On 12/11/2012 8:06 PM, Ravneet Singh Khalsa wrote:
Hi, does any tool or API exist to change the Admin PIN on Gemalto PIV cards?
If the card is following NIST 800-73-3 the piv-tool can do it. 800-73 leaves a lot of card management commands up to the vendor, so check the vendor docs on this and on what the initial PUK is. The PUK is not used by the end user, and some commands to the card may require the global PIN vs the PIV application PIN or PUK as defined in 800-73-3.

piv-tool -s 00:2C:00:81:10:$OLDPUK:$NEWPUK

Where $OLDPUK is the current and $NEWPUK is the new one. Both are hex representations of the numbers padded to 8 with FF. So to change from 1234567 to 112233:

piv-tool -s 00:2C:00:81:10:31:32:33:34:35:36:37:ff:31:31:32:32:33:33:ff:ff

On some cards the previous PUK may have been all hex zeros.

The attached script could be used. It is assuming a $1 parameter that is a card number ($CARDN) that is used to look up information about the card, such as the previous PUK in ./cards/$CARDN/
Thanks.

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
-- Douglas E. Engert <deeng...@anl.gov> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444
#!/bin/sh
#
# change a pin or puk using the old pin or puk
#
# parms
#   <card number>
#   c   - change a pin, will prompt for oldpin and newpin
#   puk - change the puk using old puk, will prompt for newpuk
#   r   - reset pin using puk, prompt for new pin
#
# If using puk get it from database,
#   cards/$CARDN.puk
# if changing puk save to database
#   save previous as cards/$CARDN.puk.prev
#   new as cards/$CARDN.puk
#
# Note: the pins and puks are passed to piv-tool on its command line,
# so they are visible to other users of the machine via ps while
# piv-tool runs, and the puk is kept in clear text in cards/$CARDN.puk.

PATH=/opt/smartcard/bin:$PATH

####################
ConvertPin() {
    # $1 is string of hex digits with : or decimal digits
    #   hh:hh:hh:hh:hh:hh:hh:hh
    #   0 meaning 00:00:00:00:00:00:00:00
    # decimal digits become their ASCII codes (3x) and are padded
    # to 8 bytes with FF, as piv-tool -s expects
    # place output in CONVERTEDPIN, empty if the input is not valid
    if [ "X$1" = "X0" ] ; then
        CONVERTEDPIN="00:00:00:00:00:00:00:00"
        return
    fi
    # XTEST is all zeros (and colons) when $1 is already hh:hh:...
    # DTEST is all zeros when $1 is all decimal digits
    XTEST=`echo "$1" | tr "0123456789abcdefABCDEF" "0000000000000000000000" `
    DTEST=`echo "$1" | tr "0123456789" "0000000000" `
    if [ "X$XTEST" = "X00:00:00:00:00:00:00:00" ] ; then
        CONVERTEDPIN="$1"
        return
    fi
    case $DTEST in
        000000)
            CONVERTEDPIN=`echo "${1}FF:FF" | sed -e 's/[0-9]/3&:/g'`
            ;;
        0000000)
            CONVERTEDPIN=`echo "${1}FF" | sed -e 's/[0-9]/3&:/g'`
            ;;
        00000000)
            CONVERTEDPIN=`echo "${1}" | sed -e 's/[0-9]/3&:/g' -e 's/:$//'`
            ;;
        *)
            echo "invalid format of pin=\"$1\""
            echo "  pin must be 6, 7 or 8 digits or"
            echo "  hex string like hh:hh:hh:hh:hh:hh:hh:hh"
            echo "  \"0\" for 00:00:00:00:00:00:00:00"
            CONVERTEDPIN=""
            ;;
    esac
}

##################
GetPin() {
    # $1 is number of times to prompt, 1 for now
    # $2 is the prompt
    # prompts until ConvertPin accepts the answer, result in READPIN
    CONVERTEDPIN=""
    until [ "X$CONVERTEDPIN" != "X" ]
    do
        # echo without the cr, works on Solaris and Linux
        printf "%s:" "$2"
        read ANS
        ConvertPin "$ANS"
    done
    READPIN=$CONVERTEDPIN
}

##################
# main
##################
# Change pin using pin:
#   00 24 00 80 10 oldpin newpin
# Change pin using puk
#   00 2C 00 80 10 oldpuk newpin
# Change puk using puk
#   00 2C 00 81 10 oldpuk newpuk
#
case "X$2" in
    Xc*|Xpuk|Xr*)
        ;;
    *)
        echo "card number and operation required"
        echo "  operations are:"
        echo "  c   - change a user pin using the old user pin"
        echo "  puk - change the puk to new puk"
        echo "  r   - reset the user pin using the puk"
        exit 1
        ;;
esac

CARDN="$1"
OPT="$2"

#
# make sure we have an old puk and it is valid format
#
if [ ! -f "cards/$CARDN.puk" ] ; then
    echo "cards/$CARDN.puk not found"
    exit 1
fi
OLDPUK=`cat "cards/$CARDN.puk"`
ConvertPin $OLDPUK
if [ "X$CONVERTEDPIN" = "X" ] ; then
    echo "old puk from \"cards/$CARDN.puk\" is not valid"
    exit 1
fi
OLDPUK="$CONVERTEDPIN"

case $OPT in
    c*)
        GetPin 1 "Old User Pin"
        OLDPIN="$READPIN"
        GetPin 1 "New User Pin"
        NEWPIN="$READPIN"
        piv-tool -s 00:24:00:80:10:$OLDPIN:$NEWPIN
        ;;
    puk)
        GetPin 1 "New Puk"
        NEWPUK="$READPIN"
        # keep the old puk as .prev and the candidate as .new until
        # piv-tool reports that the card accepted the change
        mv "cards/$CARDN.puk" "cards/$CARDN.puk.prev"
        if [ $? -ne 0 ] ; then
            echo "failed to move cards/$CARDN.puk cards/$CARDN.puk.prev"
            exit 2
        fi
        echo "$NEWPUK" > "cards/$CARDN.puk.new"
        if [ ! -f "cards/$CARDN.puk.new" ] ; then
            echo "failed to save new puk to cards/$CARDN.puk.new"
            exit 1
        fi
        piv-tool -s 00:2C:00:81:10:$OLDPUK:$NEWPUK
        if [ $? -eq 0 ] ; then
            mv "cards/$CARDN.puk.new" "cards/$CARDN.puk"
            if [ ! -f "cards/$CARDN.puk" ] ; then
                echo "failed to save new puk to cards/$CARDN.puk"
                exit 3
            fi
        else
            echo "piv-tool failed to set puk"
            echo "  see cards/$CARDN.puk.new and cards/$CARDN.puk.prev"
            echo "  one of these should have the current puk"
            exit 4
        fi
        ;;
    r*)
        GetPin 1 "New User Pin"
        NEWPIN="$READPIN"
        piv-tool -v -s 00:2C:00:80:10:$OLDPUK:$NEWPIN
        ;;
    *)
        echo "Invalid operation"
        exit 2
        ;;
esac
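The PIN encoding the reply describes (ASCII digits padded to 8 bytes with FF, "0" standing for eight 00 bytes) and the three APDU headers listed at the top of the attached script, as an added helper that is not part of the original post or of OpenSC. The function names pin_to_hex and pin_apdu are this example's own. The APDU headers are copied from the post as written and are not checked here against 800-73-3 or any vendor document, so confirm them for your card before sending. Unlike the script's ConvertPin, which matches on a pattern, this one rejects anything that is not 6 to 8 decimal digits (or the single "0" for an all-zero PUK) and returns non-zero, so a typo never reaches the card and burns a retry.

```shell
#!/bin/sh
# Added example, not from the original post or the OpenSC project.
# Builds the hex string piv-tool -s expects for the PIN/PUK commands
# quoted in the post: ASCII digits, padded to 8 bytes with ff; "0"
# means eight 00 bytes (the factory PUK on some cards, per the post).

# pin_to_hex PIN -> prints hh:hh:hh:hh:hh:hh:hh:hh, returns 1 on bad input
pin_to_hex() {
    pin=$1
    if [ "$pin" = "0" ]; then
        printf '%s\n' "00:00:00:00:00:00:00:00"
        return 0
    fi
    case $pin in
        *[!0-9]*|'') return 1 ;;        # decimal digits only, non-empty
    esac
    n=${#pin}
    if [ "$n" -lt 6 ] || [ "$n" -gt 8 ]; then
        return 1                        # PIV PINs are 6 to 8 digits
    fi
    out=""
    rest=$pin
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}           # first character of what is left
        rest=${rest#?}
        # ASCII '0' is 48, so digit d encodes as 0x30 + d
        out="$out${out:+:}$(printf '%02x' $((48 + c)))"
    done
    while [ "$n" -lt 8 ]; do            # pad to 8 bytes with ff
        out="$out:ff"
        n=$((n + 1))
    done
    printf '%s\n' "$out"
}

# pin_apdu OP OLD NEW -> prints the full string for piv-tool -s
#   change : change PIN using the old PIN   00 24 00 80 10 oldpin newpin
#   reset  : reset PIN using the PUK        00 2C 00 80 10 puk    newpin
#   puk    : change PUK using the old PUK   00 2C 00 81 10 oldpuk newpuk
# Headers are taken from the post as written; verify against your card's docs.
pin_apdu() {
    case $1 in
        change) hdr="00:24:00:80:10" ;;
        reset)  hdr="00:2C:00:80:10" ;;
        puk)    hdr="00:2C:00:81:10" ;;
        *)      return 1 ;;
    esac
    old=$(pin_to_hex "$2") || return 1
    new=$(pin_to_hex "$3") || return 1
    printf '%s\n' "$hdr:$old:$new"
}

# Usage when run as a script (hypothetical file name):
#   piv-tool -s "$(sh build_piv_apdu.sh puk 1234567 112233)"
if [ "$#" -eq 3 ]; then
    pin_apdu "$1" "$2" "$3" || {
        echo "usage: $0 change|reset|puk OLD NEW (6-8 digits, or 0 for an all-zero PUK)" >&2
        exit 1
    }
fi
```

Running it with the post's own example, pin_apdu puk 1234567 112233, reproduces the post's command string byte for byte, which is a cheap way to check a hand-typed APDU before it goes to a card with a limited PUK retry counter.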