This is a Nitrokey HSM 2, first at firmware 3.3, then 3.4.
Using what I believe I have downloaded as scsh 3.17.502, but it reports itself as “Smart Card Shell Scripting Engine (scdp4j) 3.17.401”.
Before the firmware upgrade I had created a group signer key for XKEK and followed the XKEK tutorial to create the domain and exchange keys; all worked fine.
Since I had anticipated that I would need to upgrade that token to a new firmware, the group signer was created on a separate DKEK, and I could export it to a .wky file.
After the firmware upgrade:
- I have restored the DKEK.
- Exported the new identity (it changes after a firmware upgrade).
- Generated a new KDM (3.4 static membership).
Now an attempt to use the Key Domain Membership file results in the following error:
GPError: shell (USER_DEFINED/0) - "Assertion failed" in .../scsh3.17.502/config.js#49 at .../scsh3.17.502/config.js#49 at .../scsh3.17.502/keymanager/keymanager.js#537 at .../scsh3.17.502/keymanager/keymanager.js#2418
This points to the line:
assert(groupkey.verifyATWith(this.crypto, devcert.getPublicKey(root.getPublicKey()), devcert.getPublicKeyOID()));
Does this mean the group signer certificate is no longer valid because the device ID it is hosted on has changed?
How can I make my group signer portable across devices?
Everything works fine if I use a new group signer, generated after the firmware upgrade.