Using XCA to change SO-PIN

Hi,

the SO-PIN on the token must have exactly 16 digits, but XCA only allows a maximum of 15 digits when changing the SO-PIN.

What needs to be done so that the SO PIN can be changed with XCA?

Thanks
Hans

(I guess you are asking about Nitrokey HSM 2, if not please ignore)

The token I have says that it needs 16 digits for SOPIN:

> pkcs15-tool -D 
Using reader with a card: Nitrokey Nitrokey HSM (DENK01099990000         ) 00 00
PKCS#15 Card [SmartCard-HSM]:
	Version        : 0
	Serial number  : DENK0109999
	Manufacturer ID: www.CardContact.de
	Flags    
PIN [UserPIN]
	Object Flags   : [0x03], private, modifiable
	Auth ID        : 02
	ID             : 01
	Flags          : [0x812], local, initialized, exchangeRefData
	Length         : min_len:6, max_len:15, stored_len:0
	Pad char       : 0x00
	Reference      : 129 (0x81)
	Type           : ascii-numeric
	Path           : e82b0601040181c31f0201::
	Tries left     : 3

PIN [SOPIN]
	Object Flags   : [0x01], private
	ID             : 02
	Flags          : [0x9A], local, unblock-disabled, initialized, soPin
	Length         : min_len:16, max_len:16, stored_len:0
	Pad char       : 0x00
	Reference      : 136 (0x88)
	Type           : bcd
	Path           : e82b0601040181c31f0201::
	Tries left     : 15

To get it right, you might want to change the PKCS#11 driver you are using:

providers

The OpenSC provider says it is going to change UserPIN really, that is why it can be at most 15 characters:

opensc_new_pin

I personally wouldn’t bother and use Smart Card Shell (scsh3) for this one…

here’s where XCA takes its min/max parameters from:

With OpenSC:

> /usr/local/bin/pkcs11-tool -T --module /usr/local/lib/pkcs11/opensc-pkcs11.so 
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (DENK01099990000         ) 00 00
  token label        : SmartCard-HSM (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized, user PIN locked
  hardware version   : 24.13
  firmware version   : 3.5
  serial num         : DENK0109999
  pin min/max        : 6/15

With GitHub - CardContact/sc-hsm-embedded: PKCS#11 and CSP-Minidriver library for the SmartCard-HSM and STARCOS based signature cards one gets:

> /usr/local/bin/pkcs11-tool -T --module /usr/local/lib/libsc-hsm-pkcs11.so    
Available slots:
Slot 0 (0x1): Nitrokey Nitrokey HSM (DENK01099990000         ) 00 00
  token label        : SmartCard-HSM
  token manufacturer : CardContact (www.cardcontact.de)
  token model        : SmartCard-HSM
  token flags        : login required, rng, token initialized, PIN initialized, user PIN locked
  hardware version   : 5.0
  firmware version   : 3.5
  serial num         : DENK0109999
  pin min/max        : 6/16

hi,
Thanks for response, clear the problem.

We use XCA in Windows, so we need the dll-library of /usr/local/lib/libsc-hsm-pkcs11.so

Where can we find it?

Thanks
Hans

I tried XCA and I have managed to change SO-PIN to something that Smartcard Shell would not accept :confused: fortunately it was possible to change it back with XCA to the numeric value that worked with the SmartCard Shell.

You might want to download the starter kit

https://www.smartcard-hsm.com/opensource.html#starterkit

It contains (slightly outdated cc @sc-hsm ) instructions to use XCA. sc-hsm-pkcs11 is not read-only anymore. This package also contains sc-hsm-middleware-x64-2.12.msi and sc-hsm-middleware-x86-2.12.msi files that probably contain required DLL’s (it will be called sc-hms-pkcs11.dll or something like that).

For advanced card management and unleashing fur power of that module I’d recommend using scsh3:

https://www.openscdp.org/scsh3/index.html

This is written in Java (and JavaScript) and does not need such DLLs.