Check if PIN is locked and hint CKF_USER_PIN_TO_BE_CHANGED

metsma · metsma · commit bacab1ac6f25 · 2025-11-18T09:14:37.000+02:00
Signed-off-by: Raul Metsma &lt;raul@metsma.ee&gt;
diff --git a/src/libopensc/card-esteid2025.c b/src/libopensc/card-esteid2025.c
@@ -157,9 +157,9 @@ esteid_compute_signature(sc_card_t *card, const u8 *data, size_t datalen, u8 *ou
 }
 
 static int
-esteid_get_pin_remaining_tries(sc_card_t *card, int pin_reference)
+esteid_get_pin_info(sc_card_t *card, struct sc_pin_cmd_data *data)
 {
-	const u8 get_pin_info[] = {0xA0, 0x03, 0x83, 0x01, pin_reference};
+	const u8 get_pin_info[] = {0xA0, 0x03, 0x83, 0x01, data->pin_reference};
 	struct sc_apdu apdu;
 	u8 apdu_resp[SC_MAX_APDU_RESP_SIZE];
 	size_t taglen;
@@ -173,26 +173,26 @@ esteid_get_pin_remaining_tries(sc_card_t *card, int pin_reference)
 	const u8 *tag = sc_asn1_find_tag(card->ctx, apdu_resp + 2, apdu.resplen - 2, 0xDF21, &taglen);
 	if (tag == NULL || taglen == 0)
 		LOG_FUNC_RETURN(card->ctx, SC_ERROR_INTERNAL);
-	return tag[0];
+	data->pin1.tries_left = tag[0];
+	data->pin1.max_tries = -1; // "no support, which means the one set in PKCS#15 emulation sticks
+	data->pin1.logged_in = SC_PIN_STATE_UNKNOWN;
+	tag += taglen;
+	tag = sc_asn1_find_tag(card->ctx, tag, apdu.resplen - (tag - apdu_resp), 0xDF2F, &taglen);
+	if (tag != NULL && taglen == 1 && tag[0] == 0x00) {
+		data->pin1.logged_in |= SC_PIN_STATE_NEEDS_CHANGE;
+	}
+	LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
 }
 
 static int
 esteid_pin_cmd(sc_card_t *card, struct sc_pin_cmd_data *data, int *tries_left)
 {
-	int r;
 	LOG_FUNC_CALLED(card->ctx);
 	sc_log(card->ctx, "PIN CMD is %d", data->cmd);
 	if (data->cmd == SC_PIN_CMD_GET_INFO) {
 		sc_log(card->ctx, "SC_PIN_CMD_GET_INFO for %d", data->pin_reference);
-		r = esteid_get_pin_remaining_tries(card, data->pin_reference);
-		LOG_TEST_RET(card->ctx, r, "GET DATA(pin info) failed");
-
-		data->pin1.tries_left = r;
-		data->pin1.max_tries = -1; // "no support, which means the one set in PKCS#15 emulation sticks
-		data->pin1.logged_in = SC_PIN_STATE_UNKNOWN;
-		LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
+		LOG_FUNC_RETURN(card->ctx, esteid_get_pin_info(card, data));
 	}
-
 	LOG_FUNC_RETURN(card->ctx, iso_ops->pin_cmd(card, data, tries_left));
 }
 
diff --git a/src/libopensc/opensc.h b/src/libopensc/opensc.h
@@ -433,10 +433,11 @@ typedef struct sc_reader {
 #define SC_PIN_ENCODING_BCD	1
 #define SC_PIN_ENCODING_GLP	2 /* Global Platform - Card Specification v2.0.1 */
 
-/** Values for sc_pin_cmd_pin.logged_in */
+/** Values for sc_pin_cmd_pin.logged_in, can be ored together */
 #define SC_PIN_STATE_UNKNOWN	-1
 #define SC_PIN_STATE_LOGGED_OUT 0
 #define SC_PIN_STATE_LOGGED_IN  1
+#define SC_PIN_STATE_NEEDS_CHANGE 2
 
 /* A card driver receives the sc_pin_cmd_data and sc_pin_cmd_pin structures filled in by the
  * caller, with the exception of the fields returned by the driver for SC_PIN_CMD_GET_INFO.
diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c
@@ -575,7 +575,7 @@ CK_RV C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo)
 		goto out;
 	}
 	/* User PIN flags are cleared before re-calculation */
-	slot->token_info.flags &= ~(CKF_USER_PIN_COUNT_LOW|CKF_USER_PIN_FINAL_TRY|CKF_USER_PIN_LOCKED);
+	slot->token_info.flags &= ~(CKF_USER_PIN_COUNT_LOW | CKF_USER_PIN_FINAL_TRY | CKF_USER_PIN_LOCKED | CKF_USER_PIN_TO_BE_CHANGED);
 	auth = slot_data_auth(slot->fw_data);
 	sc_log(context,
 		"C_GetTokenInfo() auth. object %p, token-info flags 0x%lX", auth,
@@ -602,6 +602,9 @@ CK_RV C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo)
 			else if (pin_info->max_tries > 1 && pin_info->tries_left < pin_info->max_tries)
 				slot->token_info.flags |= CKF_USER_PIN_COUNT_LOW;
 		}
+		if (pin_info->logged_in & SC_PIN_STATE_NEEDS_CHANGE) {
+			slot->token_info.flags |= CKF_USER_PIN_TO_BE_CHANGED;
+		}
 	}
 	memcpy(pInfo, &slot->token_info, sizeof(CK_TOKEN_INFO));
 
@@ -1401,7 +1404,7 @@ int slot_get_logged_in_state(struct sc_pkcs11_slot *slot)
 	if (!pin_info)
 		goto out;
 	sc_pkcs15_get_pin_info(p15card, pin_obj);
-	logged_in = pin_info->logged_in;
+	logged_in = pin_info->logged_in & ~SC_PIN_STATE_NEEDS_CHANGE;
 out:
 	return logged_in;
 }
diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c
@@ -4026,7 +4026,7 @@ sc_pkcs15init_verify_secret(struct sc_profile *profile, struct sc_pkcs15_card *p
 			/* update local copy of auth info */
 			memcpy(&auth_info, pin_obj->data, sizeof(auth_info));
 
-			if (r == SC_SUCCESS && auth_info.logged_in == SC_PIN_STATE_LOGGED_IN)
+			if (r == SC_SUCCESS && auth_info.logged_in & SC_PIN_STATE_LOGGED_IN)
 				LOG_FUNC_RETURN(ctx, r);
 		}
 

Original file line number	Diff line number	Diff line change
`@@ -4026,7 +4026,7 @@ sc_pkcs15init_verify_secret(struct sc_profile profile, struct sc_pkcs15_card p`
`4026`	`4026`	`/* update local copy of auth info */`
`4027`	`4027`	`memcpy(&auth_info, pin_obj->data, sizeof(auth_info));`
`4028`	`4028`
`4029`		`- if (r == SC_SUCCESS && auth_info.logged_in == SC_PIN_STATE_LOGGED_IN)`
	`4029`	`+ if (r == SC_SUCCESS && auth_info.logged_in & SC_PIN_STATE_LOGGED_IN)`
`4030`	`4030`	`LOG_FUNC_RETURN(ctx, r);`
`4031`	`4031`	`}`
`4032`	`4032`