Signtool usage with Nitrokey HSM

If so, it isn’t used in the command, is it? I thought maybe it works when choosing the CSP driver name in the command instead of “Microsoft Base Smart Card Crypto Provider”. But this is just guessing here.

Hello,

@jan I am using RSA 2048 keys

I have indeed installed the minidriver distributed alongside the sc-hsm-middleware.

@nitroalex I tried to list another CSP (for instance OpenSC CSP), and the certificate itself is not found. The system finds the certificate only with “Microsoft Base Smart Card Crypto Provider”.

Also, I did not find any option to specify the driver name. My understanding is that Windows selects the appropriate driver automatically.

I don’t know what the problem is here, being honest.

Is there a more verbose (debug) output available for the signtool?

Hi,

I’m trying to do code signing with Nitrokey HSM 2, too. (Currently with a self-signed certificate)

Java code signing already works with the java jarsigner. But not with signtool. Tried:

signtool.exe sign /n "codesigntest" /csp "OpenSC CSP" /kc "codesigntest" /fd SHA256 /debug /v test.exe

Does not work. It only finds certificates in the windows cert store, not on the HSM.

When I export the certificate to a file and execute the signtool like this:

signtool sign /f CodeSignTest.cer /csp "OpenSC CSP" /k "0" test.exe

It is accessing the HSM, as I get a new error window:

Windows device manager shows as device “unknown smartcard”.

But OpenSC is installed.

Did you manage to get it working?

It’s important to understand that some Windows tools are 32-bit, while others are 64-bit. If you install OpenSC, then you need to install the 32-bit and 64-bit version.

If you install our own sc-hsm-middleware, then the 64-bit installer puts both, 32-bit and 64-bit DLL and executables on your disk.

To troubleshoot this Microsoft madness, I usually try certutil -scinfo in both versions (available in C:\Windows\System32 (64-bit) and C:\Windows\SysWOW64 (32-bit)).

Btw. the minidriver from OpenSC is a R/W driver, while the sc-hsm-middleware minidriver is a read-only driver.

Hi,

my version of signtool is 64-bit.

I get:

C:\Windows\System32\certutil.exe -scinfo
Die Microsoft Smartcard-Ressourcenverwaltung wird ausgeführt.
Aktueller Leser-/Kartenstatus:
Leser: 1
  0: Nitrokey Nitrokey HSM 0
--- Leser: Nitrokey Nitrokey HSM 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
--- Status: Die Smartcard kann verwendet werden.
---  Karte:
---    ATR:
        ......


=======================================================
Karte im Leser wird analysiert: Nitrokey Nitrokey HSM 0
SCardGetCardTypeProviderName: Das System kann die angegebene Datei nicht finden. 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)
Anbietername kann nicht abgerufen werden für SCardGetCardTypeProviderName: Das System kann die angegebene Datei nicht finden. 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)
Anbietername kann nicht abgerufen werden für
--------------===========================--------------
CertUtil: -SCInfo-Befehl ist fehlgeschlagen: 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)
CertUtil: Das System kann die angegebene Datei nicht finden.    

Now installed 32-bit, though.

C:\Windows\SysWOW64\certutil.exe -scinfo
Die Microsoft Smartcard-Ressourcenverwaltung wird ausgeführt.
Aktueller Leser-/Kartenstatus:
Leser: 1
  0: Nitrokey Nitrokey HSM 0
--- Leser: Nitrokey Nitrokey HSM 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
--- Status: Die Smartcard wird von einem anderen Prozess verwendet.
---  Karte:
---    ATR:
        ......


=======================================================
Karte im Leser wird analysiert: Nitrokey Nitrokey HSM 0
SCardGetCardTypeProviderName: Das System kann die angegebene Datei nicht finden. 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)
Anbietername kann nicht abgerufen werden für SCardGetCardTypeProviderName: Das System kann die angegebene Datei nicht finden. 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)
Anbietername kann nicht abgerufen werden für
--------------===========================--------------
CertUtil: -SCInfo-Befehl ist fehlgeschlagen: 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)
CertUtil: Das System kann die angegebene Datei nicht finden.    

What’s missing?

Can you check the registry to confirm that the ATR matches the correct minidriver?

Should be something like

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\SmartCard-HSM (4K)]
"80000001"="C:\\Program Files\\OpenSC Project\\OpenSC\\minidriver\\opensc-minidriver.dll"
"Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
"Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
"ATR"=hex:3b,de,18,ff,81,91,fe,1f,c3,80,31,81,54,48,53,4d,31,73,80,21,40,81,07,1c
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff

Hi,

I have this:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\SmartCard-HSM]
"Crypto Provider"="OpenSC CSP"
"Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
"80000001"="C:\\Program Files\\OpenSC Project\\OpenSC\\minidriver\\opensc-minidriver.dll"
"ATR"=hex:3b,fe,18,00,00,81,31,fe,45,80,31,81,54,48,53,4d,31,73,80,21,40,81,07,\
  fa
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
  ff,ff,ff

ATR from certutil is:

3b de 18 ff 81 91 fe 1f  c3 80 31 81 54 48 53 4d   ;.........1.THSM
    31 73 80 21 40 81 07 1c                            1s.!@...

So seems this entry is missing, as the ATR does not match… I’ll add it.

Now I get, when using certutil:

Update: The 80000001 was not imported correctly… I had to add it manually in the registry.
And WHEW… now I see:

:smile:
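To see why the first registry entry did not match the card, here is an added Python example (not from this thread, OpenSC or Nitrokey) that parses the ATR exactly as certutil -scinfo prints it, parses the .reg hex values including their backslash line continuations, and applies the masked comparison the smart card subsystem uses to select a minidriver. The equal-length requirement in the comparison is an assumption; the ATR values are the ones posted above.

```python
import re

# Constructed sample: the ATR hex dump as certutil -scinfo prints it (values from the thread).
CERTUTIL_ATR_DUMP = """\
3b de 18 ff 81 91 fe 1f  c3 80 31 81 54 48 53 4d   ;.........1.THSM
    31 73 80 21 40 81 07 1c                            1s.!@...
"""

# Constructed sample: the two registry entries from the thread, in .reg syntax.
REG_ENTRIES = {
    "SmartCard-HSM": {
        "ATR": "hex:3b,fe,18,00,00,81,31,fe,45,80,31,81,54,48,53,4d,31,73,80,21,40,81,07,\\\n  fa",
        "ATRMask": "hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\\\n  ff,ff,ff",
    },
    "SmartCard-HSM (4K)": {
        "ATR": "hex:3b,de,18,ff,81,91,fe,1f,c3,80,31,81,54,48,53,4d,31,73,80,21,40,81,07,1c",
        "ATRMask": "hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff",
    },
}


def parse_certutil_atr(dump: str) -> bytes:
    """Extract the ATR bytes from a certutil hex dump, dropping the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        # The hex column is separated from the ASCII rendering by three or more spaces.
        hex_part = re.split(r"\s{3,}", line.strip())[0]
        out.extend(int(tok, 16) for tok in hex_part.split())
    return bytes(out)


def parse_reg_hex(value: str) -> bytes:
    """Parse a .reg 'hex:aa,bb,...' value, joining backslash line continuations."""
    if not value.startswith("hex:"):
        raise ValueError("not a REG_BINARY hex value")
    body = re.sub(r"\\\s*\n\s*", "", value[4:]).replace(" ", "")
    return bytes(int(tok, 16) for tok in body.split(",") if tok)


def atr_matches(card_atr: bytes, entry: dict) -> bool:
    """Match when (card ATR & ATRMask) == ATR byte for byte; equal lengths assumed required."""
    reg_atr = parse_reg_hex(entry["ATR"])
    mask = parse_reg_hex(entry["ATRMask"])
    if not (len(card_atr) == len(reg_atr) == len(mask)):
        return False
    return all((c & m) == r for c, r, m in zip(card_atr, reg_atr, mask))


def matching_entries(card_atr: bytes, entries: dict) -> list:
    """Names of the registry entries whose ATR/ATRMask pair matches the inserted card."""
    return [name for name, entry in entries.items() if atr_matches(card_atr, entry)]
```

With the card ATR from the thread, only the "SmartCard-HSM (4K)" entry matches, which is why the minidriver was not found until that entry was added.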

It’s great you have solved that!

@nitroalex Could you update our guides please?

Edit: Ah, sorry @mstein, I misunderstood: you have reached the final PIN screen and got the signature.

But I still cannot use signtool, yet.

signtool.exe sign /n "codesigntest" /csp "OpenSC CSP" /kc "codesigntest" /fd SHA256 /debug /v test.exe

does not find the certificate on the HSM.

and

signtool sign /f CodeSignTest.cer /csp "OpenSC CSP" /k "0" test.exe

shows me:

80000001 must contain double slashes, which were replaced by single slashes in the above post. I edited the post to correct this.

Now what is the correct commandline?

With jarsigner I am able to sign jars with this certificate. But not yet with signtool from Microsoft.

I’ve managed to perform a code signing operation using signtool with a test key I generated on a SmartCard-HSM. Here is what I did:

  1. Generate an RSA 2048 key pair and a certificate with extended key usage id-kp-codeSigning.
  2. Run certutil -scinfo to display the certificate
  3. Select “Import” in the certificate details view
  4. Verify that the certificate shows up in certmgr.msc
  5. Use signtool filetosign.exe

Created an issue on OpenSC to track progress.

Registry file to add the new ATR after installing OpenSC 0.19 is available in the starterkit and here

Which commandline?

And is it possible without installing the certificate locally? (like with jarsigner)

I used

signtool filetosign.exe

Nothing further. I don’t know if you can do that without installing the certificate first.

Hi,

now I managed to do the signing without extracting the certificate:

signtool.exe sign /tr http://rfc3161timestamp.globalsign.com/advanced /td SHA256 /n "CodeSignTest" test.exe

Now I only have to solve how to automate the PIN request. Other tokens have the option “single sign on”, so you only have to enter the PIN one time, until it is unplugged.

Is there something like that available here too?

Hi,
Did you find a way to implement a “single sign on”?

Hi @zohars,

I automated the PIN request with an AutoIt script. It is searching every 10 seconds for a dialog “Windows-Sicherheit” and then entering the PIN “123456”.

But problem currently: The windows session must be active and may not be locked. The signing cannot run as a “service”, it must be in the same session.

#include <WinAPI.au3>

; Poll every 10 seconds for the Windows security prompt ("Windows-Sicherheit" is its German title)
; and type the PIN into it when it appears.
Local $hWnd, $iCmp, $sClassName = ""

While True
	If WinExists("Windows-Sicherheit") Then
		EnterPin("Windows-Sicherheit")
	EndIf
	Sleep(10000)
WEnd

Func EnterPin($promptTitle)
	$hWnd = WinGetHandle($promptTitle)
	; Only act on the credential dialog, identified by its window class name,
	; so that other windows with the same title are left alone.
	$sClassName = _WinAPI_GetClassName($hWnd)
	$iCmp = StringCompare($sClassName, "Credential Dialog Xaml Host")
	If $iCmp = 0 Then
		WinActivate($hWnd)
		Send("123456{ENTER}")
	EndIf
EndFunc

Thank you for the quick response.
I hope that in the future there will be a better mechanism than having a script which inserts the PIN into the UI window.
I’ve found a similar post - Nitrokey HSM n-of-m Authentication - so I guess that I’ll check for updates.