Change OpenPGP Smartcard PIN retry counter
Werner Koch
wk at gnupg.org
Mon Nov 24 16:52:29 CET 2025
On Sun, 23 Nov 2025 01:46, Rodolfo Silva said:
> gpg-connect-agent --hex "scd apdu 00 DA 00 C4 07 00404040100303" /bye
Let's see using a Gnuk token:
$ gpg-connect-agent
> /hex
> scd apdu 00ca00c400factory r
D[0000] 01 7F 7F 7F 03 03 03 90 00
This returns: 01 = PW1 valid for several commands
7F = UTF PW1 with a max length of 127
7F = Reset Code with a max length of 127
7F = UTF PW3 with a max length of 127
03 = Current error counter for PW1
03 = Current error counter for the Reset Code
03 = Current error counter for PW3
90 00 - Success
You sent: 00 = PW1 valid for one command
40 = UTF PW1 with a max length of 64
40 = Reset Code with a max length of 64
40 = UTF PW3 with a max length of 64
10 = Not specified in 3.4.1 (4.4.2 DOs for PUT DATA)
03 = Not specified in 3.4.1
03 = Not specified in 3.4.1
Thus there is no way in the OpenPGP specs to change the max. retry. For
Yubikeys you may use a proprietary APDU, though. Simon already
mentioned this. Let's do this using the gpg-card command:
$ gpg-card
Reader ...........: 1050:0407:X:0
Card type ........: yubikey
Card firmware ....: 5.4.3
Serial number ....: D2760001240100000006154932830000
Application type .: OpenPGP
Version ..........: 3.4
# [...]
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
Capabilities .....: key-import algo-change button priv-data
# [...]
gpg/card> verify D2760001240100000006154932830000[CHV3]
# shows listing again
gpg/card> apdu 00 f2 00 00 03 05 00 07
Statusword: 0x9000 (success)
gpg/card> l
# shows listing again
gpg/card> reset
gpg/card> l
# [...]
Max. PIN lengths .: 127 127 127
PIN retry counter : 5 0 7
Signature counter : 0
Et voila, PIN retry counter set to 5 and Admin retry counter set to 7.
The important thing here is that you use the s/n with "[CHV3]" appended
as argument to the verify command. This will only work if the retry
counter is above 2.
Salam-Shalom,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
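Added example (not from the mail, GnuPG or Gnuk): a decoder for the PW status bytes that GET DATA 00C4 returns, laid out exactly as the mail lists them (validity byte, three max-length bytes, three retry counters, optional SW1 SW2), plus a builder for the Yubikey-proprietary INS F2 APDU shown above. The byte order of the F2 data field (PW1, Reset Code, PW3) is assumed from the mail's `05 00 07` -> `5 0 7` example; the format-bit meaning comes from the OpenPGP card 3.x spec.

```python
# Added example (not from the mail or GnuPG): decode the PW status bytes
# that GET DATA 00C4 returns (layout as Werner lists it: validity byte,
# three max-length bytes, three retry counters, optional SW1 SW2) and
# build the Yubikey-proprietary INS F2 APDU from the mail.

def _max_len(b: int) -> tuple:
    # Bit 8 of each max-length byte is the PIN format flag in the OpenPGP
    # 3.x spec (0 = UTF-8, which the mail labels "UTF"); bits 1-7 are the length.
    return ("UTF-8" if b & 0x80 == 0 else "PIN block format 2", b & 0x7F)

def parse_pw_status(resp_hex: str) -> dict:
    """Decode 7 PW status bytes, optionally followed by a status word."""
    data = bytes.fromhex(resp_hex.replace(" ", ""))
    if len(data) not in (7, 9):
        raise ValueError(f"expected 7 bytes (+ SW1 SW2), got {len(data)}")
    if len(data) == 9:
        sw = (data[7] << 8) | data[8]
        if sw != 0x9000:
            raise ValueError(f"card returned status word {sw:04X}, not 9000")
    return {
        "pw1_valid_several_commands": data[0] == 0x01,  # 00 = one command only
        "pw1_max": _max_len(data[1]),
        "rc_max": _max_len(data[2]),
        "pw3_max": _max_len(data[3]),
        "pw1_retries": data[4],
        "rc_retries": data[5],
        "pw3_retries": data[6],
    }

def yubikey_set_retries_apdu(pw1: int, rc: int, pw3: int) -> str:
    """Build the proprietary APDU from the mail: 00 F2 00 00 03 <pw1> <rc> <pw3>.
    Assumption: the three data bytes map to the PW1, Reset Code and PW3
    counters in that order, as the mail's 05 00 07 -> '5 0 7' example shows."""
    for name, v in (("pw1", pw1), ("rc", rc), ("pw3", pw3)):
        if not 0 <= v <= 0xFF:
            raise ValueError(f"{name} retry counter must fit in one byte")
    return bytes([0x00, 0xF2, 0x00, 0x00, 0x03, pw1, rc, pw3]).hex()

if __name__ == "__main__":
    # Constructed inputs: the Gnuk response and the PUT DATA field quoted in the mail.
    print(parse_pw_status("01 7F 7F 7F 03 03 03 90 00"))
    print(parse_pw_status("00404040100303"))
    print(yubikey_set_retries_apdu(5, 0, 7))
```

Feeding the questioner's PUT DATA field through the same decoder shows what the card would have been asked to store: one-command PW1 validity, 64-byte maxima and a 0x10 in the first counter slot, which is the part the spec does not define for PUT DATA.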