Can not unlock user PIN on HSM key

jules · March 21, 2017, 9:50am

For a reason I haven’t yet been able to determine, the user PIN code has been blocked. At least, that’s what I think. Running the command underneath gives an error suggesting the PIN is locked.

pkcs11-tool -lt --module opensc-pkcs11.so

Using slot 0 with a present token (0x0)
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN: 
error: PKCS11 function C_Login failed: rv = CKR_PIN_LOCKED (0xa4)

Aborting.

Question is: How to unlock it ? Preferably using opensc or pkcs11-tool. I’ve been trying lots of things, but I’m unable to unlock it. Luckily this is a key from a test environment. But I really don’t want to get this in the production environment !

THX !

jan · March 22, 2017, 8:36am

Please try to reinitialize the device as described here. It requires a valid and unblocked SO-PIN.

jules · March 22, 2017, 8:58am

Well, yes, that works of course. But then the key’s content is gone too. I’d rather not do that !

If I’m not mistaken pkcs11-tool provides the following:

pkcs11-tool --login --login-type so --so-pin ... --change-pin --new-pin ...

It should reset the user pin code. However, the key replies with an error:

Using slot 0 with a present token (0x0)
error: PKCS11 function C_SetPIN failed: rv = CKR_PIN_LEN_RANGE (0xa2)

Aborting.

It looks like the key/pkcs11-tool/… thinks the SO pin should be changed instead of the User pin.

pkcs11-tool also provides the command --unlock-pin. But I have not been able to make it work.

Is there a way to unlock the User pin w/o erasing the key ?

jan · March 22, 2017, 9:16am

Use --init-pin instead of --change-pin:
pkcs11-tool --login --login-type so --so-pin ${SO_PIN} --init-pin --new-pin ${NEW_USER_PIN}

jules · March 22, 2017, 3:48pm

That did it ! Thank you very much indeed !

jplevyak · June 23, 2021, 3:33pm

Unfortunately that solution no longer seems to work:

% pkcs11-tool --login --login-type so --so-pin ${SO_PIN} --init-pin --new-pin ${NEW_USER_PIN}
Using slot 0 with a present token (0x0)
error: PKCS11 function C_InitPIN failed: rv = CKR_PIN_LOCKED (0xa4)
Aborting.

szszszsz · June 24, 2021, 11:46am

Hi @jplevyak ,

It seems that you have used up the attempts counter for the SO. If so, then device cannot be used anymore, as it does not offer any reset procedures by design.
Could you paste the sc-hsm-tool output with the exact numbers to confirm?

jplevyak · June 25, 2021, 3:48am

Using reader with a card: Nitrokey Nitrokey HSM
Version : 3.4
Config options :
User PIN reset with SO-PIN enabled
SO-PIN locked
User PIN locked

jplevyak · June 25, 2021, 3:52am

Yep. looks like the SO-PIN is locked. Can’t imagine how that happened as last time I checked it was at 6/15. I got it right many times, but I was trying to unlock the user pin and probably used the wrong syntax. When does it reset the OS-PIN tries count? Just when a command is successful or if the SO-PIN is correct even if the command fails for some other reason? I can’t imagine that I gave it the wrong SO-PIN 15 times in a row. I ran many commands most of which worked fine.

saper · June 27, 2021, 10:45pm

Wouldn’t --login and --init-pin try to login twice therefore reducing the number of attempts?

szszszsz · June 29, 2021, 3:20pm

@saper
Each such call decreases the counter only by 1 on my setup.

@jplevyak
The attempt counter should be reset on each successful attempt. No potential explanations for the quick attempt counter use up are coming to my mind at this point unfortunately.