Change PIN of a Gemalto Smartcard through a script

We have to use Gemalto IDPrime .Net smart cards. We got these USB dongles and have to change the PIN.

Gemalto says, via Windows:

From the Start menu, choose Run and type PINTool.
Insert a IDPrime .Net card in the reader as prompted, and click OK. The change PIN interface appears
Enter the old PIN (the default PIN value is 0000), the new PIN and confirm the new PIN.
Click on Change Pin

http://support.gemalto.com/index.php?id=how_to_change_pin_in_a_idprime#.VWYTWUa8rV8

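This works, but I would like to set a new PIN/password via PowerShell or C#, i.e. under the control of a program. How can this be done, or is it not possible?

You should be able to change the PIN via the unmanaged PKCS#11 API, which can be easily accessed from C# using a managed .NET wrapper called Pkcs11Interop, of which I am the author.

Here is a code sample that can help you get started: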

using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

namespace ConsoleApplication
{
    class Program
    {
        static void Main(string[] args)
        {
            // Load PKCS#11 library provided by Gemalto
            using (Pkcs11 pkcs11 = new Pkcs11("gtop11dotnet.dll", true))
            {
                // Find first slot/reader with token/card present
                Slot slot = pkcs11.GetSlotList(true)[0];

                // Open RW session
                using (Session session = slot.OpenSession(false))
                {
                    // Login as normal user with current PIN
                    session.Login(CKU.CKU_USER, "0000");

                    // Set the new pin for the logged in user
                    session.SetPin("0000", "1111");

                    session.Logout();
                }
            }
        }
    }
}

Using the answer posted by @jariq for C#, I was able to use the following in PowerShell to change the Admin PIN.

Note: this is specifically for Gemalto IDPrime .NET cards which are being replaced by the IDPrime MD product line. See the end of this post for more info.

# www.pkcs11interop.net
Add-Type -Path "C:\Somepath\Pkcs11Interop.4.0.0\lib\net45\Pkcs11Interop.dll"

# Gemalto PKCS11 driver
# 1 = single threaded
$pkcs11 = New-Object Net.Pkcs11Interop.HighLevelAPI.Pkcs11("C:\somepath\gtop11dotnet64.dll",1)

# 0 = SlotsType.WithTokenPresent
$slots = $pkcs11.GetSlotList(0)

$slot = $slots[0] # often it's the first

# create session
# 1 = SessionType.ReadWrite
$session = $slot.OpenSession(1)

[byte[]]$defaultPIN = 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00

# 000000000000000000000001
[byte[]]$newPIN = 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x31

# 0 = Security Officer a.k.a. Admin
$session.Login(0, $defaultPIN)

$session.SetPin($defaultPIN, $newPIN)

$session.Dispose()
$slot.CloseAllSessions()
$pkcs11.Dispose()

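I found the most success with converting each PIN to a byte array for logging in and for changing the PIN. To convert the 48-digit Admin PIN to 24 bytes, the following function was created.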

Function Convert-AdminPinToByteArray([Validatepattern("^[0-9A-F]{48}$")][string]$AdminPIN)
{
    $ReturnByte = New-Object byte[] 24

    $n = 0

    for($i=0;$i -lt $ReturnByte.Length;$i++)
    {
        $ReturnByte[$i] = [byte]"0x$($AdminPIN.SubString($n,2))"
        $n = $n + 2
    }

    return $ReturnByte

} # End Function Convert-AdminPinToByteArray

Gemalto Card Types

The above examples are based on the Gemalto IDPrime .NET cards, which are being retired. The End of Sale (EOS) announcement is here.

IDPrime .Net
IDPrime .Net Bio

Key Dates: 
Milestone                  Date
Last-Time-Buy (LTB)        September 29, 2017
End-of-Sale (EOS)          September 30, 2017
End-of-Life (EOL)          September 30, 2018

Replacement

Per the EOS announcement PDF:

Products Gemalto’s family of IDPrime .NET 510/511 smart cards will be replaced by the IDPrime MD 83x and IDPrime MD 84x series of smart cards.

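Programming for the replacement cards

I have included the information about telling the card types apart because I have a Gemalto IDPrime MD 830 for testing, and the above technique does not work. In fact, using the above technique, the card does not even show up in the reader.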
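
An added example, not taken from either answer: the user PIN change from the first answer done in PowerShell, with the PINs read from a prompt instead of hardcoded in the script and the token's retry flags checked before any login. It assumes Pkcs11Interop 4.0.0 and the placeholder paths used above, and that the Gemalto driver reports the PKCS#11 PIN flags; the function names ConvertTo-PinBytes and Set-CardUserPin are hypothetical.

```powershell
# Added example (not from the answers above). Paths are the same placeholders.
Add-Type -Path "C:\Somepath\Pkcs11Interop.4.0.0\lib\net45\Pkcs11Interop.dll"

# Hypothetical helper: SecureString -> UTF-8 bytes (the string overloads of
# Login/SetPin use the same encoding). The intermediate .NET string cannot be
# wiped; only the returned byte array is cleared by the caller.
function ConvertTo-PinBytes([securestring]$Secure) {
    $plain = (New-Object Net.NetworkCredential('', $Secure)).Password
    $bytes = [Text.Encoding]::UTF8.GetBytes($plain)
    return ,$bytes   # leading comma keeps the byte[] from being unrolled
}

# Hypothetical function: change the user PIN of the single inserted card.
function Set-CardUserPin([string]$DriverPath) {
    $pkcs11 = New-Object Net.Pkcs11Interop.HighLevelAPI.Pkcs11($DriverPath, 1)  # 1 = single threaded
    $session = $null; [byte[]]$old = $null; [byte[]]$new = $null
    try {
        $slots = $pkcs11.GetSlotList(0)                 # 0 = SlotsType.WithTokenPresent
        if ($slots.Count -ne 1) { throw "Expected exactly one card, found $($slots.Count)." }

        # Refuse to log in when the card reports it is locked or on its last retry.
        $flags = $slots[0].GetTokenInfo().TokenFlags
        if ($flags.UserPinLocked -or $flags.UserPinFinalTry) {
            throw "User PIN is locked or on its final try; not attempting a login."
        }

        $old = ConvertTo-PinBytes (Read-Host "Current PIN" -AsSecureString)
        $new = ConvertTo-PinBytes (Read-Host "New PIN" -AsSecureString)

        $session = $slots[0].OpenSession(1)             # 1 = SessionType.ReadWrite
        $session.Login([Net.Pkcs11Interop.Common.CKU]::CKU_USER, $old)
        $session.SetPin($old, $new)
        $session.Logout()
    }
    catch {
        $ex = $_.Exception.GetBaseException()
        if ($ex -is [Net.Pkcs11Interop.Common.Pkcs11Exception] -and
            $ex.RV -eq [Net.Pkcs11Interop.Common.CKR]::CKR_PIN_INCORRECT) {
            throw "Wrong current PIN. Do not retry in a loop: every failure uses up a retry."
        }
        throw
    }
    finally {
        foreach ($buf in $old, $new) { if ($null -ne $buf) { [Array]::Clear($buf, 0, $buf.Length) } }
        if ($null -ne $session) { $session.Dispose() }
        $pkcs11.Dispose()
    }
}

Set-CardUserPin "C:\somepath\gtop11dotnet64.dll"
```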