
gpg-card: "Unblock and set new a PIN" asks for Admin PIN instead of Reset Code
Closed, Invalid (Public)

Description

I'm using a Yubikey (OpenPGP v2.1 card).

$ gpg-card
Reader ...........: 1050:0407:X:0
Card type ........: yubikey
Card firmware ....: 5.1.2
Serial number ....: D2760001240100000006090745820000
Application type .: OpenPGP
Version ..........: 2.1
Displayed s/n ....: 9 074 582
Manufacturer .....: Yubico (6)
Name of cardholder: Otto Example
Language prefs ...: [not set]
Salutation .......: 
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 42
Capabilities .....: key-import algo-change button priv-data
UIF setting ......: Sign=off Decrypt=off Auth=off
Signature key ....: 930509C5F5BD42B2ABCB4C7BDC2FD64BE59086CE
      keyref .....: OPENPGP.1  (sign,cert)
      algorithm ..: rsa2048
      stored fpr .: AF440A8368A6C258DB22AC2C06B697821DAABF4B
      created ....: 2020-12-04 09:33:03
Encryption key....: AEA62514505EBDDB4C2FF8AF27B02F221ECAFBCE
      keyref .....: OPENPGP.2  (encr)
      algorithm ..: rsa2048
      stored fpr .: 9E81894389EE38719E8467530426BF61A5CD515C
      created ....: 2020-12-04 09:33:03
Authentication key: 56EBCBEEA72DBF1BFAFE583F7FF36CBCB895C265
      keyref .....: OPENPGP.3  (sign,auth)
      algorithm ..: rsa2048
      stored fpr .: A81859F68ADB4CA16DBB71C3312145CAE3019B42
      created ....: 2020-12-04 09:33:03

gpg/card> passwd
OpenPGP card no. 9 074 582 detected

1 - change the PIN
2 - unblock and set new a PIN
3 - change the Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 2

At this point a PIN entry dialog pops up asking for the Admin PIN. It should ask for the Reset Code.

The reason seems to be that gpg-card calls SCD PASSWD --reset OPENPGP.1, but according to the table before do_change_pin() (app-openpgp.c:3142, https://dev.gnupg.org/source/gnupg/browse/master/scd/app-openpgp.c;355e2992c043dd3241a9e838255f01418490ef33$3142) and according to the actual code it should call SCD PASSWD OPENPGP.2, at least for OpenPGP v2+ cards. I don't know whether gpg-card is supposed to also support OpenPGP v1 cards.

Event Timeline

"unblock and set a new PIN" might not be the best description given that we have an "unblock" command to let the user unblock their own PIN using their reset code. But yes, it is expected that it asks for the Admin PIN.

"change PIN" and "change Admin PIN" both require that you know the respective PIN.

Menu option 1 requires the PIN, all other menu options require the Admin PIN.

Ahh, there's a separate unblock command for the non-admin.