
Could not initialise BCCSP PKCS11 In Fabric CA with HSM

In one of my projects, I am using Fabric CA as a Root Certificate Authority with a NitroKey2 HSM, following:

For Fabric CA: https://hyperledger-fabric.readthedocs.io/en/release-2.2/hsm.html

For NitroKey: https://docs.nitrokey.com/hsm/linux/certificate-authority.html

Some of the major steps are mentioned below, and at the end the logs show:

Error: Failed to get BCCSP with opts: Could not initialize BCCSP PKCS11: pkcs11: could not find token with label test

Question: Has anyone worked on a similar setup and have any comments on this?

Logs of some of the major steps:

Step 1: initialise a slot with the label test

➜ NHSM pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --init-token --init-pin --so-pin=0123456789012345 --new-pin=123456 --label="test" --pin=648219 --slot-index 0
Using slot with index 0 (0x0)
Token successfully initialized
User PIN successfully initialized
➜ NHSM
➜ NHSM pkcs11-tool -O
Using slot 0 with a present token (0x0)
Profile object 1849802432
profile_id: '4'
➜ NHSM

Next Step:

Followed the Fabric CA documentation, e.g. compiled fabric-ca-server with the pkcs11 option and set up bccsp:

bccsp:
  default: PKCS11
  pkcs11:
    library: /usr/local/lib/opensc-pkcs11.so
    pin: "123456"
    hash: SHA2
    security: 256
    label: test
    Immutable: false

Started the Fabric CA Server natively, but it shows the following in the logs:

2022/05/02 10:41:32 [DEBUG] Initializing BCCSP with PKCS11 options {SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore: DummyKeystore: Library:/usr/local/lib/opensc-pkcs11.so Label:****** Pin:****** SoftVerify:false Immutable:false AltId:}
2022/05/02 10:41:32 [DEBUG] Closing server DBs
Error: Failed to get BCCSP with opts: Could not initialize BCCSP PKCS11: pkcs11: could not find token with label test

OpenSC logs show the following:

P:17405; T:0x123145467105280 10:31:48.160 [opensc-pkcs11] slot.c:448:slot_allocate: Allocated slot 0x0 for card in reader Nitrokey Nitrokey HSM
P:17405; T:0x123145467105280 10:31:48.160 [opensc-pkcs11] framework-pkcs15.c:1124:pkcs15_init_slot: Called
P:17405; T:0x123145467105280 10:31:48.160 [opensc-pkcs11] framework-pkcs15.c:1216:pkcs15_init_slot: Initialized slot 0x0 with token test (UserPIN) www.CardContact.de PKCS#15 emulatedDENK0106167
P:17405; T:0x123145467105280 10:31:48.160 [opensc-pkcs11] framework-pkcs15.c:1450:_add_pin_related_objects: Add objects related to PIN('UserPIN',ID:01)
P:17405; T:0x123145467105280 10:31:48.160 [opensc-pkcs11] framework-pkcs15.c:1668:pkcs15_create_tokens: Add public objects to slot 0x9f04290
P:17405; T:0x123145467105280 10:31:48.161 [opensc-pkcs11] framework-pkcs15.c:1514:_add_public_objects: 0 public objects to process
P:17405; T:0x123145467105280 10:31:48.161 [opensc-pkcs11] framework-pkcs15.c:1067:pkcs15_add_object: Slot:0 Setting object handle of 0x0 to 0x8d1cdf0
P:17405; T:0x123145467105280 10:31:48.161 [opensc-pkcs11] framework-pkcs15.c:1672:pkcs15_create_tokens: All tokens created
P:17405; T:0x123145467105280 10:31:48.161 [opensc-pkcs11] slot.c:374:card_detect: Nitrokey Nitrokey HSM: Detection ended
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] slot.c:430:card_detect_all: All cards detected
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] pkcs11-global.c:352:C_Initialize: C_Initialize() = CKR_OK
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] pkcs11-global.c:490:C_GetSlotList: C_GetSlotList(token=1, plug-n-play)
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] pkcs11-global.c:491:C_GetSlotList: VSS C_GetSlotList before ctx_detect_detect
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] reader-pcsc.c:1386:pcsc_detect_readers: called
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] reader-pcsc.c:1399:pcsc_detect_readers: Probing PC/SC readers
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] reader-pcsc.c:1568:pcsc_detect_readers: returning with: 0 (Success)
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] pkcs11-global.c:497:C_GetSlotList: VSS C_GetSlotList after ctx_detect_readers
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] slot.c:391:card_detect_all: Detect all cards
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] slot.c:217:card_detect: Nitrokey Nitrokey HSM: Detecting smart card
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] sc.c:335:sc_detect_card_presence: called
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] reader-pcsc.c:472:pcsc_detect_card_presence: called
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] reader-pcsc.c:360:refresh_attributes: Nitrokey Nitrokey HSM check
P:17405; T:0x123145467105280 10:31:48.163 [opensc-pkcs11] reader-pcsc.c:407:refresh_attributes: current state: 0x00000122
P:17405; T:0x123145467105280 10:31:48.163 [opensc-pkcs11] reader-pcsc.c:408:refresh_attributes: previous state: 0x00000022
P:17405; T:0x123145467105280 10:31:48.163 [opensc-pkcs11] reader-pcsc.c:464:refresh_attributes: card present
P:17405; T:0x123145467105280 10:31:48.163 [opensc-pkcs11] reader-pcsc.c:477:pcsc_detect_card_presence: returning with: 5
P:17405; T:0x123145467105280 10:31:48.163 [opensc-pkcs11] sc.c:340:sc_detect_card_presence: returning with: 5
P:17405; T:0x123145467105280 10:31:48.163 [opensc-pkcs11] slot.c:374:card_detect: Nitrokey Nitrokey HSM: Detection ended
P:17405; T:0x123145467105280 10:31:48.164 [opensc-pkcs11] slot.c:430:card_detect_all: All cards detected
P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] pkcs11-global.c:533:C_GetSlotList: VSS C_GetSlotList after card_detect_all
P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] pkcs11-global.c:536:C_GetSlotList: was only a size inquiry (1)
P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] pkcs11-global.c:490:C_GetSlotList: C_GetSlotList(token=1, refresh)
P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] pkcs11-global.c:491:C_GetSlotList: VSS C_GetSlotList before ctx_detect_detect
P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] pkcs11-global.c:497:C_GetSlotList: VSS C_GetSlotList after ctx_detect_readers
P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] slot.c:391:card_detect_all: Detect all cards
P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] slot.c:217:card_detect: Nitrokey Nitrokey HSM: Detecting smart card
P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] sc.c:335:sc_detect_card_presence: called
P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] reader-pcsc.c:472:pcsc_detect_card_presence: called
P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] reader-pcsc.c:360:refresh_attributes: Nitrokey Nitrokey HSM check
P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] reader-pcsc.c:385:refresh_attributes: returning with: 0 (Success)
P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] reader-pcsc.c:477:pcsc_detect_card_presence: returning with: 5
P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] sc.c:340:sc_detect_card_presence: returning with: 5
P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] slot.c:374:card_detect: Nitrokey Nitrokey HSM: Detection ended
P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] slot.c:430:card_detect_all: All cards detected
P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] pkcs11-global.c:533:C_GetSlotList: VSS C_GetSlotList after card_detect_all
P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] pkcs11-global.c:541:C_GetSlotList: VSS C_GetSlotList after slot->id reassigned
P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] pkcs11-global.c:554:C_GetSlotList: returned 1 slots
P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] pkcs11-global.c:555:C_GetSlotList: VSS Returning a new slot list
P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] framework-pkcs15.c:552:C_GetTokenInfo: C_GetTokenInfo(0)
P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] slot.c:470:slot_get_token: Slot(id=0x0): get token
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] slot.c:488:slot_get_token: Slot-get-token returns OK
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] framework-pkcs15.c:591:C_GetTokenInfo: C_GetTokenInfo() auth. object 0x580fa00, token-info flags 0x40D
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] pkcs15-pin.c:707:sc_pkcs15_get_pin_info: called
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] card.c:473:sc_lock: called
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] reader-pcsc.c:685:pcsc_lock: called
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] card.c:513:sc_lock: returning with: 0 (Success)
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] card.c:844:sc_select_file: called; type=0, path=e82b0601040181c31f0201::
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] card.c:879:sc_select_file: returning with: 0 (Success)
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] sec.c:200:sc_pin_cmd: called
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] apdu.c:548:sc_transmit_apdu: called
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] card.c:473:sc_lock: called
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] card.c:513:sc_lock: returning with: 0 (Success)
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] apdu.c:515:sc_transmit: called
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] apdu.c:363:sc_single_transmit: called
P:17405; T:0x123145467105280 10:31:48.168 [opensc-pkcs11] apdu.c:370:sc_single_transmit: CLA:0, INS:20, P1:0, P2:81, data(0) 0x700009d28620
P:17405; T:0x123145467105280 10:31:48.168 [opensc-pkcs11] reader-pcsc.c:323:pcsc_transmit: reader 'Nitrokey Nitrokey HSM'
P:17405; T:0x123145467105280 10:31:48.168 [opensc-pkcs11] reader-pcsc.c:324:pcsc_transmit:
Outgoing APDU (4 bytes):
00 20 00 81 . ..

P:17405; T:0x123145467105280 10:31:48.168 [opensc-pkcs11] reader-pcsc.c:242:pcsc_internal_transmit: called
P:17405; T:0x123145467105280 10:31:48.200 [opensc-pkcs11] reader-pcsc.c:333:pcsc_transmit:
Incoming APDU (2 bytes):
63 C3 c.

P:17405; T:0x123145467105280 10:31:48.200 [opensc-pkcs11] apdu.c:382:sc_single_transmit: returning with: 0 (Success)
P:17405; T:0x123145467105280 10:31:48.200 [opensc-pkcs11] apdu.c:537:sc_transmit: returning with: 0 (Success)
P:17405; T:0x123145467105280 10:31:48.200 [opensc-pkcs11] card.c:523:sc_unlock: called
P:17405; T:0x123145467105280 10:31:48.200 [opensc-pkcs11] iso7816.c:123:iso7816_check_sw: PIN not verified (remaining tries: 3)
P:17405; T:0x123145467105280 10:31:48.200 [opensc-pkcs11] card-sc-hsm.c:768:sc_hsm_pin_cmd: returning with: 0 (Success)
P:17405; T:0x123145467105280 10:31:48.200 [opensc-pkcs11] sec.c:256:sc_pin_cmd: returning with: 0 (Success)
P:17405; T:0x123145467105280 10:31:48.200 [opensc-pkcs11] card.c:523:sc_unlock: called
P:17405; T:0x123145467105280 10:31:48.201 [opensc-pkcs11] reader-pcsc.c:737:pcsc_unlock: called
P:17405; T:0x123145467105280 10:31:48.201 [opensc-pkcs11] pkcs15-pin.c:742:sc_pkcs15_get_pin_info: returning with: 0 (Success)
P:17405; T:0x123145467105280 10:31:48.201 [opensc-pkcs11] framework-pkcs15.c:609:C_GetTokenInfo: C_GetTokenInfo(0) returns CKR_OK
2022/05/02 10:31:48 [DEBUG] Closing server DBs
Error: Failed to get BCCSP with opts: Could not initialize BCCSP PKCS11: pkcs11: could not find token with label test

On debugging fabric-ca (refer to https://github.com/hyperledger/fabric-ca), it was found that the HSM's token label was different from what was supplied initially via the command line, as the HSM appended an extra string to the label as a suffix, which made the label a non-existent one, so fabric-ca didn't work with the NitroKey HSM:

Debugging fabric-ca with pkcs11

During the init phase, the label was given as 'test', but it got stored on the NitroKey as test (UserPIN)

Init phase:

NHSM pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --init-token --init-pin --so-pin=0123456789012345 --new-pin=123456 --label="test" --pin=648219 --slot-index 0
Using slot with index 0 (0x0)
Token successfully initialized
User PIN successfully initialized
➜ NHSM
➜ NHSM pkcs11-tool -O
Using slot 0 with a present token (0x0)
Profile object 1849802432
profile_id: '4'
➜ NHSM

The label was given as test, but it was stored as test (UserPIN):

➜  NHSM pkcs11-tool -L 
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM
  token label        : test (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 24.13
  firmware version   : 3.4
  serial num         : DENK0106167
  pin min/max        : 6/15

Changed the bccsp config (label: test (UserPIN) instead of label: test):

bccsp:
  default: PKCS11
  pkcs11:
    library: /usr/local/lib/opensc-pkcs11.so
    pin: "123456"
    hash: SHA2
    security: 256
    label: test (UserPIN)
    Immutable: false
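A small diagnostic for this class of failure, added here as an example and not part of the post or of fabric-ca: it parses the `pkcs11-tool -L` listing, applies the same whole-string comparison that produces the "could not find token with label" error, and, on a miss, reports tokens whose label merely starts with the configured value (the "test" vs "test (UserPIN)" case above). The listing embedded below is a constructed sample modelled on the one in the post; `--module` path and the label values are assumptions.

```python
import re
import subprocess
import sys

# Constructed sample of `pkcs11-tool -L` output, modelled on the post's listing.
SAMPLE_LISTING = """\
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM
  token label        : test (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
Slot 1 (0x1): Virtual hotplug slot
  (empty)
"""

SLOT_RE = re.compile(r"^Slot (\d+) \(0x[0-9a-fA-F]+\): (.*)$")
LABEL_RE = re.compile(r"^\s+token label\s*:\s*(.*?)\s*$")


def parse_token_labels(listing):
    """Return {slot_number: token_label} for every slot that holds a token."""
    labels, slot = {}, None
    for line in listing.splitlines():
        m = SLOT_RE.match(line)
        if m:
            slot = int(m.group(1))      # remember which slot the next label belongs to
            continue
        m = LABEL_RE.match(line)
        if m and slot is not None:
            labels[slot] = m.group(1)   # pkcs11-tool already strips the 32-byte padding
    return labels


def check_bccsp_label(configured, labels):
    """Exact-match lookup as the BCCSP error implies; on a miss, return prefix candidates.
    Returns (matching_slot_or_None, candidate_labels)."""
    for slot, label in labels.items():
        if label == configured:         # whole label must match, "test" != "test (UserPIN)"
            return slot, []
    candidates = [lbl for lbl in labels.values() if lbl.startswith(configured)]
    return None, candidates


if __name__ == "__main__":
    # Usage: diag.py <label> [<module.so>]; with no module the sample listing is used.
    configured = sys.argv[1] if len(sys.argv) > 1 else "test"
    listing = SAMPLE_LISTING
    if len(sys.argv) > 2:               # assumed path to a PKCS#11 module, e.g. opensc-pkcs11.so
        listing = subprocess.run(["pkcs11-tool", "--module", sys.argv[2], "-L"],
                                 capture_output=True, text=True, check=True).stdout
    slot, candidates = check_bccsp_label(configured, parse_token_labels(listing))
    print("found in slot", slot) if slot is not None else print("no exact match; try", candidates)
```

Run it with the real module path to see exactly what the HSM reports, then copy that string verbatim into `bccsp.pkcs11.label`.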
