
CKR_DEVICE_ERROR for Nitro HSM 2 on Sonoma #2887

Closed
pradig opened this issue Oct 3, 2023 · 31 comments

Comments

@pradig

pradig commented Oct 3, 2023

Problem Description

I am using a Nitrokey HSM 2. It used to work perfectly under MacOS 13 Ventura, but under Sonoma the key is detected by MacOS but generates the following error:

~❯ /Library/OpenSC/bin/pkcs11-tool --show-info
Cryptoki version 3.0
Manufacturer OpenSC Project
Library OpenSC smartcard framework (ver 0.23)
error: PKCS11 function C_GetSlotInfo failed: rv = CKR_DEVICE_ERROR (0x30)
Aborting.

~❯ ioreg | grep -i Nitro
| | | | | | | | | +-o Nitrokey HSM@xxxxxxxx <class IOUSBHostDevice, id 0x100072258, registered, matched, active, busy 0 (17 ms), retain 35>

Proposed Resolution

Steps to reproduce

Logs

https://gist.github.com/pradig/c9bef153626030e7131f6fcafffe9174

@JLSNZ

JLSNZ commented Oct 3, 2023

I have the same issue on Sonoma M1 Mac, however I have opensc installed via brew.

Mine can read slot 0, a Yubikey 4, fine, but not slot 1, a Nitro HSM 2:

/opt/homebrew/bin/pkcs11-tool --list-slots -v
Available slots:
Slot 0 (0x0): Yubico Yubikey 4 OTP+U2F+CCID
  manufacturer:
  hardware ver:  0.0
  firmware ver:  0.0
  flags:         token present, removable device, hardware slot
  token label        : PIV_II
  token manufacturer : piv_II
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 00000000
  pin min/max        : 4/8
Slot 1 (0x4): (GetSlotInfo failed, CKR_DEVICE_ERROR)
/opt/homebrew/bin/pkcs11-tool --list-objects --verbose --slot 1
Using slot with ID 0x1
error: PKCS11 function C_OpenSession failed: rv = CKR_TOKEN_NOT_PRESENT (0xe0)
Aborting.

Moving the Nitro HSM 2 to a Ventura Intel Mac does not exhibit this problem, nor did the M1 Mac prior to the Sonoma upgrade.

@Jakuje
Member

Jakuje commented Oct 4, 2023

Your log shows you are using version 0.23. Can you try the latest 0.24.0-rc1? We got reports for that rc too, but there might be some things fixed already.

Could it be an issue in the pcsc-lite or ccid?

@phafke

phafke commented Oct 4, 2023

I tried with the latest 0.24.0-rc1, but got the same issue...

$ pkcs11-tool --show-info
Cryptoki version 3.0
Manufacturer     OpenSC Project
Library          OpenSC smartcard framework (ver 0.24)
error: PKCS11 function C_GetSlotInfo failed: rv = CKR_DEVICE_ERROR (0x30)
Aborting.

@pradig
Author

pradig commented Oct 4, 2023

Same problem with 0.24.0-rc1

@dengert
Member

dengert commented Oct 4, 2023

The card never gets past any attempt to connect, as seen in multiple lines in the log like this:
reader-pcsc.c:632:pcsc_connect: Nitrokey Nitrokey HSM:SCardConnect failed: 0x80100066

0x80100066 is SCARD_W_UNRESPONSIVE_CARD.

Other Sonoma users are having the same problem with more than OpenSC: https://developer.apple.com/forums/thread/732091?page=2 which says: "I installed the CCID Drivers 1.5.2. Now it is working. https://www2.swift.com/3skey/help/mac_support.html "

@metsma
Contributor

metsma commented Oct 5, 2023

Our testing team did some initial testing with an Estonian card and did not notice any issues. I still need to upgrade my development Mac to dig deeper. From the comments it looks like a low-level issue, e.g. the CCID driver or USB.

@PCovesCentreon

Still unable to use the Nitrokey Pro 2.
CCID drivers 1.5.2 did nothing.

@dengert
Member

dengert commented Oct 5, 2023

CCID drivers 1.5.2 did nothing.

In https://developer.apple.com/forums/thread/732091 update "CCID drivers 1.5.2" worked for some and not others.

The problem could be a USB timing, power or configuration issue that may cause the card to reset or USB to be powered off.

Have you tried some of the other "fixes":

  • I have upgraded to Mac OS 14 and my smart card reader quit working. Works in safe mode and while booting up. Then stops functioning. Allow Accessories to connect is not visible.
  • I passed this issue by switching the value "Allow accessories to access" to Automatically when unlocked or Always

(I don't have a Mac, but it sounds like the OS upgrade did something.)

@Jakuje
Member

Jakuje commented Oct 5, 2023

Correct. I would propose to check the PCSC/CCID debug logs, if there is a way to get them from Mac, and report to pcsc-lite. I do not think there is anything we could fix in OpenSC.

@PCovesCentreon

Have you tried some of the other "fixes":

Actually yes, I did this one first.
It did not work either.

@PCovesCentreon

You know what, I did run the CCID 1.5.2 installer.
Twice.

# grep -A 1 CFBundleShortVersionString /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/Info.plist
        <key>CFBundleShortVersionString</key>
        <string>1.5.1</string>

But it appears I'm still using 1.5.1.

@dengert
Member

dengert commented Oct 6, 2023

@alex-nitrokey Are you following this issue?
And the related https://developer.apple.com/forums/thread/732091 which was updated an hour ago.

This OpenSC issue is dealing with the Nitro HSM 2, whereas the apple issue is dealing with many different reader/tokens failing when upgrading the OS. The solutions are to update the MacOS CCID or use a different reader, all of which point at the CCID driver.

What reader chip is in Nitro HSM 2?
Do you provide a CCID driver for MacOS or use the default CCID driver?
Can you reproduce the problem?

@alex-nitrokey
Contributor

@dengert nope, not working for Nitrokey nor using HSM devices for 3 years, I am afraid...
Kind regards nonetheless!

@saper
Contributor

saper commented Oct 10, 2023

What reader chip is in Nitro HSM 2?

Nitrokey HSM 2 has the same reader chip as Nitrokey Pro - https://github.com/Nitrokey/nitrokey-pro-hardware

They just run different firmware branches:

https://github.com/Nitrokey/nitrokey-pro-firmware/tree/master for Nitrokey Pro

https://github.com/Nitrokey/nitrokey-pro-firmware/tree/ci-hsm for Nitrokey HSM

cc @szszszsz

(I don't have a Mac either)

@szszszsz

szszszsz commented Oct 10, 2023 via email

@saper
Contributor

saper commented Oct 10, 2023

Thanks - I think the question is rather, do you have any idea why it stopped working on the newest Mac operating system ...

@metsma
Contributor

metsma commented Oct 11, 2023

@dengert
Member

dengert commented Oct 11, 2023

(I don't have a Mac or a Nitro HSM 2.)

Can you capture USB traffic? For example using https://wiki.wireshark.org/CaptureSetup/USB. See if it ever sends anything.

If you have a USB hub, try the HSM with the hub.

Does the HSM token have a light? Does it ever go on?

https://developer.apple.com/forums/thread/732091 is very active, with some posts yesterday.

@HarmElz

HarmElz commented Nov 3, 2023

I have the same problem; unfortunately this still exists with Sonoma 14.1.
There is no light on the USB tokens from Nitrokey.
I have tried several "solutions" which seem to work for some users with different cards. I know macOS has made quite some changes to the SDK for smart cards, so probably it has something to do with that.
I do use a USB hub; that does not make any difference.
A USB log in Wireshark can be found here: https://maarten.hemker.nl/XHC2.pcapng

@dengert
Member

dengert commented Nov 3, 2023

The Wireshark trace does show USB CCID bulk transfers. Using a filter usb.addr=="2.9.2" shows 3 sets of transfers based on the time. https://www.usb.org/sites/default/files/DWG_Smart-Card_CCID_Rev110.pdf defines the protocol used.

For example Frame 355:

0000   01 01 28 01 22 00 00 00 00 00 00 00 00 00 00 00   ..(."...........
0010   14 18 00 00 00 00 00 00 00 20 12 02 01 09 82 02   ......... ......
0020   0b 00 00 00 a0 20 30 42 80 18 00 00 00 00 01 00   ..... 0B........
0030   00 00 3b de 18 ff 81 91 fe 1f c3 80 31 81 54 48   ..;.........1.TH
0040   53 4d 31 73 80 21 40 81 07 1c                     SM1s.!@...

This shows the card ATR:
https://smartcard-atr.apdu.fr/parse?ATR=+3b+de+18+ff+81+91+fe+1f+c3+80+31+81+54+48++53+4d+31+73+80+21+40+81+07+1c

"SmartCard-HSM 4K USB-Token (JavaCard)"

Between frames 305 and 419 it looks like the ATR and protocols are being set up between host and card reader.
Between frame 419 (at time 8.04391) and frame 718 (at time 15.8626639) is 7.82 seconds; most likely the OS is doing something, then it starts over.

Now what you need is someone to look at what is going on.

@HarmElz

HarmElz commented Nov 4, 2023

Thank you, this put me on the right path to find a solution; at least for me it seems to work (I have not done all tests).
Your comment put me on the path that the CCID driver might be the problem. I updated this manually to the latest version from here: https://ccid.apdu.fr/files/ and that solved the problem. Currently version 1.5.4.

The steps I took, come from this link: https://developer.apple.com/forums/thread/732091?page=2

But are as follows:

  • Make sure you have installed both libusb and pkg-config from brew (brew install libusb).
  • Download the latest CCID driver from here https://ccid.apdu.fr/files/ and unzip it.
  • In terminal, cd to where the libs from libusb are installed (mine was in /opt/homebrew/Cellar/libusb/1.0.26/lib) and run these 2 commands:
      mv libusb-1.0.dylib libusb-1.0.lib
      mv libusb-1.0.0.dylib libusb-1.0.0.lib
  • cd to where you unpacked the CCID stuff and run these 2 commands:
      pkg-config --libs libusb-1.0
      pkg-config --cflags libusb-1.0
  • Install the driver using these commands:
      ./MacOSX/configure
      make
      sudo make install
  • Assuming you've followed along correctly and everything ran without issues, you should now have a new CCID driver installed in /usr/local/libexec/SmartCardServices/drivers/ifd-ccid.bundle.
  • Once you have made all your changes, in order for this driver to take effect you have to reboot the system.

Hope this solves the problems for others as well.

@BenSartor

Thanks everybody for finding a solution. After installing ccid 1.5.4 my Nitrokey Pro 2 now works again on macOS 14 Sonoma. However, moving the libusb files broke gpg --card-status for me, even for the Nitrokey 3, which worked before. Linking them instead works with both keys. This is what I did:

brew list libusb
cd /usr/local/Cellar/libusb/1.0.26/lib/

ln -s libusb-1.0.dylib libusb-1.0.lib
ln -s libusb-1.0.0.dylib libusb-1.0.0.lib

mkdir ~/Downloads/ccid
cd ~/Downloads/ccid
curl https://ccid.apdu.fr/files/ccid-1.5.4.tar.bz2 | tar -xj
cd ccid-1.5.4/

pkg-config --libs libusb-1.0
pkg-config --cflags libusb-1.0

./MacOSX/configure
make
sudo make install

@PCovesCentreon

I have yet to find time to make this work, as I'm using nix-darwin, which brings another layer of complexity on top of this already weird situation.

Thanks for the updates, I'll tell you how it goes.
In the meantime, I had to stop using the Nitrokey and have the keys on my machine, which is a shame.

@metsma
Contributor

metsma commented Nov 14, 2023

Our testing team discovered that copying the system CCID driver to /usr/local also fixes the problem:

sudo mkdir -p /usr/local/libexec/SmartCardServices/drivers
sudo cp -a /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle /usr/local/libexec/SmartCardServices/drivers
sudo reboot
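Whichever route is taken, building libccid from source as in the steps earlier in the thread or copying the system bundle as above, the follow-up question is the one raised when the 1.5.2 installer left 1.5.1 in place: which ifd-ccid.bundle is actually installed where? The following is an added Python check, not code from OpenSC or from any commenter. It reads CFBundleShortVersionString from the Info.plist of the two bundle paths quoted in this thread, reports both versions, and flags a missing /usr/local bundle (an OS update can remove it) or one older than the version the caller expects. It only reports what is on disk; that pcscd picks up the /usr/local copy is what the workaround relies on, not something this script verifies.

```python
"""Report which ifd-ccid.bundle versions are present in the driver locations
named in this thread.  Added example: not code from the OpenSC project or
from any commenter.  The bundle paths are the ones quoted in the thread."""
import plistlib
from pathlib import Path

# System driver location and the /usr/local location used by the workaround.
SYSTEM_BUNDLE = "/usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle"
LOCAL_BUNDLE = "/usr/local/libexec/SmartCardServices/drivers/ifd-ccid.bundle"


def bundle_version(info_plist):
    """CFBundleShortVersionString from Info.plist bytes (XML or binary plist)."""
    return plistlib.loads(info_plist).get("CFBundleShortVersionString")


def version_tuple(version):
    """'1.5.4' -> (1, 5, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def assess(system_plist, local_plist, minimum=None):
    """system_plist / local_plist: Info.plist bytes, or None if that bundle is
    absent.  minimum: optional version string expected in /usr/local (e.g. the
    1.5.4 one commenter built).  Returns both versions plus a verdict."""
    system_v = bundle_version(system_plist) if system_plist else None
    local_v = bundle_version(local_plist) if local_plist else None
    if local_v is None:
        verdict = "local bundle missing: copy or rebuild it, then reboot"
    elif minimum and version_tuple(local_v) < version_tuple(minimum):
        verdict = "local bundle %s is older than expected %s" % (local_v, minimum)
    else:
        verdict = "ok"
    return {"system": system_v, "local": local_v, "verdict": verdict}


def read_info_plist(bundle_dir):
    """Info.plist bytes for a bundle directory, or None when it does not exist."""
    path = Path(bundle_dir) / "Contents" / "Info.plist"
    return path.read_bytes() if path.is_file() else None


def make_plist(version):
    """Constructed Info.plist containing only the key this check reads; used to
    exercise the check offline, it is not a real driver's plist."""
    return plistlib.dumps({"CFBundleShortVersionString": version})


if __name__ == "__main__":
    # On a Mac this reads the real bundles; elsewhere both come back as None.
    print(assess(read_info_plist(SYSTEM_BUNDLE), read_info_plist(LOCAL_BUNDLE),
                 minimum="1.5.4"))
```

Run it after the reboot the procedure calls for, and again after any macOS update, since a missing /usr/local bundle silently puts the system driver back in charge.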

@sbamamoto

Thank you all!! You have ended a sad time using a Linux VM to connect to my company. I followed @metsma's last post, and it worked like a charm. Don't forget to reboot after copying the folder.
Thanks again!!!

@PCovesCentreon

I can confirm copying the files works on an up-to-date M2 MBP + nix-darwin.

It feels a bit odd, but it's better than no GPG, right?

@frankmorgner
Member

frankmorgner commented Nov 21, 2023

Apple seems to have heard the message and switches from their own implementation back to libccid as default driver with 14.1, see https://blog.apdu.fr/posts/2023/11/apple-own-ccid-driver-in-sonoma/

@Jakuje
Member

Jakuje commented Nov 21, 2023

Given that this is resolved (outside of opensc), I think we can close this issue, correct?

@pradig
Author

pradig commented Nov 21, 2023

Given that this is resolved (outside of opensc), I think we can close this issue, correct?

Works for me. Thanks!

@pradig pradig closed this as completed Nov 21, 2023
@sbamamoto

After a Sonoma update the libexec folder in /usr/local was deleted. You will need to copy the bundle again.

@MarsArtis

MarsArtis commented Dec 7, 2023

Hi everybody,
first of all please forgive me, but I'm not so into coding and I may write improper sentences.
As many here, I'm suffering the Sonoma (14.1.2) issue with a SmartCard reader, marked as ChipNet and recognized by MacOS sysinfo as

EMV Smartcard Reader:
  ID prodotto:	0x9540
  ID fornitore:	0x058f  (Alcor Micro, Corp.)

I have had no luck in finding any specific and updated driver for the reader, which obviously was working smoothly before Sonoma, and by chance I landed here and on Ludovic Rousseau's blog.

First of all, if I try to check the status I get the following:

defaults read /Library/Preferences/com.apple.security.smartcard.plist useIFDCCID
2023-12-07 12:29:15.119 defaults[13901:617585] 
The domain/default pair of (/Library/Preferences/com.apple.security.smartcard.plist, useIFDCCID) does not exist

and if I use

defaults read /Library/Preferences/com.apple.security.smartcard.plist
{
    UserPairing = 0;
}

Why?

This said, could Ludovic Rousseau's driver suite work for my specific kind of reader?
If so, what is the proper way of installing it?
