
Could not initialise BCCSP PKCS11 In Fabric CA with HSM

In one of my projects I am using Fabric CA as the root certificate authority together with a NitroKey2 HSM, following:

For Fabric CA: https://hyperledger-fabric.readthedocs.io/en/release-2.2/hsm.html

For NitroKey: https://docs.nitrokey.com/hsm/linux/certificate-authority.html

Some of the main steps are listed below, and they end with the following in the logs:

 Error: Failed to get BCCSP with opts: Could not initialize BCCSP PKCS11: pkcs11: could not find token with label test 

Question: has anyone worked on a similar setup and has any comments on this?

Logs of some of the main steps:

Step 1: initialize the slot with the label test

➜ NHSM pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --init-token --init-pin --so-pin=0123456789012345 --new-pin=123456 --label="test" --pin=648219 --slot-index 0
Using slot with index 0 (0x0)
Token successfully initialized
User PIN successfully initialized
➜ NHSM
➜ NHSM pkcs11-tool -O
Using slot 0 with a present token (0x0)
Profile object 1849802432
profile_id: '4'
➜ NHSM

Next step:

Following the Fabric CA documentation, e.g. compiling fabric-ca-server with the pkcs11 option and configuring bccsp:

bccsp:
  default: PKCS11
  pkcs11:
    library: /usr/local/lib/opensc-pkcs11.so
    pin: "123456"
    hash: SHA2
    security: 256
    label: test
    Immutable: false

Starting the Fabric CA Server natively, it shows the following in the logs:

2022/05/02 10:41:32 [DEBUG] Initializing BCCSP with PKCS11 options {SecLevel:256 HashFamily:SHA2 Ephemeral:false FileKeystore: DummyKeystore: Library:/usr/local/lib/opensc-pkcs11.so Label:****** Pin:****** SoftVerify:false Immutable:false AltId:}
2022/05/02 10:41:32 [DEBUG] Closing server DBs
Error: Failed to get BCCSP with opts: Could not initialize BCCSP PKCS11: pkcs11: could not find token with label test

The OpenSC logs show the following:

P:17405; T:0x123145467105280 10:31:48.160 [opensc-pkcs11] slot.c:448:slot_allocate: Allocated slot 0x0 for card in reader Nitrokey Nitrokey HSM
P:17405; T:0x123145467105280 10:31:48.160 [opensc-pkcs11] framework-pkcs15.c:1124:pkcs15_init_slot: Called
P:17405; T:0x123145467105280 10:31:48.160 [opensc-pkcs11] framework-pkcs15.c:1216:pkcs15_init_slot: Initialized slot 0x0 with token test (UserPIN) www.CardContact.de PKCS#15 emulatedDENK0106167
P:17405; T:0x123145467105280 10:31:48.160 [opensc-pkcs11] framework-pkcs15.c:1450:_add_pin_related_objects: Add objects related to PIN('UserPIN',ID:01)
P:17405; T:0x123145467105280 10:31:48.160 [opensc-pkcs11] framework-pkcs15.c:1668:pkcs15_create_tokens: Add public objects to slot 0x9f04290
P:17405; T:0x123145467105280 10:31:48.161 [opensc-pkcs11] framework-pkcs15.c:1514:_add_public_objects: 0 public objects to process
P:17405; T:0x123145467105280 10:31:48.161 [opensc-pkcs11] framework-pkcs15.c:1067:pkcs15_add_object: Slot:0 Setting object handle of 0x0 to 0x8d1cdf0
P:17405; T:0x123145467105280 10:31:48.161 [opensc-pkcs11] framework-pkcs15.c:1672:pkcs15_create_tokens: All tokens created
P:17405; T:0x123145467105280 10:31:48.161 [opensc-pkcs11] slot.c:374:card_detect: Nitrokey Nitrokey HSM: Detection ended
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] slot.c:430:card_detect_all: All cards detected
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] pkcs11-global.c:352:C_Initialize: C_Initialize() = CKR_OK
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] pkcs11-global.c:490:C_GetSlotList: C_GetSlotList(token=1, plug-n-play)
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] pkcs11-global.c:491:C_GetSlotList: VSS C_GetSlotList before ctx_detect_detect
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] reader-pcsc.c:1386:pcsc_detect_readers: called
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] reader-pcsc.c:1399:pcsc_detect_readers: Probing PC/SC readers
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] reader-pcsc.c:1568:pcsc_detect_readers: returning with: 0 (Success)
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] pkcs11-global.c:497:C_GetSlotList: VSS C_GetSlotList after ctx_detect_readers
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] slot.c:391:card_detect_all: Detect all cards
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] slot.c:217:card_detect: Nitrokey Nitrokey HSM: Detecting smart card
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] sc.c:335:sc_detect_card_presence: called
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] reader-pcsc.c:472:pcsc_detect_card_presence: called
P:17405; T:0x123145467105280 10:31:48.162 [opensc-pkcs11] reader-pcsc.c:360:refresh_attributes: Nitrokey Nitrokey HSM check
P:17405; T:0x123145467105280 10:31:48.163 [opensc-pkcs11] reader-pcsc.c:407:refresh_attributes: current state: 0x00000122
P:17405; T:0x123145467105280 10:31:48.163 [opensc-pkcs11] reader-pcsc.c:408:refresh_attributes: previous state: 0x00000022
P:17405; T:0x123145467105280 10:31:48.163 [opensc-pkcs11] reader-pcsc.c:464:refresh_attributes: card present
P:17405; T:0x123145467105280 10:31:48.163 [opensc-pkcs11] reader-pcsc.c:477:pcsc_detect_card_presence: returning with: 5
P:17405; T:0x123145467105280 10:31:48.163 [opensc-pkcs11] sc.c:340:sc_detect_card_presence: returning with: 5
P:17405; T:0x123145467105280 10:31:48.163 [opensc-pkcs11] slot.c:374:card_detect: Nitrokey Nitrokey HSM: Detection ended
P:17405; T:0x123145467105280 10:31:48.164 [opensc-pkcs11] slot.c:430:card_detect_all: All cards detected
P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] pkcs11-global.c:533:C_GetSlotList: VSS C_GetSlotList after card_detect_all
P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] pkcs11-global.c:536:C_GetSlotList: was only a size inquiry (1)
P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] pkcs11-global.c:490:C_GetSlotList: C_GetSlotList(token=1, refresh)
P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] pkcs11-global.c:491:C_GetSlotList: VSS C_GetSlotList before ctx_detect_detect
P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] pkcs11-global.c:497:C_GetSlotList: VSS C_GetSlotList after ctx_detect_readers
P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] slot.c:391:card_detect_all: Detect all cards
P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] slot.c:217:card_detect: Nitrokey Nitrokey HSM: Detecting smart card
P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] sc.c:335:sc_detect_card_presence: called
P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] reader-pcsc.c:472:pcsc_detect_card_presence: called
P:17405; T:0x123145467105280 10:31:48.165 [opensc-pkcs11] reader-pcsc.c:360:refresh_attributes: Nitrokey Nitrokey HSM check
P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] reader-pcsc.c:385:refresh_attributes: returning with: 0 (Success)
P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] reader-pcsc.c:477:pcsc_detect_card_presence: returning with: 5
P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] sc.c:340:sc_detect_card_presence: returning with: 5
P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] slot.c:374:card_detect: Nitrokey Nitrokey HSM: Detection ended
P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] slot.c:430:card_detect_all: All cards detected
P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] pkcs11-global.c:533:C_GetSlotList: VSS C_GetSlotList after card_detect_all
P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] pkcs11-global.c:541:C_GetSlotList: VSS C_GetSlotList after slot->id reassigned
P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] pkcs11-global.c:554:C_GetSlotList: returned 1 slots
P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] pkcs11-global.c:555:C_GetSlotList: VSS Returning a new slot list
P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] framework-pkcs15.c:552:C_GetTokenInfo: C_GetTokenInfo(0)
P:17405; T:0x123145467105280 10:31:48.166 [opensc-pkcs11] slot.c:470:slot_get_token: Slot(id=0x0): get token
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] slot.c:488:slot_get_token: Slot-get-token returns OK
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] framework-pkcs15.c:591:C_GetTokenInfo: C_GetTokenInfo() auth. object 0x580fa00, token-info flags 0x40D
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] pkcs15-pin.c:707:sc_pkcs15_get_pin_info: called
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] card.c:473:sc_lock: called
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] reader-pcsc.c:685:pcsc_lock: called
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] card.c:513:sc_lock: returning with: 0 (Success)
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] card.c:844:sc_select_file: called; type=0, path=e82b0601040181c31f0201::
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] card.c:879:sc_select_file: returning with: 0 (Success)
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] sec.c:200:sc_pin_cmd: called
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] apdu.c:548:sc_transmit_apdu: called
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] card.c:473:sc_lock: called
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] card.c:513:sc_lock: returning with: 0 (Success)
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] apdu.c:515:sc_transmit: called
P:17405; T:0x123145467105280 10:31:48.167 [opensc-pkcs11] apdu.c:363:sc_single_transmit: called
P:17405; T:0x123145467105280 10:31:48.168 [opensc-pkcs11] apdu.c:370:sc_single_transmit: CLA:0, INS:20, P1:0, P2:81, data(0) 0x700009d28620
P:17405; T:0x123145467105280 10:31:48.168 [opensc-pkcs11] reader-pcsc.c:323:pcsc_transmit: reader 'Nitrokey Nitrokey HSM'
P:17405; T:0x123145467105280 10:31:48.168 [opensc-pkcs11] reader-pcsc.c:324:pcsc_transmit:
Outgoing APDU (4 bytes):
00 20 00 81 . ...

P:17405; T:0x123145467105280 10:31:48.168 [opensc-pkcs11] reader-pcsc.c:242:pcsc_internal_transmit: called
P:17405; T:0x123145467105280 10:31:48.200 [opensc-pkcs11] reader-pcsc.c:333:pcsc_transmit:
Incoming APDU (2 bytes):
63 C3 c.

P:17405; T:0x123145467105280 10:31:48.200 [opensc-pkcs11] apdu.c:382:sc_single_transmit: returning with: 0 (Success)
P:17405; T:0x123145467105280 10:31:48.200 [opensc-pkcs11] apdu.c:537:sc_transmit: returning with: 0 (Success)
P:17405; T:0x123145467105280 10:31:48.200 [opensc-pkcs11] card.c:523:sc_unlock: called
P:17405; T:0x123145467105280 10:31:48.200 [opensc-pkcs11] iso7816.c:123:iso7816_check_sw: PIN not verified (remaining tries: 3)
P:17405; T:0x123145467105280 10:31:48.200 [opensc-pkcs11] card-sc-hsm.c:768:sc_hsm_pin_cmd: returning with: 0 (Success)
P:17405; T:0x123145467105280 10:31:48.200 [opensc-pkcs11] sec.c:256:sc_pin_cmd: returning with: 0 (Success)
P:17405; T:0x123145467105280 10:31:48.200 [opensc-pkcs11] card.c:523:sc_unlock: called
P:17405; T:0x123145467105280 10:31:48.201 [opensc-pkcs11] reader-pcsc.c:737:pcsc_unlock: called
P:17405; T:0x123145467105280 10:31:48.201 [opensc-pkcs11] pkcs15-pin.c:742:sc_pkcs15_get_pin_info: returning with: 0 (Success)
P:17405; T:0x123145467105280 10:31:48.201 [opensc-pkcs11] framework-pkcs15.c:609:C_GetTokenInfo: C_GetTokenInfo(0) returns CKR_OK
2022/05/02 10:31:48 [DEBUG] Closing server DBs
Error: Failed to get BCCSP with opts: Could not initialize BCCSP PKCS11: pkcs11: could not find token with label test

While debugging fabric-ca (reference - https://github.com/hyperledger/fabric-ca ), it was found that the HSM's token label differs from the one originally supplied on the command line, because the HSM appends a suffix to the label, which makes the configured label non-existent, and therefore fabric-ca could not be used with the NitroKey HSM:

Debugging fabric-ca with pkcs11

In the initialization phase the label was specified as "test", but it was stored in the NitroKey as "test (UserPIN)"

Initialization phase:

➜ NHSM pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --init-token --init-pin --so-pin=0123456789012345 --new-pin=123456 --label="test" --pin=648219 --slot-index 0
Using slot with index 0 (0x0)
Token successfully initialized
User PIN successfully initialized
➜ NHSM
➜ NHSM pkcs11-tool -O
Using slot 0 with a present token (0x0)
Profile object 1849802432
profile_id: '4'
➜ NHSM

The label was given as test, but it is stored as test (UserPIN)

➜  NHSM pkcs11-tool -L 
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM
  token label        : test (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 24.13
  firmware version   : 3.4
  serial num         : DENK0106167
  pin min/max        : 6/15

Changed the bccsp configuration (label: test (UserPIN) instead of label: test)

bccsp:
  default: PKCS11
  pkcs11:
    library: /usr/local/lib/opensc-pkcs11.so
    pin: "123456"
    hash: SHA2
    security: 256
    label: test (UserPIN)
    Immutable: false
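An added pre-flight check (example code, not from the post and not Fabric's own code): it parses a `pkcs11-tool -L` listing and tests the configured bccsp label the way Fabric's BCCSP does, by exact comparison against each slot's token label, so the "test" versus "test (UserPIN)" mismatch is caught before fabric-ca-server is started. The sample listing is the one quoted in the answer above; `live_listing` is an assumed helper that shells out to pkcs11-tool on a machine with the HSM attached.

```python
import re
import subprocess
from typing import Dict, List, Optional

# Constructed sample: the `pkcs11-tool -L` output quoted in the answer,
# embedded so the check can run without the HSM attached.
SAMPLE_SLOT_LISTING = """\
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM
  token label        : test (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 24.13
  firmware version   : 3.4
  serial num         : DENK0106167
  pin min/max        : 6/15
"""

def parse_token_labels(listing: str) -> Dict[int, str]:
    """Map slot index -> token label as printed by `pkcs11-tool -L`."""
    labels: Dict[int, str] = {}
    slot: Optional[int] = None
    for line in listing.splitlines():
        m = re.match(r"Slot (\d+) \(0x[0-9a-fA-F]+\):", line)
        if m:
            slot = int(m.group(1))
            continue
        m = re.match(r"\s*token label\s*:\s*(.*?)\s*$", line)
        if m and slot is not None:
            labels[slot] = m.group(1)
    return labels

def check_bccsp_label(configured: str, listing: str) -> dict:
    """Fabric's BCCSP walks every slot and accepts only an exact label match,
    which is why 'test' is not found when OpenSC reports 'test (UserPIN)'.
    Returns the matching slots plus any reported label the configured value
    is merely a prefix of, so the exact string can be copied into bccsp."""
    labels = parse_token_labels(listing)
    exact = [s for s, lbl in labels.items() if lbl == configured]
    near: List[str] = [lbl for lbl in labels.values()
                       if lbl != configured and lbl.startswith(configured)]
    return {"found": bool(exact), "slots": exact, "suggested_labels": near}

def live_listing(module: str) -> str:
    """Assumed helper: query the real PKCS#11 module (HSM must be attached)."""
    proc = subprocess.run(["pkcs11-tool", "--module", module, "-L"],
                          check=True, capture_output=True, text=True)
    return proc.stdout
```

On a live system, pass `live_listing("/usr/local/lib/opensc-pkcs11.so")` in place of `SAMPLE_SLOT_LISTING`.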
