On 12/11/2012 8:06 PM, Ravneet Singh Khalsa wrote:
Hi,

Does there any tool or API exists to change Admin PIN on Gemalto PIV Cards ?

If the card follows NIST 800-73-3, piv-tool can do it.

800-73 leaves a lot of card management commands up to the vendor,
so check the vendor docs on this and on what the initial PUK is. The PUK
is not used by the end user, and some commands to the card may
require the global PIN rather than the PIV application PIN or PUK as defined
in 800-73-3.


 piv-tool  -s 00:2C:00:81:10:$OLDPUK:$NEWPUK

Where $OLDPUK is the current PUK and $NEWPUK is the new one.
Both are the hex representation of the digits, padded to 8 bytes with FF.

So to change from 1234567 to 112233
 piv-tool  -s 00:2C:00:81:10:31:32:33:34:35:36:37:ff:31:31:32:32:33:33:ff:ff

On some cards the previous PUK may have been all hex zeros.

The attached script could be used. It assumes a $1 parameter that is a
card number ($CARDN), which is used to look up information about the card,
such as the previous PUK in ./cards/$CARDN/



Thanks.





--

 Douglas E. Engert  <deeng...@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
#!/bin/sh
#
# change a PIN or PUK using the old PIN or PUK
#
# parms
# <card number>
# c    - change a pin, will prompt for oldpin and newpin 
# puk  - change the puk using old puk will prompt for newpuk 
# r    - reset pin using puk prompt for new pin

# If using puk get from database,  
# cards/$CARDN.puk
# if changing puk save to database
# save previous as cards/$CARDN.puk.prev 
# new as cards/$CARDN.puk

# look for piv-tool in the local smartcard install before anything else on PATH
PATH="/opt/smartcard/bin:${PATH}"

####################
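ConvertPin()
{
# Normalise a PIN or PUK into the 8-byte "hh:hh:hh:hh:hh:hh:hh:hh" form that
# piv-tool -s expects, and place the result in CONVERTEDPIN.
#
# $1 - one of:
#        6, 7 or 8 decimal digits    -> ASCII-encoded (0x30-0x39) and padded
#                                       to 8 bytes with FF
#        hh:hh:hh:hh:hh:hh:hh:hh      -> passed through unchanged
#        "0"                          -> 00:00:00:00:00:00:00:00
# Output: CONVERTEDPIN holds the hex form, or is empty if $1 is invalid.
#         Diagnostics go to stderr; the rejected value itself is not echoed,
#         since it may be a real PIN.
# Returns: 0 if converted, 1 if invalid.
CONVERTEDPIN=""
if [ "X$1" = "X0" ] ; then
        CONVERTEDPIN="00:00:00:00:00:00:00:00"
        return 0
fi
# Already in hex byte form? Map every hex digit to 0 and compare the shape.
CP_XTEST=$(printf '%s' "$1" | tr "0123456789abcdefABCDEF" "0000000000000000000000")
if [ "X$CP_XTEST" = "X00:00:00:00:00:00:00:00" ] ; then
        CONVERTEDPIN="$1"
        return 0
fi
# Otherwise it must be 6, 7 or 8 decimal digits. Append the FF padding
# first so a single sed pass handles all three lengths.
CP_PADDED=""
case "$1" in
        ""|*[!0-9]*)
                ;;
        *)
                case "${#1}" in
                        6) CP_PADDED="${1}FF:FF" ;;
                        7) CP_PADDED="${1}FF" ;;
                        8) CP_PADDED="$1" ;;
                esac
                ;;
esac
if [ "X$CP_PADDED" = "X" ] ; then
        echo "invalid format of pin" >&2
        echo "   pin must be 6, 7 or 8 digits or" >&2
        echo "   hex string like hh:hh:hh:hh:hh:hh:hh:hh" >&2
        echo "   \"0\" for 00:00:00:00:00:00:00:00" >&2
        return 1
fi
# Each decimal digit d becomes the byte 3d (its ASCII code) followed by a
# colon; the trailing colon left when no FF padding follows is dropped.
CONVERTEDPIN=$(printf '%s' "$CP_PADDED" | sed -e 's/[0-9]/3&:/g' -e 's/:$//')
return 0
}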
##################
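GetPin()
{
# Prompt for a PIN or PUK until ConvertPin accepts it, and leave the
# converted hex form in READPIN.
#
# $1 - number of times to prompt (currently unused; the loop repeats until
#      a valid value is entered)
# $2 - the prompt text
# Output: READPIN set to the hex form; empty if stdin reached end-of-file.
# Returns: 0 on success, 1 on end-of-file (the caller should abort rather
#          than send an empty value to the card).
# Terminal echo is switched off while the value is typed so the PIN does
# not appear on screen or in a scrollback log; the terminal settings are
# restored afterwards, also if the user interrupts.
CONVERTEDPIN=""
READPIN=""
until [ "X$CONVERTEDPIN" != "X" ]
do
        # printf avoids echo's non-portable handling of a missing newline
        printf "%s:" "$2"
        GP_RV=0
        if [ -t 0 ] ; then
                GP_STTY=$(stty -g)
                trap 'stty "$GP_STTY" 2>/dev/null; printf "\n"; exit 130' INT
                stty -echo 2>/dev/null
                # -r keeps backslashes literal
                read -r GP_ANS || GP_RV=$?
                stty "$GP_STTY" 2>/dev/null
                trap - INT
                printf "\n"
        else
                read -r GP_ANS || GP_RV=$?
        fi
        if [ "$GP_RV" -ne 0 ] ; then
                echo "end of input while reading pin" >&2
                return 1
        fi
        ConvertPin "$GP_ANS"
done
READPIN="$CONVERTEDPIN"
return 0
}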
        


##################
# main
##################

# Change pin using pin:
#       00 24 00 80 10 oldpin newpin
# Change pin using puk
#   00 2C 00 80 10 oldpuk newpin
# Change puk using puk
#   00 2C 00 81 10 oldpuk newpuk 
#
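# Usage: <script> <card number> <operation>
# Operation: c*  - change the user PIN using the old user PIN
#            puk - change the PUK using the old PUK from cards/<card>.puk
#            r*  - reset the user PIN using the PUK
case "X$2" in
        Xc*|Xpuk|Xr*)
                ;;
        *)
                echo "card number and operation required" >&2
                echo " operations are:" >&2
                echo "    c     - change a user pin using the old user pin" >&2
                echo "    puk   - change the puk to new puk" >&2
                echo "    r     - reset the user pin using the puk" >&2
                exit 1
                ;;
esac

CARDN="$1"
OPT="$2"

#
# CARDN names a file under cards/; refuse an empty name or one that could
# point outside that directory.
#
case "$CARDN" in
        ""|/*|*..*)
                echo "invalid card number \"$CARDN\"" >&2
                exit 1
                ;;
esac
PUKFILE="cards/$CARDN.puk"

#
# make sure we have an old puk and it is valid format
#
if [ ! -f "$PUKFILE" ] ; then
        echo "\"$PUKFILE\" not found" >&2
        exit 1
fi
OLDPUK=$(cat "$PUKFILE")
ConvertPin "$OLDPUK"
if [ "X$CONVERTEDPIN" = "X" ] ; then
        echo "old puk from \"$PUKFILE\" is not valid" >&2
        exit 1
fi
OLDPUK="$CONVERTEDPIN"

# NOTE: piv-tool -s takes the whole APDU, PINs included, on the command line,
# so the values are visible to other local users in a process listing for
# the duration of the call.
case "$OPT" in
        c*)
                # 00 24 00 80 10 <old pin> <new pin>: change pin using pin
                GetPin 1 "Old User Pin"
                OLDPIN="$READPIN"
                GetPin 1 "New User Pin"
                NEWPIN="$READPIN"
                if [ "X$OLDPIN" = "X" ] || [ "X$NEWPIN" = "X" ] ; then
                        echo "no pin entered" >&2
                        exit 1
                fi
                piv-tool -s "00:24:00:80:10:$OLDPIN:$NEWPIN"
                ;;
        puk)
                # 00 2C 00 81 10 <old puk> <new puk>: change puk using puk
                GetPin 1 "New Puk"
                NEWPUK="$READPIN"
                if [ "X$NEWPUK" = "X" ] ; then
                        echo "no puk entered" >&2
                        exit 1
                fi
                # keep the current puk in .prev until the card accepts the new one
                if ! mv "$PUKFILE" "$PUKFILE.prev" ; then
                        echo "failed to move $PUKFILE to $PUKFILE.prev" >&2
                        exit 2
                fi
                # the new puk is a secret: create its file readable by the owner only
                if ! ( umask 077 ; printf '%s\n' "$NEWPUK" > "$PUKFILE.new" ) ; then
                        echo "failed to save new puk to $PUKFILE.new" >&2
                        exit 1
                fi
                if piv-tool -s "00:2C:00:81:10:$OLDPUK:$NEWPUK" ; then
                        if ! mv "$PUKFILE.new" "$PUKFILE" ; then
                                echo "failed to save new puk to $PUKFILE" >&2
                                exit 3
                        fi
                else
                        echo "piv-tool failed to set puk" >&2
                        echo "  see $PUKFILE.new and $PUKFILE.prev" >&2
                        echo "  one of these should have the current puk" >&2
                        exit 4
                fi
                ;;
        r*)
                # 00 2C 00 80 10 <old puk> <new pin>: reset pin using puk
                GetPin 1 "New User Pin"
                NEWPIN="$READPIN"
                if [ "X$NEWPIN" = "X" ] ; then
                        echo "no pin entered" >&2
                        exit 1
                fi
                piv-tool -v -s "00:2C:00:80:10:$OLDPUK:$NEWPIN"
                ;;
        *)
                echo "Invalid operation" >&2
                exit 2
                ;;
esac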
