Change OpenPGP Smartcard PIN retry counter

rodolfosilva2 at tutanota.com rodolfosilva2 at tutanota.com
Mon Nov 24 22:38:43 CET 2025


In this case the OpenPGP Card Firmware needs to be extended.
Is there a dedicated BugTracker for OpenPGP Card?
-- 
 Secured with Tuta Mail: 
 https://tuta.com/free-email


Nov 24, 2025, 15:50 by wk at gnupg.org:

> On Sun, 23 Nov 2025 01:46, Rodolfo Silva said:
>
>> gpg-connect-agent --hex "scd apdu 00 DA 00 C4 07 00404040100303" /bye
>>
>
> Let's see using a Gnuk token:
>
>  $ gpg-connect-agent
>  > /hex
>  > scd apdu  00ca00c400factory r
>  D[0000]  01 7F 7F 7F 03 03 03 90  00 
>
> This returns: 01 = PW1 valid for several commands
>  7F = UTF PW1 with a max length of 127
>  7F = Reset Code with a max length of 127
>  7F = UTF PW3 with a max length of 127
>  03 = Current error counter for PW1
>  03 = Current error counter for the Reset Code
>  03 = Current error counter for PW3
>  90 00 - Success
>
> You sent:     00 = PW1 valid for one command
>  40 = UTF PW1 with a max length of 64
>  40 = Reset Code with a max length of 64
>  40 = UTF PW3 with a max length of 64
>  10 = Not specified in 3.4.1 (4.4.2 DOs for PUT DATA)
>  03 = Not specified in 3.4.1
>  03 = Not specified in 3.4.1
>
> Thus there is no way in the OpenPGP specs to change the max. retry.  For
> Yubikeys you may use a proprietary APDU, though.  Simon already
> mentioned this.  Let's do this using the gpg-card command:
>
>  $ gpg-card
>  Reader ...........: 1050:0407:X:0
>  Card type ........: yubikey
>  Card firmware ....: 5.4.3
>  Serial number ....: D2760001240100000006154932830000
>  Application type .: OpenPGP
>  Version ..........: 3.4
>  # [...]
>  Max. PIN lengths .: 127 127 127
>  PIN retry counter : 3 0 3
>  Signature counter : 0
>  Capabilities .....: key-import algo-change button priv-data
>  # [...]
>  
>  gpg/card> verify D2760001240100000006154932830000[CHV3]
>  # shows listing again
>  
>  gpg/card> apdu 00 f2 00 00 03 05 00 07
>  Statusword: 0x9000 (success)
>
>  gpg/card> l
>  # shows listing again
>
>  gpg/card> reset 
>  gpg/card> l
>  # [...]
>  Max. PIN lengths .: 127 127 127
>  PIN retry counter : 5 0 7
>  Signature counter : 0
>
> Et voila, PIN retry counter set to 5 and Admin retry counter set to 7.
> The important thing here is that you use the s/n with "[CHV3]" appended
> as argument to the verify command.  This will only work if the retry
> counter is above 2.
>
>
> Salam-Shalom,
>
>  Werner
>
> -- 
> The pioneers of a warless world are the youth that
> refuse military service.             - A. Einstein
>
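Added example, not part of the thread or of GnuPG: a small Python decoder for the PW status bytes DO (tag C4) that Werner reads back with GET DATA, plus builders for the two APDUs quoted above (the GET DATA for C4 and the Yubikey-proprietary INS F2 "set retries" command). The sample responses are constructed from the bytes shown in the thread, not read from a card; the function and field names (parse_pw_status, hex_dump_to_bytes, yubikey_set_retries_apdu, PWStatus) are my own and the 0x7F mask on the max-length bytes follows Werner's reading of 7F as 127 and 40 as 64.

```python
# Added example (not from the thread): decode the OpenPGP card "PW status
# bytes" DO (tag C4) as returned by GET DATA, and build the APDUs quoted in
# the thread as hex strings for gpg-connect-agent / gpg-card.  Sample
# responses are constructed from the bytes shown in the thread, not read
# from a card.  Function and field names are assumptions of this example.
from dataclasses import dataclass


@dataclass
class PWStatus:
    pw1_valid_several: bool   # byte 1: 00 = one command, 01 = several commands
    pw1_max_len: int          # byte 2, low 7 bits (7F -> 127, 40 -> 64)
    rc_max_len: int           # byte 3, low 7 bits
    pw3_max_len: int          # byte 4, low 7 bits
    pw1_retries: int          # byte 5: current error counter for PW1
    rc_retries: int           # byte 6: current error counter for the Reset Code
    pw3_retries: int          # byte 7: current error counter for PW3


def parse_pw_status(data: bytes) -> PWStatus:
    """Decode the 7 data bytes of DO C4 (without the trailing status word)."""
    if len(data) != 7:
        raise ValueError(f"DO C4 must be 7 bytes, got {len(data)}")
    if data[0] not in (0x00, 0x01):
        raise ValueError(f"unexpected PW1 validity byte {data[0]:02X}")
    return PWStatus(
        pw1_valid_several=(data[0] == 0x01),
        pw1_max_len=data[1] & 0x7F,
        rc_max_len=data[2] & 0x7F,
        pw3_max_len=data[3] & 0x7F,
        pw1_retries=data[4],
        rc_retries=data[5],
        pw3_retries=data[6],
    )


def hex_dump_to_bytes(line: str) -> bytes:
    """Turn a gpg-connect-agent '/hex' dump line such as
    'D[0000]  01 7F 7F 7F 03 03 03 90  00' into raw bytes.  Stops at the
    first token that is not a two-digit hex byte."""
    body = line.split("]", 1)[1] if line.startswith("D[") else line
    out = bytearray()
    for tok in body.split():
        if len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
            out.append(int(tok, 16))
        else:
            break
    return bytes(out)


def parse_get_data_response(resp: bytes) -> PWStatus:
    """Split a GET DATA reply into data + SW, insist on 90 00, then decode."""
    if len(resp) < 2:
        raise ValueError("response too short to carry a status word")
    data, sw = resp[:-2], resp[-2:]
    if sw != b"\x90\x00":
        raise ValueError(f"card returned SW {sw.hex().upper()}, not 9000")
    return parse_pw_status(data)


def get_data_apdu(tag: int) -> str:
    """GET DATA (INS CA) for a two-byte tag, e.g. 00C4 -> '00CA00C400'."""
    return f"00CA{tag:04X}00"


def yubikey_set_retries_apdu(pw1: int, rc: int, pw3: int) -> str:
    """Yubikey-proprietary set-retries command (INS F2) exactly as typed in
    the thread: 00 F2 00 00 03 <pw1> <rc> <pw3>.  Not defined by the OpenPGP
    card spec; the thread sends it only after a successful CHV3 verify."""
    for name, n in (("pw1", pw1), ("rc", rc), ("pw3", pw3)):
        if not 0 <= n <= 0xFF:
            raise ValueError(f"{name} retry count {n} does not fit one byte")
    return f"00F2000003{pw1:02X}{rc:02X}{pw3:02X}"


# --- constructed inputs taken from the bytes quoted in the thread ---------
GNUK_DUMP = "D[0000]  01 7F 7F 7F 03 03 03 90  00 "   # Werner's Gnuk token
SENT_PAYLOAD = bytes.fromhex("00404040100303")         # body of the PUT DATA that was sent


def demo() -> dict:
    gnuk = parse_get_data_response(hex_dump_to_bytes(GNUK_DUMP))
    # How the sent PUT DATA body would read if interpreted as a C4 value.
    # Per the thread, bytes 5-7 are not specified for PUT DATA in 3.4.1,
    # which is why this cannot change the retry counters.
    sent = parse_pw_status(SENT_PAYLOAD)
    return {
        "gnuk": gnuk,
        "sent": sent,
        "read_c4": get_data_apdu(0x00C4),
        "yk_5_0_7": yubikey_set_retries_apdu(5, 0, 7),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Paste the strings returned by get_data_apdu and yubikey_set_retries_apdu into `scd apdu ...` in gpg-connect-agent or `apdu ...` in gpg-card; the decoder is for reading back the `D[0000]` line you get with /hex switched on.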




More information about the Gnupg-users mailing list