Re: [opensc-devel] Changing Admin PIN on PIV card
On 12/12/2012 8:01 PM, Ravneet Singh Khalsa wrote:
> Hi Douglas,
> Thanks for your suggestion. I tried the following command.
>
> piv-tool -s 00:2C:00:81:10:31:32:33:34:FF:FF:FF:FF:31:31:31:31:FF:FF:FF:FF
> (changing Admin Pin from 1234 to )
>
> It didn't work for me. The output of the command above is attached. See if there is something that you can figure out.

That looks very strange, almost like it never ran the command.

What would help more would be to turn on debugging in the opensc.conf, debug = 7; and change the debug_file = some.out.out.file; This would show that OpenSC found that this was a PIV card, and any other commands sent to the card to test what type of card it is.

If you could send the debug output from opensc-tool -n

You say these are Gemalto PIV cards. Do they have actual data on the cards, even demo data? Are they Global Platform cards? What is the ATR?

Do you have the Gemalto manual? Do they say anything about how to change the admin PIN? Did they say anything about unlocking the card before doing anything with the card? NIST requires blank cards with the PIV application on the card to be transported locked, with the unlocking keys sent in some other way. The locking may be done using GP. Did they send any pins or keys with the cards? (They must have, otherwise you would not know what was the admin PIN.)

> Thanks.
>
> -----Original Message-----
> From: opensc-devel-boun...@lists.opensc-project.org [mailto:opensc-devel-boun...@lists.opensc-project.org] On Behalf Of Douglas E. Engert
> Sent: Wednesday, December 12, 2012 7:31 AM
> To: opensc-devel@lists.opensc-project.org
> Subject: Re: [opensc-devel] Changing Admin PIN on PIV card

-- 
Douglas E. Engert deeng...@anl.gov
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Changing Admin PIN on PIV card
Two more things:

The command should be 24 not 2C. 2C is to reset the user pin if the pin is locked. 24 is to reset one of the pins if the pin is known. The script I sent you has an error. Sorry about that.

piv-tool -s 00:24:00:81:10:31:32:33:34:FF:FF:FF:FF:31:31:31:31:FF:FF:FF:FF

BUT: NIST 800-73-2 part 2 Section 3.2.2 says:

    The ability to change reference data associated with key references '81' and '00' using the PIV Card Application CHANGE REFERENCE DATA command is optional.

Thus you need to consult the Gemalto manuals to see if this is implemented.

On 12/12/2012 8:01 PM, Ravneet Singh Khalsa wrote:
> Hi Douglas,
> Thanks for your suggestion. I tried the following command.
>
> piv-tool -s 00:2C:00:81:10:31:32:33:34:FF:FF:FF:FF:31:31:31:31:FF:FF:FF:FF
> (changing Admin Pin from 1234 to )
>
> It didn't work for me. The output of the command above is attached. See if there is something that you can figure out.
> Thanks.
>
> -----Original Message-----
> From: opensc-devel-boun...@lists.opensc-project.org [mailto:opensc-devel-boun...@lists.opensc-project.org] On Behalf Of Douglas E. Engert
> Sent: Wednesday, December 12, 2012 7:31 AM
> To: opensc-devel@lists.opensc-project.org
> Subject: Re: [opensc-devel] Changing Admin PIN on PIV card
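The APDU layout used throughout this thread (CLA 00, INS 24 or 2C, P1 00, P2 80 or 81, Lc 10, then an old and a new 8-byte field padded with FF) and the 24-versus-2C correction above are easy to get wrong by hand. The Python below is an added example, not code from OpenSC or from anyone in this thread: it builds the byte string that piv-tool -s takes for each of the three operations (change PIN with PIN, change PUK with PUK, reset PIN with PUK) and decodes the "Received (SW1=0x.., SW2=0x..)" line piv-tool prints, including the SW1=0x00, SW2=0x00 line from the attached output, which is not a valid ISO 7816 status word at all. The function names, the length rules (6 to 8 digits enforced only for the PIV PIN, since the thread itself pads a 4-digit PUK) and the sample output line are this example's own assumptions; status-word meanings are the ISO 7816-4 ones that SP 800-73 reuses.

```python
"""Build piv-tool -s arguments for the PIV PIN/PUK commands in this thread and
decode the status word piv-tool prints.  Added example; not OpenSC code."""
import re

# Key references and instructions from NIST SP 800-73-3 Part 2
PIV_PIN = 0x80                    # PIV Card Application PIN
PUK = 0x81                        # PIN Unblocking Key, the "Admin PIN" of the thread
INS_CHANGE_REFERENCE_DATA = 0x24  # new value, authenticated by the old value of the same reference
INS_RESET_RETRY_COUNTER = 0x2C    # new PIN, authenticated by the PUK


def is_valid_pin(value: str, ref: int) -> bool:
    """Length rules assumed by this example: SP 800-73 requires 6 to 8 digits for
    the PIV PIN; the thread pads a 4-digit PUK, so the PUK is only capped at 8.
    "0" selects the all-zero PUK some cards ship with, as the posted script does."""
    if value == "0":
        return ref == PUK
    if not value.isdigit() or len(value) > 8:
        return False
    return len(value) >= 6 if ref == PIV_PIN else len(value) >= 1


def encode_pin(value: str, ref: int) -> bytes:
    """ASCII digits right-padded with 0xFF to 8 bytes, as in the hand-built strings."""
    if not is_valid_pin(value, ref):
        raise ValueError(f"bad PIN/PUK {value!r} for key reference {ref:02X}")
    if value == "0":
        return bytes(8)
    return value.encode("ascii").ljust(8, b"\xff")


def build_apdu(ins: int, p2: int, old_value: str, new_value: str) -> bytes:
    """CLA 00, INS, P1 00, P2 = key reference, Lc 10, old(8) || new(8)."""
    # RESET RETRY COUNTER is authenticated with the PUK although P2 names the PIN
    old_ref = PUK if ins == INS_RESET_RETRY_COUNTER else p2
    data = encode_pin(old_value, old_ref) + encode_pin(new_value, p2)
    return bytes([0x00, ins, 0x00, p2, len(data)]) + data


def to_piv_tool_arg(apdu: bytes) -> str:
    """Colon-separated hex, the form piv-tool -s takes."""
    return ":".join(f"{b:02X}" for b in apdu)


def change_pin(old_pin: str, new_pin: str) -> bytes:
    return build_apdu(INS_CHANGE_REFERENCE_DATA, PIV_PIN, old_pin, new_pin)


def change_puk(old_puk: str, new_puk: str) -> bytes:
    # CHANGE REFERENCE DATA on reference 81 is optional (SP 800-73-2 Part 2, 3.2.2)
    return build_apdu(INS_CHANGE_REFERENCE_DATA, PUK, old_puk, new_puk)


def reset_pin_with_puk(puk: str, new_pin: str) -> bytes:
    return build_apdu(INS_RESET_RETRY_COUNTER, PIV_PIN, puk, new_pin)


def describe_sw(sw1: int, sw2: int) -> str:
    """Status words as ISO 7816-4 defines them and SP 800-73 reuses them."""
    if (sw1 >> 4) not in (6, 9):
        return "not an ISO 7816 status word; the APDU probably never reached the card"
    if (sw1, sw2) == (0x90, 0x00):
        return "success"
    if sw1 == 0x63 and sw2 & 0xF0 == 0xC0:
        return f"wrong PIN/PUK, {sw2 & 0x0F} retries remaining"
    if (sw1, sw2) == (0x69, 0x83):
        return "reference data blocked"
    if (sw1, sw2) == (0x69, 0x82):
        return "security status not satisfied"
    if (sw1, sw2) == (0x6A, 0x80):
        return "incorrect data field; check the 8+8 byte padding"
    if (sw1, sw2) == (0x6A, 0x86):
        return "incorrect P1/P2; the card may not accept this key reference here"
    if (sw1, sw2) == (0x6A, 0x88):
        return "referenced data not found"
    if (sw1, sw2) == (0x6D, 0x00):
        return "instruction code not supported"
    return f"unhandled status {sw1:02X} {sw2:02X}"


_SW_RE = re.compile(r"SW1=0x([0-9A-Fa-f]{2}),\s*SW2=0x([0-9A-Fa-f]{2})")


def describe_piv_tool_line(line: str) -> str:
    """Decode the 'Received (SW1=0x.., SW2=0x..)' line piv-tool prints after -s."""
    m = _SW_RE.search(line)
    if m is None:
        raise ValueError("no SW1/SW2 in line")
    return describe_sw(int(m.group(1), 16), int(m.group(2), 16))


if __name__ == "__main__":
    # The thread's 1234567 -> 112233 example, with INS 24 as corrected above
    print(to_piv_tool_arg(change_puk("1234567", "112233")))
    # First line of the output attached in the thread (constructed copy)
    print(describe_piv_tool_line("Received (SW1=0x00, SW2=0x00): 90 22 D2 FA FE 07 00 00"))
```

Run it and paste the printed string after piv-tool -s; a genuine card answer begins with SW1 in the 6x or 9x range, so a 00 00 status, like the one attached in this thread, means the problem is before the card (reader, driver, card recognition), not the PIN value.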
Re: [opensc-devel] Changing Admin PIN on PIV card
C_SetPIN does not change Admin PIN.

-----Original Message-----
From: helpcrypto helpcrypto helpcry...@gmail.com
Sent: 12/11/2012 11:43 PM
To: Ravneet Singh Khalsa rsi...@quantumsecure.com
Cc: opensc-devel@lists.opensc-project.org opensc-devel@lists.opensc-project.org
Subject: Re: [opensc-devel] Changing Admin PIN on PIV card

> pkcs11's C_SetPin ?
>
> On Wed, Dec 12, 2012 at 3:06 AM, Ravneet Singh Khalsa rsi...@quantumsecure.com wrote:
>> Hi,
>> Does there any tool or API exists to change Admin PIN on Gemalto PIV Cards ?
>> Thanks.
Re: [opensc-devel] Changing Admin PIN on PIV card
According to PKCS#11 standard, C_SetPIN modifies the PIN of the user that is currently logged in, or the CKU_USER PIN if the session is not logged in.

On Wed, Dec 12, 2012 at 2:26 PM, Ravneet Singh Khalsa rsi...@quantumsecure.com wrote:
> C_SetPIN does not change Admin PIN.
>
> From: helpcrypto helpcrypto
> Sent: 12/11/2012 11:43 PM
> To: Ravneet Singh Khalsa
> Cc: opensc-devel@lists.opensc-project.org
> Subject: Re: [opensc-devel] Changing Admin PIN on PIV card
>
>> pkcs11's C_SetPin ?
>>
>> On Wed, Dec 12, 2012 at 3:06 AM, Ravneet Singh Khalsa rsi...@quantumsecure.com wrote:
>>> Hi,
>>> Does there any tool or API exists to change Admin PIN on Gemalto PIV Cards ?
>>> Thanks.
Re: [opensc-devel] Changing Admin PIN on PIV card
On 12/11/2012 8:06 PM, Ravneet Singh Khalsa wrote:
> Hi,
> Does there any tool or API exists to change Admin PIN on Gemalto PIV Cards ?

If the card is following NIST 800-73-3 the piv-tool can do it. 800-73 leaves a lot of card management commands up to the vendor, so check the vendor docs on this and what is the initial PUK. The PUK is not used by the end user, and some commands to the card may require the global pin vs the PIV application PIN or PUK as defined in 800-73-3.

piv-tool -s 00:2C:00:81:10:$OLDPUK:$NEWPUK

Where $OLDPUK is the current and $NEWPUK is the new one. Both are hex representation of the numbers padded to 8 with FF. So to change from 1234567 to 112233:

piv-tool -s 00:2C:00:81:10:31:32:33:34:35:36:37:ff:31:31:32:32:33:33:ff:ff

On some cards the previous PUK may have been all hex zeros.

The attached script could be used. It is assuming a $1 parameter that is a card number ($CARDN) that is used to look up information about the card, such as the previous PUK in ./cards/$CARDN/

> Thanks.

#!/bin/sh
#
# change a pin or puk using the old pin or puk
#
# parms
#   card number
#   c   - change a pin, will prompt for oldpin and newpin
#   puk - change the puk using old puk, will prompt for newpuk
#   r   - reset pin using puk, prompt for new pin
#
# If using puk get it from database,
#   cards/$CARDN.puk
# if changing puk save to database
#   save previous as cards/$CARDN.puk.prev
#   new as cards/$CARDN.puk

PATH=/opt/smartcard/bin:$PATH

ConvertPin() {
  # $1 is string of hex digits with : or decimal digits
  #   hh:hh:hh:hh:hh:hh:hh:hh
  #   0 meaning 00:00:00:00:00:00:00:00
  # place output in CONVERTEDPIN
  if [ "X$1" = "X0" ] ; then
    CONVERTEDPIN=00:00:00:00:00:00:00:00
    return
  fi
  # map every hex digit to 0: a well-formed hex string becomes 00:00:...:00
  XTEST=`echo "$1" | tr 0123456789abcdefABCDEF 0000000000000000000000`
  # map every decimal digit to 0: a 6, 7 or 8 digit pin becomes 000000, 0000000 or 00000000
  DTEST=`echo "$1" | tr 0123456789 0000000000`
  if [ "X$XTEST" = "X00:00:00:00:00:00:00:00" ] ; then
    CONVERTEDPIN=$1
    return
  fi
  # each decimal digit d becomes its ASCII code 3d, padded to 8 bytes with FF
  case $DTEST in
    000000)   CONVERTEDPIN=`echo "${1}FF:FF" | sed -e 's/[0-9]/3&:/g'` ;;
    0000000)  CONVERTEDPIN=`echo "${1}FF"    | sed -e 's/[0-9]/3&:/g'` ;;
    00000000) CONVERTEDPIN=`echo "${1}"      | sed -e 's/[0-9]/3&:/g' -e 's/:$//'` ;;
    *)
      echo "invalid format of pin=\"$1\""
      echo "pin must be 6, 7 or 8 digits or"
      echo "hex string like hh:hh:hh:hh:hh:hh:hh:hh"
      echo "\"0\" for 00:00:00:00:00:00:00:00"
      CONVERTEDPIN=
      ;;
  esac
}

##
GetPin() {
  # $1 is number of times to prompt, 1 for now
  # $2 is the prompt
  CONVERTEDPIN=
  until [ "X$CONVERTEDPIN" != "X" ]
  do
    # echo without the cr, works on Solaris and Linux
    printf '%s: ' "$2"
    read ANS
    ConvertPin "$ANS"
  done
  READPIN=$CONVERTEDPIN
}

##
# main
##
# Change pin using pin:
#   00 24 00 80 10 oldpin newpin
# Change pin using puk
#   00 2C 00 80 10 oldpuk newpin
# Change puk using puk
#   00 24 00 81 10 oldpuk newpuk
#   (CHANGE REFERENCE DATA is 24; the copy as posted used 2C here,
#    corrected per the follow-up mail in this thread)
#
case "X$2" in
  Xc*|Xpuk|Xr*) ;;
  *)
    echo "card number and operation required"
    echo "operations are:"
    echo "  c   - change a user pin using the old user pin"
    echo "  puk - change the puk to new puk"
    echo "  r   - reset the user pin using the puk"
    exit 1
    ;;
esac

CARDN=$1
OPT=$2

#
# make sure we have an old puk and it is valid format
#
if [ ! -f "cards/$CARDN.puk" ] ; then
  echo "cards/$CARDN.puk not found"
  exit 1
fi
OLDPUK=`cat "cards/$CARDN.puk"`
ConvertPin "$OLDPUK"
if [ "X$CONVERTEDPIN" = "X" ] ; then
  echo "old puk from \"cards/$CARDN.puk\" is not valid"
  exit 1
fi
OLDPUK=$CONVERTEDPIN

case $OPT in
  c*)
    GetPin 1 "Old User Pin"
    OLDPIN=$READPIN
    GetPin 1 "New User Pin"
    NEWPIN=$READPIN
    piv-tool -s 00:24:00:80:10:$OLDPIN:$NEWPIN
    ;;
  puk)
    GetPin 1 "New Puk"
    NEWPUK=$READPIN
    mv "cards/$CARDN.puk" "cards/$CARDN.puk.prev"
    if [ $? -ne 0 ] ; then
      echo "failed to move cards/$CARDN.puk cards/$CARDN.puk.prev"
      exit 2
    fi
    echo "$NEWPUK" > "cards/$CARDN.puk.new"
    if [ ! -f "cards/$CARDN.puk.new" ] ; then
      echo "failed to save new puk to cards/$CARDN.puk.new"
      exit 1
    fi
    # The posted copy of the script is cut off after "piv-tool -s" here;
    # the rest of this case and the r case follow the APDUs and the
    # database layout described in the header comments above.
    piv-tool -s 00:24:00:81:10:$OLDPUK:$NEWPUK
    mv "cards/$CARDN.puk.new" "cards/$CARDN.puk"
    ;;
  r*)
    GetPin 1 "New User Pin"
    NEWPIN=$READPIN
    piv-tool -s 00:2C:00:80:10:$OLDPUK:$NEWPIN
    ;;
esac
Re: [opensc-devel] Changing Admin PIN on PIV card
Hi Douglas,
Thanks for your suggestion. I tried the following command.

piv-tool -s 00:2C:00:81:10:31:32:33:34:FF:FF:FF:FF:31:31:31:31:FF:FF:FF:FF
(changing Admin Pin from 1234 to )

It didn't work for me. The output of the command above is attached. See if there is something that you can figure out.
Thanks.

-----Original Message-----
From: opensc-devel-boun...@lists.opensc-project.org [mailto:opensc-devel-boun...@lists.opensc-project.org] On Behalf Of Douglas E. Engert
Sent: Wednesday, December 12, 2012 7:31 AM
To: opensc-devel@lists.opensc-project.org
Subject: Re: [opensc-devel] Changing Admin PIN on PIV card

Attached output:

Received (SW1=0x00, SW2=0x00):
90 22 D2 FA FE 07 00 00 58 01 48 00 00 00 00 00
00 00 00 00 00 00 00 00 30 02 48 00 00 00 00 00
B0 C0 74 FE FE 07 00 00 A0 C3 74 FE FE 07 00 00
D0 C1 74 FE FE 07 00 00 00 00 49 00 00 00 00 00
70 CD 74 FE FE 07 00 00 30 02 48 00 00 00 00 00
00 00 00 00 00 00 00 00 0B 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 D0 DC 22 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
D0 DD 22 00 00 00 00 00 1B 00 00 00 00 00 00 00
B8 DC 22 00 00 00 00 00 00 01 00 00 00 00 00 00
80 4F 76 FE FE 07 00 00 00 6B 51 00 00 00 00 00
B0 DB 22 00 00 00 00 00 F0 DC 22 00 00 00 00 00
00 00 00 00 00 00 00 00 68 02 48 00 00 00 00 00
00 00 00 00 00 00 00 00 70 02 48 00 00 00 00 00
B0 4D 50 00 00 00 00 00 3C 33 D1 FA FE 07 00 00
00 00 00 00 00 00 00 00 30 02 48 00 00 00 00 00
E0 7C 30 00 00 00 00 00 80 00 49 00 00 00 00 00
30 02 48 00 00 00 00 00 74 02 49 00 00 00 00 00
60 05 49 00 00 00 00 00 10 37 D2 FA FE 07 00 00
00 00 00 00 00 00 00 00 01 01 00 00 00 00 00 00
00 00 00 00 00 00 00 00 1B 00 00 00 00 00 00 00
4D 00 00 4D 00 00 4D 00 00 00 02 00 00 00 4D 00
20 00 00 00 00 00 00 00 4D 00 48 00 00 00 00 00
00 6B 51 00 00 00 00 00 16 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 03 00 00 00 4D 00 00 00
00 00 00 00 00 00 00 00 1B 00 00 00 00 00 00 00
06 00 DA 00 33 00 00 00 70 04 49 00 00 00 00 00
00 00 00 00 00 00 00 00 01 01 51 00 00 00 00 00
00 00 00 00 00 00 00 00 2C 00 00 00 00 00 00 00
02 00 00 02 00 00 4D 00 00 00 02 00 00 00 4D 00
00 6B 51 00 00 00 00 00 4D 00 00 0B 00 00 00 00
00 6B 51 00 00 00 00 00 F0 76 50 00 00 00 00 00
00 00 00 00 00 00 00 00 03 00 00 00 4D 00 00 00
F0 4B 30 00 00 00 00 00 2C 00 00 00 00 00 00 00
4D 00 00 00 1B 00 00 00 32 F3 6B FE FE 07 00 00
80 00 00 00 00 00 00 00 00 6B 51 00 00 00 00 00
30 02 48 00 00 00 00 00 30 02 48 00 00 00 00 00
78 03 48 00 00 00 00 00 70 02 48 00 00 00 00 00
B0 9B 30 00 00 00 00 00 1B 00 00 1B 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
9F DF A4 E6 D3 D8 00 00 6A EF 6B FE FE 07 00 00
00 00 00 00 26 00 00 00 10 E2 22 00 00 00 00 00
00 00 00 00 00 00 00 40 00 00 67 FE FE 07 00 00
B0 4B 30 00 00 00 00 00 50 DF 22 00 00 00 00 00
D8 9C 30 00 00 00 00 00 00 00 00 00 00 00 00 00
B0
Re: [opensc-devel] Changing Admin PIN on PIV card
pkcs11's C_SetPin ?

On Wed, Dec 12, 2012 at 3:06 AM, Ravneet Singh Khalsa rsi...@quantumsecure.com wrote:
> Hi,
> Does there any tool or API exists to change Admin PIN on Gemalto PIV Cards ?
> Thanks.