Page MenuHome GnuPG
Create Task
Maniphest T821

cannot change PIN of OpenPGP SmartCard with secure PIN entry (SPE) enabled
Closed, ResolvedPublic
Actions

Description

changing the PIN of an OpenPGP SmartCard using Cherry SmartBoard G83-6744
(xx44) and GnuPG 2.0.5 with secure PIN entry (SPE) enabled does not work:

scdaemon[7661.0] DBG: <- SERIALNO
scdaemon[7661.0] DBG: -> S SERIALNO D276000124010101000100000DA40000 0
scdaemon[7661.0] DBG: -> OK
scdaemon[7661.0] DBG: <- LEARN --force
scdaemon[7661.0] DBG: -> S SERIALNO D276000124010101000100000DA40000 0
scdaemon[7661.0] DBG: -> S APPTYPE OPENPGP
scdaemon[7661.0] DBG: -> S EXTCAP gc=1+ki=1+fc=1+pd=1
scdaemon[7661.0] DBG: -> S DISP-NAME
scdaemon[7661.0] DBG: -> S DISP-LANG de
scdaemon[7661.0] DBG: -> S DISP-SEX 9
2007-08-02 19:19:12 scdaemon[7661] DBG: send apdu: c=00 i=CA p0=00 p1=6E lc=-1
le=256
2007-08-02 19:19:12 scdaemon[7661] DBG: APDU_data: 00 CA 00 6E 00
2007-08-02 19:19:13 scdaemon[7661] DBG: response: sw=9000 datalen=194
2007-08-02 19:19:13 scdaemon[7661] DBG: dump: 4F 10 D2 76 00 01 24 01 01
01 00 01 00 00 0D A4 00 00 73 81 9D C0 01 78 C1 05 01 04 00 00 20 C2 05 01 04
00 00 20 C3 05 01 04 00 00 20 C4 07 00 FE FE FE 03 02 03 C5 3C 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 C6 3C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 CD 0C 00 00 00 00 00 00 00 00 00 00 00
00 5E 00
2007-08-02 19:19:13 scdaemon[7661] DBG: send apdu: c=00 i=CA p0=00 p1=C4 lc=-1
le=256
2007-08-02 19:19:13 scdaemon[7661] DBG: APDU_data: 00 CA 00 C4 00
2007-08-02 19:19:13 scdaemon[7661] DBG: response: sw=9000 datalen=7
2007-08-02 19:19:13 scdaemon[7661] DBG: dump: 00 FE FE FE 03 02 03
scdaemon[7661.0] DBG: -> S CHV-STATUS +0+254+254+254+3+2+3
2007-08-02 19:19:13 scdaemon[7661] DBG: send apdu: c=00 i=CA p0=00 p1=7A lc=-1
le=256
2007-08-02 19:19:13 scdaemon[7661] DBG: APDU_data: 00 CA 00 7A 00
2007-08-02 19:19:13 scdaemon[7661] DBG: response: sw=9000 datalen=5
2007-08-02 19:19:13 scdaemon[7661] DBG: dump: 93 03 00 00 00
scdaemon[7661.0] DBG: -> S SIG-COUNTER 0
scdaemon[7661.0] DBG: -> OK
scdaemon[7661.0] DBG: <- PASSWD 1
2007-08-02 19:19:16 scdaemon[7661] DBG: prompting for keypad entry '||Bitte die
PIN auf der Tastatur des Kartenleser eingeben'
scdaemon[7661.0] DBG: -> INQUIRE POPUPKEYPADPROMPT ||Bitte die PIN auf der
Tastatur des Kartenleser eingeben
scdaemon[7661.0] DBG: <- END
2007-08-02 19:19:16 scdaemon[7661] DBG: send apdu: c=00 i=20 p0=00 p1=82 lc=0
le=-1
2007-08-02 19:19:16 scdaemon[7661] DBG: APDU_data: 00 20 00 82 00
2007-08-02 19:19:19 scdaemon[7661] DBG: response: sw=9000 datalen=0
2007-08-02 19:19:19 scdaemon[7661] DBG: dump:
2007-08-02 19:19:19 scdaemon[7661] DBG: dismiss keypad entry prompt
scdaemon[7661.0] DBG: -> INQUIRE DISMISSKEYPADPROMPT
scdaemon[7661.0] DBG: <- END
2007-08-02 19:19:19 scdaemon[7661] DBG: asking for PIN '|N|Neue PIN'
scdaemon[7661.0] DBG: -> INQUIRE NEEDPIN |N|Neue PIN
scdaemon[7661.0] DBG: <- [ 44 20 31 32 33 34 35 36 00 00 00 00 ...(80 bytes
skipped) ]
scdaemon[7661.0] DBG: <- END
2007-08-02 19:19:26 scdaemon[7661] DBG: send apdu: c=00 i=24 p0=01 p1=81 lc=6
le=-1
2007-08-02 19:19:26 scdaemon[7661] DBG: APDU_data: 00 24 01 81 06 31 32 33 34
35 36
2007-08-02 19:19:26 scdaemon[7661] DBG: response: sw=6982 datalen=0
2007-08-02 19:19:26 scdaemon[7661] operation change_pin result: Falsche PIN
2007-08-02 19:19:26 scdaemon[7661] command passwd failed: Falsche PIN
scdaemon[7661.0] DBG: -> ERR 100663383 Falsche PIN <SCD>
scdaemon[7661.0] DBG: <- RESTART
scdaemon[7661.0] DBG: -> OK

The old PIN is accepted correctly (PIN-counter is not decremented or reset if
it was < 3), but when asked to enter the new one, SPE is deactivated (read
light on keyboard (signalizing that SPE is used) is no longer flashing and the
dialog window for the new PIN has a textbox to enter the PIN) and changing
ultimately fails.

However, if I put "disable-keypad" into my scdaemon.conf everything is working
fine:

scdaemon[8804.0] DBG: <- SERIALNO
scdaemon[8804.0] DBG: -> S SERIALNO D276000124010101000100000DA40000 0
scdaemon[8804.0] DBG: -> OK
scdaemon[8804.0] DBG: <- LEARN --force
scdaemon[8804.0] DBG: -> S SERIALNO D276000124010101000100000DA40000 0
scdaemon[8804.0] DBG: -> S APPTYPE OPENPGP
scdaemon[8804.0] DBG: -> S EXTCAP gc=1+ki=1+fc=1+pd=1
scdaemon[8804.0] DBG: -> S DISP-NAME
scdaemon[8804.0] DBG: -> S DISP-LANG de
scdaemon[8804.0] DBG: -> S DISP-SEX 9
2007-08-02 19:36:19 scdaemon[8804] DBG: send apdu: c=00 i=CA p0=00 p1=C4 lc=-1
le=256
2007-08-02 19:36:19 scdaemon[8804] DBG: APDU_data: 00 CA 00 C4 00
2007-08-02 19:36:19 scdaemon[8804] DBG: response: sw=9000 datalen=7
2007-08-02 19:36:19 scdaemon[8804] DBG: dump: 00 FE FE FE 03 03 03
scdaemon[8804.0] DBG: -> S CHV-STATUS +0+254+254+254+3+3+3
2007-08-02 19:36:19 scdaemon[8804] DBG: send apdu: c=00 i=CA p0=00 p1=7A lc=-1
le=256
2007-08-02 19:36:19 scdaemon[8804] DBG: APDU_data: 00 CA 00 7A 00
2007-08-02 19:36:19 scdaemon[8804] DBG: response: sw=9000 datalen=5
2007-08-02 19:36:19 scdaemon[8804] DBG: dump: 93 03 00 00 00
scdaemon[8804.0] DBG: -> S SIG-COUNTER 0
scdaemon[8804.0] DBG: -> OK
scdaemon[8804.0] DBG: <- PASSWD 1
2007-08-02 19:36:22 scdaemon[8804] DBG: asking for PIN 'PIN'
scdaemon[8804.0] DBG: -> INQUIRE NEEDPIN PIN
scdaemon[8804.0] DBG: <- [ 44 20 31 32 33 34 35 36 00 00 00 00 ...(80 bytes
skipped) ]
scdaemon[8804.0] DBG: <- END
2007-08-02 19:36:25 scdaemon[8804] DBG: send apdu: c=00 i=20 p0=00 p1=82 lc=6
le=-1
2007-08-02 19:36:25 scdaemon[8804] DBG: APDU_data: 00 20 00 82 06 31 32 33 34
35 36
2007-08-02 19:36:25 scdaemon[8804] DBG: response: sw=9000 datalen=0
2007-08-02 19:36:25 scdaemon[8804] DBG: dump:
2007-08-02 19:36:25 scdaemon[8804] DBG: send apdu: c=00 i=20 p0=00 p1=81 lc=6
le=-1
2007-08-02 19:36:25 scdaemon[8804] DBG: APDU_data: 00 20 00 81 06 31 32 33 34
35 36
2007-08-02 19:36:25 scdaemon[8804] DBG: response: sw=9000 datalen=0
2007-08-02 19:36:25 scdaemon[8804] DBG: dump:
2007-08-02 19:36:25 scdaemon[8804] DBG: asking for PIN '|N|Neue PIN'
scdaemon[8804.0] DBG: -> INQUIRE NEEDPIN |N|Neue PIN
scdaemon[8804.0] DBG: <- [ 44 20 31 32 33 34 35 36 00 00 00 00 ...(80 bytes
skipped) ]
scdaemon[8804.0] DBG: <- END
2007-08-02 19:36:30 scdaemon[8804] DBG: send apdu: c=00 i=24 p0=01 p1=81 lc=6
le=-1
2007-08-02 19:36:30 scdaemon[8804] DBG: APDU_data: 00 24 01 81 06 31 32 33 34
35 36
2007-08-02 19:36:30 scdaemon[8804] DBG: response: sw=9000 datalen=0
2007-08-02 19:36:30 scdaemon[8804] DBG: dump:
2007-08-02 19:36:30 scdaemon[8804] DBG: send apdu: c=00 i=24 p0=01 p1=82 lc=6
le=-1
2007-08-02 19:36:30 scdaemon[8804] DBG: APDU_data: 00 24 01 82 06 31 32 33 34
35 36
2007-08-02 19:36:30 scdaemon[8804] DBG: response: sw=9000 datalen=0
2007-08-02 19:36:30 scdaemon[8804] DBG: dump:
2007-08-02 19:36:30 scdaemon[8804] operation change_pin result: Erfolg
scdaemon[8804.0] DBG: -> OK
scdaemon[8804.0] DBG: <- RESTART
scdaemon[8804.0] DBG: -> OK

Of course, the old PIN is also entered without SPE if "disable-keypad" is set.

Event Timeline

andreas added projects: gnupg, Bug Report.Aug 2 2007, 7:52 PM
andreas added a subscriber: andreas.
werner lowered the priority of this task from High to Wishlist.Nov 15 2007, 4:07 PM
werner removed a project: Bug Report.
werner added a project: Feature Request.
werner added a subscriber: werner.

Changing the Admin PIN using the keypad as not been enabled on purpose. In case
soemthing goes wrong you may easily brick the card. It will be enabled as soon
as we have more experience with the keypad readers.

werner closed this task as Resolved.Oct 28 2008, 5:13 PM
werner claimed this task.

Admin PIN via pinpad are enabled since 2.0.9.