Bug 1830901

Summary: pkcs11-tool --login --change-pin gives error: PKCS11 function C_SetPIN failed: rv = CKR_USER_NOT_LOGGED_IN (0x101)
Product: Red Hat Enterprise Linux 8 Reporter: amitkuma
Component: openscAssignee: Jakub Jelen <jjelen>
Status: CLOSED ERRATA QA Contact: PKI QE <bugzilla-pkiqe>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.3CC: aakkiang, dwhitley, jjelen, msauton, sveerank, toneata
Target Milestone: rcKeywords: FutureFeature, Triaged, ZStream
Target Release: 8.0   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: opensc-0.20.0-3.el8 Doc Type: Enhancement
Doc Text:
Feature: Support for PIN change of CAC Alt tokens Reason: The new CAC Alt tokens require specific commands for PIN change. Result: The new commands for PIN change were implemented to support PIN change of some CAC Alt tokens.
 Story Points: ---
Clone Of:
: 1893325 (view as bug list) Environment:
Last Closed: 2021-05-18 14:46:59 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1893325    

Comment 3 Daniel Whitley 2020-05-05 19:35:32 UTC 
* Why does the customer need this? (List the business requirements here)

To facilitate ALT smart card PIN changes using OpenSC on our RHEL systems.

* For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

ALT PIN change is successful using pkcs11-tool --change-pin.

* Is there already an existing RFE upstream or in Red Hat Bugzilla(if you are aware)?

No.

* Does the customer have any specific timeline dependencies and which release would they like to target (RHEL7 or 8)?

RHEL 7.

* Is the sales team involved in this request and do they have any additional input?

No.

* Would the customer be able to assist in testing this functionality if implemented?

Yes.
Comment 15 Jakub Jelen 2020-10-05 15:52:26 UTC 
After some more search, I found the following:

https://eca.orc.com/wp-content/uploads/ECA_Docs/Change_SmartCard_PIN.pdf

I actually did not try this process through the "Unlock card" button, but if this is the process they are following (please, confirm), I can try that. I was hoping there will be some more direct way.

But in any case I am skeptical to this path as it does not sound like a standard way of changing pin, but more a proprietary card recovery, which communication will almost certainly be encrypted.
Comment 33 Sneha Veeranki 2020-10-29 18:16:02 UTC 
Verified using the official build of opensc with an HID Crescendo 144K smart card mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1612372

[root@client ~]# rpm -qa opensc
opensc-0.20.0-3.el8.x86_64

# pkcs11-tool --login --change-pin
Using slot 0 with a present token (0x0)
Logging in to "test admin (Privileged)".
Please enter User PIN: 
Please enter the current PIN: 
Please enter the new PIN: 
Please enter the new PIN again: 
PIN successfully changed
Comment 40 errata-xmlrpc 2021-05-18 14:46:59 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: opensc security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1600