Yubico Forum
https://forum.yubico.com/

Changing user PIN using GPG
https://forum.yubico.com/viewtopic.php?f=26&t=1056

Author:  Borealid [ Sun May 05, 2013 4:20 am ]
Post subject:  Changing user PIN using GPG

I appear to be unable to either reset the user PIN or regenerate the GPG key without entering it.

I'd love to be able to reset this NEO to "factory". I do know (and did enter) the correct *admin* PIN.

Code:
$ gpg --version
gpg (GnuPG) 2.0.19
libgcrypt 1.5.0
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
        CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
$ gpg --card-edit

scdaemon[20583]: updating slot 0 status: 0x0000->0x0007 (0->1)
Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
Manufacturer .....: test card
Serial number ....: 00000001
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 2 3
Signature counter : 5
Signature key ....: 4FE2 94B5 4F09 D6F9 DA2F  42B5 6CA8 5536 A7C3 08D6
      created ....: 2013-02-10 19:46:03
Encryption key....: CA53 7394 CB9C 08F9 AA09  23AD 0985 71BC BC97 27BA
      created ....: 2013-02-10 19:46:03
Authentication key: 94B5 51E6 D68B 8D83 BAC7  A735 A63C B5C9 B28A ABBB
      created ....: 2013-02-10 19:46:03
General key info..:
pub  2048R/A7C308D6 2013-02-10 ********* (Hardware Token) <***@**.***>
sec>  2048R/A7C308D6  created: 2013-02-10  expires: never     
                      card-no: 0000 00000001
ssb>  2048R/B28AABBB  created: 2013-02-10  expires: never     
                      card-no: 0000 00000001
ssb>  2048R/BC9727BA  created: 2013-02-10  expires: never     
                      card-no: 0000 00000001

gpg/card> admin
Admin commands are allowed

gpg/card> passwd
gpg: OpenPGP card no. D2760001240102000000000000010000 detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 2
scdaemon[20583]: 3 Admin PIN attempts remaining before card is permanently locked
scdaemon[20583]: DBG: asking for PIN '|A|Please enter the Admin PIN'
scdaemon[20583]: DBG: asking for PIN '|N|New PIN'
PIN unblocked and new PIN set.

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? Q

gpg/card> verify
scdaemon[20583]: DBG: asking for PIN '||Please enter the PIN'
scdaemon[20583]: verify CHV2 failed: Card error
scdaemon[20583]: app_check_pin failed: Card error

Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
Manufacturer .....: test card
Serial number ....: 00000001
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 2 3
Signature counter : 5
Signature key ....: 4FE2 94B5 4F09 D6F9 DA2F  42B5 6CA8 5536 A7C3 08D6
      created ....: 2013-02-10 19:46:03
Encryption key....: CA53 7394 CB9C 08F9 AA09  23AD 0985 71BC BC97 27BA
      created ....: 2013-02-10 19:46:03
Authentication key: 94B5 51E6 D68B 8D83 BAC7  A735 A63C B5C9 B28A ABBB
      created ....: 2013-02-10 19:46:03
General key info..:
pub  2048R/A7C308D6 2013-02-10 ********* (Hardware Token) <***@**.***>
sec>  2048R/A7C308D6  created: 2013-02-10  expires: never     
                      card-no: 0000 00000001
ssb>  2048R/B28AABBB  created: 2013-02-10  expires: never     
                      card-no: 0000 00000001
ssb>  2048R/BC9727BA  created: 2013-02-10  expires: never     
                      card-no: 0000 00000001
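
Added example (not part of the original post): a small Python parser for the status block that `gpg --card-edit` prints, comparing the "PIN retry counter" line before and after an operation. The function names are hypothetical, and the sample is trimmed from the transcript above.

```python
import re

# gpg prints the three counters in this order: user PIN, Reset Code, Admin PIN.
COUNTERS = ("user_pin", "reset_code", "admin_pin")
RETRY_RE = re.compile(r"^PIN retry counter[ .]*:[ \t]*(\d+)[ \t]+(\d+)[ \t]+(\d+)", re.M)
SERIAL_RE = re.compile(r"^Serial number[ .]*:[ \t]*(\S+)", re.M)

# Trimmed from the transcript in the post above: status before and after `verify`.
SAMPLE = """\
Serial number ....: 00000001
PIN retry counter : 3 2 3
gpg/card> verify
scdaemon[20583]: verify CHV2 failed: Card error
Serial number ....: 00000001
PIN retry counter : 3 2 3
"""

def parse_snapshots(transcript):
    """Return one dict per card-status dump found in a card-edit transcript."""
    snapshots = []
    for m in RETRY_RE.finditer(transcript):
        snap = dict(zip(COUNTERS, map(int, m.groups())))
        # Attach the closest "Serial number" line printed before this counter line.
        serials = SERIAL_RE.findall(transcript, 0, m.start())
        snap["serial"] = serials[-1] if serials else None
        snapshots.append(snap)
    return snapshots

def assess(before, after):
    """List what changed between two snapshots and what is close to lockout."""
    findings = []
    if before["serial"] != after["serial"]:
        return ["snapshots come from different cards; not comparable"]
    if after["admin_pin"] <= 1:
        findings.append(f"admin PIN: {after['admin_pin']} attempt(s) left, stop retrying")
    if after["user_pin"] == 0:
        findings.append("user PIN blocked: needs unblock via Admin PIN or Reset Code")
    for name in COUNTERS:
        used = before[name] - after[name]
        if used > 0:
            findings.append(f"{name}: {used} attempt(s) consumed")
    return findings or ["no counter changed"]

if __name__ == "__main__":
    first, last = parse_snapshots(SAMPLE)
    print(first, last, assess(first, last), sep="\n")
```

On the transcript above this reports no counter change: both status dumps show 3 2 3, so the displayed user PIN counter did not drop after the failed `verify`.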

Author:  Borealid [ Fri Jun 14, 2013 11:26 pm ]
Post subject:  Re: Changing user PIN using GPG

After reading another thread on these forums (at viewtopic.php?f=26&t=1074 ), I was able to reset the PIN.

First, I had to compile a whole stack of software to get gpshell working and connect the Yubikey as an OpenSC reader. This required an *old* version of the OpenSC plugin, before they transitioned from autotools to CMake.

After I had gpshell up, I sent a new version of the GPG applet to the card. The updated GPG applet wiped the PIN and keys, allowing me to recreate them.

After installing the updated applet, I am able to change the PIN with gpg --card-edit without problems.

Long story short, if you have problems changing the user PIN in GPG, it is likely due to an older (but shipped!) version of the GPG applet.

Author:  spmadden [ Sun Jun 16, 2013 1:29 pm ]
Post subject:  Re: Changing user PIN using GPG

I'm having similar problems. What version of the opensc plugin did you have to roll back to get gpshell working?

Author:  Borealid [ Mon Jun 17, 2013 12:32 am ]
Post subject:  Re: Changing user PIN using GPG

spmadden wrote:
I'm having similar problems. What version of the opensc plugin did you have to roll back to get gpshell working?


Sorry, it was the PC/SC connection plugin. My mistake. OpenSC is not involved here.

I used revision 351 from SVN ( http://sourceforge.net/p/globalplatform/code/351/ ). I believe this is the only version that will work with the applet posted in the other Yubico linked thread, as it is looking for version 1.0.0 of the library.

I use Linux. Building opensc itself was not an issue, but everything involved feels pretty crusty. I ended up using libglobalplatform.so.6+7.0.0 and gpshell 6.0.0, with the above-mentioned gppcscconnectionplugin 1.0.0.

EDIT: As an addendum, I had to upgrade my PC/SC (to 1.8.8) to get the Yubikey recognized. Just because it's usable as a USB keyboard (or even as a GPG smartcard!) doesn't mean gpshell can connect to it. You have to be able to see the card when you run pcsc_scan for the gpshell upload to work. I tried using an old OmniKey CardMan reader I've got floating around (which I know has contactless smartcard capabilities), but it didn't seem to see the Neo.

Author:  hiviah [ Wed Jul 10, 2013 4:41 pm ]
Post subject:  Re: Changing user PIN using GPG

Borealid wrote:
I tried using an old OmniKey CardMan reader I've got floating around (which I know has contactless smartcard capabilities), but it didn't seem to see the Neo.


A note on the Cardman reader, since it also took me a while to get it running: for NFC it requires a binary driver blob to be downloaded from https://www.hidglobal.com/drivers. The driver library .so then needs to be placed in /usr/lib64/pcsc/drivers (or /usr/lib/ for x86); the driver zip contains a readme file.

With that driver blob the Neo is recognized fine, and any operation that works via USB CCID also works over NFC.

Author:  dreamss [ Tue Aug 06, 2013 8:12 pm ]
Post subject:  Re: Changing user PIN using GPG

nm, after I restarted the daemon it works fine. Seems I have to kill the daemon if I wanna eject my Yubikey, or else it won't ask for a PIN when I insert the key.

All times are UTC + 1 hour