Change PIN of a Gemalto Smartcard through a script


We have to use the Gemalto IDPrime .Net smartcard. We get these USB dongles and have to change the PIN.

Gemalto says (via Windows):

From the Start menu, choose Run and type PINTool.
Insert an IDPrime .Net card in the reader as prompted, and click OK. The change PIN interface appears.
Enter the old PIN (the default PIN value is 0000), the new PIN and confirm the new PIN.
Click on Change Pin.

http://support.gemalto.com/index.php?id=how_to_change_pin_in_a_idprime#.VWYTWUa8rV8

This works, but I want to set a new PIN/password via PowerShell or C#, i.e. under the control of a program. How do I do that, or is it impossible?

BEST ANSWER

You should be able to change the PIN via the unmanaged PKCS#11 API, which can be easily accessed from C# with a managed .NET wrapper called Pkcs11Interop, of which I am the author.

Here is the code sample that may help you get started:

using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

namespace ConsoleApplication
{
    class Program
    {
        static void Main(string[] args)
        {
            // Load PKCS#11 library provided by Gemalto
            using (Pkcs11 pkcs11 = new Pkcs11("gtop11dotnet.dll", true))
            {
                // Find first slot/reader with token/card present
                Slot slot = pkcs11.GetSlotList(true)[0];

                // Open RW session
                using (Session session = slot.OpenSession(false))
                {
                    // Login as normal user with current PIN
                    session.Login(CKU.CKU_USER, "0000");

                    // Set the new pin for the logged in user
                    session.SetPin("0000", "1111");

                    session.Logout();
                }
            }
        }
    }
}
ANSWER

Using the answer @jariq posted for C# I was able to get the following to work in PowerShell for changing the Admin PIN.

Note: this is specifically for Gemalto IDPrime .NET cards which are being replaced by the IDPrime MD product line. See the end of this post for more info.

# www.pkcs11interop.net
Add-Type -Path "C:\Somepath\Pkcs11Interop.4.0.0\lib\net45\Pkcs11Interop.dll"

# Gemalto PKCS11 driver; AppType.SingleThreaded tells the wrapper the
# library will not be called from several threads at once
$pkcs11 = New-Object Net.Pkcs11Interop.HighLevelAPI.Pkcs11("C:\somepath\gtop11dotnet64.dll", [Net.Pkcs11Interop.Common.AppType]::SingleThreaded)

# only slots that currently report a token/card
$slots = $pkcs11.GetSlotList([Net.Pkcs11Interop.Common.SlotsType]::WithTokenPresent)

$slot = $slots[0] # often it's the first

# create a read/write session (a PIN change needs RW)
$session = $slot.OpenSession([Net.Pkcs11Interop.Common.SessionType]::ReadWrite)

# default Admin key: 48 hex digits of "0", i.e. 24 zero bytes
[byte[]]$defaultPIN = 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00

# new Admin PIN as ASCII bytes: "000000000000000000000001" (24 characters)
[byte[]]$newPIN = 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x31

# CKU_SO = Security Officer a.k.a. Admin
$session.Login([Net.Pkcs11Interop.Common.CKU]::CKU_SO, $defaultPIN)

$session.SetPin($defaultPIN, $newPIN)

$session.Dispose()
$slot.CloseAllSessions()
$pkcs11.Dispose()

I found the most success converting each PIN to a byte array for use with logging in and changing the PIN. To convert the 48 digit Admin PIN to 24 bytes, the following function was created.

Function Convert-AdminPinToByteArray([ValidatePattern("^[0-9A-F]{48}$")][string]$AdminPIN)
{
    # 48 hex digits -> 24 bytes; each pair of digits becomes one byte
    $ReturnByte = New-Object byte[] 24

    for ($i = 0; $i -lt $ReturnByte.Length; $i++)
    {
        $ReturnByte[$i] = [Convert]::ToByte($AdminPIN.Substring(2 * $i, 2), 16)
    }

    return $ReturnByte

} # End Function Convert-AdminPinToByteArray

Gemalto Card Types

The above examples are based off Gemalto IDPrime .NET cards which are being retired. The End of Sale (EOS) announcement is here.

IDPrime .Net
IDPrime .Net Bio

Key Dates: 
Milestone                  Date
Last-Time-Buy (LTB)        September 29, 2017
End-of-Sale (EOS)          September 30, 2017
End-of-Life (EOL)          September 30, 2018

Replacement

Per the EOS announcement PDF:

Products: Gemalto's family of IDPrime .NET 510/511 smart cards will be replaced by the IDPrime MD 83x and IDPrime MD 84x series of smart cards.

Programming the Replacement cards

I've included the information about distinguishing card types because I have a Gemalto IDPrime MD 830 for testing and the above techniques do not work. In fact, the card doesn't even show as being present in the reader using the above techniques.
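The two answers above show the bare PKCS#11 flow (login, C_SetPIN, logout) and both take `$slots[0]` on trust. The script below is an added example, not code from the question, from either answer, or from the Pkcs11Interop project: it wraps the same Pkcs11Interop 4.x HighLevelAPI calls in a PIN change that first selects the token by label, refuses to proceed when the token already reports the PIN locked or on its final try, and maps the CKR_* return value of a failure to a readable error. The DLL paths are placeholders copied from the PowerShell answer, the functions Find-TokenSlot, Test-PinChangeSafe and Set-TokenPin are this example's own names, and the label-prefix filter is an assumption (leave it empty to accept any token).

```powershell
# Added example (not from the question, the answers, or Pkcs11Interop itself).
# Assumes Pkcs11Interop 4.x HighLevelAPI; both paths below are placeholders.
param(
    [string]$Pkcs11InteropDll = "C:\Somepath\Pkcs11Interop.4.0.0\lib\net45\Pkcs11Interop.dll",
    [string]$Pkcs11Module     = "C:\somepath\gtop11dotnet64.dll"
)

Add-Type -Path $Pkcs11InteropDll

function Find-TokenSlot {
    # Choose the reader by token label instead of blindly taking $slots[0]. If no
    # slot reports a token, list what the module does see so the failure can be
    # diagnosed (a card the loaded module does not support looks exactly like this).
    param($Pkcs11, [string]$LabelPrefix = "")
    $withToken = $Pkcs11.GetSlotList([Net.Pkcs11Interop.Common.SlotsType]::WithTokenPresent)
    if ($withToken.Count -eq 0) {
        $all  = $Pkcs11.GetSlotList([Net.Pkcs11Interop.Common.SlotsType]::WithOrWithoutTokenPresent)
        $desc = ($all | ForEach-Object { $_.GetSlotInfo().SlotDescription.Trim() }) -join '; '
        throw "No token present. Slots reported by the module: [$desc]"
    }
    foreach ($slot in $withToken) {
        if ($slot.GetTokenInfo().Label.Trim().StartsWith($LabelPrefix)) { return $slot }
    }
    throw "No token with a label starting with '$LabelPrefix'."
}

function Test-PinChangeSafe {
    # Never send a PIN to a token that already reports it locked or on its last
    # try: a scripted retry loop must not be what locks the card.
    param($TokenInfo, [string]$Role, [int]$NewPinLength)
    $f = $TokenInfo.TokenFlags
    if ($Role -eq 'SO') { $locked = $f.SoPinLocked;   $final = $f.SoPinFinalTry }
    else                { $locked = $f.UserPinLocked; $final = $f.UserPinFinalTry }
    if ($locked) { throw "$Role PIN is locked on token '$($TokenInfo.Label.Trim())'; aborting." }
    if ($final)  { throw "$Role PIN has one retry left; aborting rather than risk a lock-out." }
    # Length limits are checked for the user PIN only: the IDPrime .NET SO
    # credential is a 24-byte admin key rather than a PIN (see the answer above).
    if ($Role -eq 'User' -and ($NewPinLength -lt [long]$TokenInfo.MinPinLen -or $NewPinLength -gt [long]$TokenInfo.MaxPinLen)) {
        throw "New PIN length $NewPinLength is outside the token range $($TokenInfo.MinPinLen)-$($TokenInfo.MaxPinLen)."
    }
}

function Set-TokenPin {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ModulePath,
        [Parameter(Mandatory)][byte[]]$OldPin,
        [Parameter(Mandatory)][byte[]]$NewPin,
        [ValidateSet('User', 'SO')][string]$Role = 'User',
        [string]$LabelPrefix = ""
    )
    $cku = if ($Role -eq 'SO') { [Net.Pkcs11Interop.Common.CKU]::CKU_SO } else { [Net.Pkcs11Interop.Common.CKU]::CKU_USER }
    $pkcs11 = New-Object Net.Pkcs11Interop.HighLevelAPI.Pkcs11($ModulePath, [Net.Pkcs11Interop.Common.AppType]::SingleThreaded)
    try {
        $slot = Find-TokenSlot -Pkcs11 $pkcs11 -LabelPrefix $LabelPrefix
        $info = $slot.GetTokenInfo()
        Test-PinChangeSafe -TokenInfo $info -Role $Role -NewPinLength $NewPin.Length
        $session = $slot.OpenSession([Net.Pkcs11Interop.Common.SessionType]::ReadWrite)
        try {
            $session.Login($cku, $OldPin)        # C_Login with the current PIN
            $session.SetPin($OldPin, $NewPin)    # C_SetPIN for the logged-in role
            $session.Logout()
            Write-Verbose "PIN changed for $Role on token '$($info.Label.Trim())' (serial $($info.SerialNumber.Trim()))"
            return $true
        }
        catch [Net.Pkcs11Interop.Common.Pkcs11Exception] {
            # Pkcs11Exception.RV carries the CKR_* return value from the module;
            # captured before the switch because switch rebinds $_
            $rv = $_.Exception.RV
            switch ($rv) {
                ([Net.Pkcs11Interop.Common.CKR]::CKR_PIN_INCORRECT) { throw "Old PIN rejected; the retry counter has dropped, check TokenFlags before trying again." }
                ([Net.Pkcs11Interop.Common.CKR]::CKR_PIN_LOCKED)    { throw "PIN locked by the token." }
                ([Net.Pkcs11Interop.Common.CKR]::CKR_PIN_LEN_RANGE) { throw "New PIN length rejected by the token." }
                default                                              { throw "PKCS#11 error $rv during PIN change." }
            }
        }
        finally { $session.Dispose() }
    }
    finally { $pkcs11.Dispose() }
}

# Usage: change the default user PIN 0000 (from the question) to 1111, both as ASCII bytes
Set-TokenPin -ModulePath $Pkcs11Module `
    -OldPin ([System.Text.Encoding]::ASCII.GetBytes("0000")) `
    -NewPin ([System.Text.Encoding]::ASCII.GetBytes("1111")) -Role User -Verbose
```

For the Admin (SO) role, pass `-Role SO` with the 24-byte key from Convert-AdminPinToByteArray as `-OldPin`; the pre-flight check then reads the SoPin* flags instead of the UserPin* flags. The point of checking TokenFlags before Login is that every wrong PIN sent by a script costs a retry, and on a card that is already on its final try the next attempt locks the role for good, which is an outcome no unattended PIN rotation should be able to cause.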