Using XCA to change SO-PIN

Hi,

the SO-PIN on the token must have exactly 16 digits, but XCA only allows a maximum of 15 digits when changing the SO-PIN.

What needs to be done so that the SO PIN can be changed with XCA?

Thanks
Hans

(I guess you are asking about Nitrokey HSM 2, if not please ignore)

The token I have says that it needs 16 digits for SOPIN:

> pkcs15-tool -D 
Using reader with a card: Nitrokey Nitrokey HSM (DENK01099990000         ) 00 00
PKCS#15 Card [SmartCard-HSM]:
	Version        : 0
	Serial number  : DENK0109999
	Manufacturer ID: www.CardContact.de
	Flags    
PIN [UserPIN]
	Object Flags   : [0x03], private, modifiable
	Auth ID        : 02
	ID             : 01
	Flags          : [0x812], local, initialized, exchangeRefData
	Length         : min_len:6, max_len:15, stored_len:0
	Pad char       : 0x00
	Reference      : 129 (0x81)
	Type           : ascii-numeric
	Path           : e82b0601040181c31f0201::
	Tries left     : 3

PIN [SOPIN]
	Object Flags   : [0x01], private
	ID             : 02
	Flags          : [0x9A], local, unblock-disabled, initialized, soPin
	Length         : min_len:16, max_len:16, stored_len:0
	Pad char       : 0x00
	Reference      : 136 (0x88)
	Type           : bcd
	Path           : e82b0601040181c31f0201::
	Tries left     : 15

To get it right, you might want to change the PKCS#11 driver you are using:

providers

The OpenSC provider says it is really going to change the UserPIN, which is why it can be at most 15 characters:

opensc_new_pin

I personally wouldn’t bother and use Smart Card Shell (scsh3) for this one…

Here’s where XCA takes its min/max parameters from:

With OpenSC:

> /usr/local/bin/pkcs11-tool -T --module /usr/local/lib/pkcs11/opensc-pkcs11.so 
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (DENK01099990000         ) 00 00
  token label        : SmartCard-HSM (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized, user PIN locked
  hardware version   : 24.13
  firmware version   : 3.5
  serial num         : DENK0109999
  pin min/max        : 6/15

With sc-hsm-embedded (GitHub - CardContact/sc-hsm-embedded: PKCS#11 and CSP-Minidriver library for the SmartCard-HSM and STARCOS based signature cards) one gets:

> /usr/local/bin/pkcs11-tool -T --module /usr/local/lib/libsc-hsm-pkcs11.so    
Available slots:
Slot 0 (0x1): Nitrokey Nitrokey HSM (DENK01099990000         ) 00 00
  token label        : SmartCard-HSM
  token manufacturer : CardContact (www.cardcontact.de)
  token model        : SmartCard-HSM
  token flags        : login required, rng, token initialized, PIN initialized, user PIN locked
  hardware version   : 5.0
  firmware version   : 3.5
  serial num         : DENK0109999
  pin min/max        : 6/16
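To make the point above checkable without a token attached, here is an added example (not from the thread's participants or from OpenSC/XCA): it parses the `pkcs15-tool -D` and `pkcs11-tool -T` listings quoted in this thread, extracts each PIN object's length bounds and type, and compares them with the `pin min/max` a PKCS#11 provider reports, which is the value XCA uses for its input limit. The sample listings are constructed from the output posted above; the candidate PINs are made-up values, not real ones.

```python
import re

# Constructed sample: the PIN section of the pkcs15-tool -D output posted above.
PKCS15_DUMP = """\
PIN [UserPIN]
	Object Flags   : [0x03], private, modifiable
	Auth ID        : 02
	ID             : 01
	Flags          : [0x812], local, initialized, exchangeRefData
	Length         : min_len:6, max_len:15, stored_len:0
	Pad char       : 0x00
	Reference      : 129 (0x81)
	Type           : ascii-numeric

PIN [SOPIN]
	Object Flags   : [0x01], private
	ID             : 02
	Flags          : [0x9A], local, unblock-disabled, initialized, soPin
	Length         : min_len:16, max_len:16, stored_len:0
	Pad char       : 0x00
	Reference      : 136 (0x88)
	Type           : bcd
"""

# Constructed samples: the relevant lines of pkcs11-tool -T with each provider.
PKCS11_OPENSC = """\
Slot 0 (0x0): Nitrokey Nitrokey HSM (DENK01099990000         ) 00 00
  token label        : SmartCard-HSM (UserPIN)
  pin min/max        : 6/15
"""
PKCS11_SC_HSM = """\
Slot 0 (0x1): Nitrokey Nitrokey HSM (DENK01099990000         ) 00 00
  token label        : SmartCard-HSM
  pin min/max        : 6/16
"""


def parse_pin_objects(dump):
    """Map each 'PIN [label]' block to its min/max length and PIN type."""
    pins = {}
    current = None
    for line in dump.splitlines():
        head = re.match(r"PIN \[(.+?)\]", line)
        if head:
            current = head.group(1)
            pins[current] = {}
            continue
        if current is None:
            continue
        length = re.match(r"\s*Length\s*:\s*min_len:(\d+), max_len:(\d+)", line)
        if length:
            pins[current]["min"] = int(length.group(1))
            pins[current]["max"] = int(length.group(2))
            continue
        kind = re.match(r"\s*Type\s*:\s*(\S+)", line)
        if kind:
            pins[current]["type"] = kind.group(1)
    return pins


def parse_pkcs11_pin_limits(listing):
    """Return the (min, max) pair a PKCS#11 provider advertises in CK_TOKEN_INFO."""
    m = re.search(r"pin min/max\s*:\s*(\d+)/(\d+)", listing)
    if not m:
        raise ValueError("no 'pin min/max' line in pkcs11-tool output")
    return int(m.group(1)), int(m.group(2))


def check_pin(candidate, info):
    """Validate a candidate PIN against the card's own object definition.

    Returns (ok, reason). Both 'bcd' and 'ascii-numeric' PINs are decimal
    digits only, so anything else is rejected before it reaches the card.
    """
    if not info["min"] <= len(candidate) <= info["max"]:
        return False, "length %d outside %d..%d" % (len(candidate), info["min"], info["max"])
    if info["type"] in ("bcd", "ascii-numeric") and not re.fullmatch(r"[0-9]+", candidate):
        return False, "non-digit characters in a numeric PIN"
    return True, "ok"


def provider_can_set(info, limits):
    """True if the provider's advertised range covers every length the card accepts."""
    lo, hi = limits
    return lo <= info["min"] and info["max"] <= hi


if __name__ == "__main__":
    pins = parse_pin_objects(PKCS15_DUMP)
    for name, listing in (("OpenSC", PKCS11_OPENSC), ("sc-hsm-embedded", PKCS11_SC_HSM)):
        limits = parse_pkcs11_pin_limits(listing)
        print(name, limits, "covers SOPIN:", provider_can_set(pins["SOPIN"], limits))
    print(check_pin("1234567890123456", pins["SOPIN"]))   # constructed 16-digit value
    print(check_pin("123456789012345", pins["SOPIN"]))    # 15 digits: too short
```

Run against the two listings, the OpenSC provider's 6/15 range fails to cover the SOPIN object's fixed length of 16, while sc-hsm-embedded's 6/16 does; a 15-digit candidate is rejected by the card definition regardless of what the GUI allowed you to type.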

hi,
Thanks for the response, that clears up the problem.

We use XCA on Windows, so we need the DLL version of /usr/local/lib/libsc-hsm-pkcs11.so

Where can we find it?

Thanks
Hans

I tried XCA and managed to change the SO-PIN to something that Smartcard Shell would not accept :confused: Fortunately it was possible to change it back with XCA to the numeric value that worked with the SmartCard Shell.

You might want to download the starter kit

https://www.smartcard-hsm.com/opensource.html#starterkit

It contains (slightly outdated, cc @sc-hsm) instructions for using XCA. sc-hsm-pkcs11 is not read-only anymore. This package also contains the sc-hsm-middleware-x64-2.12.msi and sc-hsm-middleware-x86-2.12.msi files, which probably contain the required DLLs (it will be called sc-hms-pkcs11.dll or something like that).

For advanced card management and unleashing the full power of that module I’d recommend using scsh3:

https://www.openscdp.org/scsh3/index.html

This is written in Java (and JavaScript) and does not need such DLLs.
