I am tasked with finding the maximum number of tries to enter a PKCS#11 smart card token PIN number. I'm already aware of the flags in CK_TOKEN_INFO/TokenInfo as mentioned here, i.e. CKF_USER_PIN_COUNT_LOW, CKF_USER_PIN_FINAL_TRY, CKF_USER_PIN_LOCKED. But somehow my supervisor insists there is somewhere inside the smart card that contains the information on the maximum number of tries to enter the PIN.

Is it really somewhere in there?

1 Answer

Of course: each PIN object in the card has a respective error counter. Otherwise one could not ensure that the PIN really blocks after the given number of erroneous attempts, as soon as several clients are involved.

(PKCS is simply an additional layer for translating generic commands into the special ones for the corresponding card type.)

The problem is that there are few to no ways to extract that error counter in a standardized way. This depends on the card type and its configuration. The best chance is to send a VERIFY command with wrong PIN data and look for a '63 Cn' status code, where n represents the number of attempts remaining. In the worst case, however, the card responds with '63 00' if there is one or more attempts remaining and '69 83' if the PIN is blocked. For details you have to refer to the smart card operating system manual.
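The status words named in the answer, decoded next to the coarser PKCS#11 token flags from the question. This is an added example, not code from the answer or from any PKCS#11 library; the names `PinState`, `parse_verify_sw` and `pkcs11_pin_hint` are hypothetical, and the sample responses are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# CK_TOKEN_INFO.flags bits for the user PIN (values from the PKCS#11 headers).
CKF_USER_PIN_COUNT_LOW = 0x00010000
CKF_USER_PIN_FINAL_TRY = 0x00020000
CKF_USER_PIN_LOCKED = 0x00040000

@dataclass
class PinState:
    state: str                # "verified", "failed", "blocked" or "unknown"
    remaining: Optional[int]  # exact tries left, None when the card hides it

def parse_verify_sw(response: bytes) -> PinState:
    """Interpret the trailing SW1 SW2 of a VERIFY response APDU."""
    if len(response) < 2:
        raise ValueError("response APDU must end with SW1 SW2")
    sw1, sw2 = response[-2], response[-1]
    if (sw1, sw2) == (0x90, 0x00):
        return PinState("verified", None)
    if sw1 == 0x63 and (sw2 & 0xF0) == 0xC0:
        n = sw2 & 0x0F  # '63 Cn': the low nibble is the retry counter
        return PinState("blocked" if n == 0 else "failed", n)
    if (sw1, sw2) == (0x63, 0x00):
        return PinState("failed", None)  # tries remain, but no count is given
    if (sw1, sw2) == (0x69, 0x83):
        return PinState("blocked", 0)
    return PinState("unknown", None)

def pkcs11_pin_hint(flags: int) -> str:
    """Coarse PIN state, which is all the token flags can express."""
    if flags & CKF_USER_PIN_LOCKED:
        return "locked"
    if flags & CKF_USER_PIN_FINAL_TRY:
        return "final try"
    if flags & CKF_USER_PIN_COUNT_LOW:
        return "count low"
    return "no warning flag set"

if __name__ == "__main__":
    # Constructed VERIFY responses (status words only), not captured from a card.
    for raw in ("63C2", "6300", "6983", "9000"):
        print(raw, parse_verify_sw(bytes.fromhex(raw)))
    print(pkcs11_pin_hint(CKF_USER_PIN_COUNT_LOW | CKF_USER_PIN_FINAL_TRY))
```

A VERIFY with wrong PIN data decrements the very counter it reports, so each probe costs one attempt. ISO 7816-4 also allows a VERIFY with no data field to return '63 Cn' without consuming a try, but whether a given card supports that is again a matter for its operating system manual.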