Nitrokey Pro and X.509 certificate for email-encryption

my short field report:
Meanwhile I can easily move an existing PKCS12 container with an S/MIME certificate to a nitrokey.

slot 3 (signing)
$ pkcs15-init --id 3 --store-private-key certificatechain.p12 --format pkcs12 --auth-id 3 --verify-pin

slot 2 (encryption)
$ pkcs15-init --id 2 --store-private-key certificatechain.p12 --format pkcs12 --auth-id 3 --verify-pin

So far so good. But what we notice now, with the Nitrokey Pro prepared in this way, are the following things.

  1. Under Thunderbird 68.10.0 (Fedora 32) I have to enter the user PIN twice to use the certificate. O.K., that is explainable insofar as I want to both encrypt and sign a mail.
  2. Under Android 9.x (/e/OS on my Fairphone 3) I cannot use the X.509 certificate stored on the Nitrokey Pro at all. :confused:

Did anyone have better experiences, or tips on how to do it better?

O.K. Finally I have the following question:
Is it actually possible to generate the key material required for the S/MIME certificate directly in Nitrokey Pro and then generate a CSR? Basically I’m not comfortable with generating keys to a memory area outside of a crypto device. After all, that’s what I got a Nitrokey for.
But no matter what I try, I just can’t succeed in, e.g., generating a PIN on the stick using
$ pkcs15-init --store-pin --auth-id 03 --label "Django aka BOfH (Bastard Operator from Hell)"
and then generating another suitable key with
$ pkcs15-init --generate-key rsa/4096 --auth-id 03

Is this not possible because “only” a PKCS#15 token is emulated, or am I just being too stupid (I hope it is option “b”).

Hi!

Have you seen micro-ca-tool already?


Thanks for the hint, I will take a closer look at it and then report if I can be successful with it.


Hi @szszszsz

Have you seen micro-ca-tool already?

O.K.: micro-ca-tool is basically just a big shell script and quite well documented.

I can use it to create key IDs for Cryptostick/Nitrokey for the three Key-IDs: 01=signature key, 02=encryption key, 03=authentication key.

The generation of a CSR also works with the micro-ca-tool or the equivalent openssl call. The CA used then creates an S/MIME certificate based on my CSR.

Where I fail at the moment is the import of the certificate into the Nitrokey Start. With micro-ca-tool or the corresponding pkcs15-tool call:
$ pkcs15-init --store-certificate securemail.mailserver.guru.crt --id 3 --auth-id 03 --verify-pin
OKAY. The Auth-ID 03 corresponds to the Admin PIN, but how is the id to be defined when importing the certificate?

When importing a PKCS12 container, i.e. the certificate including the corresponding key, you would use ID 2 (required for decrypting e-mails) and select ID 3 (required for signing).

Only which slot is used for the certificate?

Hi!

For the first Nitrokey Pro (OpenPGP 2.x card) release and all Nitrokey Start only one certificate is supported, and I believe it’s always slot 3.
Just for completeness, newer Nitrokey Pro 2/Nitrokey Storage 2 (having OpenPGP 3.3 cards) handle multiple certificates in hardware, however the software is in development - OpenSC#1399.

Edit: most probably the certificate will be used for email decryption as well

Hi!

O.K. how can I test whether an OpenPGP 2.x card or an OpenPGP 3.2 card is installed in the Nitrokey?

You can see the version of the OpenPGP card in your nitrokey:
$ gpg --card-status | grep version

So this is an OpenPGP 3.3 card and this Nitrokey Pro here is an OpenPGP 2.1 card

$ gpg --card-status | grep version

right?

Well then, are there actually any significant security features that an OpenPGP 2.x card does not support, but an OpenPGP 3.2 card does?

ttyl
Django
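An added example, not from this thread or from Nitrokey: given the output of `gpg --card-status` (captured beforehand), it derives the OpenPGP card version both from the `Version` line and from the version bytes encoded in the Application ID, and only reports a version when the two agree, so a mismatch or a non-OpenPGP application is flagged instead of silently accepted. The sample outputs inside the script are constructed, not captured from real devices.

```shell
#!/bin/sh
# Added example, not from the thread: determine the OpenPGP card version in a
# Nitrokey from captured `gpg --card-status` output in two independent ways,
# and only report it when both agree.
# The Application ID is laid out as D276000124 01 VVVV MMMM SSSSSSSS 0000,
# where VVVV is the card version in BCD (0201 = 2.1, 0303 = 3.3).
# Sample outputs below are CONSTRUCTED, not captured from real devices.

SAMPLE_V21='Reader ...........: Nitrokey Nitrokey Pro (000000000000) 00 00
Application ID ...: D2760001240102010005000012340000
Version ..........: 2.1
Serial number ....: 00001234'

SAMPLE_V33='Reader ...........: Nitrokey Nitrokey Pro (000000000000) 00 00
Application ID ...: D2760001240103030005000056780000
Version ..........: 3.3
Serial number ....: 00005678'

# version_from_line STATUS -> prints the value of the "Version" line
version_from_line() {
    printf '%s\n' "$1" | sed -n 's/^Version \.*: *\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# version_from_aid STATUS -> prints the version decoded from the AID;
# fails if the AID is missing or is not an OpenPGP application
version_from_aid() {
    aid=$(printf '%s\n' "$1" | sed -n 's/^Application ID \.*: *\([0-9A-Fa-f]*\).*/\1/p')
    case "$aid" in
        D27600012401????????????????????) ;;   # RID D276000124 + PIX 01, 16 bytes total
        *) return 1 ;;
    esac
    major=$(printf '%s' "$aid" | cut -c13-14 | sed 's/^0//')
    minor=$(printf '%s' "$aid" | cut -c15-16 | sed 's/^0//')
    printf '%s.%s\n' "$major" "$minor"
}

# openpgp_card_version STATUS -> prints e.g. "2.1" when both sources agree,
# otherwise prints nothing and returns non-zero
openpgp_card_version() {
    from_line=$(version_from_line "$1")
    from_aid=$(version_from_aid "$1") || return 1
    [ -n "$from_line" ] && [ "$from_line" = "$from_aid" ] || return 1
    printf '%s\n' "$from_line"
}

# With a real device: openpgp_card_version "$(gpg --card-status)"
openpgp_card_version "$SAMPLE_V21"
openpgp_card_version "$SAMPLE_V33"
```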

Hi!

I am now through with my learning by doing in terms of S/MIME and Nitrokey Pro. Here is another blog article: https://wiki.mailserver.guru/doku.php/nitrokey:linuxmint:pro#s_mime_x509

Have fun with it and if something should be unclear or there is a bug in it, just report it!

ttyl
Django