Support PIN unblocking in minidriver via PUK as response to challenge

Minidriver currently has basic support for unblocking card PIN by providing
PUK as an administrator password to CardUnblockPin() function.

However, this doesn't work for example when trying to unblock PIN via
system smartcard PIN unblock screen accessible after pressing Ctrl+Alt+Del
as it wants to use challenge / response authentication.
MS Smart Card Minidriver specification (version 7.07) explicitly says that
challenge / response is the only authentication mode that Windows uses to
authenticate an administrator.
Unfortunately, this way of unblocking PIN seems to not be widely supported
by cards.

However, we can simply treat the provided response to challenge as PUK.
Because (at least) Ctrl+Alt+Del PIN unblock screen accepts only hex string,
every PUK digit X has to be input as '3X' (without quotes) there.
Also the response string is not hidden behind asterisks on this screen as
it should have been.

Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
This commit is contained in:
Maciej S. Szmigiero 2016-08-25 22:41:58 +02:00 committed by Frank Morgner
parent f91fc3d338
commit 1c40426421

@ -2945,16 +2945,30 @@ DWORD WINAPI CardUnblockPin(__in PCARD_DATA pCardData,
logprintf(pCardData, 1, "\nP:%d T:%d pCardData:%p ",GetCurrentProcessId(), GetCurrentThreadId(), pCardData);
logprintf(pCardData, 1, "CardUnblockPin\n");
if (pwszUserId == NULL)
if (pwszUserId == NULL) {
logprintf(pCardData, 1, "no user ID\n");
return SCARD_E_INVALID_PARAMETER;
if (wcscmp(wszCARD_USER_USER, pwszUserId) != 0 && wcscmp(wszCARD_USER_ADMIN,pwszUserId) != 0)
}
if (wcscmp(wszCARD_USER_USER, pwszUserId) != 0 && wcscmp(wszCARD_USER_ADMIN,pwszUserId) != 0) {
logprintf(pCardData, 1, "unknown user ID %S\n", pwszUserId);
return SCARD_E_INVALID_PARAMETER;
if (wcscmp(wszCARD_USER_ADMIN, pwszUserId) == 0)
}
if (wcscmp(wszCARD_USER_ADMIN, pwszUserId) == 0) {
logprintf(pCardData, 1, "unlocking admin not supported\n");
return SCARD_E_UNSUPPORTED_FEATURE;
if (dwFlags & CARD_AUTHENTICATE_PIN_CHALLENGE_RESPONSE)
return SCARD_E_UNSUPPORTED_FEATURE;
if (dwFlags)
}
if (dwFlags & CARD_AUTHENTICATE_PIN_CHALLENGE_RESPONSE) {
logprintf(pCardData, 1,
"challenge / response not supported, we'll treat response as a PUK\n");
logprintf(pCardData, 1,
"note that you'll need to type PUK in hex (replace every PUK digit X with '3X') in Win CAD unblock dialog response field\n");
dwFlags &= ~CARD_AUTHENTICATE_PIN_CHALLENGE_RESPONSE;
}
if (dwFlags) {
logprintf(pCardData, 1, "flags of %x not supported\n",
(unsigned int)dwFlags);
return SCARD_E_INVALID_PARAMETER;
}
logprintf(pCardData, 1, "UserID('%S'), AuthData(%p, %u), NewPIN(%p, %u), Retry(%u), dwFlags(0x%X)\n",
pwszUserId, pbAuthenticationData, cbAuthenticationData, pbNewPinData, cbNewPinData,
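Review bot: the CARD_AUTHENTICATE_PIN_CHALLENGE_RESPONSE branch silently downgrades a challenge/response unblock into a plaintext PUK unblock, and the only place that tells the user how the PUK must be entered (every digit X typed as '3X') is a logprintf at level 1, which the person sitting at the Ctrl+Alt+Del unblock screen will never see; suggest documenting both the downgrade and the hex-entry requirement in the minidriver's user-facing documentation, not just in the log. Since the commit message itself notes that the response field on that screen is not masked, the documentation should also say that the PUK ends up visible in clear on screen. Minor style point: the two consecutive `logprintf(pCardData, 1, ...)` calls carry one message and could be a single call.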