For a reason I haven’t yet been able to determine, the user PIN code has been blocked. At least, that’s what I think. Running the command underneath gives an error suggesting the PIN is locked.
pkcs11-tool -lt --module opensc-pkcs11.so
Using slot 0 with a present token (0x0)
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN:
error: PKCS11 function C_Login failed: rv = CKR_PIN_LOCKED (0xa4)
Aborting.
Question is: How to unlock it ? Preferably using opensc or pkcs11-tool. I’ve been trying lots of things, but I’m unable to unlock it. Luckily this is a key from a test environment. But I really don’t want to get this in the production environment !
It seems that you have used up the attempts counter for the SO. If so, then device cannot be used anymore, as it does not offer any reset procedures by design.
Could you paste the sc-hsm-tool output with the exact numbers to confirm?
Yep. looks like the SO-PIN is locked. Can’t imagine how that happened as last time I checked it was at 6/15. I got it right many times, but I was trying to unlock the user pin and probably used the wrong syntax. When does it reset the OS-PIN tries count? Just when a command is successful or if the SO-PIN is correct even if the command fails for some other reason? I can’t imagine that I gave it the wrong SO-PIN 15 times in a row. I ran many commands most of which worked fine.
@saper
Each such call decreases the counter only by 1 on my setup.
@jplevyak
The attempt counter should be reset on each successful attempt. No potential explanations for the quick attempt counter use up are coming to my mind at this point unfortunately.