[Gnuk-users] Gnuk 1.2.3 passwords and counters

NIIBE Yutaka gniibe at fsij.org
Wed Apr 19 02:39:47 UTC 2017


Ineiev <ineiev at gnu.org> wrote:
> Now, the next question. I attached my pinpad [0] to the token,
> the bPinSupport value in usb_des.c is 3 (verify, modify).
> The requests to enter and modify PIN and Admin PIN are served
> with the pinpad, but whenever the Reset Code is needed, pinentry
> is launched instead.
>
> Is this expected? do other pinpads work with Reset Codes?

It is expected.  I don't think any other pinpads work for the Reset
Code.

According to the CCID protocol, pinpad input is only valid for VERIFY
(verification of admin/user PIN) and CHANGE_REFERENCE_DATA (modification
of admin/user PIN).

While Gnuk itself supports use of pinpad for the Reset Code (violating
the CCID protocol), scdaemon of GnuPG does not support this use case.

Specifically, scdaemon only has two functions:

	iso7816_verify_kp
	iso7816_change_reference_data_kp

in gnupg/scd/iso7816.c, where kp stands for "key pad".  We would need
iso7816_reset_retry_counter_kp (for resetting counter) and
iso7816_put_data (for setting the Reset Code).

In gnuk/src/openpgp.c, the function openpgp_card_thread handles it like
this:

	  if (INS (apdu) != INS_VERIFY)
	    {
	      GPG_CONDITION_NOT_SATISFIED ();
	      goto done;
	    }
[...]
	  if (INS (apdu) != INS_CHANGE_REFERENCE_DATA
	      && INS (apdu) != INS_RESET_RETRY_COUNTER
	      && INS (apdu) != INS_PUT_DATA)
	    {
	      GPG_CONDITION_NOT_SATISFIED ();
	      goto done;
	    }
-- 
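
The dispatch described in the message above, as an added example that is not part of the original post or of Gnuk's or GnuPG's source: it locates the APDU inside a CCID PC_to_RDR_Secure message and applies the two quoted INS checks. Assumptions: the first check belongs to pinpad verification and the second to pinpad modification, the field offsets follow the CCID rev 1.1 PIN data structures, and the function names, the verdict enum and the sample messages are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ISO 7816-4 instruction bytes named in the message above. */
enum { INS_VERIFY = 0x20, INS_CHANGE_REFERENCE_DATA = 0x24,
       INS_RESET_RETRY_COUNTER = 0x2C, INS_PUT_DATA = 0xDA };
/* CCID PC_to_RDR_Secure message type and its bPINOperation values. */
enum { CCID_SECURE = 0x69, PIN_OP_VERIFY = 0x00, PIN_OP_MODIFY = 0x01 };
enum verdict { REJECTED, CCID_AND_GNUK, GNUK_ONLY };

/* Offset of abPINApdu in a PC_to_RDR_Secure message, 0 if unsupported.
   Layout assumed from the CCID rev 1.1 PIN verification/modification
   data structures; only bNumberMessage values 1..3 are handled here. */
static size_t pin_apdu_offset(const uint8_t *m, size_t len)
{
  if (len < 11 || m[0] != CCID_SECURE) return 0;
  if (m[10] == PIN_OP_VERIFY) return 25;
  if (m[10] != PIN_OP_MODIFY || len < 22) return 0;
  if (m[21] < 1 || m[21] > 3) return 0;      /* bNumberMessage */
  return 27 + (size_t)m[21];                 /* skip bMsgIndex*, bTeoPrologue */
}

/* Mirrors the two INS checks quoted from openpgp_card_thread. */
enum verdict classify(const uint8_t *m, size_t len)
{
  size_t off = pin_apdu_offset(m, len);
  if (off == 0 || len < off + 4) return REJECTED;
  uint8_t ins = m[off + 1];                  /* APDU: CLA INS P1 P2 */
  if (m[10] == PIN_OP_VERIFY)
    return ins == INS_VERIFY ? CCID_AND_GNUK : REJECTED;
  if (ins == INS_CHANGE_REFERENCE_DATA) return CCID_AND_GNUK;
  if (ins == INS_RESET_RETRY_COUNTER || ins == INS_PUT_DATA) return GNUK_ONLY;
  return REJECTED;
}

/* Builds a constructed (not captured) message and classifies it. */
enum verdict sample_verdict(uint8_t pin_op, uint8_t ins, uint8_t n_msgs)
{
  uint8_t m[64];
  memset(m, 0, sizeof m);
  m[0] = CCID_SECURE;
  m[10] = pin_op;
  if (pin_op == PIN_OP_MODIFY) m[21] = n_msgs;
  size_t off = pin_apdu_offset(m, sizeof m);
  if (off) m[off + 1] = ins;
  return classify(m, off ? off + 4 : sizeof m);
}
```

GNUK_ONLY marks the Reset Code paths (RESET RETRY COUNTER, PUT DATA) that the message says Gnuk accepts from a pinpad but scdaemon has no function to send.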


