Given an SO-PIN, how do you change the PIN? #2867

Closed
minfrin opened this issue Sep 20, 2023 · 4 comments · Fixed by #2983

@minfrin

minfrin commented Sep 20, 2023

Problem Description

I have a smartcard where the PIN and PUK have been lost. I have the SO-PIN, and would like to re-set the PIN. There does not seem to be a way to do this.

Steps to reproduce

Test is good:

blackadder ~ # pkcs11-tool --login-type so --login --test
Using slot 0 with a present token (0x0)
Logging in to "xxx (Smartcard PIN)".
Please enter SO PIN: 
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signature: not a R/W session, skipping signature tests
Verify: not a R/W session, skipping verify tests
Decryption: not a R/W session, skipping decryption tests
No errors

Change PIN is no good, asks for the existing PIN:

blackadder ~ # pkcs11-tool --login-type so --login --change-pin
Using slot 0 with a present token (0x0)
Logging in to "xxx (Smartcard PIN)".
Please enter SO PIN: 
Please enter the current PIN: 
^C

Init PIN no good, fails complaining about the PIN length (with no way to indicate which PIN; I'm assuming this might be trying to change the SO PIN, which I do not want to do):

blackadder ~ # pkcs11-tool --login-type so --login --init-pin
Using slot 0 with a present token (0x0)
Logging in to "xxx (Smartcard PIN)".
Please enter SO PIN: 
Please enter the new PIN: 
Please enter the new PIN again: 
error: PKCS11 function C_InitPIN failed: rv = CKR_PIN_LEN_RANGE (0xa2)
Aborting.

The pkcs15-tool also appears not to work; we try to change the PIN, and the SO-PIN is being changed (no):

blackadder ~ # pkcs15-tool --change-pin
Using reader with a card: ACS ACR39U ICC Reader 00 00
Enter old PIN [Security Officer PIN]: 
^C

Try to change the PIN by specifying the auth-id; we're asked for the old PIN we don't have:

blackadder ~ # pkcs15-tool --auth-id 01 --change-pin
Using reader with a card: ACS ACR39U ICC Reader 00 00
Enter old PIN [Smartcard PIN]: 
^C

Is this even possible?

@Jakuje
Member

Jakuje commented Sep 21, 2023

This will likely depend on the card type. The SO-pin is usually part of the card management, which is out of scope of pkcs11 (or is not implemented in the drivers).

Again, depending on the card, the SO pin can be either used to change the PIN or reset the card or neither of these.

@CardContact
Member

On the SmartCard-HSM you can change the SO-PIN using

pkcs11-tool --login --login-type so --so-pin ${SOPIN} --change-pin --new-pin ${SOPIN2}

@popovec
Member

popovec commented Sep 21, 2023

MyEID card, the above procedure also works

pkcs11-tool --login --login-type so --so-pin ${SOPIN} --change-pin --new-pin ${SOPIN2}

but the question concerns something else, how to use SO-PIN to reset the user PIN.

MyEID supports the so-called global unblocker and global admin flags, which must be assigned for a specific PIN during card initialization. Currently, the OpenSC/MyEID driver (src/pkcs15init/pkcs15-myeid.c) sets the flags during SO-PIN initialization so that not a single PIN has support for global unblocker or admin status. Therefore, if the user PIN is lost, it is not possible to unblock it via SO-PIN.

@CardContact
Member

Yes, you are right, the question was different. Resetting the user PIN is:

pkcs11-tool --login --login-type so --so-pin ${SOPIN} --init-pin --new-pin ${PIN}

In the SmartCard-HSM you need to have the "User PIN reset with SO-PIN enabled" option set during initialization. That is the default when using sc-hsm-tool and can be selected when using the Smart Card Shell.

frankmorgner added a commit to frankmorgner/OpenSC that referenced this issue Jan 12, 2024
frankmorgner added a commit to frankmorgner/OpenSC that referenced this issue Jan 16, 2024
frankmorgner added a commit to frankmorgner/OpenSC that referenced this issue Jan 30, 2024
frankmorgner added a commit to frankmorgner/OpenSC that referenced this issue Feb 13, 2024
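
An added example, not part of the thread or of OpenSC: a pre-flight check that compares the intended user PIN length with the range the token advertises, then runs the SO-authorised `--init-pin` with interactive prompts so no PIN appears on the command line. CKR_PIN_LEN_RANGE is the PKCS#11 return code for a PIN length outside that range. Assumptions: the function names are hypothetical, the sample listing is constructed, the `pin min/max` line is taken to have the layout shown in the sample, and the first token listed is the one being reset.

```shell
#!/bin/sh
# Added example: hypothetical helper names, constructed sample data.

# Constructed sample of `pkcs11-tool --list-token-slots` output
# (not captured from a real card; the line layout is an assumption).
SAMPLE_LISTING='Available slots:
Slot 0 (0x0): ACS ACR39U ICC Reader 00 00
  token label        : xxx (Smartcard PIN)
  token flags        : login required, rng, token initialized, PIN initialized
  pin min/max        : 4/8'

# pin_range LISTING: print "MIN MAX" from the first "pin min/max" line.
pin_range() {
    printf '%s\n' "$1" |
        sed -n 's|^ *pin min/max *: *\([0-9][0-9]*\)/\([0-9][0-9]*\).*|\1 \2|p' |
        head -n 1
}

# pin_len_ok LENGTH LISTING
#   0: LENGTH is inside the advertised range
#   1: LENGTH is outside it (C_InitPIN is expected to fail with
#      CKR_PIN_LEN_RANGE)
#   2: no usable range, or LENGTH is not a number
pin_len_ok() {
    case $1 in ''|*[!0-9]*) return 2 ;; esac
    range=$(pin_range "$2")
    [ -n "$range" ] || return 2
    min=${range% *}
    max=${range#* }
    [ "$1" -ge "$min" ] && [ "$1" -le "$max" ]
}

# reset_user_pin: check the length first, then let pkcs11-tool prompt for
# the SO PIN and the new PIN, keeping both out of the process list and
# shell history. Only succeeds if the card allows SO-PIN-based reset.
reset_user_pin() {
    listing=$(pkcs11-tool --list-token-slots) || return 1
    printf 'Length of the new user PIN: ' >&2
    read -r len
    if ! pin_len_ok "$len" "$listing"; then
        echo "PIN length not accepted; token range: $(pin_range "$listing")" >&2
        return 1
    fi
    pkcs11-tool --login --login-type so --init-pin
}
```

Call `reset_user_pin` with the card inserted; a passing length check does not guarantee success, since the card may enforce further PIN rules or, as described in the comments above, not permit SO-PIN reset at all.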