Re: [opensc-devel] Changing Admin PIN on PIV card

2012-12-13 Thread Douglas E. Engert


On 12/12/2012 8:01 PM, Ravneet Singh Khalsa wrote:
 Hi Douglas,

 Thanks for your suggestion. I tried the following command.

 piv-tool -s 00:2C:00:81:10:31:32:33:34:FF:FF:FF:FF:31:31:31:31:FF:FF:FF:FF
 (changing Admin Pin from 1234 to )

 It didn't work for me. The output of the command above is attached. See if
 there is something that you can figure out.

That looks very strange, almost like it never ran the command.

What would help more would be to turn on debugging in the opensc.conf,
debug = 7; and change the debug_file = some.out.out.file;

This would show that OpenSC found that this was a PIV card, and
any other commands sent to the card to test what type of card
it is.

If you could send the debug output from opensc-tool -n


You say these are Gemalto PIV cards.

Do they have actual data on the cards, even demo data?

Are they Global Platform cards?

What is the ATR?

Do you have the Gemalto manual?

Do they say anything about how to change the admin PIN?

Did they say anything about unlocking the card before
doing anything with the card?

NIST requires blank cards with the PIV application
on the card to be transported locked with the unlocking
keys sent in some other way. The locking may be
done using GP.

Did they send any pins or keys with the cards?
(They must have, otherwise you would not know what was
 the admin PIN.)


 Thanks.


 -Original Message-
 From: opensc-devel-boun...@lists.opensc-project.org
 [mailto:opensc-devel-boun...@lists.opensc-project.org] On Behalf Of Douglas
 E. Engert
 Sent: Wednesday, December 12, 2012 7:31 AM
 To: opensc-devel@lists.opensc-project.org
 Subject: Re: [opensc-devel] Changing Admin PIN on PIV card



 On 12/11/2012 8:06 PM, Ravneet Singh Khalsa wrote:
 Hi,

 Does any tool or API exist to change Admin PIN on Gemalto PIV Cards?

 If the card is following NIST 800-73-3, the piv-tool can do it.

 800-73 leaves a lot of card management commands up to the vendor, so check
 the vendor docs on this and what is the initial PUK. The PUK is not used by
 the end user, and some commands to the card may require the global pin vs
 the PIV application PIN or PUK as defined in 800-73-3.


 piv-tool  -s 00:2C:00:81:10:$OLDPUK:$NEWPUK

 Where $OLDPUK is the current and $NEWPUK is the new one. Both are hex
 representation of the numbers padded to 8 with FF

 So to change from 1234567 to 112233
 piv-tool  -s 00:2C:00:81:10:31:32:33:34:35:36:37:ff:31:31:32:32:33:33:ff:ff

 On some cards the previous PUK may have been all hex zeros.

 The attached  script could be used. It is assuming a $1 parameter that is a
 card number ($CARDN) that is used to look up information about the card,
 such as the previous PUK in ./cards/$CARDN/



 Thanks.



 ___
 opensc-devel mailing list
 opensc-devel@lists.opensc-project.org
 http://www.opensc-project.org/mailman/listinfo/opensc-devel



-- 

  Douglas E. Engert  deeng...@anl.gov
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


Re: [opensc-devel] Changing Admin PIN on PIV card

2012-12-13 Thread Douglas E. Engert
Two more things:

The command should be 24 not 2C. 2C is to reset the user pin if the pin
is locked. 24 is to reset one of the pins if the pin is known.
The script I sent you has an error. Sorry about that.

piv-tool -s 00:24:00:81:10:31:32:33:34:FF:FF:FF:FF:31:31:31:31:FF:FF:FF:FF

BUT: NIST 800-73-2 part 2 Section 3.2.2 says:

The ability to change reference data associated with key references '81' and
'00' using the PIV Card Application CHANGE REFERENCE DATA command is optional.

Thus you need to consult the Gemalto manuals to see if this is implemented.




-- 

  Douglas E. Engert  deeng...@anl.gov
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
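
The APDU layout discussed in this message, as an added example that is not part of the original post or of OpenSC: it builds the colon-separated string that `piv-tool -s` takes, using INS 24 for a change with a known value and INS 2C for a reset with the PUK. The function and operation names are assumptions made for this example, it accepts only the 6, 7 or 8 decimal digit form that the posted script checks for (not the hex-string form), and it sends nothing to a card.

```shell
#!/bin/sh
# Added example: builds the APDU string for piv-tool -s; nothing is sent to a card.
# Function and operation names are hypothetical, chosen for this example.

# pin_to_hex DIGITS: ASCII-encode 6, 7 or 8 decimal digits, pad to 8 bytes with FF.
pin_to_hex() {
    case $1 in
        ''|*[!0-9]*) echo "value must be decimal digits only" >&2; return 1 ;;
    esac
    len=${#1}
    if [ "$len" -lt 6 ] || [ "$len" -gt 8 ]; then
        echo "value must be 6, 7 or 8 digits, got $len" >&2
        return 1
    fi
    out=
    rest=$1
    while [ -n "$rest" ]; do
        rem=${rest#?}             # everything after the first digit
        digit=${rest%"$rem"}      # the first digit itself
        out="$out${out:+:}3$digit"   # digit d encodes as ASCII byte 3d
        rest=$rem
    done
    while [ "$len" -lt 8 ]; do
        out="$out:FF"
        len=$((len + 1))
    done
    printf '%s\n' "$out"
}

# build_apdu OPERATION CURRENT NEW
#   change-pin  00 24 00 80  CHANGE REFERENCE DATA: current PIN, new PIN
#   change-puk  00 24 00 81  CHANGE REFERENCE DATA: current PUK, new PUK
#   reset-pin   00 2C 00 80  RESET RETRY COUNTER:   PUK, new PIN
build_apdu() {
    case $1 in
        change-pin) hdr=00:24:00:80 ;;
        change-puk) hdr=00:24:00:81 ;;
        reset-pin)  hdr=00:2C:00:80 ;;
        *) echo "unknown operation: $1" >&2; return 1 ;;
    esac
    cur=$(pin_to_hex "$2") || return 1
    new=$(pin_to_hex "$3") || return 1
    # Lc is always 0x10: two 8-byte reference-data fields.
    printf '%s:10:%s:%s\n' "$hdr" "$cur" "$new"
}

# Constructed sample values, taken from the worked example in the thread.
build_apdu change-puk 1234567 112233
```
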


Re: [opensc-devel] Changing Admin PIN on PIV card

2012-12-12 Thread Ravneet Singh Khalsa
C_SetPIN does not change Admin PIN.

-Original Message-
From: helpcrypto helpcrypto helpcry...@gmail.com
Sent: 12/11/2012 11:43 PM
To: Ravneet Singh Khalsa rsi...@quantumsecure.com
Cc: opensc-devel@lists.opensc-project.org 
opensc-devel@lists.opensc-project.org
Subject: Re: [opensc-devel] Changing Admin PIN on PIV card

pkcs11's C_SetPin ?

On Wed, Dec 12, 2012 at 3:06 AM, Ravneet Singh Khalsa
rsi...@quantumsecure.com wrote:
 Hi,



 Does any tool or API exist to change Admin PIN on Gemalto PIV Cards?



 Thanks.





Re: [opensc-devel] Changing Admin PIN on PIV card

2012-12-12 Thread helpcrypto helpcrypto
According to PKCS#11 standard, C_SetPIN modifies the PIN of the user
that is currently logged in, or the CKU_USER PIN if the session is not
logged in.


On Wed, Dec 12, 2012 at 2:26 PM, Ravneet Singh Khalsa
rsi...@quantumsecure.com wrote:
 C_SetPIN does not change Admin PIN.
 
 From: helpcrypto helpcrypto
 Sent: 12/11/2012 11:43 PM
 To: Ravneet Singh Khalsa
 Cc: opensc-devel@lists.opensc-project.org
 Subject: Re: [opensc-devel] Changing Admin PIN on PIV card

 pkcs11's C_SetPin ?

 On Wed, Dec 12, 2012 at 3:06 AM, Ravneet Singh Khalsa
 rsi...@quantumsecure.com wrote:
 Hi,



 Does any tool or API exist to change Admin PIN on Gemalto PIV Cards?



 Thanks.





Re: [opensc-devel] Changing Admin PIN on PIV card

2012-12-12 Thread Douglas E. Engert



On 12/11/2012 8:06 PM, Ravneet Singh Khalsa wrote:

Hi,

Does any tool or API exist to change Admin PIN on Gemalto PIV Cards?


If the card is following NIST 800-73-3, the piv-tool can do it.

800-73 leaves a lot of card management commands up to the vendor,
so check the vendor docs on this and what is the initial PUK. The PUK
is not used by the end user, and some commands to the card may
require the global pin vs the PIV application PIN or PUK as defined
in 800-73-3.


 piv-tool  -s 00:2C:00:81:10:$OLDPUK:$NEWPUK

Where $OLDPUK is the current and $NEWPUK is the new one.
Both are hex representation of the numbers padded to 8 with FF

So to change from 1234567 to 112233
 piv-tool  -s 00:2C:00:81:10:31:32:33:34:35:36:37:ff:31:31:32:32:33:33:ff:ff

On some cards the previous PUK may have been all hex zeros.

The attached  script could be used. It is assuming a $1 parameter that is a
card number ($CARDN) that is used to look up information about the card,
such as the previous PUK in ./cards/$CARDN/




Thanks.






--

 Douglas E. Engert  deeng...@anl.gov
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444

#!/bin/sh
#
# change a pin or puk or using the old pin or puk
#
# parms
# card number
# c    - change a pin, will prompt for oldpin and newpin
# puk  - change the puk using old puk will prompt for newpuk
# r    - reset pin using puk prompt for new pin

# If using puk get from database,
# cards/$CARDN.puk
# if changing puk save to database
# save previous as cards/$CARDN.puk.prev
# new as cards/$CARDN.puk

PATH=/opt/smartcard/bin:$PATH


ConvertPin()
{
    # $1 is string of hex digits with : or decimal digits
    # hh:hh:hh:hh:hh:hh:hh:hh
    # 0 meaning 00:00:00:00:00:00:00:00
    # place output in CONVERTEDPIN
    if [ X$1 = X0 ] ; then
        CONVERTEDPIN=00:00:00:00:00:00:00:00
        return
    fi
    # map every hex digit (XTEST) or decimal digit (DTEST) to 0 to test the shape
    XTEST=`echo $1 | tr "0123456789abcdefABCDEF" "0000000000000000000000"`
    DTEST=`echo $1 | tr "0123456789" "0000000000"`
    if [ X$XTEST = X00:00:00:00:00:00:00:00 ] ; then
        CONVERTEDPIN=$1
        return
    fi
    # decimal digits: turn each digit d into ASCII hex 3d and pad to 8 bytes with FF
    case $DTEST in
    000000)
        CONVERTEDPIN=`echo ${1}FF:FF | sed -e 's/[0-9]/3&:/g'`
        ;;
    0000000)
        CONVERTEDPIN=`echo ${1}FF | sed -e 's/[0-9]/3&:/g'`
        ;;
    00000000)
        CONVERTEDPIN=`echo ${1} | sed -e 's/[0-9]/3&:/g' -e 's/:$//'`
        ;;
    *)
        echo "invalid format of pin=\"$1\""
        echo "    pin must be 6, 7 or 8 digits or "
        echo "    hex string like hh:hh:hh:hh:hh:hh:hh:hh"
        echo "    \"0\" for 00:00:00:00:00:00:00:00"
        CONVERTEDPIN=
        ;;
    esac
    set +x
}
##
GetPin()
{
    # $1 is number of times to prompt, 1 for now
    # $2 is the prompt
    #

    CONVERTEDPIN=
    until [ X$CONVERTEDPIN != X ]
    do

        # echo without the cr, works on Solaris and Linux
        printf "%s:" "$2"
        read ANS
        ConvertPin $ANS
    done
    READPIN=$CONVERTEDPIN
}



##
# main
##

# Change pin using pin:
#   00 24 00 80 10 oldpin newpin
# Change pin using puk
#   00 2C 00 80 10 oldpuk newpin
# Change puk using puk
#   00 2C 00 81 10 oldpuk newpuk
#
case X$2 in
Xc*|Xpuk|Xr*)
    ;;
*)
    echo "card number and operation required"
    echo "  operations are:"
    echo "    c     - change a user pin using the old user pin"
    echo "    puk   - change the puk to new puk"
    echo "    r     - reset the user pin using the puk"
    exit 1
    ;;
esac

CARDN=$1
OPT=$2

#
# make sure we have an old puk and it is valid format
#
if [ ! -f cards/$CARDN.puk ] ; then
    echo "cards/$CARDN.puk not found"
    exit 1
fi
OLDPUK=`cat cards/$CARDN.puk`
ConvertPin $OLDPUK
if [ X$CONVERTEDPIN = X ] ; then
    echo "old puk from \"cards/$CARDN.puk\" is not valid"
    exit 1
fi
OLDPUK=$CONVERTEDPIN

case $OPT in
c*)
    GetPin 1 "Old User Pin"
    OLDPIN=$READPIN
    GetPin 1 "New User Pin"
    NEWPIN=$READPIN
    piv-tool  -s 00:24:00:80:10:$OLDPIN:$NEWPIN
    ;;
puk)
    GetPin 1 "New Puk"
    NEWPUK=$READPIN
    mv cards/$CARDN.puk cards/$CARDN.puk.prev
    if [ $? -ne 0 ] ; then
        echo "failed to move cards/$CARDN.puk cards/$CARDN.puk.prev"
        exit 2
    fi
    echo $NEWPUK > cards/$CARDN.puk.new
    if [ ! -f cards/$CARDN.puk.new ] ; then
        echo "failed to save new puk to cards/$CARDN.puk.new"
        exit 1
    fi
    piv-tool  -s 

Re: [opensc-devel] Changing Admin PIN on PIV card

2012-12-12 Thread Ravneet Singh Khalsa
Hi Douglas,

Thanks for your suggestion. I tried the following command.

piv-tool -s 00:2C:00:81:10:31:32:33:34:FF:FF:FF:FF:31:31:31:31:FF:FF:FF:FF
(changing Admin Pin from 1234 to )

It didn't work for me. The output of the command above is attached. See if
there is something that you can figure out.

Thanks.


Received (SW1=0x00, SW2=0x00):

Re: [opensc-devel] Changing Admin PIN on PIV card

2012-12-11 Thread helpcrypto helpcrypto
pkcs11's C_SetPin ?

On Wed, Dec 12, 2012 at 3:06 AM, Ravneet Singh Khalsa
rsi...@quantumsecure.com wrote:
 Hi,



 Does any tool or API exist to change Admin PIN on Gemalto PIV Cards?



 Thanks.



