NitroKey HSM2 unable to communicate with Fabric CA Server

Objective: Fabric CA as RCA to use NitroKey2 HSM for its private key:

Step 1: initialise a slot with the label test
➜ NHSM pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --init-token --init-pin --so-pin=0123456789012345 --new-pin=123456 --label="test" --pin=648219 --slot-index 0
Using slot with index 0 (0x0)
Token successfully initialized
User PIN successfully initialized
➜ NHSM
➜ NHSM pkcs11-tool -O
Using slot 0 with a present token (0x0)
Profile object 1849802432
profile_id: '4'
➜ NHSM

Next step:

Started Fabric CA Server natively, but it is showing the following in the logs:
2022/05/02 10:41:32 [DEBUG] Initializing BCCSP with PKCS11 options {SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore: DummyKeystore: Library:/usr/local/lib/opensc-pkcs11.so Label:****** Pin:****** SoftVerify:false Immutable:false AltId:}
2022/05/02 10:41:32 [DEBUG] Closing server DBs
Error: Failed to get BCCSP with opts: Could not initialize BCCSP PKCS11: pkcs11: could not find token with label test

OpenSC logs show the following:

P:17405; T:0x123145467105280 10:31:48.160 [opensc-pkcs11] slot.c:448:slot_allocate: Allocated slot 0x0 for card in reader Nitrokey Nitrokey HSM
P:17405; T:0x123145467105280 10:31:48.160 [opensc-pkcs11] framework-pkcs15.c:1124:pkcs15_init_slot: Called
P:17405; T:0x123145467105280 10:31:48.160 [opensc-pkcs11] framework-pkcs15.c:1216:pkcs15_init_slot: Initialized slot 0x0 with token test (UserPIN) www.CardContact.de PKCS#15 emulatedDENK0106167
P:17405; T:0x123145467105280 10:31:48.160 [opensc-pkcs11] framework-pkcs15.c:1450:_add_pin_related_objects: Add objects related to PIN('UserPIN',ID:01)
P:17405; T:0x123145467105280 10:31:48.160 [opensc-pkcs11] framework-pkcs15.c:1668:pkcs15_create_tokens: Add public objects to slot 0x9f04290
P:17405; T:0x123145467105280 10:31:48.161 [opensc-pkcs11] framework-pkcs15.c:1514:_add_public_objects: 0 public objects to process
P:17405; T:0x123145467105280 10:31:48.161 [opensc-pkcs11] framework-pkcs15.c:1067:pkcs15_add_object: Slot:0 Setting object handle of 0x0 to 0x8d1cdf0
P:17405; T:0x123145467105280 10:31:48.161 [opensc-pkcs11] framework-pkcs15.c:1672:pkcs15_create_tokens: All tokens created
P:17405; T:0x123145467105280 10:31:48.161 [opensc-pkcs11] slot.c:374:card_detect: Nitrokey Nitrokey HSM: Detection ended
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] slot.c:430:card_detect_all: All cards detected
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] pkcs11-global.c:352:C_Initialize: C_Initialize() = CKR_OK
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] pkcs11-global.c:490:C_GetSlotList: C_GetSlotList(token=1, plug-n-play)
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] pkcs11-global.c:491:C_GetSlotList: VSS C_GetSlotList before ctx_detect_detect
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] reader-pcsc.c:1386:pcsc_detect_readers: called
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] reader-pcsc.c:1399:pcsc_detect_readers: Probing PC/SC readers
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] reader-pcsc.c:1568:pcsc_detect_readers: returning with: 0 (Success)
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] pkcs11-global.c:497:C_GetSlotList: VSS C_GetSlotList after ctx_detect_readers
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] slot.c:391:card_detect_all: Detect all cards
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] slot.c:217:card_detect: Nitrokey Nitrokey HSM: Detecting smart card
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] sc.c:335:sc_detect_card_presence: called
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] reader-pcsc.c:472:pcsc_detect_card_presence: called
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] reader-pcsc.c:360:refresh_attributes: Nitrokey Nitrokey HSM check
P:17405; T:0x123145467105280 10:31:48.163 [opensc-pkcs11] reader-pcsc.c:407:refresh_attributes: current state: 0x00000122
P:17405; T:0x123145467105280 10:31:48.163 [opensc-pkcs11] reader-pcsc.c:408:refresh_attributes: previous state: 0x00000022
P:17405; T:0x123145467105280 10:31:48.163 [opensc-pkcs11] reader-pcsc.c:464:refresh_attributes: card present
P:17405; T:0x123145467105280 10:31:48.163 [opensc-pkcs11] reader-pcsc.c:477:pcsc_detect_card_presence: returning with: 5
P:17405; T:0x123145467105280 10:31:48.163 [opensc-pkcs11] sc.c:340:sc_detect_card_presence: returning with: 5
P:17405; T:0x123145467105280 10:31:48.163 [opensc-pkcs11] slot.c:374:card_detect: Nitrokey Nitrokey HSM: Detection ended
P:17405; T:0x123145467105280 10:31:48.164 [opensc-pkcs11] slot.c:430:card_detect_all: All cards detected
P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] pkcs11-global.c:533:C_GetSlotList: VSS C_GetSlotList after card_detect_all
P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] pkcs11-global.c:536:C_GetSlotList: was only a size inquiry (1)
P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] pkcs11-global.c:490:C_GetSlotList: C_GetSlotList(token=1, refresh)
P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] pkcs11-global.c:491:C_GetSlotList: VSS C_GetSlotList before ctx_detect_detect
P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] pkcs11-global.c:497:C_GetSlotList: VSS C_GetSlotList after ctx_detect_readers
P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] slot.c:391:card_detect_all: Detect all cards
P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] slot.c:217:card_detect: Nitrokey Nitrokey HSM: Detecting smart card
P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] sc.c:335:sc_detect_card_presence: called
P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] reader-pcsc.c:472:pcsc_detect_card_presence: called
P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] reader-pcsc.c:360:refresh_attributes: Nitrokey Nitrokey HSM check
P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] reader-pcsc.c:385:refresh_attributes: returning with: 0 (Success)
P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] reader-pcsc.c:477:pcsc_detect_card_presence: returning with: 5
P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] sc.c:340:sc_detect_card_presence: returning with: 5
P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] slot.c:374:card_detect: Nitrokey Nitrokey HSM: Detection ended
P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] slot.c:430:card_detect_all: All cards detected
P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] pkcs11-global.c:533:C_GetSlotList: VSS C_GetSlotList after card_detect_all
P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] pkcs11-global.c:541:C_GetSlotList: VSS C_GetSlotList after slot->id reassigned
P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] pkcs11-global.c:554:C_GetSlotList: returned 1 slots
P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] pkcs11-global.c:555:C_GetSlotList: VSS Returning a new slot list
P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] framework-pkcs15.c:552:C_GetTokenInfo: C_GetTokenInfo(0)
P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] slot.c:470:slot_get_token: Slot(id=0x0): get token
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] slot.c:488:slot_get_token: Slot-get-token returns OK
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] framework-pkcs15.c:591:C_GetTokenInfo: C_GetTokenInfo() auth. object 0x580fa00, token-info flags 0x40D
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] pkcs15-pin.c:707:sc_pkcs15_get_pin_info: called
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] card.c:473:sc_lock: called
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] reader-pcsc.c:685:pcsc_lock: called
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] card.c:513:sc_lock: returning with: 0 (Success)
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] card.c:844:sc_select_file: called; type=0, path=e82b0601040181c31f0201::
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] card.c:879:sc_select_file: returning with: 0 (Success)
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] sec.c:200:sc_pin_cmd: called
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] apdu.c:548:sc_transmit_apdu: called
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] card.c:473:sc_lock: called
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] card.c:513:sc_lock: returning with: 0 (Success)
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] apdu.c:515:sc_transmit: called
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] apdu.c:363:sc_single_transmit: called
P:17405; T:0x123145467105280 10:31:48.168 [opensc-pkcs11] apdu.c:370:sc_single_transmit: CLA:0, INS:20, P1:0, P2:81, data(0) 0x700009d28620
P:17405; T:0x123145467105280 10:31:48.168 [opensc-pkcs11] reader-pcsc.c:323:pcsc_transmit: reader 'Nitrokey Nitrokey HSM'
P:17405; T:0x123145467105280 10:31:48.168 [opensc-pkcs11] reader-pcsc.c:324:pcsc_transmit:
Outgoing APDU (4 bytes):
00 20 00 81 . …

P:17405; T:0x123145467105280 10:31:48.168 [opensc-pkcs11] reader-pcsc.c:242:pcsc_internal_transmit: called
P:17405; T:0x123145467105280 10:31:48.200 [opensc-pkcs11] reader-pcsc.c:333:pcsc_transmit:
Incoming APDU (2 bytes):
63 C3 c�

P:17405; T:0x123145467105280 10:31:48.200 [opensc-pkcs11] apdu.c:382:sc_single_transmit: returning with: 0 (Success)
P:17405; T:0x123145467105280 10:31:48.200 [opensc-pkcs11] apdu.c:537:sc_transmit: returning with: 0 (Success)
P:17405; T:0x123145467105280 10:31:48.200 [opensc-pkcs11] card.c:523:sc_unlock: called
P:17405; T:0x123145467105280 10:31:48.200 [opensc-pkcs11] iso7816.c:123:iso7816_check_sw: PIN not verified (remaining tries: 3)
P:17405; T:0x123145467105280 10:31:48.200 [opensc-pkcs11] card-sc-hsm.c:768:sc_hsm_pin_cmd: returning with: 0 (Success)
P:17405; T:0x123145467105280 10:31:48.200 [opensc-pkcs11] sec.c:256:sc_pin_cmd: returning with: 0 (Success)
P:17405; T:0x123145467105280 10:31:48.200 [opensc-pkcs11] card.c:523:sc_unlock: called
P:17405; T:0x123145467105280 10:31:48.201 [opensc-pkcs11] reader-pcsc.c:737:pcsc_unlock: called
P:17405; T:0x123145467105280 10:31:48.201 [opensc-pkcs11] pkcs15-pin.c:742:sc_pkcs15_get_pin_info: returning with: 0 (Success)
P:17405; T:0x123145467105280 10:31:48.201 [opensc-pkcs11] framework-pkcs15.c:609:C_GetTokenInfo: C_GetTokenInfo(0) returns CKR_OK
2022/05/02 10:31:48 [DEBUG] Closing server DBs
Error: Failed to get BCCSP with opts: Could not initialize BCCSP PKCS11: pkcs11: could not find token with label test

@saper @sc-hsm Could you please help?

That seems to be an issue with the CA software. The logs look OK.

Is this EJBCA? If yes, there is a HowTo, and EJBCA also has some documentation on the integration.

My guess is that the slot name and token label are somewhat mixed up. The slot name in OpenSC is derived from the card reader naming scheme, which is different on Windows, Linux and macOS.

@sc-hsm I debugged the fabric-ca and sorted it out; the issue was the label name, init vs stored (refer to the details below).

During the init phase, the label was given as 'test', but it was stored on the NitroKey as test (UserPIN); refer to pkcs11-tool -L:

➜ NHSM pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --init-token --init-pin --so-pin=0123456789012345 --new-pin=123456 --label="test" --pin=648219 --slot-index 0
Using slot with index 0 (0x0)
Token successfully initialized
User PIN successfully initialized
➜ NHSM
➜ NHSM pkcs11-tool -O
Using slot 0 with a present token (0x0)
Profile object 1849802432
profile_id: '4'
➜ NHSM
➜ NHSM pkcs11-tool -L
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM
  token label        : test (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 24.13
  firmware version   : 3.4
  serial num         : DENK0106167
  pin min/max        : 6/15

Changed the bccsp config (label: test (UserPIN) instead of label: test) and it works:

bccsp:
  default: PKCS11
  pkcs11:
    library: /usr/local/lib/opensc-pkcs11.so
    pin: "123456"
    hash: SHA2
    security: 256
    label: test (UserPIN)
    Immutable: false

Yes, that is a specific OpenSC thing. The token label is extended by the authentication method.

And I wasn't aware that Fabric CA is actually a Hyperledger CA system. It obviously has nothing to do with EJBCA.

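The fix above (matching the BCCSP `label` against the token label OpenSC actually reports, `test (UserPIN)`, rather than the label passed to `--init-token`) and @sc-hsm's explanation that OpenSC extends the token label with the authentication method are easy to check before starting the CA. The script below is an added example, not part of this thread or of Fabric CA or OpenSC: it parses the `pkcs11-tool -L` listing, applies the exact-match rule a PKCS#11 client such as Fabric's BCCSP uses to select a token by label, and, when the configured label differs only by a parenthesised suffix, reports the label the config should carry. The sample listing is constructed from the one posted above, and the `base (AuthObject)` suffix pattern is an assumption drawn from the `test (UserPIN)` label shown, not a documented OpenSC format.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `pkcs11-tool -L` output, modelled on the listing in the
# thread above; not captured from a real device.
SAMPLE_LISTING = """\
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM
  token label        : test (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 24.13
  firmware version   : 3.4
  serial num         : DENK0106167
  pin min/max        : 6/15
"""

SLOT_RE = re.compile(r"^Slot (\d+) \((0x[0-9a-fA-F]+)\): (.*)$")
FIELD_RE = re.compile(
    r"^\s+(token label|token manufacturer|token model|serial num)\s*:\s*(.*)$"
)
# Assumption: OpenSC reports the label as "<base> (<auth object>)", e.g.
# "test (UserPIN)". Only the example in the thread supports this shape.
AUTH_SUFFIX_RE = re.compile(r"^(?P<base>.*?) \((?P<auth>[^()]+)\)$")


def parse_token_listing(text: str) -> List[Dict[str, str]]:
    """Turn `pkcs11-tool -L` output into one dict per slot with a token."""
    tokens: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            current = {"slot": m.group(1), "reader": m.group(3).strip()}
            tokens.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            # "token label" -> "token_label", "serial num" -> "serial_num"
            current[m.group(1).replace(" ", "_")] = m.group(2).strip()
    return tokens


def find_token(tokens: List[Dict[str, str]], configured_label: str) -> Optional[Dict[str, str]]:
    """Exact-match selection, which is what produced the
    'could not find token with label test' error in the thread."""
    for tok in tokens:
        if tok.get("token_label") == configured_label:
            return tok
    return None


def diagnose_label(tokens: List[Dict[str, str]], configured_label: str) -> str:
    """Explain why a configured BCCSP label does or does not select a token."""
    if find_token(tokens, configured_label) is not None:
        return f"ok: token with label {configured_label!r} found"
    for tok in tokens:
        label = tok.get("token_label", "")
        m = AUTH_SUFFIX_RE.match(label)
        # strip() guards against a stray trailing space in the YAML value
        if m and m.group("base") == configured_label.strip():
            return (
                f"mismatch: configured {configured_label!r}, but OpenSC reports "
                f"{label!r} (label extended with auth object {m.group('auth')!r}); "
                f"set label: {label}"
            )
    available = [t.get("token_label") for t in tokens]
    return f"not found: no token label matches {configured_label!r}; available: {available}"


if __name__ == "__main__":
    toks = parse_token_listing(SAMPLE_LISTING)
    for configured in ("test", "test (UserPIN)", "other"):
        print(diagnose_label(toks, configured))
```

Run against a live device by piping the real listing in, for example `pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -L`, and feeding the captured text to `parse_token_listing` with the `label` value from the bccsp section of the CA config.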

Thanks @sc-hsm,

Does this extension follow any specific pattern? E.g. if a token name is given as sumit, will it be converted to sumit (UserPIN)?