Hello,

I upgraded my signing server to Debian 13, but I have a problem with my HSM:

Oct 15 21:09:18 arrakeen knotd[29552]: error: [durel.org.] zone event 'load' failed (PKCS #11 token not available)
Oct 15 21:09:18 arrakeen knotd[29552]: error: [geekwu.org.] zone event 'load' failed (PKCS #11 token not available)


keymgr gives me the same error:

# keymgr geekwu.org list
error: failed to initialize KASP (PKCS #11 token not available)

despite hsmwiz being able to access the key:

# hsmwiz identify
Using reader with a card: Nitrokey Nitrokey HSM (DENK01067960000         ) 00 00
Version              : 3.4
Config options       :
  User PIN reset with SO-PIN enabled
SO-PIN tries left    : 15
User PIN tries left  : 3

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Default SO-PIN: 3537363231383830    Default PIN: 648219
Now executing: pkcs15-tool --dump
Using reader with a card: Nitrokey Nitrokey HSM (DENK01067960000         ) 00 00
PKCS#15 Card [knot]:
Version        : 0
Serial number  : DENK0106796
Manufacturer ID: www.CardContact.de
Flags          : PRN generation
[...]
Public EC Key [Private Key]
Object Flags   : [0x00]
Usage          : [0x140], verify, derive
Access Flags   : [0x02], extract
FieldLength    : 384
Key ref        : 0 (0x00)
Native         : no
ID             : 74f59bc17317bfccc5806108d84df1abd275faef
DirectValue    : <present>

Knot is using this keystore:

keystore:
  - id: nitrokey
    backend: pkcs11
    config: "pkcs11:pin-value=*** /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so"

I verified /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so still exists, and ldd doesn't report any missing dependency.

strace let me see the communication with pcscd, whose logs have these:

Oct 15 21:20:14 arrakeen systemd[1]: Started pcscd.service - PC/SC Smart Card Daemon.
Oct 15 21:20:20 arrakeen pcscd[33186]: 00000000 ../src/auth.c:166:IsClientAuthorized() Process 33204 (user: 134) is NOT authorized for action: access_pcsc
Oct 15 21:20:20 arrakeen pcscd[33186]: 00000071 ../src/winscard_svc.c:357:ContextThread() Rejected unauthorized PC/SC client

After a bit of digging, I found it's controlled by polkit, and added a brutal rule:

cat /etc/polkit-1/rules.d/pcsc.rules
/* -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*- */
polkit.addRule(function(action, subject) {
    if (subject.isInGroup("pcsc")) {
        return polkit.Result.YES;
    }
});

With knot added to the pcsc group, it can access the HSM again.

Do you know of a better way to configure this?

NB: I'm using another account, as I began to write this with no DNS server running

Regards,

-- 
Bastien Durel
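Added example (not part of Bastien's message, nor code from Knot DNS or pcsc-lite): a narrower polkit rule than the group-wide one above. pcsc-lite's policy only authorises active local sessions by default, which a system daemon never has, so a rule is needed; this one answers YES only for the knotd service account and only for the two pcsc-lite actions (`org.debian.pcsc-lite.access_pcsc`, seen in the pcscd log above, and `org.debian.pcsc-lite.access_card`), and returns NOT_HANDLED for everything else so the policy defaults still apply to other users and actions. Assumptions: the daemon runs as user `knot` (Debian's package default), the rule lives in a file of your choosing under /etc/polkit-1/rules.d/, and the `makeSubject`/`simulate` helpers are constructed here only to exercise the rule outside polkitd.

```javascript
/* Narrow polkit rule for pcscd: authorise only the knotd account for the
 * pcsc-lite actions. ES5 syntax on purpose: polkitd's embedded JavaScript
 * engine (mozjs or duktape, depending on the build) may not accept newer
 * constructs. Everything below the "simulation helpers" line is a test
 * harness, not something polkitd needs. */

/* Action identifiers defined by pcsc-lite's polkit policy file. */
var PCSC_ACTIONS = [
    "org.debian.pcsc-lite.access_pcsc",  /* connect to the pcscd daemon */
    "org.debian.pcsc-lite.access_card"   /* open a card in a reader */
];

/* Assumed account name knotd runs under (Debian's knot package uses "knot"). */
var KNOT_USER = "knot";

/* Inside polkitd the "polkit" global supplies the Result constants; when run
 * stand-alone we mirror the same string values polkit itself uses. */
var Result = (typeof polkit !== "undefined")
    ? polkit.Result
    : { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" };

/* Rule callback with polkit's (action, subject) signature. Returns Result.YES
 * only when KNOT_USER requests a pcsc-lite action; every other combination
 * returns NOT_HANDLED so later rules and the policy's own defaults decide. */
function checkKnotPcscAccess(action, subject) {
    if (PCSC_ACTIONS.indexOf(action.id) === -1) {
        return Result.NOT_HANDLED;      /* unrelated action: stay out of it */
    }
    if (subject.user === KNOT_USER) {
        return Result.YES;              /* the DNS signer may reach the HSM */
    }
    return Result.NOT_HANDLED;          /* anyone else: default policy applies */
}

/* Register the rule only when actually running inside polkitd. */
if (typeof polkit !== "undefined") {
    polkit.addRule(checkKnotPcscAccess);
}

/* ---- simulation helpers (constructed for testing, not polkit API) ---- */

/* Builds an object exposing the one Subject property the rule reads. */
function makeSubject(user) {
    return { user: user };
}

/* Runs the rule over a small table of constructed requests and returns the
 * decisions in order, the way polkitd would evaluate each authorisation. */
function simulate() {
    var cases = [
        { who: "knot",  action: "org.debian.pcsc-lite.access_pcsc" },
        { who: "knot",  action: "org.debian.pcsc-lite.access_card" },
        { who: "alice", action: "org.debian.pcsc-lite.access_pcsc" },
        { who: "knot",  action: "org.example.unrelated" }  /* placeholder id */
    ];
    var decisions = [];
    for (var i = 0; i < cases.length; i++) {
        var c = cases[i];
        decisions.push(checkKnotPcscAccess({ id: c.action }, makeSubject(c.who)));
    }
    return decisions;   /* ["yes", "yes", "not_handled", "not_handled"] */
}
```

Because the rule keys on `subject.user` rather than group membership, it keeps working even if the `pcsc` group is later emptied, and an interactive user who happens to be in that group gets no extra access from it; polkit evaluates rules files in lexical order, so name the file so it sorts before any broader local rules.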