Support PIN unblocking in minidriver via PUK as response to challenge

Minidriver currently has basic support for unblocking card PIN by providing PUK as an administrator password to CardUnblockPin() function. However, this doesn't work for example when trying to unblock PIN via system smartcard PIN unblock screen accessible after pressing Ctrl+Alt+Del as it wants to use challenge / response authentication. MS Smart Card Minidriver specification (version 7.07) explicitly says that challenge / response is the only authentication mode that Windows uses to authenticate an administrator. Unfortunately, this way of unblocking PIN seems to not be widely supported by cards. However, we can simply treat the provided response to challenge as PUK. Because (at least) Ctrl+Alt+Del PIN unblock screen accepts only hex string, every PUK digit X has to be input as '3X' (without quotes) there. Also the response string is not hidden behind asterisks on this screen as it should been. Signed-off-by: Maciej S. Szmigiero <[email protected]>
OpenSC · Oct 22, 2016 · 1acde82 · 1acde82
1 parent b34a34a
commit 1acde82
Showing 1 changed file with 20 additions and 6 deletions.
diff --git a/src/minidriver/minidriver.c b/src/minidriver/minidriver.c
@@ -3311,16 +3311,30 @@ DWORD WINAPI CardUnblockPin(__in PCARD_DATA pCardData,
  logprintf(pCardData, 1, "\nP:%d T:%d pCardData:%p ",GetCurrentProcessId(), GetCurrentThreadId(), pCardData);
  logprintf(pCardData, 1, "CardUnblockPin\n");
 
- if (pwszUserId == NULL)
+ if (pwszUserId == NULL) {
+ logprintf(pCardData, 1, "no user ID\n");
  return SCARD_E_INVALID_PARAMETER;
- if (wcscmp(wszCARD_USER_USER, pwszUserId) != 0 && wcscmp(wszCARD_USER_ADMIN,pwszUserId) != 0)
+ }
+ if (wcscmp(wszCARD_USER_USER, pwszUserId) != 0 && wcscmp(wszCARD_USER_ADMIN,pwszUserId) != 0) {
+ logprintf(pCardData, 1, "unknown user ID %S\n", pwszUserId);
  return SCARD_E_INVALID_PARAMETER;
- if (wcscmp(wszCARD_USER_ADMIN, pwszUserId) == 0)
-  return SCARD_E_UNSUPPORTED_FEATURE;
- if (dwFlags & CARD_AUTHENTICATE_PIN_CHALLENGE_RESPONSE)
+ }
+ if (wcscmp(wszCARD_USER_ADMIN, pwszUserId) == 0) {
+  logprintf(pCardData, 1, "unlocking admin not supported\n");
  return SCARD_E_UNSUPPORTED_FEATURE;
- if (dwFlags)
+ }
+ if (dwFlags & CARD_AUTHENTICATE_PIN_CHALLENGE_RESPONSE) {
+ logprintf(pCardData, 1,
+ "challenge / response not supported, we'll treat response as a PUK\n");
+ logprintf(pCardData, 1,
+ "note that you'll need to type PUK in hex (replace every PUK digit X with '3X') in Win CAD unblock dialog response field\n");
+ dwFlags &= ~CARD_AUTHENTICATE_PIN_CHALLENGE_RESPONSE;
+ }
+ if (dwFlags) {
+ logprintf(pCardData, 1, "flags of %x not supported\n",
+ (unsigned int)dwFlags);
  return SCARD_E_INVALID_PARAMETER;
+ }
 
  logprintf(pCardData, 1, "UserID('%S'), AuthData(%p, %u), NewPIN(%p, %u), Retry(%u), dwFlags(0x%X)\n",
  pwszUserId, pbAuthenticationData, cbAuthenticationData, pbNewPinData, cbNewPinData,