Unblock PIN Support
Unblock PIN relies on proprietary mechanisms.
Mechanisms
The following table shows which Unblock PIN mechanisms are supported by different cryptographic operations.
| Mechanism | Function: C_VerifyUnblockPINInit & C_VerifyUnblockPIN | Function: UnlockPIN (legacy) |
|---|---|---|
| CKM_UNBLOCK_PIN_STATIC | | |
| CKM_UNBLOCK_PIN_DYNAMIC | | |
These proprietary mechanisms are defined as follows:
```c
#define CKM_UNBLOCK_PIN_STATIC  (CKM_ACTI + 0x00000801)
#define CKM_UNBLOCK_PIN_DYNAMIC (CKM_ACTI + 0x00000802)
```
Unblock PIN Object Definition
The Unblock PIN object class is defined as:
```c
#define CKO_UNBLOCK_PIN (CKO_VENDOR_DEFINED + 0x00000810)
```
Object Attributes
| Attribute | Data Type | Meaning |
|---|---|---|
| CKA_UNBLOCK_PIN_CHALLENGE_REQUIREMENT | CK_ULONG | Parameter requirement when unblocking the PIN with challenge/response: CK_OTP_PARAM_MANDATORY = challenge/response unblock PIN. The challenge must be retrieved with C_GetAttributeValue on attribute CKA_UNBLOCK_PIN_CHALLENGE and encrypted using the unblock key before the response is sent using C_VerifyUnblockPIN. CK_OTP_PARAM_OPTIONAL = RFU. CK_OTP_PARAM_IGNORED = static unblock PIN; C_VerifyUnblockPIN should be called directly with the unlock code. |
| CKA_UNBLOCK_PIN_CHALLENGE | Byte array | Only defined for challenge/response unblock. Value of the challenge to be encrypted using the unblock key. |
These proprietary attributes are defined as follows:
```c
#define CKA_UNBLOCK_PIN_CHALLENGE_REQUIREMENT (CKA_VENDOR_DEFINED + 0x00000340)
#define CKA_UNBLOCK_PIN_CHALLENGE             (CKA_VENDOR_DEFINED + 0x00000341)
```
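As an added example (not code from this SDK), the following C function reads the attributes described above from a CKO_UNBLOCK_PIN object template and decides whether the static or the challenge/response flow applies, treating an absent CKA_UNBLOCK_PIN_CHALLENGE (ulValueLen = CK_UNAVAILABLE_INFORMATION) as the static case. It assumes the pkcs11.h values CKM_ACTI = 0x3E0 and vendor bases 0x80000000, and that challenge/response uses CKM_UNBLOCK_PIN_DYNAMIC while a static code uses CKM_UNBLOCK_PIN_STATIC; the signatures of C_VerifyUnblockPINInit and C_VerifyUnblockPIN are not given here, so the example stops at choosing the mechanism and the challenge to encrypt.

```c
/* Added example, not the SDK's own code. pkcs11.h types and base values are
 * reproduced inline (assumed: CKM_ACTI = 0x3E0UL, vendor bases = 0x80000000UL). */
#include <string.h>
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_OBJECT_CLASS;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;

#define CKA_CLASS                  0x00000000UL
#define CKA_VENDOR_DEFINED         0x80000000UL
#define CKO_VENDOR_DEFINED         0x80000000UL
#define CK_UNAVAILABLE_INFORMATION (~0UL)
#define CK_OTP_PARAM_IGNORED       0UL   /* static unblock PIN */
#define CK_OTP_PARAM_OPTIONAL      1UL   /* RFU */
#define CK_OTP_PARAM_MANDATORY     2UL   /* challenge/response */
#define CKM_ACTI                   0x000003E0UL
#define CKM_UNBLOCK_PIN_STATIC     (CKM_ACTI + 0x00000801UL)
#define CKM_UNBLOCK_PIN_DYNAMIC    (CKM_ACTI + 0x00000802UL)
#define CKO_UNBLOCK_PIN            (CKO_VENDOR_DEFINED + 0x00000810UL)
#define CKA_UNBLOCK_PIN_CHALLENGE_REQUIREMENT (CKA_VENDOR_DEFINED + 0x00000340UL)
#define CKA_UNBLOCK_PIN_CHALLENGE  (CKA_VENDOR_DEFINED + 0x00000341UL)

/* mechanism 0 = object unusable; challenge set only for challenge/response (encrypt it with the unblock key) */
typedef struct { CK_ULONG mechanism; const unsigned char *challenge; CK_ULONG challengeLen; } unblock_plan;

/* attrs: template as filled in by C_GetAttributeValue for CKA_CLASS, ..._REQUIREMENT and ..._CHALLENGE */
unblock_plan plan_unblock(const CK_ATTRIBUTE *attrs, CK_ULONG count) {
    unblock_plan p = { 0, NULL, 0 };
    CK_ULONG req = CK_UNAVAILABLE_INFORMATION, cls = CK_UNAVAILABLE_INFORMATION;
    for (CK_ULONG i = 0; i < count; i++) {
        const CK_ATTRIBUTE *a = &attrs[i];
        /* ulValueLen == CK_UNAVAILABLE_INFORMATION: the token has no such attribute */
        if (a->ulValueLen == CK_UNAVAILABLE_INFORMATION || a->pValue == NULL) continue;
        if (a->type == CKA_CLASS && a->ulValueLen == sizeof cls)
            memcpy(&cls, a->pValue, sizeof cls);
        else if (a->type == CKA_UNBLOCK_PIN_CHALLENGE_REQUIREMENT && a->ulValueLen == sizeof req)
            memcpy(&req, a->pValue, sizeof req);
        else if (a->type == CKA_UNBLOCK_PIN_CHALLENGE && a->ulValueLen > 0) {
            p.challenge = a->pValue;
            p.challengeLen = a->ulValueLen;
        }
    }
    if (cls != CKO_UNBLOCK_PIN) return p;                  /* not an unblock PIN object */
    if (req == CK_OTP_PARAM_IGNORED) {                      /* static: call C_VerifyUnblockPIN directly */
        p.challenge = NULL; p.challengeLen = 0;
        p.mechanism = CKM_UNBLOCK_PIN_STATIC;
    } else if (req == CK_OTP_PARAM_MANDATORY && p.challenge != NULL) {
        p.mechanism = CKM_UNBLOCK_PIN_DYNAMIC;              /* encrypt challenge, then send response */
    }                                                       /* OPTIONAL is RFU: leave unusable */
    return p;
}
```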
Common Storage Object Attributes
| Attribute | Data Type | Meaning |
|---|---|---|
| CKA_TOKEN | CK_BBOOL | CK_TRUE |
| CKA_PRIVATE | CK_BBOOL | CK_FALSE |
| CKA_MODIFIABLE | CK_BBOOL | CK_FALSE |
| CKA_LABEL | RFC2279 string | Empty |
| CKA_CLASS | CK_OBJECT_CLASS | CKO_UNBLOCK_PIN |
Static Unlock Key Object Definition (Legacy)
For standalone cards that have a static unlock key that is still available to read, the following session object is returned.
Secret Key Attributes
| Attribute | Data Type | Meaning |
|---|---|---|
| CKA_SENSITIVE | CK_BBOOL | CK_FALSE |
| CKA_ENCRYPT | CK_BBOOL | CK_TRUE |
| CKA_DECRYPT | CK_BBOOL | CK_TRUE |
| CKA_WRAP | CK_BBOOL | CK_TRUE |
| CKA_UNWRAP | CK_BBOOL | CK_TRUE |
| CKA_EXTRACTABLE | CK_BBOOL | CK_TRUE |
| CKA_ALWAYS_SENSITIVE | CK_BBOOL | CK_FALSE |
| CKA_NEVER_EXTRACTABLE | CK_BBOOL | CK_FALSE |
| CKA_ALWAYS_AUTHENTICATE | CK_BBOOL | CK_FALSE |
| CKA_VALUE | Byte Array | Value of the unlock key |
Common Key Attributes
| Attribute | Data Type | Meaning |
|---|---|---|
| CKA_KEY_TYPE | CK_KEY_TYPE | CKK_GENERIC_SECRET |
| CKA_ID | Byte array | Empty |
| CKA_LOCAL | CK_BBOOL | CK_TRUE |
| CKA_KEY_GEN_MECHANISM | CK_MECHANISM_TYPE | CK_UNAVAILABLE_INFORMATION |
| CKA_ALLOWED_MECHANISMS | CK_MECHANISM_TYPE_PTR, pointer to a CK_MECHANISM_TYPE array | None |
Common Storage Object Attributes
| Attribute | Data Type | Meaning |
|---|---|---|
| CKA_TOKEN | CK_BBOOL | CK_FALSE |
| CKA_PRIVATE | CK_BBOOL | CK_TRUE |
| CKA_MODIFIABLE | CK_BBOOL | CK_FALSE |
| CKA_LABEL | RFC2279 string | “Unlock Key” |
| CKA_CLASS | CK_OBJECT_CLASS | CKO_SECRET_KEY |