Failed to initialize BCCSP PKCS11 in Fabric CA with HSM

In one of my projects I am using Fabric CA as the root certificate authority with a NitroKey2 HSM, following these guides:

For Fabric CA: https://hyperledger-fabric.readthedocs.io/en/release-2.2/hsm.html

For NitroKey: https://docs.nitrokey.com/hsm/linux/certificate-authority.html

Some of the main steps are listed below, and they end with the logs showing:

    Error: Failed to get BCCSP with opts: Could not initialize BCCSP PKCS11: pkcs11: could not find token with label test

Question: Has anyone worked with a similar setup and do you have any comments on this?

Logs of some of the main steps:

Step 1: initialize the slot with the label test

    ➜ NHSM pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --init-token --init-pin --so-pin=0123456789012345 --new-pin=123456 --label="test" --pin=648219 --slot-index 0
    Using slot with index 0 (0x0)
    Token successfully initialized
    User PIN successfully initialized
    ➜ NHSM
    ➜ NHSM pkcs11-tool -O
    Using slot 0 with a present token (0x0)
    Profile object 1849802432
    profile_id: '4'
    ➜ NHSM

Next step:

Follow the Fabric CA documentation, i.e. build fabric-ca-server with the pkcs11 option and configure bccsp:

    bccsp:
      default: PKCS11
      pkcs11:
        library: /usr/local/lib/opensc-pkcs11.so
        pin: "123456"
        hash: SHA2
        security: 256
        label: test
        Immutable: false

Started the native Fabric CA server, but the logs show the following:

    2022/05/02 10:41:32 [DEBUG] Initializing BCCSP with PKCS11 options {SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore: DummyKeystore: Library:/usr/local/lib/opensc-pkcs11.so Label:****** Pin:****** SoftVerify:false Immutable:false AltId:}
    2022/05/02 10:41:32 [DEBUG] Closing server DBs
    Error: Failed to get BCCSP with opts: Could not initialize BCCSP PKCS11: pkcs11: could not find token with label test

The OpenSC logs show the following:

    P:17405; T:0x123145467105280 10:31:48.160 [opensc-pkcs11] slot.c:448:slot_allocate: Allocated slot 0x0 for card in reader Nitrokey Nitrokey HSM
    P:17405; T:0x123145467105280 10:31:48.160 [opensc-pkcs11] framework-pkcs15.c:1124:pkcs15_init_slot: Called
    P:17405; T:0x123145467105280 10:31:48.160 [opensc-pkcs11] framework-pkcs15.c:1216:pkcs15_init_slot: Initialized slot 0x0 with token test (UserPIN) www.CardContact.de PKCS#15 emulatedDENK0106167
    P:17405; T:0x123145467105280 10:31:48.160 [opensc-pkcs11] framework-pkcs15.c:1450:_add_pin_related_objects: Add objects related to PIN('UserPIN',ID:01)
    P:17405; T:0x123145467105280 10:31:48.160 [opensc-pkcs11] framework-pkcs15.c:1668:pkcs15_create_tokens: Add public objects to slot 0x9f04290
    P:17405; T:0x123145467105280 10:31:48.161 [opensc-pkcs11] framework-pkcs15.c:1514:_add_public_objects: 0 public objects to process
    P:17405; T:0x123145467105280 10:31:48.161 [opensc-pkcs11] framework-pkcs15.c:1067:pkcs15_add_object: Slot:0 Setting object handle of 0x0 to 0x8d1cdf0
    P:17405; T:0x123145467105280 10:31:48.161 [opensc-pkcs11] framework-pkcs15.c:1672:pkcs15_create_tokens: All tokens created
    P:17405; T:0x123145467105280 10:31:48.161 [opensc-pkcs11] slot.c:374:card_detect: Nitrokey Nitrokey HSM: Detection ended
    P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] slot.c:430:card_detect_all: All cards detected
    P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] pkcs11-global.c:352:C_Initialize: C_Initialize() = CKR_OK
    P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] pkcs11-global.c:490:C_GetSlotList: C_GetSlotList(token=1, plug-n-play)
    P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] pkcs11-global.c:491:C_GetSlotList: VSS C_GetSlotList before ctx_detect_detect
    P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] reader-pcsc.c:1386:pcsc_detect_readers: called
    P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] reader-pcsc.c:1399:pcsc_detect_readers: Probing PC/SC readers
    P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] reader-pcsc.c:1568:pcsc_detect_readers: returning with: 0 (Success)
    P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] pkcs11-global.c:497:C_GetSlotList: VSS C_GetSlotList after ctx_detect_readers
    P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] slot.c:391:card_detect_all: Detect all cards
    P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] slot.c:217:card_detect: Nitrokey Nitrokey HSM: Detecting smart card
    P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] sc.c:335:sc_detect_card_presence: called
    P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] reader-pcsc.c:472:pcsc_detect_card_presence: called
    P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] reader-pcsc.c:360:refresh_attributes: Nitrokey Nitrokey HSM check
    P:17405; T:0x123145467105280 10:31:48.163 [opensc-pkcs11] reader-pcsc.c:407:refresh_attributes: current state: 0x00000122
    P:17405; T:0x123145467105280 10:31:48.163 [opensc-pkcs11] reader-pcsc.c:408:refresh_attributes: previous state: 0x00000022
    P:17405; T:0x123145467105280 10:31:48.163 [opensc-pkcs11] reader-pcsc.c:464:refresh_attributes: card present
    P:17405; T:0x123145467105280 10:31:48.163 [opensc-pkcs11] reader-pcsc.c:477:pcsc_detect_card_presence: returning with: 5
    P:17405; T:0x123145467105280 10:31:48.163 [opensc-pkcs11] sc.c:340:sc_detect_card_presence: returning with: 5
    P:17405; T:0x123145467105280 10:31:48.163 [opensc-pkcs11] slot.c:374:card_detect: Nitrokey Nitrokey HSM: Detection ended
    P:17405; T:0x123145467105280 10:31:48.164 [opensc-pkcs11] slot.c:430:card_detect_all: All cards detected
    P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] pkcs11-global.c:533:C_GetSlotList: VSS C_GetSlotList after card_detect_all
    P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] pkcs11-global.c:536:C_GetSlotList: was only a size inquiry (1)
    P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] pkcs11-global.c:490:C_GetSlotList: C_GetSlotList(token=1, refresh)
    P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] pkcs11-global.c:491:C_GetSlotList: VSS C_GetSlotList before ctx_detect_detect
    P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] pkcs11-global.c:497:C_GetSlotList: VSS C_GetSlotList after ctx_detect_readers
    P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] slot.c:391:card_detect_all: Detect all cards
    P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] slot.c:217:card_detect: Nitrokey Nitrokey HSM: Detecting smart card
    P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] sc.c:335:sc_detect_card_presence: called
    P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] reader-pcsc.c:472:pcsc_detect_card_presence: called
    P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] reader-pcsc.c:360:refresh_attributes: Nitrokey Nitrokey HSM check
    P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] reader-pcsc.c:385:refresh_attributes: returning with: 0 (Success)
    P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] reader-pcsc.c:477:pcsc_detect_card_presence: returning with: 5
    P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] sc.c:340:sc_detect_card_presence: returning with: 5
    P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] slot.c:374:card_detect: Nitrokey Nitrokey HSM: Detection ended
    P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] slot.c:430:card_detect_all: All cards detected
    P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] pkcs11-global.c:533:C_GetSlotList: VSS C_GetSlotList after card_detect_all
    P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] pkcs11-global.c:541:C_GetSlotList: VSS C_GetSlotList after slot->id reassigned
    P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] pkcs11-global.c:554:C_GetSlotList: returned 1 slots
    P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] pkcs11-global.c:555:C_GetSlotList: VSS Returning a new slot list
    P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] framework-pkcs15.c:552:C_GetTokenInfo: C_GetTokenInfo(0)
    P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] slot.c:470:slot_get_token: Slot(id=0x0): get token
    P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] slot.c:488:slot_get_token: Slot-get-token returns OK
    P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] framework-pkcs15.c:591:C_GetTokenInfo: C_GetTokenInfo() auth. object 0x580fa00, token-info flags 0x40D
    P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] pkcs15-pin.c:707:sc_pkcs15_get_pin_info: called
    P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] card.c:473:sc_lock: called
    P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] reader-pcsc.c:685:pcsc_lock: called
    P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] card.c:513:sc_lock: returning with: 0 (Success)
    P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] card.c:844:sc_select_file: called; type=0, path=e82b0601040181c31f0201::
    P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] card.c:879:sc_select_file: returning with: 0 (Success)
    P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] sec.c:200:sc_pin_cmd: called
    P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] apdu.c:548:sc_transmit_apdu: called
    P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] card.c:473:sc_lock: called
    P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] card.c:513:sc_lock: returning with: 0 (Success)
    P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] apdu.c:515:sc_transmit: called
    P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] apdu.c:363:sc_single_transmit: called
    P:17405; T:0x123145467105280 10:31:48.168 [opensc-pkcs11] apdu.c:370:sc_single_transmit: CLA:0, INS:20, P1:0, P2:81, data(0) 0x700009d28620
    P:17405; T:0x123145467105280 10:31:48.168 [opensc-pkcs11] reader-pcsc.c:323:pcsc_transmit: reader 'Nitrokey Nitrokey HSM'
    P:17405; T:0x123145467105280 10:31:48.168 [opensc-pkcs11] reader-pcsc.c:324:pcsc_transmit:
    Outgoing APDU (4 bytes):
    00 20 00 81 . ...

    P:17405; T:0x123145467105280 10:31:48.168 [opensc-pkcs11] reader-pcsc.c:242:pcsc_internal_transmit: called
    P:17405; T:0x123145467105280 10:31:48.200 [opensc-pkcs11] reader-pcsc.c:333:pcsc_transmit:
    Incoming APDU (2 bytes):
    63 C3 c�

    P:17405; T:0x123145467105280 10:31:48.200 [opensc-pkcs11] apdu.c:382:sc_single_transmit: returning with: 0 (Success)
    P:17405; T:0x123145467105280 10:31:48.200 [opensc-pkcs11] apdu.c:537:sc_transmit: returning with: 0 (Success)
    P:17405; T:0x123145467105280 10:31:48.200 [opensc-pkcs11] card.c:523:sc_unlock: called
    P:17405; T:0x123145467105280 10:31:48.200 [opensc-pkcs11] iso7816.c:123:iso7816_check_sw: PIN not verified (remaining tries: 3)
    P:17405; T:0x123145467105280 10:31:48.200 [opensc-pkcs11] card-sc-hsm.c:768:sc_hsm_pin_cmd: returning with: 0 (Success)
    P:17405; T:0x123145467105280 10:31:48.200 [opensc-pkcs11] sec.c:256:sc_pin_cmd: returning with: 0 (Success)
    P:17405; T:0x123145467105280 10:31:48.200 [opensc-pkcs11] card.c:523:sc_unlock: called
    P:17405; T:0x123145467105280 10:31:48.201 [opensc-pkcs11] reader-pcsc.c:737:pcsc_unlock: called
    P:17405; T:0x123145467105280 10:31:48.201 [opensc-pkcs11] pkcs15-pin.c:742:sc_pkcs15_get_pin_info: returning with: 0 (Success)
    P:17405; T:0x123145467105280 10:31:48.201 [opensc-pkcs11] framework-pkcs15.c:609:C_GetTokenInfo: C_GetTokenInfo(0) returns CKR_OK
    2022/05/02 10:31:48 [DEBUG] Closing server DBs
    Error: Failed to get BCCSP with opts: Could not initialize BCCSP PKCS11: pkcs11: could not find token with label test

1 answer

While debugging fabric-ca (see https://github.com/hyperledger/fabric-ca), it was found that the HSM token label differs from what was originally supplied on the command line: the HSM appended an extra string as a suffix to the label, which made the configured label non-existent, so fabric-ca was not working with the NitroKey HSM.

During the initialization phase the label was given as "test", but it was stored in the NitroKey as test (UserPIN).

Initialization phase:

    ➜ NHSM pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --init-token --init-pin --so-pin=0123456789012345 --new-pin=123456 --label="test" --pin=648219 --slot-index 0
    Using slot with index 0 (0x0)
    Token successfully initialized
    User PIN successfully initialized
    ➜ NHSM
    ➜ NHSM pkcs11-tool -O
    Using slot 0 with a present token (0x0)
    Profile object 1849802432
    profile_id: '4'
    ➜ NHSM

Label given as test, but stored as test (UserPIN):

    ➜  NHSM pkcs11-tool -L
    Available slots:
    Slot 0 (0x0): Nitrokey Nitrokey HSM
      token label        : test (UserPIN)
      token manufacturer : www.CardContact.de
      token model        : PKCS#15 emulated
      token flags        : login required, rng, token initialized, PIN initialized
      hardware version   : 24.13
      firmware version   : 3.4
      serial num         : DENK0106167
      pin min/max        : 6/15

Changed the bccsp configuration (label: test (UserPIN) instead of label: test):

    bccsp:
      default: PKCS11
      pkcs11:
        library: /usr/local/lib/opensc-pkcs11.so
        pin: "123456"
        hash: SHA2
        security: 256
        label: test (UserPIN)
        Immutable: false
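As an added preflight check (an example script written for this page, not code from the question, the answer or the Fabric CA project): a small POSIX shell script that extracts the token label `pkcs11-tool -L` reports and compares it with the `label:` key in the bccsp section, so the mismatch the answer describes (`test` versus `test (UserPIN)`) is caught before fabric-ca-server is started. The embedded listing and the two config fragments are constructed to mirror the ones above, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the question, the answer or Fabric CA.
# Checks that the label in a Fabric CA bccsp.pkcs11 config matches the
# token label the HSM actually reports, which is the mismatch
# ("test" vs "test (UserPIN)") behind the error on this page.

# Pull the token label out of `pkcs11-tool -L` output read from stdin.
# First match only; surrounding whitespace is dropped.
hsm_token_label() {
    sed -n 's/^[[:space:]]*token label[[:space:]]*:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' | head -n 1
}

# Pull the pkcs11 label out of a bccsp YAML fragment read from stdin,
# stripping optional surrounding double quotes.
config_label() {
    sed -n 's/^[[:space:]]*label:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' | head -n 1 \
        | sed 's/^"\(.*\)"$/\1/'
}

# check_label CONFIG_LABEL HSM_LABEL: returns 0 if they match, 1 if not,
# and prints a one-line verdict so it can sit in a start-up script.
check_label() {
    if [ "$1" = "$2" ]; then
        echo "OK: bccsp label '$1' matches the HSM token label"
        return 0
    fi
    echo "MISMATCH: bccsp label '$1' but the HSM reports '$2'" >&2
    return 1
}

# Constructed sample of `pkcs11-tool -L`, mirroring the listing in the answer.
SAMPLE_LISTING='Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM
  token label        : test (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized'

# Constructed bccsp fragments: the failing one and the corrected one.
CONFIG_BEFORE='bccsp:
  default: PKCS11
  pkcs11:
    library: /usr/local/lib/opensc-pkcs11.so
    label: test'

CONFIG_AFTER='bccsp:
  default: PKCS11
  pkcs11:
    library: /usr/local/lib/opensc-pkcs11.so
    label: test (UserPIN)'

hsm=$(printf '%s\n' "$SAMPLE_LISTING" | hsm_token_label)
# The first comparison is expected to fail and is not fatal here.
check_label "$(printf '%s\n' "$CONFIG_BEFORE" | config_label)" "$hsm" || true
check_label "$(printf '%s\n' "$CONFIG_AFTER" | config_label)" "$hsm"
```

Against a real device, feed the live output instead of the embedded sample: `pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -L | hsm_token_label` for the HSM side and `config_label < fabric-ca-server-config.yaml` (file name assumed) for the config side, then pass both results to `check_label`. Note that the check matches on the exact string, including the space before `(UserPIN)`, since that is exactly what the PKCS#11 lookup in the error message compares against.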