Hi,
Trying to connect to PKIAAS, my HSM2 got blocked after wrong PIN attempts.
As HSM2 was initialized with Smartcard Shell, I tried to use the same software to unlock the user PIN. I could not find a way to do that without reinitializing the whole device.
So I tried to use the CLI instead. sc-hsm-tool doesn't seem to allow unlocking the PIN, according to its help. It gives the following info:
$ sc-hsm-tool
Using reader with a card: Nitrokey Nitrokey HSM (DENK03013430000 ) 00 00
Version : 4.0
SO-PIN tries left : 15
User PIN locked
I went for using pkcs11-tool then, but it systematically fails:
$ pkcs11-tool --login --login-type so --init-pin
Using slot 0 with a present token (0x0)
Logging in to "hsm_test (UserPIN)".
Please enter SO PIN:
Please enter the new PIN:
Please enter the new PIN again:
error: PKCS11 function C_InitPIN failed: rv = CKR_PIN_LOCKED (0xa4)
Aborting.
I took my pillow's advice, which reminded me that I had used the following setting to initialize the HSM:
Allow RESET RETRY COUNTER: Resetting and unblocking PIN with SO-PIN not allowed
However, I wonder if this counter is actually reset after a successful PIN authentication? I am asking because I am unsure of how many attempts failed before the PIN got locked. I was with a colleague when that happened, and he said he made only one wrong attempt.
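A small status check that goes with the situation above, as an added example and not something from the thread or from OpenSC: it parses sc-hsm-tool output and warns before the user PIN retry counter runs out, since once it does, unblocking with the SO-PIN only works if RESET RETRY COUNTER was allowed at initialization. The "SO-PIN tries left" and "User PIN locked" lines are taken from the output shown above; the "User PIN tries left : N" line format is an assumption, and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSC.
# Usage: sc-hsm-tool | hsm_pin_status
# Prints one status line and returns 0 = ok, 1 = retries low, 2 = locked.
# Line formats "SO-PIN tries left : N" and "User PIN locked" follow the
# thread's output; "User PIN tries left : N" is an assumed format.
hsm_pin_status() {
  locked=0; user_left=""; so_left=""
  while IFS= read -r line; do
    case "$line" in
      "User PIN locked"*)      locked=1 ;;
      "User PIN tries left"*)  user_left=${line##*: } ;;
      "SO-PIN tries left"*)    so_left=${line##*: } ;;
    esac
  done
  if [ "$locked" -eq 1 ]; then
    echo "user PIN LOCKED (SO-PIN tries left: ${so_left:-?}); SO-PIN unblock works only if RESET RETRY COUNTER was allowed at init, otherwise reinitialize"
    return 2
  fi
  if [ -n "$user_left" ] && [ "$user_left" -le 1 ]; then
    echo "user PIN tries left: $user_left; stop entering PINs, one more failure locks the token"
    return 1
  fi
  echo "user PIN tries left: ${user_left:-?}, SO-PIN tries left: ${so_left:-?}"
  return 0
}

# Constructed sample outputs (serial replaced by a placeholder).
SAMPLE_LOCKED='Using reader with a card: Nitrokey Nitrokey HSM (SERIAL-PLACEHOLDER) 00 00
Version : 4.0
SO-PIN tries left : 15
User PIN locked'

SAMPLE_LOW='Version : 4.0
SO-PIN tries left : 15
User PIN tries left : 1'

# Demo run against the constructed samples; "|| :" keeps a non-zero
# status from aborting the script when run under set -e.
printf '%s\n' "$SAMPLE_LOCKED" | hsm_pin_status || :
printf '%s\n' "$SAMPLE_LOW" | hsm_pin_status || :
```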
We can't, which is expected because we explicitly forbade it while initializing the device. That's what I tried to explain in the previous message. (In our use case, this HSM is used both for m-of-n authentication on a separate HSM which hosts our CA, and for authentication to PKIAAS.)
So we just reinitialized the device. I still have to figure out if I can regain access to my PKI in PKIAAS using a new authentication key.
I think your device will retain its identity, and this should be all that is needed. You can log in there with an empty device with no keys; only the device certificate should be needed.
(This certificate and the serial number change if the firmware is updated, though.)