PicoHSM Slot Behavior Inconsistency Between Ubuntu and Windows #74

Closed
opened 2025-01-15 23:15:32 +08:00 by Otmane65 · 19 comments

When using PicoHSM on Ubuntu, I've encountered several inconsistencies compared to Windows behavior:

Slot Detection

  • On Ubuntu: PicoHSM appears as two slots
  • On Windows: PicoHSM appears as a single slot
    ![image](https://github.com/user-attachments/assets/62195805-2c18-4385-9440-e22a5a436bbd)

Initialization and Login Issues

  • Initial setup works correctly
  • Direct token generation fails

Login behavior:

  • Fails when using slot 0
  • Works when explicitly specifying slot ID 4
    ![image](https://github.com/user-attachments/assets/972dfaa8-9138-41db-ba17-9996524849f7)

Impact on OpenSSL Operations

The slot ID discrepancy (slot 4 vs slot 0) causes issues with subsequent OpenSSL operations, affecting the overall workflow.

Can you try with v5.2?

yes the same issue with v5.2

Which OpenSC version do you use? I got different outputs. I'm using v0.26. Check it and upgrade it if needed.

I have successfully upgraded OpenSC to version 0.26 by compiling it manually. However, I am still facing the same issue. I
![image](https://github.com/user-attachments/assets/7c2a8051-f3ce-443f-8bf8-04d655400edc)

Is it possible to test PicoHSM functionalities with an ESP8266? If yes, how can I integrate the ESP8266 for such testing?

No, it's not. Only ESP32-S3 is supported.

Can you run `opensc-tool -l`?

Same issue here

```
Ubuntu 22.04
OpenSC 0.26.1 manually compiled
pico_hsm_pico-5.2.uf2
```

```
$ pkcs11-tool -L
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM [Pico Key CCID OTP FIDO Interfac] (E660...
  token label        : Pico-HSM
  token manufacturer : Pol Henarejos
  token model        : PKCS#15 emulated
  token flags        : login required, PIN pad present, rng, token initialized, PIN initialized
  hardware version   : 24.13
  firmware version   : 5.2
  serial num         : ESPICOHSMTR
  pin min/max        : 6/15
  uri                : pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM
Slot 1 (0x4): Nitrokey Nitrokey HSM [Pico Key WebCCID Interface] (E660...
  token label        : Pico-HSM
  token manufacturer : Pol Henarejos
  token model        : PKCS#15 emulated
  token flags        : login required, PIN pad present, rng, token initialized, PIN initialized
  hardware version   : 24.13
  firmware version   : 5.2
  serial num         : ESPICOHSMTR
  pin min/max        : 6/15
  uri                : pkcs11:model=PKCS%2315%20emulated;manufacturer=Pol%20Henarejos;serial=ESPICOHSMTR;token=Pico-HSM
```

```
$ pkcs11-tool --login --pin 648219 --test --slot 0
error: PKCS11 function C_Login failed: rv = CKR_GENERAL_ERROR (0x5)
Aborting.
$ pkcs11-tool --login --pin 648219 --test --slot 4
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  RIPEMD160: OK
  SHA-1: OK
  SHA256: OK
Ciphers: not implemented
Signatures (currently only for RSA)
  testing key 0 (root)  -- non-RSA, skipping
  testing key 1 (intermediate)  -- non-RSA, skipping
Signatures: no private key found in this slot
Verify (currently only for RSA)
  testing key 0 (root) -- non-RSA, skipping
  testing key 1 (intermediate) with 1 mechanism -- non-RSA, skipping
Decryption (currently only for RSA)
  testing key 0 (root) -- non-RSA, skipping
  testing key 1 (intermediate) -- non-RSA, skipping
No errors
```

```
$ opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Nitrokey Nitrokey HSM [Pico Key CCID OTP FIDO Interfac] (E66XXXXXX) 00 00
1    Yes             Nitrokey Nitrokey HSM [Pico Key WebCCID Interface] (E66XXXXXX) 01 00
```
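The two-slot listing above is easy to misread: `pkcs11-tool --slot` takes the slot ID shown in parentheses (`0x4`), while the leading `Slot 1` is only the list position (what `--slot-index` takes), which is why `--slot 4` logs in and `--slot 0` lands on the other interface of the same device. The following Python script is an added example, not code from pico-hsm or OpenSC: it parses a `pkcs11-tool -L` listing, groups slots by token serial, and reports a device that shows up behind more than one slot. The embedded sample listing is constructed from the output posted above (reader names truncated as posted).

```python
"""Parse `pkcs11-tool -L` output and group slots by token serial.

Added example for this issue thread; not part of pico-hsm or OpenSC.
The slot ID in parentheses (e.g. 0x4) is what `pkcs11-tool --slot` expects;
the leading "Slot N" number is only the list index (`--slot-index`).
"""
import re
from collections import defaultdict

SLOT_RE = re.compile(r"^Slot (\d+) \((0x[0-9a-fA-F]+)\): (.*)$")
FIELD_RE = re.compile(r"^\s+([a-z][a-z /]*?)\s*: (.*)$")

# Constructed sample, copied from the listing posted in this thread.
SAMPLE = """\
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM [Pico Key CCID OTP FIDO Interfac] (E660...
  token label        : Pico-HSM
  token manufacturer : Pol Henarejos
  token model        : PKCS#15 emulated
  token flags        : login required, PIN pad present, rng, token initialized, PIN initialized
  hardware version   : 24.13
  firmware version   : 5.2
  serial num         : ESPICOHSMTR
  pin min/max        : 6/15
Slot 1 (0x4): Nitrokey Nitrokey HSM [Pico Key WebCCID Interface] (E660...
  token label        : Pico-HSM
  token manufacturer : Pol Henarejos
  token model        : PKCS#15 emulated
  token flags        : login required, PIN pad present, rng, token initialized, PIN initialized
  hardware version   : 24.13
  firmware version   : 5.2
  serial num         : ESPICOHSMTR
  pin min/max        : 6/15
"""


def parse_slots(text):
    """Return one dict per slot: list index, numeric slot ID, reader name and token fields."""
    slots = []
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            slots.append({"index": int(m.group(1)), "id": int(m.group(2), 16),
                          "reader": m.group(3).strip(), "fields": {}})
            continue
        m = FIELD_RE.match(line)
        if m and slots:
            # Indented "key : value" lines belong to the most recent slot.
            slots[-1]["fields"][m.group(1).strip()] = m.group(2).strip()
    return slots


def token_flags(slot):
    """The comma-separated 'token flags' field as a set of flag names."""
    raw = slot["fields"].get("token flags", "")
    return {f.strip() for f in raw.split(",") if f.strip()}


def slots_by_serial(slots):
    """Group slots by the 'serial num' field; slots without a serial are ignored."""
    groups = defaultdict(list)
    for s in slots:
        serial = s["fields"].get("serial num")
        if serial:
            groups[serial].append(s)
    return dict(groups)


def duplicate_tokens(slots):
    """Serials that appear behind more than one slot, mapped to their slot IDs.

    One physical device enumerated through several USB interfaces (CCID and
    WebCCID here) looks exactly like this; the token label alone cannot tell
    the slots apart, so the caller has to pick a slot ID explicitly.
    """
    return {serial: [s["id"] for s in group]
            for serial, group in slots_by_serial(slots).items() if len(group) > 1}


def slot_args(slot):
    """Command-line arguments for pkcs11-tool: the slot ID, never the list index."""
    return ["--slot", str(slot["id"])]


if __name__ == "__main__":
    import sys
    # Pipe real output in (`pkcs11-tool -L | python3 slots.py`) or run on the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    slots = parse_slots(text)
    for s in slots:
        print(f"index {s['index']}  --slot {s['id']}  serial={s['fields'].get('serial num')}  {s['reader']}")
    for serial, ids in duplicate_tokens(slots).items():
        print(f"serial {serial} is behind slot IDs {ids}: one device on several interfaces?")
```

Run it on the live listing with `pkcs11-tool -L | python3 slots.py`; the `--slot` value it prints per line is the one to pass to `pkcs11-tool`. Since both entries carry the same label and serial, `--token-label` does not disambiguate them either, so when the script reports a duplicate the practical choice is to try each reported slot ID with a login test, as done above.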

Seems a bug with CCID 1.5 and above. It looks through the different interfaces and tries loading them if the descriptor is a Smart Card class. CCID and WebCCID are Smart Card descriptors, so both are loaded. However, since both belong to the same, only the last is opened and this is why you can communicate only with slot 4 (webCCID).

I pushed a tweak by changing maxSlot of WebCCID to a wrong value to cause a timeout in LibCCID and deactivate this interface, leaving only 1. This still works with WebUSB Commissioner since it does not check maxSlot value.

Can you try with the development branch? A [nightly build](https://github.com/polhenarejos/pico-hsm/releases/tag/nightly-development) will be available tomorrow if you don't want to build it.

Update:
my bad, i flashed the previous nightly build 5.0 version.

seems working now :) and all commands take some more time to run

```
$ opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Nitrokey Nitrokey HSM [Pico Key CCID OTP FIDO Interfac] (E660) 00 00
```

```
$ pkcs11-tool --login --pin 648219 --test
Using slot 0 with a present token (0x0)
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  RIPEMD160: OK
  SHA-1: OK
  SHA256: OK
Ciphers: not implemented
Signatures (currently only for RSA)
Signatures: no private key found in this slot
Verify (currently only for RSA)
  No private key found for testing
Decryption (currently only for RSA)
No errors
```

You have to use v5.2 from the development nightly build.

i have tested the v5.2 nightly build for a while, all functions seem to work fine, just need to wait more time for that timeout.
and why did `pico-hsm-tool.py phy wcid disable` not disable the WebCCID interface?

I forgot to remove it from the tool. WebCCID is used by Pico Commissioner through WebUSB, so it cannot be disabled anymore.
The thing is that this is a bug from LibCCID that happens on newer versions. For instance, it doesn't happen in macOS. So apparently the Linux user has to decide between the slot timeout or Pico Commissioner.

I'm also facing the same problem, as multiple slots/cards are appearing.

I have downloaded the latest nightly (seems like it was built 12 hours ago) and flashed it, but instead of reducing to a single slot, another slot appeared:

```
$ opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             PicoHSM [Pico Key CCID OTP FIDO Interfac] (E663xxxx) 00 00
1    Yes             PicoHSM [Pico Key WebCCID Interface] (E663xxxx) 01 00
2    Yes             PicoHSM [Pico Key WebCCID Interface] (E663xxxx) 01 01
```

opensc is version 0.21, on Debian 11. Let me know what other information is required.

It was corrected in the development nightly build. Are you using stable or development?

It says "nightly development", according to the link you posted above. Downloaded the UF2 a few times just to double-check. I'm using the `waveshare-rp2040-zero` build.

I’d need the log of pcscd.

  1. Terminate pcscd service.
  2. Execute `sudo LIBCCID_ifdLogLevel=0x000F pcscd --foreground --debug --apdu --color | tee -i log.txt`
  3. Wait for 5-10 seconds and kill it by ctrl-c.
  4. Upload log.txt file.

I've gathered the log from pcscd as requested. I kept the original PID/VID and added it to /etc/libccid_Info.plist to get pcscd to recognize the device and use the generic driver.

[pcscd-log.txt](https://github.com/user-attachments/files/18763249/pcscd-log.txt)

I pushed some changes in the development branch. Can you check them?

Looks like it's working now. It's down to 1 card only. Thanks!