If VERIFY returns 6D00, then the applet/application is not yet or no longer selected. This can happen, if the device is accessed by more than one process, i.e. your application accesses the device and the browser has an open connection via PKCS#11.
The normal sequence is:
- Cold or warm reset
- Do somethings with the keys
When you issue a SELECT(AID), then a currently verified PIN is reset, so a subsequent SELECT requires a fresh authentication.
In our middleware we typically use the following sequence:
- Connect to card, but skip reset
- Issue a VERIFY without pin to query the authentication state
- If 9000 is returned, then the application is selected and the PIN verified
- If no 9000 is returned issue SELECT(AID) and query user to enter the PIN
- Do something with the keys
When accessing the device via PC/SC, then an explicit reset is usually not required. The PC/SC daemon will activate (and thus reset) the device to obtain the ATR. Then applications can access the device in exclusive or shared mode. When all applications close their sessions, then PC/SC will deactivate the device. Care should be taken if power management deactivates the device, in that case application selection and PIN authentication state is lost.