-
Notifications
You must be signed in to change notification settings - Fork 713
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Given an SO-PIN, how do you change the PIN? #2867
Comments
This will likely depend on the card type. The SO-pin is usually part of the card management, which is out of scope of pkcs11 (or is not implemented in the drivers). Again, depending on the card, the SO pin can be either used to change the PIN or reset the card or neither of these. |
On the SmartCard-HSM you can change the SO-PIN using
|
MyEID card, the above procedure also works
but the question concerns something else, how to use SO-PIN to reset the user PIN. MyEID supports the so-called global unblocker and global admin flags, which must be assigned for a specific PIN during card initialization. Currently, OpenSC /MyEID driver - src/pkcs15init/pkcs15-myeid.c/, sets the flags during SO-PIN initialization so that not a single PIN has support for global unblocker or admin status. Therefore, if the user PIN is lost, it is not possible to unblock it via SO-PIN. |
Yes, you are right, the question was different. Resetting the user PIN is:
In the SmartCard-HSM you need to have set the "User PIN reset with SO-PIN enabled" option set during initialization. That is the default when using sc-hsm-tool and can be selected when using the Smart Card Shell. |
Problem Description
I have a smartcard where the PIN and PUK have been lost. I have the SO-PIN, and would like to re-set the PIN. There does not seem to be a way to do this.
Steps to reproduce
Test is good:
Change PIN is no good, asks for the existing PIN:
Init PIN no good, fails complaining about the PIN length (with no way to indicate which PIN, I'm assuming this might be trying to change the SO PIN, which I do not want to do):
The pkcs15-tool also appears to not work, we try change the PIN, and the SO-PIN is being changed (no):
Try change the PIN by specifying the auth-id, we're asked for the old PIN we don't have:
Is this even possible?
The text was updated successfully, but these errors were encountered: