How to get user pin retry count from NitroKey on Linux?

pkcs15-tool --list-pins always shows Tries left : 3 regardless of how many times I enter a wrong pin using pkcs11-tool --login --list-objects. Is there another command line to get a correct retry count?

Hi!
Perhaps the wrong counter is shown - for the OpenPGP smart card there are User and Admin PINs.

You can try to cross-confirm that reading with GnuPG:

$ gpg2 --card-status

Using pkcs11 api C_GetTokenInfo(slot, &info) where info is a CK_TOKEN_INFO and checking info.flags

CKF_USER_PIN_LOCKED - means 0 retries
CKF_USER_PIN_FINAL_TRY - means 1 retry
CKF_USER_PIN_COUNT_LOW - means 2 retries
and none of these flags means 3 retries

is about the best I can get.

1 Like
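The C_GetTokenInfo approach from the post above, as an added example that is not from the original thread, written in Python with only the standard library's ctypes. The PKCS#11 module path is an assumption (pass your distribution's opensc-pkcs11.so), the struct layout and flag values follow the PKCS#11 v2.x spec, and the flag-to-count mapping is exactly the one the post gives, so it can only distinguish 0/1/2/3 and never reports an exact number for tokens with a higher try limit.

```python
import ctypes
# CK_TOKEN_INFO.flags bits for the user PIN (values from the PKCS#11 v2.x spec)
CKF_USER_PIN_COUNT_LOW = 0x00010000
CKF_USER_PIN_FINAL_TRY = 0x00020000
CKF_USER_PIN_LOCKED = 0x00040000

def user_pin_retries(flags):
    """LOCKED -> 0, FINAL_TRY -> 1, COUNT_LOW -> 2, none -> 3 (for a 3-try token).
    The flags carry no exact number: COUNT_LOW only says 'fewer than the maximum'."""
    if flags & CKF_USER_PIN_LOCKED:
        return 0
    if flags & CKF_USER_PIN_FINAL_TRY:
        return 1
    return 2 if flags & CKF_USER_PIN_COUNT_LOW else 3

class CK_TOKEN_INFO(ctypes.Structure):
    # Field order/sizes follow the Cryptoki spec (CK_VERSION = two bytes); natural alignment as in Linux pkcs11.h
    _fields_ = ([("label", ctypes.c_ubyte * 32), ("manufacturerID", ctypes.c_ubyte * 32),
                 ("model", ctypes.c_ubyte * 16), ("serialNumber", ctypes.c_ubyte * 16),
                 ("flags", ctypes.c_ulong)]
                + [(n, ctypes.c_ulong) for n in (
                    "ulMaxSessionCount", "ulSessionCount", "ulMaxRwSessionCount",
                    "ulRwSessionCount", "ulMaxPinLen", "ulMinPinLen", "ulTotalPublicMemory",
                    "ulFreePublicMemory", "ulTotalPrivateMemory", "ulFreePrivateMemory")]
                + [("hardwareVersion", ctypes.c_ubyte * 2), ("firmwareVersion", ctypes.c_ubyte * 2),
                   ("utcTime", ctypes.c_ubyte * 16)])

def token_pin_retries(module_path):
    """Load a PKCS#11 module, read the first present token's flags, return retries (-1 on error)."""
    lib = ctypes.CDLL(module_path)  # e.g. an assumed path to opensc-pkcs11.so
    lib.C_GetSlotList.argtypes = [ctypes.c_ubyte, ctypes.POINTER(ctypes.c_ulong),
                                  ctypes.POINTER(ctypes.c_ulong)]
    lib.C_GetTokenInfo.argtypes = [ctypes.c_ulong, ctypes.POINTER(CK_TOKEN_INFO)]
    if lib.C_Initialize(None) != 0:  # CKR_OK == 0
        return -1
    try:
        count = ctypes.c_ulong(0)
        # tokenPresent=CK_TRUE (1): list only slots with a card inserted
        if lib.C_GetSlotList(1, None, ctypes.byref(count)) != 0 or count.value == 0:
            return -1
        slots = (ctypes.c_ulong * count.value)()
        if lib.C_GetSlotList(1, slots, ctypes.byref(count)) != 0:
            return -1
        info = CK_TOKEN_INFO()
        if lib.C_GetTokenInfo(slots[0], ctypes.byref(info)) != 0:
            return -1
        return user_pin_retries(info.flags)
    finally:
        lib.C_Finalize(None)
```

Call `token_pin_retries("/path/to/opensc-pkcs11.so")` with the card inserted; compare the result with `pkcs15-tool --list-pins` and `gpg2 --card-status` to see which counter each tool is reporting.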

Indeed, it looks like it is the only way to get the count:

Maybe the number is accurate. The PINs have a certain minimum length and maybe it does not get sent to the card so that the retries are not exhausted. I fell for this when I created a script to block a PIN, and it needed 8 chars minimum for the admin PIN.

1 Like