SmartCard-HSM: How to unblock user pin from SO-PIN ? #686

Closed
scottthomas007 opened this issue Feb 21, 2016 · 5 comments

@scottthomas007

I personalize the SC-HSM card with the command
sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 12345678 --pin-retry 3 --reader 0
Let's suppose I have forgotten the PIN, so after 3 tries, the user PIN will be blocked.
What's the way to set a new PIN with the help of SO PIN?

@CardContact
Member

As explained here [1], you can use

pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --login --login-type so --so-pin 3537363231383830 --change-pin --new-pin 123456

[1] https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM#initialize-the-device

@scottthomas007
Author

Thanks, it worked

@iComputerfreak

iComputerfreak commented Nov 16, 2018

@CardContact Isn't the command you provided used to change the SO pin? When I run your command, I get the following error:

Using slot 0 with a present token (0x0)
error: PKCS11 function C_SetPIN failed: rv = CKR_PIN_LEN_RANGE (0xa2)
Aborting.

And the link you provided explains how to re-initialize the stick (thereby erasing all data) using

pkcs11-tool --module opensc-pkcs11.so --init-token --init-pin --so-pin=3537363231383830 --new-pin=648219 --label="test" --pin=648219

It also shows how to change the so pin and how to change the user pin (using the old user pin) using

pkcs11-tool --module opensc-pkcs11.so --login --login-type so --so-pin 3537363231383830 --change-pin --new-pin 0123456789012345

and

pkcs11-tool --login --pin 648219 --change-pin --new-pin 123456

So if I see this correctly, you always change the level of pin (SO or user) with which you logged in, correct?

So the question remains, how do I change the user pin, using the SO pin?

@CardContact
Member

You can use

pkcs11-tool --login --login-type so --so-pin=3537363231383830 --init-pin --new-pin=648219

to unblock and set the pin using the SO pin.

I've updated the wiki accordingly.

@CardContact CardContact reopened this Nov 16, 2018
@iComputerfreak

Okay. Thank you very much :)
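
The difference between `--change-pin` (C_SetPIN) and `--init-pin` (C_InitPIN) discussed in this thread, as an added Python example that is not part of the original comments and is not OpenSC code. It is an in-memory model, not a driver for a real token; the `Token` class, the `replay_thread` function and the PIN length limits are assumptions made for illustration.

```python
# Added illustration, not OpenSC code: in-memory model of the PKCS#11 PIN rules in this thread.
# PIN length limits are assumptions; the SO-PIN's own retry counter is not modelled.
USER_LEN, SO_LEN = range(6, 17), range(16, 17)

class Token:
    def __init__(self, so_pin, pin, retries=3):
        self.pins = {"so": so_pin, "user": pin}
        self.max_tries = self.tries_left = retries   # --pin-retry
        self.role = None                             # role logged in on the session

    def login(self, role, pin):                      # C_Login
        if role == "user" and self.tries_left == 0:
            return "CKR_PIN_LOCKED"
        if pin != self.pins[role]:
            if role == "user":
                self.tries_left -= 1
            return "CKR_PIN_INCORRECT"
        if role == "user":
            self.tries_left = self.max_tries
        self.role = role
        return "CKR_OK"

    def set_pin(self, old, new):                     # C_SetPIN (--change-pin)
        # Changes the PIN of whichever role is logged in, never the other one.
        if self.role is None:
            raise NotImplementedError("public-session C_SetPIN is not modelled")
        if old != self.pins[self.role]:
            return "CKR_PIN_INCORRECT"
        if len(new) not in (SO_LEN if self.role == "so" else USER_LEN):
            return "CKR_PIN_LEN_RANGE"
        self.pins[self.role] = new
        return "CKR_OK"

    def init_pin(self, new):                         # C_InitPIN (--init-pin)
        # Only the SO may call this; it sets the user PIN and clears the block.
        if self.role != "so":
            return "CKR_USER_NOT_LOGGED_IN"
        if len(new) not in USER_LEN:
            return "CKR_PIN_LEN_RANGE"
        self.pins["user"], self.tries_left = new, self.max_tries
        return "CKR_OK"

def replay_thread():
    so = "3537363231383830"                          # SO-PIN value used in the thread
    t = Token(so, "12345678", retries=3)
    log = [t.login("user", "00000000") for _ in range(4)]  # 3 misses, then locked
    log.append(t.login("so", so))
    log.append(t.set_pin(so, "123456"))    # --change-pin as SO: targets the SO-PIN
    log.append(t.init_pin("648219"))       # --init-pin as SO: unblocks the user PIN
    log.append(t.login("user", "648219"))
    return log
```
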
