Using Python/libnitrokey with Nitrokey HSM under macOS


#1

Hi all,

I’m currently programming for the Nitrokey HSM under macOS High Sierra 10.13.3.

I’ve initialised the HSM, generated the DKEK and generated key pairs without any trouble. I’ve also tested with sc-hsm-tool to make sure there are no errors.

I compiled libnitrokey and used the Python bindings example, however I can’t get past the login process. As far as I can tell I’ve set up the device correctly, but wasn’t sure if I needed to call something else to get this to work or if I needed to call it at all.

I set debug to true and set the debug level to highest, however the output wasn’t useful:

[Tue Feb 27 15:45:27 2018][DEBUG_L2]	setDefaultDelay
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	setDefaultDelay
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	connect
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	_connect *IN* 
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	Connection success: 0
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	connect
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	_connect *IN* 
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	Connection success: 0
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	total_comm_runs 0,
    communication_successful 0,
    (
        command_successful_recv 0,
        command_result_not_equal_0_recv 0,
    ),
    sends_executed 0,
    recv_executed 0,
    successful_storage_commands 0,
    total_retries 0,
    (
        busy 0,
        busy_progressbar 0,
        CRC_other_than_awaited 0,
        wrong_CRC 0,
    ),
    low_level_reconnect 0,
    sending_error 0,
    receiving_error 0,
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	disconnect
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	_disconnectSTORAGE
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	_disconnect *IN* 
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	Disconnection success: 1
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	total_comm_runs 0,
    communication_successful 0,
    (
        command_successful_recv 0,
        command_result_not_equal_0_recv 0,
    ),
    sends_executed 0,
    recv_executed 0,
    successful_storage_commands 0,
    total_retries 0,
    (
        busy 0,
        busy_progressbar 0,
        CRC_other_than_awaited 0,
        wrong_CRC 0,
    ),
    low_level_reconnect 0,
    sending_error 0,
    receiving_error 0,
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	disconnect
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	_disconnectPRO
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	_disconnect *IN* 
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	Disconnection success: 1
Could not connect to Nitrokey

Any pointers would be appreciated.


#2

Hi,

Maybe I misunderstood something, but libnitrokey is the basis for working with the Nitrokey Pro and Nitrokey Storage. The HSM is not used with this lib… You should have a look at the OpenSC project instead.

@szszszsz can you please confirm?

Kind regards
Alex


#3

Hi @paulmalyschko!

Sorry, I somehow did not get an email notice about your post and I missed it.
As @nitroalex mentioned, libnitrokey at the moment supports only the additional (that is, besides smartcard) features of the Pro and Storage devices - Password Safe, OTP and encrypted storage.
For smartcard-related functionality, OpenSC should be best with the Nitrokey HSM. For the Pro, Start and Storage, GPGME would probably be better.
I will update libnitrokey's readme to make that clear.

Could I ask what your initial plans were? I could perhaps give you some more clues.

Edit: here I have made a brief Pro vs HSM comparison


#4

It seems the e-mail server wasn’t delivering. I got a heap of e-mails at the same time which I was expecting a week ago when trying to confirm my e-mail address. Oh well.

Apologies, I’ve never worked with smartcard technology, so it’s all new to me. I eventually made the connection that libnitrokey was only for the Storage and Pro. The clues were there, but it wasn’t explicitly mentioned, so I wasn’t sure.

Initial plans are to demo initialising and encrypting/decrypting files programmatically in Python, but looks like I’ll have to use a package like python-pkcs11 for that. At the moment I’m just calling the same command line programs in the documentation.

I’m about to write the encryption/decryption part right now, shouldn’t be too hard.


#5

Looks like it. Sorry about that.

No need! This is what the forum is for. I will make sure this is explicit to avoid confusion.

We actually have a similar project, if you would like to peek - Nitrokey Encryption Tool.


#6

I had a quick look, and it helped me organise my thoughts. I ended up making a Nitrokey Python package (though it’s not close to finished), which I’d like to open source at some point if I can convince my employer to do so.