601040181C31F0201
OpenSC [E82B/0601/0401/81C3/1F02/01]> ls
FileID	Type  Size
 2F02 	 wEF   462
 C401 	 wEF    32
 CE01 	 wEF   759
 C402 	 wEF   109
 CE02 	 wEF  1077
 C403 	 wEF    62
 CE03 	 wEF   657
 CE04 	 wEF   490
 C404 	 wEF    46
 CE05 	 wEF   490
 C405 	 wEF    42
 CC00 	 wEF     0
 CC01 	 wEF     0
 CC02 	 wEF     0
 CC03 	 wEF     0
 CC04 	 wEF     0
 CC05 	 wEF     0
OpenSC [E82B/0601/0401/81C3/1F02/01]> asn1 c401
30 SEQUENCE (30 bytes)
   30 SEQUENCE (7 bytes)
      0C UTF8String (5 bytes): Key01
   30 SEQUENCE (7 bytes)
      04 OCTET STRING (1 byte): 01 .
      03 BIT STRING (2 bytes): 101110
   A1 Context 1  (10 bytes)
      30 SEQUENCE (8 bytes)
         30 SEQUENCE (2 bytes)
            04 OCTET STRING (0 bytes)
         02 INTEGER (2 bytes): 2048

Can you show how you are trying to execute these steps? The trick might be to make sure they have the same IDs that match the private key IDs.
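Added example, not part of the thread: a small decoder for the PKCS#15 PrivateKeyDescription stored in EF C401, so the key's iD can be compared against the ID of a certificate object. The DER bytes are constructed to match the `asn1 c401` dump above (label "Key01", iD 01, RSA 2048); the function names are my own.

```python
# Constructed to match the asn1 c401 dump from the post: 32 bytes in total.
PRKD_C401 = bytes.fromhex(
    "301e"                        # PrivateKeyObject SEQUENCE (30 bytes)
    "30070c054b65793031"          # CommonObjectAttributes { label UTF8String "Key01" }
    "3007040101030202b8"          # CommonKeyAttributes { iD 01, usage BIT STRING 101110 }
    "a10a30083002040002020800"    # [1] PrivateRSAKeyAttributes { path "", modulusLength 2048 }
)


def der_tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos]; returns (tag, value, next_pos).
    Single-byte tags only, which is all a PKCS#15 PRKD uses."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the content of a constructed TLV into a list of (tag, value)."""
    children, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        children.append((tag, val))
    return children


def decode_prkd(blob):
    """Extract label, key ID, usage flags and modulus size from a PrivateKeyObject."""
    tag, body, _ = der_tlv(blob)
    if tag != 0x30:
        raise ValueError("PRKD must start with a SEQUENCE")
    common, key_attrs, *rest = der_children(body)
    # CommonObjectAttributes: the label is the UTF8String (tag 0x0C)
    label = next(v for t, v in der_children(common[1]) if t == 0x0C).decode()
    # CommonKeyAttributes: iD OCTET STRING, then usage BIT STRING
    (_, key_id), (_, usage) = der_children(key_attrs[1])[:2]
    bits = "".join(f"{b:08b}" for b in usage[1:])
    usage_bits = bits[:len(bits) - usage[0]]            # drop the unused trailing bits
    # [1] PrivateRSAKeyAttributes: SEQUENCE { path, modulusLength INTEGER }
    rsa = next(v for t, v in rest if t == 0xA1)
    _, modulus = der_children(der_children(rsa)[0][1])[1]
    return {"label": label, "id": key_id.hex(), "usage": usage_bits,
            "modulus_bits": int.from_bytes(modulus, "big")}


def key_id_matches(prkd_blob, cert_id_hex):
    """True when a certificate object's CKA_ID (hex) equals the private key's iD."""
    return decode_prkd(prkd_blob)["id"] == cert_id_hex.lower()
```

The "id" value returned here is the one a certificate written with pkcs11-tool must carry (its `--id`) for the token to associate it with the private key.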

Hi,

That’s the output after import:

OpenSC [3F00]> cd aid:E82B0601040181C31F0201
OpenSC [E82B/0601/0401/81C3/1F02/01]> ls
FileID  Type  Size
 2F02    wEF   462
 CA00    wEF  1195
 C800    wEF    55
 CA01    wEF  1533
 C801    wEF    39
 C401    wEF  1533
 CC00    wEF     0
 CC01    wEF     0

I’m doing the import this way (replaced the pins):

sc-hsm-tool --initialize --so-pin xxxxxxxxxxxxxxxx --pin yyyyyy -s 1
sc-hsm-tool --import-dkek-share ..\dkek-share-1.pbe
sc-hsm-tool --unwrap-key backup.bin --key-reference 1
pkcs11-tool -l --write-object ..\Intermediate1.der --type cert
pkcs11-tool -l --write-object ..\mycertfile.der --type cert --label "MyCodeSignCert"