Change your Gemalto smart card PIN via script
We have to use Gemalto IDPrime.Net smart card. We receive these USB keys and need to change the PIN.
Gemalto's instructions do it through Windows:
From the Start menu, choose Run and type PINTool. Insert an IDPrime .Net card in the reader as prompted, and click OK. The change PIN interface appears. Enter the old PIN (the default PIN value is 0000), the new PIN and confirm the new PIN. Click on Change PIN.
http://support.gemalto.com/index.php?id=how_to_change_pin_in_a_idprime#.VWYTWUa8rV8
This works, but I want to set a new PIN / password via PowerShell or C#, i.e. under the control of the program. How can this be done, or is it impossible?
You can change the PIN through the PKCS#11 unmanaged API, which can be easily accessed from C# using a managed .NET wrapper called Pkcs11Interop which I author.
Here's some sample code to help you get started:
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

namespace ConsoleApplication
{
    class Program
    {
        static void Main(string[] args)
        {
            // Load PKCS#11 library provided by Gemalto
            using (Pkcs11 pkcs11 = new Pkcs11("gtop11dotnet.dll", true))
            {
                // Find first slot/reader with token/card present
                Slot slot = pkcs11.GetSlotList(true)[0];

                // Open RW session
                using (Session session = slot.OpenSession(false))
                {
                    // Login as normal user with current PIN
                    session.Login(CKU.CKU_USER, "0000");

                    // Set the new PIN for the logged in user
                    session.SetPin("0000", "1111");

                    session.Logout();
                }
            }
        }
    }
}
Using @jariq's answer posted for C#, I was able to get the following to work in PowerShell to change the Admin PIN.
Note: it is specifically for Gemalto IDPrime.NET cards, which are being replaced by the IDPrime MD product line. See the end of this post for more information.
# www.pkcs11interop.net
Add-Type -Path "C:\Somepath\Pkcs11Interop.4.0.0\lib\net45\Pkcs11Interop.dll"
# Gemalto PKCS#11 driver, loaded for a single-threaded application
# (the Pkcs11Interop enums are used by name so no magic numbers are needed)
$pkcs11 = New-Object Net.Pkcs11Interop.HighLevelAPI.Pkcs11("C:\somepath\gtop11dotnet64.dll", [Net.Pkcs11Interop.Common.AppType]::SingleThreaded)
# only slots/readers that currently have a card present
$slots = $pkcs11.GetSlotList([Net.Pkcs11Interop.Common.SlotsType]::WithTokenPresent)
$slot = $slots[0] # often it's the first
# create a read/write session (SetPin needs a RW session)
$session = $slot.OpenSession([Net.Pkcs11Interop.Common.SessionType]::ReadWrite)
# default Admin PIN: 48 hex zeros, i.e. 24 zero bytes
[byte[]]$defaultPIN = 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
# 0x30..0x31 are the ASCII bytes of 000000000000000000000001
[byte[]]$newPIN = 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x31
# CKU_SO = Security Officer a.k.a. Admin
$session.Login([Net.Pkcs11Interop.Common.CKU]::CKU_SO, $defaultPIN)
$session.SetPin($defaultPIN, $newPIN)
$session.Dispose()
$slot.CloseAllSessions()
$pkcs11.Dispose()
I found the most success converting each PIN to a byte array for use with login and change PIN. To convert the 48-digit administrator PIN to 24 bytes, the following function was created.
Function Convert-AdminPinToByteArray([ValidatePattern("^[0-9A-F]{48}$")][string]$AdminPIN)
{
    # two hex digits per byte: 48 hex digits -> 24 bytes
    $ReturnByte = New-Object byte[] 24
    $n = 0
    for ($i = 0; $i -lt $ReturnByte.Length; $i++)
    {
        $ReturnByte[$i] = [byte]"0x$($AdminPIN.SubString($n, 2))"
        $n = $n + 2
    }
    return $ReturnByte
} # End Function Convert-AdminPinToByteArray
Gemalto card types
The above examples are based on Gemalto IDPrime.NET cards that are being discontinued. End of Sale (EOS) announcement here.
IDPrime .Net / IDPrime .Net Bio key dates:
Milestone             Date
Last-Time-Buy (LTB)   September 29, 2017
End-of-Sale (EOS)     September 30, 2017
End-of-Life (EOL)     September 30, 2018
Replacement products: The IDPrime.NET 510/511 family of Gemalto's smart cards will be replaced by IDPrime MD 83x and IDPrime MD 84x smart cards.
Plug-in card programming
I have included information on the different card types because I have a Gemalto IDPrime MD 830 to test and the above methods do not work. In fact, the card doesn't even show up as present in the reader using the aforementioned methods.
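Added example, not code from either answer above nor from Pkcs11Interop itself: a PowerShell function that wraps the same Pkcs11Interop 4.x calls the previous answer uses, but checks the token's own SO-PIN lock flags before attempting the Security Officer login (so a scripted run cannot burn the card's last retry), reports the PKCS#11 return code of a failed login, and releases the session and library in a finally block. The DLL paths and the 48-hex-digit Admin PIN format are taken from that answer; the function and parameter names are assumptions of this example.

```powershell
# Example code (not from the answers above). Assumes Pkcs11Interop 4.x and the
# Gemalto IDPrime.NET PKCS#11 driver at the paths given in the previous answer.
Add-Type -Path "C:\Somepath\Pkcs11Interop.4.0.0\lib\net45\Pkcs11Interop.dll"

function ConvertFrom-HexPin([ValidatePattern("^[0-9A-Fa-f]{48}$")][string]$Hex) {
    # 48 hex digits -> 24 raw bytes, the same layout as Convert-AdminPinToByteArray above
    [byte[]](0..23 | ForEach-Object { [Convert]::ToByte($Hex.Substring($_ * 2, 2), 16) })
}

function Set-GemaltoAdminPin {
    param(
        [Parameter(Mandatory)][string]$LibraryPath,    # e.g. C:\somepath\gtop11dotnet64.dll
        [Parameter(Mandatory)][string]$CurrentPinHex,  # 48 hex digits
        [Parameter(Mandatory)][string]$NewPinHex       # 48 hex digits
    )
    $pkcs11 = New-Object Net.Pkcs11Interop.HighLevelAPI.Pkcs11($LibraryPath, [Net.Pkcs11Interop.Common.AppType]::SingleThreaded)
    $session = $null
    try {
        $slots = $pkcs11.GetSlotList([Net.Pkcs11Interop.Common.SlotsType]::WithTokenPresent)
        if ($slots.Count -eq 0) { throw "No reader with a card present" }
        $slot = $slots[0]

        # The token reports its own SO PIN retry state; stop before a login attempt could lock it.
        $flags = $slot.GetTokenInfo().TokenFlags
        if ($flags.SoPinLocked)   { throw "SO PIN is already locked; aborting" }
        if ($flags.SoPinFinalTry) { throw "SO PIN is on its final try; aborting rather than risk locking the card" }

        $oldPin = [byte[]](ConvertFrom-HexPin $CurrentPinHex)
        $newPin = [byte[]](ConvertFrom-HexPin $NewPinHex)

        $session = $slot.OpenSession([Net.Pkcs11Interop.Common.SessionType]::ReadWrite)
        try {
            $session.Login([Net.Pkcs11Interop.Common.CKU]::CKU_SO, $oldPin)
        } catch [Net.Pkcs11Interop.Common.Pkcs11Exception] {
            # RV is the PKCS#11 return code (e.g. CKR_PIN_INCORRECT); GetBaseException
            # unwraps PowerShell's MethodInvocationException around it
            throw ("SO login failed: {0}" -f $_.Exception.GetBaseException().RV)
        }
        $session.SetPin($oldPin, $newPin)
        $session.Logout()
    } finally {
        if ($session) { $session.Dispose() }
        $pkcs11.Dispose()
    }
}

# Usage (constructed values; the default Admin PIN on these cards is 48 hex zeros):
# Set-GemaltoAdminPin -LibraryPath "C:\somepath\gtop11dotnet64.dll" -CurrentPinHex ("0" * 48) -NewPinHex ("0" * 47 + "1")
```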