From: Douglas E E. <dee...@gm...> - 2023-04-21 20:16:50
Frank is correct. But I did find out why PIV card does not handle this and have a patch.

But NIST 800-74-4 says:
"the number of successive failures (retries) before the retry counter associated with the key reference reaches zero, are issuer dependent."

For most cards you could at least see what current retries are:

  opensc-tool -s "00:20:00:KR" #where KR is key reference.

  opensc-tool -s "00:20:00:80"
  Using reader with a card: Identiv SCR3500 A Contact Reader [CCID Interface] (54302140601312) 00 00
  Sending: 00 20 00 80
  Received (SW1=0x63, SW2=0xC3)

In this case it is 3. But if user is logged in it will return:

  Received (SW1=0x90, SW2=0x00)

On 4/21/2023 5:44 AM, Frank Morgner wrote:
>
> sc_pkcs15_get_pin_info is currently only called from some card drivers and the PKCS#11 layer. Unfortunately, the PIN counter is not directly visible for the user. You can request the retry counter (if the card supports it) with the following command:
>
> pkcs11-tool -T
>
> Depending on pkcs11-tool's output message the retry counter is as follows:
>
> * "final user PIN try" -> counter=1
> * "user PIN count low" -> 1<counter<maximum
> * "user PIN locked" -> counter=0
>
> Regards, Frank.
>
>
> On 18.04.23 at 17:36, Douglas E Engert wrote:
>> `pkcs15-tool -s --list-pins` might work.
>>
>> https://github.com/OpenSC/OpenSC/blob/master/src/tools/pkcs15-tool.c#L1529-L1530
>>
>> But it does not look like it will force the query of the token and is not working for PIV card. May work for others.
>>
>> On 4/18/2023 8:44 AM, Hans via Opensc-devel wrote:
>>>
>>> Thanks Frank,
>>>
>>> A dedicated CLI wouldn't be needed,
>>>
>>> I hoped that it would be visible via pkcs11-tool -T
>>>
>>> Regards, Hans
>>>
>>> *From:* Frank Morgner <fra...@gm...>
>>> *Sent:* Tuesday, April 18, 2023 3:09 PM
>>> *To:* ope...@li...
>>> *Subject:* Re: [Opensc-devel] PIN-counter
>>>
>>> Depending on the card you can send an empty VERIFY command (without PIN) and it will return the tries left. However, I don't think we have a dedicated CLI for this.
>>>
>>> Regards, Frank.
>>>
>>> On 18.04.23 at 14:49, Hans via Opensc-devel wrote:
>>>
>>> Hi all,
>>>
>>> Excuse me for troubling with a trivial question…
>>>
>>> I remember seeing many months ago in the release notes that it was possible to check the PIN-retry count.
>>>
>>> But, looking for it, (man-pages google) I fail to find it. (pkcs11-tools / pkcs15-tools / opensc)
>>>
>>> Is my mind playing tricks with me?
>>>
>>> From a very long time ago, I remember when doing a PIN-verification by sending an APDU, you get the PIN-count (and tries-left) back.
>>>
>>> Though that seems a very crude way to do it.
>>>
>>> Kind regards,
>>>
>>> *Hans Witvliet, J, Ing., DMO/OPS/I&S/APH, Kennis Team Opensource
>>> Coldenhovelaan 1 Maasland 3531RC Coldehovelaan 1, kamer B213*
>>>
>>> This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
>>>
>>> _______________________________________________
>>> Opensc-devel mailing list
>>> Ope...@li...
>>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>>
>> --
>>
>> Douglas E. Engert<DEE...@gm...>

--
Douglas E. Engert<DEE...@gm...>
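
The status-word check discussed in this thread, as an added example (not code from the thread or from OpenSC): it decodes the reply to an empty VERIFY as opensc-tool prints it. The function names are hypothetical, and the 69 83 case is the ISO 7816-4 "authentication method blocked" value, which the thread does not mention.

```shell
#!/bin/sh
# Added example: classify the reply to an empty VERIFY (00 20 00 KR, no PIN data).
# Input is text shaped like opensc-tool's "Received (SW1=0x63, SW2=0xC3)" line.

# Pull the status word out as four upper-case hex digits, e.g. 63C3.
extract_sw() {
    printf '%s\n' "$1" |
        sed -n 's/.*SW1=0x\([0-9A-Fa-f]\{2\}\), *SW2=0x\([0-9A-Fa-f]\{2\}\).*/\1\2/p' |
        head -n 1 | tr 'a-f' 'A-F'
}

# Print the PIN state; exit status 0 = decoded, 1 = unrecognised SW, 2 = no SW.
decode_verify_sw() {
    sw=$(extract_sw "$1")
    case "$sw" in
        63C[0-9A-F])
            # Low nibble of SW2 carries the tries left (0xC3 -> 3).
            tries=$((0x${sw#63C}))
            if [ "$tries" -eq 0 ]; then echo "blocked"; else echo "retries=$tries"; fi ;;
        9000) echo "verified" ;;   # already logged in: counter is not reported
        6983) echo "blocked" ;;    # ISO 7816-4 "authentication method blocked" (not in the thread)
        "")   echo "no-status-word"; return 2 ;;
        *)    echo "unrecognised sw=$sw"; return 1 ;;
    esac
}

# Live query (needs a reader and card); $1 is the key reference, e.g. 80.
# query_pin_state is a hypothetical helper name, not an OpenSC command.
query_pin_state() {
    decode_verify_sw "$(opensc-tool -s "00:20:00:$1" 2>&1)"
}
```

Because 90 00 only says the PIN is already verified, a monitoring script should treat "verified" as "counter unknown" rather than as a full counter.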