How to get number of password retries in eToken SafeNet by IAIK PKCS#11


I use Java and IAIK to read eToken info.

    import iaik.pkcs.pkcs11.*;

    Module pkcs11Module = Module.getInstance("PKCS11.dll");
    pkcs11Module.initialize(null);
    Slot[] slotsWithToken = pkcs11Module.getSlotList(Module.SlotRequirement.TOKEN_PRESENT);
    log.info("number of slots: {}", slotsWithToken.length);
    Token[] tokens = new Token[slotsWithToken.length];
    for (int i = 0; i < slotsWithToken.length; i++) {
        Session session = null;
        TokenInfo tokenInfo = null;
        try {
            tokens[i] = slotsWithToken[i].getToken();
            tokenInfo = tokens[i].getTokenInfo();
            log.info("token info: {}", tokenInfo);   // toString() lists the token flags
        } catch (TokenException e) {
            log.error("cannot read token in slot {}", i, e);
        }
    }


This is the information I took out:

The information returned only gives 'Security Officer PIN final Try' as true or false. However, I need to know how many times I can still re-enter the password so that I can notify the user. I've searched online but there's no positive result.


There are 2 answers

Otto Touzil On BEST ANSWER

Using standard pkcs#11 calls, there is no way to get the actual number of (possible) retries.

For the user's pin, there are the flags:

  • CKF_USER_PIN_COUNT_LOW and
  • CKF_USER_PIN_FINAL_TRY

For the SO pin, there are the flags:

  • CKF_SO_PIN_COUNT_LOW and
  • CKF_SO_PIN_FINAL_TRY

You can check these on the TokenInfo class. So you can 'only' display a warning on the final try. Please also refer to the PKCS#11 specification.

However, as Alexander mentioned in another answer, there might be a vendor-defined API for this.

Alexander On

There is a Supplementary API (SAPI) for eToken located inside eTSAPI.dll.

The method you need to call is:

CK_RV SAPI_GetSlotInfo(
  CK_SLOT_ID slotId, 
  CK_ATTRIBUTE_PTR pTemplate,
  CK_ULONG ulCount);

You must query these four attributes (values are DWORD types):

#define CKA_SAPI_RETRY_USER                  0x80001110
#define CKA_SAPI_RETRY_SO                    0x80001111
#define CKA_SAPI_RETRY_USER_MAX              0x80001112
#define CKA_SAPI_RETRY_SO_MAX                0x80001113

Documentation link.

A C# prototype can look like this:

[DllImport("eTSAPI.dll", CallingConvention=CallingConvention.Cdecl, CharSet = CharSet.Ansi)]
static extern UInt32 SAPI_GetSlotInfo(UInt32 slotId, [In, Out] CK_ATTRIBUTE[] template, UInt32 count);

Have a look at how Pkcs11Interop implements the C_GetAttributeValue method.
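As an added example (not code from the question or either answer), here is the call from the answer above written in C: build the CK_ATTRIBUTE template for the four vendor attributes, call SAPI_GetSlotInfo through a function pointer (resolved from eTSAPI.dll in real use; here a constructed stand-in so it runs without a token), and turn the counters into the warning the question asks for. The helpers query_retry_info, user_pin_message and fake_get_slot_info, and the assumption that CKA_SAPI_RETRY_USER holds the attempts still remaining, are mine, not from the page; the Cryptoki typedefs mirror the standard header.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal Cryptoki types in the shape of the standard pkcs11.h. Real code includes the
 * vendor header and resolves SAPI_GetSlotInfo from eTSAPI.dll via GetProcAddress. */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV, CK_SLOT_ID, CK_ATTRIBUTE_TYPE;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE, *CK_ATTRIBUTE_PTR;
enum { CKR_OK = 0, CKR_GENERAL_ERROR = 5 };   /* standard return codes */
#define CKA_SAPI_RETRY_USER     0x80001110   /* vendor ids from the answer; DWORD values */
#define CKA_SAPI_RETRY_SO       0x80001111
#define CKA_SAPI_RETRY_USER_MAX 0x80001112
#define CKA_SAPI_RETRY_SO_MAX   0x80001113
typedef CK_RV (*SAPI_GetSlotInfo_t)(CK_SLOT_ID, CK_ATTRIBUTE_PTR, CK_ULONG);
struct retry_info { uint32_t user, so, user_max, so_max; };
/* Build the 4-entry template, call the injected SAPI_GetSlotInfo and copy the counters out.
 * Assumes RETRY_USER / RETRY_SO report the attempts still remaining (hypothetical helper). */
CK_RV query_retry_info(SAPI_GetSlotInfo_t get_slot_info, CK_SLOT_ID slot, struct retry_info *out)
{
    uint32_t v[4] = {0};
    CK_ATTRIBUTE tmpl[4] = { { CKA_SAPI_RETRY_USER, &v[0], sizeof v[0] }, { CKA_SAPI_RETRY_SO, &v[1], sizeof v[1] },
                             { CKA_SAPI_RETRY_USER_MAX, &v[2], sizeof v[2] }, { CKA_SAPI_RETRY_SO_MAX, &v[3], sizeof v[3] } };
    CK_RV rv = get_slot_info(slot, tmpl, 4);
    if (rv != CKR_OK) return rv;
    for (int i = 0; i < 4; i++)                 /* the library reports how many bytes it wrote */
        if (tmpl[i].ulValueLen != sizeof v[0]) return CKR_GENERAL_ERROR;
    out->user = v[0]; out->so = v[1]; out->user_max = v[2]; out->so_max = v[3];
    return CKR_OK;
}
/* Text to show before the PIN prompt; returns the remaining user-PIN attempts. */
int user_pin_message(const struct retry_info *ri, char *buf, size_t n)
{
    if (ri->user == 0)      snprintf(buf, n, "User PIN is locked after %u failed attempts", ri->user_max);
    else if (ri->user == 1) snprintf(buf, n, "FINAL TRY: one more wrong PIN locks the token");
    else                    snprintf(buf, n, "%u of %u attempts remaining", ri->user, ri->user_max);
    return (int)ri->user;
}
/* Constructed stand-in for the DLL export so the example runs without a token. */
static CK_RV fake_get_slot_info(CK_SLOT_ID slot, CK_ATTRIBUTE_PTR t, CK_ULONG n)
{
    (void)slot;
    for (CK_ULONG i = 0; i < n; i++) {          /* constructed values: user 2, so 1, max 15 / 10 */
        uint32_t val = t[i].type == CKA_SAPI_RETRY_USER ? 2 : t[i].type == CKA_SAPI_RETRY_SO ? 1
                     : t[i].type == CKA_SAPI_RETRY_USER_MAX ? 15 : 10;
        if (t[i].ulValueLen < sizeof val) return CKR_GENERAL_ERROR;
        memcpy(t[i].pValue, &val, sizeof val); t[i].ulValueLen = sizeof val;
    }
    return CKR_OK;
}
```

With a real token, swap fake_get_slot_info for the pointer obtained from eTSAPI.dll and pass the slot id you got from C_GetSlotList.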