Pkcs11-register open cmd windows

OK, so there are keys on the device without meta-data or associated public key. That explains why pkcs11-tool does not report an error.

The error

"Card communication error: CardException in transmit(): sun.security.smartcardio.PCSCException: Unknown error 0x7a"

makes me believe that either something is wrong with the PC/SC driver installation or the Nitrokey reader hardware. The Nitrokey HSM is actually a Nitrokey Smart Card Reader with a SmartCard-HSM SIM card inserted. The SIM seems to work, but the reader reports communication errors.

Could you try on a different system?

There is also what we call a use case test in the SmartCard-HSM workspace that comes with the Starterkit. You need to unpack the zip and select that directory as workspace when starting the Smart Card Shell. The tests can be run by loading the usecases/loadtest.js script. In the outline you can run individual tests or the complete test suite. It does initialize the device though.

I am checking the services:
ScDeviceEnum is stopped
SCardSvr is running

I am stopping and starting both.
I extract the workspace.zip and select the folder during scsh3gui start.
Now I can log in with the PIN and without error, and this is the result:

>Creating outline...
Does not seem to be a certificate(undefined)

That is expected if the metadata on the card is corrupted.

When you initialize the device with sc-hsm-tool or using the Key Manager in the Smart Card Shell, then the residue is removed and you can start over.

Okay, I'll try that.

>r
0000  3B DE 96 FF 81 91 FE 1F C3 80 31 81 54 48 53 4D  ;.........1.THSM
0010  31 73 80 21 40 81 07 92                          1s.!@...

TS  : 3B  Direct logic
TO  : DE  K    =    14 byte [historical characters]
TA1 : 96  Fi/f =   512/ 5   [clock rate conversion factor / max. frequency (MHz)]
          Di   =    32      [bit rate conversion factor]
TC1 : FF  N    =   255 etu  [extra guardtime]
TD1 : 81  T    =   T=1      [protocol type]
TD2 : 91  T    =   T=1      [protocol type]
TA3 : FE  IFSC =   254      [information field size]
TD3 : 1F  T    =   GLO      [protocol type]
TA4 : C3  X    = No Pref    [clock stop indicator]
          U    = A and B    [class indicator (5, 3, 1.8 V)]
Card service indicator :
    Application selection by full DF name
    EF.DIR / EF.ATR access with READ RECORD
    Card without MF
Card issuer data       : 48534D31 HSM1
Card capabilities      :
    DF selection by full DF name
    Proprietary write
    Data unit size is 8 bits
    'FF' means padding in BER.TLV coded data fields
    Extended Le and Lc fields supported
Status byte(s)         : 07 .

>initPIN(625292)
org.mozilla.javascript.EcmaError: ReferenceError: "initPIN" is not defined.
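The ATR dump in the post above can be decoded offline with an ISO 7816-3 parser. The following is an added example, not Smart Card Shell code and not posted by anyone in this thread: it walks the TA/TB/TC/TD interface bytes, verifies the TCK checksum, and decodes the COMPACT-TLV historical bytes that the shell prints as card service / issuer / capabilities data. The byte string is the ATR copied from the output above; the Fi/Di, clock-stop and tag tables are taken from ISO 7816-3/-4.

```python
from functools import reduce
# Tables from ISO 7816-3 (Fi/Di codes, clock stop) and ISO 7816-4 (COMPACT-TLV tags in the historical bytes)
FI = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860, 9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}
DI = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}
HIST_TAGS = {3: "card_service_data", 5: "card_issuer_data", 7: "card_capabilities", 8: "status_indicator"}
CLOCK_STOP = {0: "not supported", 1: "state L", 2: "state H", 3: "no preference"}
# The ATR the Smart Card Shell printed for the SmartCard-HSM in the thread above (copied from that output)
SMARTCARD_HSM_ATR = bytes.fromhex("3B DE 96 FF 81 91 FE 1F C3 80 31 81 54 48 53 4D 31 73 80 21 40 81 07 92")


def parse_atr(atr: bytes) -> dict:
    """Walk TS, T0 and the TA/TB/TC/TD chain, verify TCK, decode the historical bytes."""
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("invalid TS byte")
    r = {"direct_convention": atr[0] == 0x3B, "interface": {}, "protocols": []}
    y, k, i, idx, proto = atr[1] & 0xF0, atr[1] & 0x0F, 1, 2, 0
    while y:  # y holds the presence bits of TA(i), TB(i), TC(i), TD(i)
        if idx + bin(y).count("1") > len(atr):
            raise ValueError("ATR truncated in the interface bytes")
        for name, bit in (("TA", 0x10), ("TB", 0x20), ("TC", 0x40), ("TD", 0x80)):
            if y & bit:
                r["interface"]["%s%d" % (name, i)] = atr[idx]
                idx += 1
        ta = r["interface"].get("TA%d" % i)
        if ta is not None and i >= 3 and proto == 1:  # TA(i) after a T=1 TD(i-1) is the IFSC
            r["IFSC"] = ta
        if ta is not None and i >= 3 and proto == 15:  # TA(i) after a T=15 TD(i-1): clock stop / class
            r["clock_stop"] = CLOCK_STOP[ta >> 6]
            r["voltage_classes"] = [c for b, c in ((1, "A"), (2, "B"), (4, "C")) if ta & b]
        td = r["interface"].get("TD%d" % i)
        y, proto = (0, proto) if td is None else (td & 0xF0, td & 0x0F)
        if td is not None:
            r["protocols"].append(td & 0x0F)
        i += 1
    ta1 = r["interface"].get("TA1", 0x11)  # default Fi=372, Di=1 when TA1 is absent
    r["Fi"], r["Di"], r["N"] = FI.get(ta1 >> 4), DI.get(ta1 & 0x0F), r["interface"].get("TC1", 0)
    hist = atr[idx:idx + k]
    if len(hist) != k:
        raise ValueError("ATR truncated: %d historical bytes announced" % k)
    if any(p != 0 for p in r["protocols"]):  # TCK is present when any protocol other than T=0 is offered
        if len(atr) != idx + k + 1 or reduce(lambda a, b: a ^ b, atr[1:]) != 0:
            raise ValueError("TCK missing or checksum mismatch")
    r["historical"] = {}
    if hist[:1] == b"\x80":  # category indicator 0x80: COMPACT-TLV objects follow
        j = 1
        while j < len(hist):
            tag, length = hist[j] >> 4, hist[j] & 0x0F
            r["historical"][HIST_TAGS.get(tag, "tag_%X" % tag)] = hist[j + 1:j + 1 + length]
            j += 1 + length
    return r
```

A checksum or truncation error from this parser on a dump like the one above points at the reader or transport, not at the card's file system, which is the distinction the thread is trying to make.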

Some explanation needed here: The “>” prompt you see in the Smart Card Shell is actually the prompt of a JavaScript interpreter. It will accept commands like

print("Hello World");

You can use this prompt to start scripts, aka files ending with .js that are part of the Smart Card Shell installation or the workspace you selected at startup.

Scripts will typically interact with the SmartCard-HSM at the APDU level. You can see the commands exchanged with the device in the “trace” tab.

The key manager is such a script, which creates an outline showing the data objects on a SmartCard-HSM. Like any other script the key manager can be started with

load("keymanager/keymanager.js");

or simpler by pressing CTRL-M. Other scripts can be started with CTRL-R.

Once the key manager is started, you can use the context menus on the objects in the outline on the left. To initialize the device you can open the context menu on the “SmartCard-HSM (xxx)” node and select “Initialize Device”. You are then prompted for some options, for the beginning just use the defaults.

Once you have initialized the device, you can create keys with “Generate RSA Key” on the same context menu. Once the key is generated, you can open the key entry and open the context menu at AT-CVREQ. With “Generate PKCS#10 Request” you can create a CSR. When you receive the certificate, you can use “Import certificate” to store it on the device.

The use case tests I mentioned before are also organized as a script that can be started. Similar to the key manager, it opens an outline with test cases that you can select and run.

Once you are done with a script, you can enter

restart

on the shell to clear any running scripts.

Thanks, I'll try it tomorrow.

Update: I am very busy and will try it soon.