pkcs15-tool --list-pins always shows
Tries left : 3 regardless of how many times I enter a wrong pin using
pkcs11-tool --login --list-objects. Is there another command line to get a correct retry count?
Perhaps wrong counter is shown - for OpenPGP smart card there are User and Admin PINs.
You can try to cross-confirm that reading with GnuPG:
$ gpg2 --card-status
Using pkcs11 api C_GetTokenInfo(slot, &info) where info is a CK_TOKEN_INFO and checking info.flags
CKF_USER_PIN_LOCKED - means 0 retries
CKF_USER_PIN_FINAL_TRY - means 1 retry
CKF_USER_PIN_COUNT_LOW - means 2 reties
and none of these flags means 3 retries
is about the best I can get.
Indeed, it looks like it is the only way to get the count:
Maybe the number is accurate. The PINs have a certain minimum length and maybe it does not get sent to the card so that the retries are not exhausted. Fell for this as I created a script to block a PIN with a script and it needed 8 chars minimum for the admin PIN.