Closed hayashida-katsutoshi closed 4 years ago
Correct, 12345678 is the PUK and only used to unblock the PIN. The SO PIN is the management key, which defaults to 010203040506070801020304050607080102030405060708.
Thank you, a-dma. I now understand that the SO PIN is the management key. However, I'm still having trouble because p11tool accepts an SO PIN of up to 31 letters. Is there any workaround?
I haven't used p11tool much, but you're right, I've had a quick look at the source code and they define GNUTLS_PKCS11_MAX_PIN_LEN to 32, which is incorrect.
The right way would be to look at what the Token reports through the module when GetTokenInfo is called. Unfortunately that is also incorrectly reported by ykcs11 :upside_down_face:.
If you're fine with using pkcs11-tool, that supports longer PINs.
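The length problem discussed above, as an added example that is not part of the thread and is not code from ykcs11, GnuTLS or OpenSC: a length check driven by token-reported limits, a decoder for the 48-character SO PIN, and what a fixed 32-byte PIN buffer keeps of it. Assumptions: `token_limits` is a hypothetical stand-in for the `ulMaxPinLen`/`ulMinPinLen` fields of `CK_TOKEN_INFO`, the limit values are constructed, the 48 characters are treated as hex for a 24-byte key, and all function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MGM_KEY_LEN 24    /* 48 hex characters decode to 24 bytes */
#define FIXED_PIN_BUF 32  /* compile-time PIN limit like the one in the thread */

/* Stand-in for two CK_TOKEN_INFO fields; a real caller uses C_GetTokenInfo. */
typedef struct { unsigned long ulMaxPinLen, ulMinPinLen; } token_limits;

/* Length check driven by what the token reports, not by a constant. */
int pin_len_ok(const token_limits *t, size_t len) {
    return len >= t->ulMinPinLen && len <= t->ulMaxPinLen;
}

static int hexval(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = (unsigned char)tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode a 48-hex-character SO PIN into a 24-byte key; -1 if malformed. */
int parse_so_pin(const char *pin, size_t len, unsigned char key[MGM_KEY_LEN]) {
    if (len != 2 * MGM_KEY_LEN) return -1;
    for (size_t i = 0; i < MGM_KEY_LEN; i++) {
        int hi = hexval((unsigned char)pin[2 * i]);
        int lo = hexval((unsigned char)pin[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        key[i] = (unsigned char)((hi << 4) | lo);
    }
    return 0;
}

/* A fixed 32-byte buffer keeps at most 31 characters plus the terminator. */
size_t copy_fixed(const char *pin, char out[FIXED_PIN_BUF]) {
    size_t n = strlen(pin);
    if (n > FIXED_PIN_BUF - 1) n = FIXED_PIN_BUF - 1;
    memcpy(out, pin, n);
    out[n] = '\0';
    return n;
}

int main(void) {
    const char *so = "010203040506070801020304050607080102030405060708";
    unsigned char key[MGM_KEY_LEN]; char buf[FIXED_PIN_BUF];
    token_limits t = { 48, 6 };  /* constructed limits, not read from a device */
    printf("limits ok=%d parsed=%d kept=%zu\n", pin_len_ok(&t, strlen(so)),
           parse_so_pin(so, strlen(so), key), copy_fixed(so, buf));
}
```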
For test purposes, I hardcoded a 48-letter SO PIN and I was able to log in to the device as SO. However, some facts turned out.
We are using a 3rd party tool chain to implement a secure boot system for our products. Since we don't have time to investigate the inside of the 3rd party tool, and we are not professionals in cryptography, we need to use an HSM token fully compatible with PKCS#11, and I concluded YubiKey and ykcs11 are not ready for PKCS#11. We will purchase other HSMs. I returned all YubiKeys yesterday and I am no longer able to help with yubico_piv_tool.
However, thank you for your support.
I'm trying to write a private key to a YubiKey FIPS, and I'm getting an error. User PIN and SO PIN are not changed from default for now.
In the C_Login function, I found this code.
It sounds strange because it says SO PIN must be 48 letters.
Then I took off this 'if' block, but I get another error as below.
Does it mean the default SO PIN is not 12345678 but something else in 48 letters?