arekinath / PivApplet

PIV applet for JavaCard 2.2.2 and 3.0.4+ with full ECDSA/ECDH support

[PUK] Is it a security issue or normal PIV spec #67

Closed rayanboulares closed 2 years ago

rayanboulares commented 2 years ago

After issuing a first command for PIN change using PUK, we can then issue other requests with wrong PUKs and it will still change PIN.

Reproduction steps (with default values of PUK=12345678 and PIN=123456):

APDU#1 00 2C 00 80 31 32 33 34 35 36 37 38 31 31 31 31 31 31 FF FF 90 00

==> PIN is now 111111

APDU#2 00 2C 00 80 FF FF FF FF FF FF FF FF 32 32 32 32 32 32 FF FF 90 00

==> PIN is now 222222 even with wrong PUK sent

If we disconnect and reconnect the card then APDU#2 won't change PIN.

dengert commented 2 years ago

Not being much of a Java programmer, it looks like https://github.com/arekinath/PivApplet/blob/master/src/net/cooperi/pivapplet/PivApplet.java#L2554 should not be done, so that pukpin.check is done for every processResetPin.

arekinath commented 2 years ago

Yeah that's a mistake -- it should revalidate it every time and not cache state. It should also be returning SW 6983 if it's already blocked at the start of the command.
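A minimal JavaCard sketch of the two behaviours discussed in this thread, added here as an illustration and not taken from PivApplet (the class, the field names pukPin/pivPin and PIN_LEN are assumptions): the flawed handler trusts the OwnerPIN validated flag left behind by an earlier RESET RETRY COUNTER command, while the corrected handler rejects an already-blocked PUK with SW 6983 and calls check() on every invocation.

```java
// Illustrative RESET RETRY COUNTER (INS 0x2C, P2 0x80) handlers for a PIV-style applet.
// Hypothetical names; this is not PivApplet's own code. Data field: 8-byte PUK, 8-byte new PIN.
import javacard.framework.APDU;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.framework.OwnerPIN;

public class ResetPinExample {
    static final byte PIN_LEN = 8;                      // PIV PIN/PUK are 8 bytes, 0xFF padded
    static final short SW_AUTH_METHOD_BLOCKED = (short) 0x6983;

    OwnerPIN pukPin;   // reference PUK (assumed initialised in the constructor)
    OwnerPIN pivPin;   // application PIN being replaced (assumed initialised likewise)

    // Flawed pattern: once one command has validated the PUK, isValidated() stays
    // true for the rest of the session, so later commands skip the comparison and
    // accept any PUK bytes, exactly the behaviour reported above.
    void resetPinFlawed(APDU apdu) {
        byte[] buf = apdu.getBuffer();
        short len = apdu.setIncomingAndReceive();
        if (len != (short) (2 * PIN_LEN)) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        if (!pukPin.isValidated() && !pukPin.check(buf, ISO7816.OFFSET_CDATA, PIN_LEN)) {
            ISOException.throwIt((short) (0x63C0 | pukPin.getTriesRemaining()));  // 63CX
        }
        pivPin.update(buf, (short) (ISO7816.OFFSET_CDATA + PIN_LEN), PIN_LEN);
        pivPin.resetAndUnblock();
    }

    // Corrected pattern: fail fast with 6983 if the PUK is already blocked, then
    // compare the supplied PUK on every call; no session state is consulted.
    void resetPinFixed(APDU apdu) {
        byte[] buf = apdu.getBuffer();
        short len = apdu.setIncomingAndReceive();
        if (len != (short) (2 * PIN_LEN)) ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        if (pukPin.getTriesRemaining() == 0) ISOException.throwIt(SW_AUTH_METHOD_BLOCKED);
        if (!pukPin.check(buf, ISO7816.OFFSET_CDATA, PIN_LEN)) {
            // check() has already decremented the try counter; report what is left
            ISOException.throwIt((short) (0x63C0 | pukPin.getTriesRemaining()));
        }
        pivPin.update(buf, (short) (ISO7816.OFFSET_CDATA + PIN_LEN), PIN_LEN);
        pivPin.resetAndUnblock();
    }
}
```

With the corrected handler, the second APDU in the report (wrong PUK of all 0xFF) returns 63CX and leaves the PIN unchanged, and a card whose PUK retry counter is exhausted answers 6983 before any comparison.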