Hello William,
On 30/09/2011 15:42, HOURY William wrote:
> I have noticed a strange behavior when trying to unblock the user PIN using
> PKCS#11 on an Athena ASEPCOS card configured with 2 PIN & 2 PUK as follows:
>
> > PKCS#15 Card [OpenSC Card]:
> >     Version        : 0
> >     Serial number  : 0106535458140F10
> >     Manufacturer ID: OpenSC Project
> >     Last update    : 20110727143948Z
> >     Flags          : EID compliant
> > PIN [Security Officer PIN]
> >     Object Flags   : [0x3], private, modifiable
> >     ID             : ff
> >     Flags          : [0x92], local, initialized, soPin
> >     Length         : min_len:4, max_len:16, stored_len:8
> >     Pad char       : 0x00
> >     Reference      : 2
> >     Type           : ascii-numeric
> >     Path           : 3f005015
> > PIN []
> >     Object Flags   : [0x3], private, modifiable
> >     ID             : 01
> >     Flags          : [0x12], local, initialized
> >     Length         : min_len:4, max_len:16, stored_len:8
> >     Pad char       : 0x00
> >     Reference      : 4
> >     Type           : ascii-numeric
> >     Path           : 3f005015
>
> Using PKCS#11, if I perform a C_Login() with the CKU_SO user type, I must
> enter the Security officer PIN if I want the operation to succeed.
>

Afaik, for the Athena ASEPCOS card the SoPIN and UserPUK are different codes,
and so you should not use CKU_SO login to unlock User PIN.
(PUK codes have no associated PKCS#15 authentication object).

You can use the 'C_SetPIN in unlogged session' mode of the unblock procedure.
For this you have to set
'user_pin_unblock_style = set_pin_in_unlogged_session'
in the pkcs#11 section of your opensc.conf.

With this setting the following 'works-for-me':

    #./build/bin/pkcs11-tool --module ./build/lib/opensc-pkcs11.so --slot 1 --unlock-pin --puk "8888"
    Please enter the new PIN:
    Please enter the new PIN again:
    PIN successfully changed

Normally you should be able to use CKU_CONTEXT_SPECIFIC login type,
but actually something is rotten in its implementation -- will see it later.

> It would make more sense to enter the user PUK since the main goal of this
> operation is to be able to unblock the user PIN code…
>
> Thanks
>
>
> William
>

Kind regards,
Viktor.
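The setting named in the reply above, shown where it sits in opensc.conf. This is an added example, not part of the original message; the enclosing `app opensc-pkcs11` block is assumed to match the layout of the stock opensc.conf, so merge the line into the block your file already has.

```conf
# opensc.conf fragment (added example, not from the original message)
app opensc-pkcs11 {
	pkcs11 {
		# Default is "none": the user PIN cannot be unblocked through PKCS#11.
		# user_pin_unblock_style = none;

		# C_SetPIN() in a session with no login: the PUK is passed as the
		# old-PIN argument and the new user PIN as the new-PIN argument.
		user_pin_unblock_style = set_pin_in_unlogged_session;
	}
}
```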