PIN handling improvements

* PIN reset (with PUK) and PIN change commands should ignore cached state * Command should return 6983 if PIN/PUK already blocked * 6A88 should be returned for invalid key ref numbers Closes #67
arekinath · Aug 22, 2022 · c1dbe2e · c1dbe2e
1 parent 60fc61a
commit c1dbe2e
Showing 1 changed file with 34 additions and 6 deletions.
diff --git a/src/net/cooperi/pivapplet/PivApplet.java b/src/net/cooperi/pivapplet/PivApplet.java
@@ -2407,6 +2407,15 @@ else if (key == (byte)0x81 && pukPinIsDefault)
 			return;
 		}
 
+		/*
+		 * According to the PIV spec, if the PIN is blocked we should
+		 * return 0x6983 here (SW_FILE_INVALID).
+		 */
+		if (pin.getTriesRemaining() == 0) {
+			ISOException.throwIt(ISO7816.SW_FILE_INVALID);
+			return;
+		}
+
 		if (!pin.check(buffer, pinOff, (byte)8)) {
 			if (pukPin.getTriesRemaining() == 0) {
 				for (idx = (short)0; idx < MAX_SLOTS; ++idx) {
@@ -2454,7 +2463,7 @@ else if (key == (byte)0x81 && pukPinIsDefault)
 			pin = pukPin;
 			break;
 		default:
-			ISOException.throwIt(ISO7816.SW_INCORRECT_P1P2);
+			ISOException.throwIt((short)0x6A88);
 			return;
 		}
 
@@ -2479,8 +2488,16 @@ else if (key == (byte)0x81 && pukPinIsDefault)
 			return;
 		}
 
-		if (!pin.isValidated() &&
-		    !pin.check(buffer, oldPinOff, (byte)8)) {
+		/*
+		 * According to the PIV spec, if the PIN is blocked we should
+		 * return 0x6983 here (SW_FILE_INVALID).
+		 */
+		if (pin.getTriesRemaining() == 0) {
+			ISOException.throwIt(ISO7816.SW_FILE_INVALID);
+			return;
+		}
+
+		if (!pin.check(buffer, oldPinOff, (byte)8)) {
 			ISOException.throwIt((short)(
 			    (short)0x63C0 | pin.getTriesRemaining()));
 			return;
@@ -2526,7 +2543,10 @@ else if (key == (byte)0x81 && pukPinIsDefault)
 			pin = pivPin;
 			break;
 		default:
-			ISOException.throwIt(ISO7816.SW_INCORRECT_P1P2);
+			/*
+			 * 800-73-4 part 2 3.2.3
+			 */
+			ISOException.throwIt((short)0x6A88);
 			return;
 		}
 
@@ -2551,8 +2571,16 @@ else if (key == (byte)0x81 && pukPinIsDefault)
 			return;
 		}
 
-		if (!pukPin.isValidated() &&
-		    !pukPin.check(buffer, pukOff, (byte)8)) {
+		/*
+		 * According to the PIV spec, if the PUK is blocked we should
+		 * return 0x6983 here (SW_FILE_INVALID).
+		 */
+		if (pukPin.getTriesRemaining() == 0) {
+			ISOException.throwIt(ISO7816.SW_FILE_INVALID);
+			return;
+		}
+
+		if (!pukPin.check(buffer, pukOff, (byte)8)) {
 			ISOException.throwIt((short)(
 			    (short)0x63C0 | pukPin.getTriesRemaining()));
 			return;