Windows NitroKey HSM pkcs11-tool CKR_DATA_LEN_RANGE

Any suggestions why pkcs11-tool fails to chat to the NitroHSM [note there are two smart cards plugged in]?

openssl version
OpenSSL 3.0.1 14 Dec 2021 (Library: OpenSSL 3.0.1 14 Dec 2021)
D:\Development\openssl>"C:\Program Files (x86)\OpenSC Project\OpenSC\tools\opensc-tool" -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Gemalto USB SmartCard Reader 0
1    Yes             Nitrokey Nitrokey HSM 0
D:\Development\openssl>"C:\Program Files (x86)\OpenSC Project\OpenSC\tools\pkcs15-tool" --reader 1 --version
OpenSC-0.22.0-rc1-74-gc902e199, rev: c902e199, commit-time: 2021-08-10 11:09:03 +0200
D:\Development\openssl>openssl engine dynamic -pre ID:pkcs11 -pre SO_PATH:D:\Development\openssl\pkcs11.dll -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:D:\Development\openssl\opensc-pkcs11.dll
(dynamic) Dynamic engine loading support
[Success]: ID:pkcs11
[Success]: SO_PATH:D:\Development\openssl\pkcs11.dll
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:D:\Development\openssl\opensc-pkcs11.dll
Loaded: (pkcs11) pkcs11 engine
D:\Development\openssl>"C:\Program Files (x86)\OpenSC Project\OpenSC\tools\pkcs11-tool" --module "C:\Program Files (x86)\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll" --list-objects --pin 648219
error: PKCS11 function C_GetSlotInfo failed: rv = CKR_DATA_LEN_RANGE (0x21)
Aborting.
D:\Development\openssl>"C:\Program Files (x86)\OpenSC Project\OpenSC\tools\pkcs15-tool" --reader 1 -D
PKCS#15 Card [SmartCard-HSM]:
        Version        : 0
        Serial number  : DENK0106188
        Manufacturer ID: www.CardContact.de
        Flags          :


PIN [UserPIN]
        Object Flags   : [0x03], private, modifiable
        Auth ID        : 02
        ID             : 01
        Flags          : [0x812], local, initialized, exchangeRefData
        Length         : min_len:6, max_len:15, stored_len:0
        Pad char       : 0x00
        Reference      : 129 (0x81)
        Type           : ascii-numeric
        Path           : e82b0601040181c31f0201::
        Tries left     : 3

PIN [SOPIN]
        Object Flags   : [0x01], private
        ID             : 02
        Flags          : [0x9A], local, unblock-disabled, initialized, soPin
        Length         : min_len:16, max_len:16, stored_len:0
        Pad char       : 0x00
        Reference      : 136 (0x88)
        Type           : bcd
        Path           : e82b0601040181c31f0201::
        Tries left     : 15

Private RSA Key [38cf54946028d893f6d14b462d71e4c8ed9bed57]
        Object Flags   : [0x01], private
        Usage          : [0x2E], decrypt, sign, signRecover, unwrap
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        Algo_refs      : 0
        ModLength      : 4096
        Key ref        : 1 (0x01)
        Native         : yes
        Auth ID        : 01
        ID             : 01
        MD:guid        : b0c55d7a-57c1-7984-7805-e760635db0ea

Private EC Key [CA_private2]
        Object Flags   : [0x03], private, modifiable
        Usage          : [0x10C], sign, signRecover, derive
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        Algo_refs      : 0
        FieldLength    : 256
        Key ref        : 2 (0x02)
        Native         : yes
        Auth ID        : 01
        ID             : 10
        MD:guid        : 195731c7-84d8-3dd9-65d7-d8773754f3aa

Public EC Key [CA_private2]
        Object Flags   : [0x00]
        Usage          : [0x40], verify
        Access Flags   : [0x02], extract
        FieldLength    : 256
        Key ref        : 0 (0x00)
        Native         : no
        ID             : 10
        DirectValue    : <present>

X.509 Certificate [38cf54946028d893f6d14b462d71e4c8ed9bed57]
        Object Flags   : [0x00]
        Authority      : no
        Path           : ce01
        ID             : 01
        Encoded serial : 02 09 008610DAE1CDEBF726

  1. Does it work with dropping the --module switch?
  2. Can you check if sc-hsm-tool (from the OpenSC suite) queries the card and lists its details?

I think the problem is you do not tell pkcs11-tool which token to use.

What does pkcs11-tool.exe -T say?

--slot, --slot-index, and --slot-description options might be helpful here.
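An added example (not code from the thread) of the approach suggested above: derive the slot id for the Nitrokey token from `pkcs11-tool -T` output by token label or serial number, then pass it explicitly with --slot instead of letting pkcs11-tool guess among several readers. The second slot in the sample listing is constructed, standing in for the other card in the Gemalto reader; only the Nitrokey slot is taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): select the PKCS#11 slot for a token by
# its label or serial from `pkcs11-tool -T` output and pass it via --slot.

# Constructed sample: the Nitrokey slot as shown in the thread plus a made-up
# second slot standing in for the other card in the Gemalto reader.
SAMPLE_SLOT_LIST='Available slots:
Slot 0 (0x4): Nitrokey Nitrokey HSM 0
  token label        : SmartCard-HSM (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  serial num         : DENK0106188
  pin min/max        : 6/15
Slot 1 (0x5): Gemalto USB SmartCard Reader 0
  token label        : Example Logon Card (constructed)
  token manufacturer : example.invalid
  serial num         : EXAMPLE000001'

# slot_id_for_token WANT: reads `pkcs11-tool -T` output on stdin and prints the
# hex slot id (e.g. 0x4) of the first slot whose token label or serial number
# contains WANT. Exit status is 1 when no slot matches.
slot_id_for_token() {
    awk -v want="$1" '
        /^Slot [0-9]+ \(0x[0-9a-fA-F]+\):/ {
            id = $3; gsub(/[():]/, "", id)        # "(0x4):" -> "0x4"
        }
        /^[ \t]*(token label|serial num)[ \t]*:/ {
            sub(/^[^:]*:[ \t]*/, "")              # keep only the value
            if (id != "" && index($0, want) > 0) { print id; found = 1; exit }
        }
        END { exit !found }'
}

# Usage against the live tool:
#   id=$(pkcs11-tool -T | slot_id_for_token "SmartCard-HSM") &&
#   pkcs11-tool --slot "$id" --list-objects
# Below, the constructed sample stands in for the live output.
if id=$(printf '%s\n' "$SAMPLE_SLOT_LIST" | slot_id_for_token "DENK0106188"); then
    echo "Nitrokey HSM is in slot $id; run: pkcs11-tool --slot $id --list-objects"
else
    echo "no slot with a matching token label or serial" >&2
fi
```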

> C:\Program Files (x86)\OpenSC Project\OpenSC\tools>pkcs11-tool -T
> Available slots:
> Slot 0 (0x4): Nitrokey Nitrokey HSM 0
>   token label        : SmartCard-HSM (UserPIN)
>   token manufacturer : www.CardContact.de
>   token model        : PKCS#15 emulated
>   token flags        : login required, rng, token initialized, PIN initialized
>   hardware version   : 24.13
>   firmware version   : 3.4
>   serial num         : DENK0106188
>   pin min/max        : 6/15
C:\Program Files (x86)\OpenSC Project\OpenSC\tools>pkcs11-tool --list-objects --pin 648219
error: PKCS11 function C_GetSlotInfo failed: rv = CKR_DATA_LEN_RANGE (0x21)
Aborting.
sc-hsm-tool
Using reader with a card: Gemalto USB SmartCard Reader 0
Failed to connect to card: Wrong length
Failed to connect to card: Success
  1. Ok, so the sc-hsm-tool's output is wrong due to not selecting the right reader. Can you check again?
  2. Regarding pkcs11-tool --list-objects, can you run it with the debug env variable set - OPENSC_DEBUG=9 - and send the logs?
    Mind this will contain the whole traffic between the smartcard and the tool. This should not contain any secrets as long as you do not send any PINs during execution. It’s best to use some temporary non-secret PIN for the time being.
  3. I see you are using an OpenSC RC.1 release - can you try something else? Preferably stable. E.g.
  4. Can you potentially check if that problem reproduces on Linux?

Potentially connected issues with the same error code:

C:\Program Files (x86)\OpenSC Project\OpenSC\tools>sc-hsm-tool -r 1
Version              : 3.4
SO-PIN tries left    : 15
User PIN tries left  : 3
DKEK shares          : 1
DKEK key check value : B97A8504FF5F448C

The log is 5400 lines long, could you enable txt file upload?

Indeed, txt or zips are not available. Can you send it compressed to support@nitrokey.com instead?

@jan @daringer Can you enable zip uploads please?

added zip upload (very limited size),
test.zip (163 Bytes)


Tried on another Windows 10 machine, which doesn’t use an external smart card for user authentication.

And the command
pkcs11-tool --list-objects --pin 648219
works.

Need to investigate further.

Many thanks.


Does it work on machine number one with only one token? I think that the Gemalto is confusing OpenSC.

Removing the security smart card causes the PC to become disabled.

Just in case someone else sees this:

There is a way around this [I’m using the Nitrokey for signing, and extracting X.509 certificates]

  • I tried using openssl with engine “pkcs11” and a complete URI, but that suffers from the same problem as mentioned earlier.

OpenSC contains a util called pkcs15-crypt [it has a reader option] and you can use this for signing [if you intend to use off the shelf hashes]

OpenSC also contains a util pkcs15-tool which can be used for extracting the X.509 certificate.


Yes, the problem is with PKCS #11 interface only. And I think the problem is with the card in the Gemalto USB reader, not with Nitrokey.

This is unlikely to be exactly this issue (Error signing with NitroKey HSM and opensc 0.22 with algorithm CKM_ECDSA_SHA256 · Issue #2469 · OpenSC/OpenSC · GitHub), since that happens later during signing - and here we are just listing tokens.

I think sc-hsm-tool is telling the truth - “Wrong length” when accessing card reader number 0, “Success” when accessing the next one.

Can you post some details of the card in the Gemalto reader? (like its answer to reset, ATR)?

Is pkcs11-tool -O --slot 0 any better?

You can also try to ignore the Gemalto reader:

        # List of readers to ignore
        # If any of the strings listed below is matched in a reader name (case
        # sensitive, partial matching possible), the reader is ignored by OpenSC.
        # Use `opensc-tool --list-readers` to see all currently connected readers.
        #
        # Default: empty
        # ignored_readers = "CardMan 1021", "SPR 532";

So the minimal opensc.conf configuration file could be something like this:

app default {
	ignored_readers = "Gemalto USB SmartCard Reader 0"
}

This is still a workaround, it would be great to help OpenSC to identify your other card.

I am using this opensc.conf to get as much as I can out of OpenSC:

app default {
        debug = 9;
        debug_file = "opensc-debug.log";
}