Nitrokey Pro and PKCS#11 support on Linux

Hello all,

now that I’m a proud and happy user of Nitrokey Pro when it comes to my GnuPG crypto needs, I started looking into using it for user authentication to my local system. From what I gather, using pam_pkcs11 is the way to go here for me. However, the device doesn’t seem to play nicely with opensc-tool. During my lunch break I could get it to show the device once, at which point I thought “ok, I can pick up from here this evening”. But then it started behaving weirdly (something about not finding the OpenPGP application on the card?) and I had to unplug it and plug it back in to get it working again - and when I got back home, it wouldn’t show up anymore.
I tried it on two different computers and have also made sure to use the latest git version from the OpenSC repository which was mentioned somewhere in a support document.

Now my firmware is 0.7 and I saw on GitHub that there’s a 1.0 release. Would upgrading help? Can I flash a new firmware without erasing the stored keys? On a related note, you should probably start signing your git commits with GPG more often (there’s only one signed commit in the log). Seems like a good idea for a security-related product which supports GPG :)
Feel free to answer in German or English and don’t hesitate to ask me for debug outputs or whatever…

All the best
Marcus

Another update:

I read some more OpenSC docs and found that it doesn’t access the reader itself but actually uses pcsc for that. So when I start pcscd, the Crypto Stick shows up in opensc-tool -r. However there are some error messages shown by pcscd:

00000000 ccid_usb.c:588:OpenUSBByName() Can't claim interface 3/16: -6
00000203 ifdhandler.c:130:CreateChannelByNameOrChannel() failed
00000010 readerfactory.c:1043:RFInitializeReader() Open Port 0x200001 Failed (usb:20a0/4108:libudev:1:/dev/bus/usb/003/016)
00000010 readerfactory.c:335:RFAddReader() Crypto Stick Crypto Stick v1.4 (0000332C0000000000000000) init failed.
00000018 hotplug_libudev.c:507:HPAddDevice() Failed adding USB device: Crypto Stick Crypto Stick v1.4

Not sure whether that is relevant but I’ll continue experimenting with getting pkcs11 to work.

Another update before the weekend: looks like the error messages aren’t serious. After starting pcscd and configuring GnuPG to use it as described in the Arch Linux Wiki, both pkcs11-tool and gpg can access the card without problems. So I’m making progress, but I think the official documentation could do with some serious improvements if an advanced user with crypto (though not smartcard) experience like me needs to experiment that much to get things working.

One thing that isn’t yet 100% clear to me is how PKCS#11, PKCS#15 and OpenPGP data relate to one another. Since I already created keys with GnuPG, how do I best use these with PKCS#11 or PKCS#15? Do I just need to import an X.509 certificate? With or without public and/or private key? Associate them with multiple keys?
I’m sure I’ll figure it out somehow and it’s even fun to find these things out for myself, I just wanted to point out that it currently isn’t very accessible to someone who never worked with that kind of SmartCard-related domain knowledge.

Also if someone could elaborate on my initial question of flashing the firmware, it would be appreciated.

Cheers and all the best
Marcus

Don’t worry, you have the latest firmware (just confusing numbers). Also, a firmware update of Nitrokey Pro is not possible.

I agree. It would really help us if you could suggest specific steps or aspects which helped you (and should be documented).

Nitrokey Pro has space for 3 RSA keys (encryption, signing, authentication) and one X.509 certificate. RSA keys can be used for both OpenPGP and X.509/PKCS#11. Now, for your existing key you should generate a Certificate Signing Request and send it to your CA. You can store the returned X.509 certificate on your Nitrokey Pro.
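As an added example (not code from the thread, from Nitrokey or from OpenSC), here is the CSR-and-certificate round trip described above as a shell script, including the check a practitioner wants before writing anything to the card: that the certificate the CA returned really belongs to the key on the token. The OpenSC module path, the libp11 OpenSSL `pkcs11` engine and object id 03 for the OpenPGP authentication key are assumptions.

```shell
#!/bin/sh
# Added example: build a CSR for the authentication key that already lives on
# the Nitrokey Pro, then verify the CA's certificate against the card's public
# key before storing it with pkcs11-tool. pcscd must be running (see thread).
# Assumptions: OpenSC PKCS#11 module path, libp11's OpenSSL "pkcs11" engine,
# and OpenSC exposing the OpenPGP keys as ids 01 (sig), 02 (enc), 03 (auth).
MODULE="${OPENSC_MODULE:-/usr/lib/opensc-pkcs11.so}"
AUTH_KEY_ID=03   # assumption: OpenSC's object id for the authentication key

# SHA-256 over the SubjectPublicKeyInfo (DER) of either a certificate or a
# bare public key, so both sides of the comparison are hashed identically.
pubkey_fingerprint() {  # $1 = PEM file, $2 = "cert" or "pubkey"
  if [ "$2" = cert ]; then pem=$(openssl x509 -in "$1" -noout -pubkey); else pem=$(cat "$1"); fi
  printf '%s\n' "$pem" | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 when the certificate certifies the public key in $2, 1 otherwise.
# A certificate issued for a different key is useless on the card, so check first.
cert_matches_pubkey() {  # $1 = certificate PEM, $2 = public key PEM
  [ "$(pubkey_fingerprint "$1" cert)" = "$(pubkey_fingerprint "$2" pubkey)" ]
}

# Export the on-card public key (for the later check) and sign the CSR with the
# private key through the PKCS#11 engine; the private key never leaves the token.
csr_from_token() {  # $1 = subject, e.g. "/CN=marcus"
  pkcs11-tool --module "$MODULE" --read-object --type pubkey --id "$AUTH_KEY_ID" -o auth.pub.der
  openssl rsa -pubin -inform DER -in auth.pub.der -out auth.pub.pem
  openssl req -new -engine pkcs11 -keyform engine \
    -key "pkcs11:id=%$AUTH_KEY_ID;type=private" -subj "$1" -out auth.csr
}

# Store the CA's certificate in the card's single certificate slot, but only
# after confirming it matches the authentication key exported above.
write_cert_to_token() {  # $1 = certificate PEM returned by the CA
  cert_matches_pubkey "$1" auth.pub.pem || { echo "certificate does not match card key" >&2; return 1; }
  openssl x509 -in "$1" -outform DER -out auth.crt.der
  pkcs11-tool --module "$MODULE" --login --write-object auth.crt.der --type cert --id "$AUTH_KEY_ID"
}
```

Typical flow: `csr_from_token "/CN=marcus"`, submit `auth.csr` to the CA, then `write_cert_to_token ca-reply.pem`.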