Page MenuHome GnuPG
Create Task
Maniphest T4710

Cannot use Secure PIN Entry for Reset Code
Open, NormalPublic
Actions

Description

Operating system: Ubuntu 18.04.3 LTS
Smart card reader: Cherry ST-2000
Smart card: OpenPGP Smart Card V3.3

Secure PIN entry works fine for the normal PIN and the admin PIN (both for signing/encryption and in gpg --card-edit), but not for the Reset Code:

gpg/card> admin
Admin commands are allowed

gpg/card> passwd
gpg: OpenPGP card no. D276000124010303000500007D9B0000 detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 4

This will first prompt me for my admin PIN via the card reader pin pad (as expected), but then it'll prompt me for the new Reset Code on my computer (not as expected).

Similarly, when attempting to use the Reset Code to unblock the PIN:

gpg/card> unblock
gpg: OpenPGP card no. D276000124010303000500007D9B0000 detected

it'll prompt me both for the Reset Code and the new PIN on my computer. The card reader pin pad isn't used at all here.

scdaemon.log73 KBDownload

Details

Version
2.2.4

Event Timeline

martin.von.wittich created this task.Sep 24 2019, 3:12 PM
werner triaged this task as Normal priority.Sep 25 2019, 9:23 AM
werner added projects: scd, OpenPGP.
gniibe claimed this task.EditedSep 25 2019, 12:09 PM
gniibe added a subscriber: gniibe.

It is not supported, by CCID protocol itself. So, it is not supported by scdaemon, and by any of card readers (which I know of), either.

Pininput is only supported for VERIFY (0x20) and CHANGE_REFERENCE_DATA (0x24) commands.

In my Gnuk project, I have a script:
https://git.gniibe.org/gitweb/?p=gnuk/gnuk.git;a=blob;f=tool/pinpadtest.py;h=99b1326360838dd735ffda69423592353f13cfa4;hb=HEAD

Experience shows that no readers support reset code change using pinpad.

Only my own implementation, Gnuk, somehow support the feature.

martin.von.wittich added a comment.Sep 25 2019, 1:26 PM

It is not supported, by CCID protocol itself. So, it is not supported by scdaemon, and by any of card readers (which I know of), either.

Oh, OK, didn't know that. This should probably be documented somewhere.

In my Gnuk project, I have a script:
https://git.gniibe.org/gitweb/?p=gnuk/gnuk.git;a=blob;f=tool/pinpadtest.py;h=99b1326360838dd735ffda69423592353f13cfa4;hb=HEAD

Hm, I'm unfortunately not getting very far with it:

martin@dogmeat ~ % ./pinpadtest.py
Reader/Token: Cherry GmbH SmartTerminal ST-2xxx [Vendor Interface] (21121616195723) 00 00
ATR: 3B DA 18 FF 81 B1 FE 75 1F 03 00 31 F5 73 C0 01 60 00 90 00 1C
Please input User's PIN
Traceback (most recent call last):
  File "./pinpadtest.py", line 378, in <module>
    main(who, method, add_a_byte, pinmin, pinmax, change_by_two_steps, fixed)
  File "./pinpadtest.py", line 242, in main
    card.cmd_verify_pinpad(who)
  File "./pinpadtest.py", line 138, in cmd_verify_pinpad
    raise ValueError, ("cmd_verify_pinpad %02x %02x" % (sw1, sw2))
ValueError: cmd_verify_pinpad 63 c3

63c3 sounds like "Verify fail, 3 tries left" if I'm googling this right, but the same PIN works fine in gpg --card-edit and verify. Also, the amount of available retries does not decrease, regardless how often I repeat this or whether I input the correct or a false PIN. Same thing with the Admin PIN with --admin or --put.

gniibe added a comment.Sep 25 2019, 1:39 PM

For pinpadtest.py, you need to offer an option --add (adding dummy byte), when you are using Cherry ST-2xxx.

martin.von.wittich added a comment.Sep 25 2019, 2:55 PM

For pinpadtest.py, you need to offer an option --add (adding dummy byte), when you are using Cherry ST-2xxx.

Ah, yes. I probably should have read the comments at the end, it says so there ^^

I can confirm that pinpadtest.py will verify the PIN and the admin PIN, but it'll throw an exception for the reset code:

martin@dogmeat ~ % ./pinpadtest.py --add
Reader/Token: Cherry GmbH SmartTerminal ST-2xxx [Vendor Interface] (21121616195723) 00 00
ATR: 3B DA 18 FF 81 B1 FE 75 1F 03 00 31 F5 73 C0 01 60 00 90 00 1C
Please input User's PIN
OK.
martin@dogmeat ~ % ./pinpadtest.py --add --admin
Reader/Token: Cherry GmbH SmartTerminal ST-2xxx [Vendor Interface] (21121616195723) 00 00
ATR: 3B DA 18 FF 81 B1 FE 75 1F 03 00 31 F5 73 C0 01 60 00 90 00 1C
Please input Admin's PIN
OK.
martin@dogmeat ~ % ./pinpadtest.py --put --admin
Reader/Token: Cherry GmbH SmartTerminal ST-2xxx [Vendor Interface] (21121616195723) 00 00
ATR: 3B DA 18 FF 81 B1 FE 75 1F 03 00 31 F5 73 C0 01 60 00 90 00 1C
Please input Admin's PIN
Traceback (most recent call last):
  File "./pinpadtest.py", line 378, in <module>
    main(who, method, add_a_byte, pinmin, pinmax, change_by_two_steps, fixed)
  File "./pinpadtest.py", line 293, in main
    card.cmd_verify_pinpad(BY_ADMIN)
  File "./pinpadtest.py", line 138, in cmd_verify_pinpad
    raise ValueError, ("cmd_verify_pinpad %02x %02x" % (sw1, sw2))
ValueError: cmd_verify_pinpad 63 c3

That probably makes this a documentation issue, not a code issue.

gniibe added projects: Documentation, Not A Bug.Aug 28 2020, 6:48 AM