OpenPGP card: verify or set a PIN -> "Conditions of use not satisfied" (69 85)

Martin Paljak martin at
Sat Aug 27 19:41:34 CEST 2011


On Aug 26, 2011, at 4:45 , Achim Pietig wrote:
> I just checked your reader, it is a PIN-PAD. These devices may have a mode that they trace the APDUs for a PIN command
> and try to redirect it to the keyboard and display.
> It is possible that this reader recognizes the 0020 command, but cannot interprete the data (no banking format e.g.).
> In that case the error 6985 comes from the reader itself…
I *hope* not (but as I don't have the reader I can't confirm it)

Readers are not supposed to interpret plain VRIFY commands unless they implement "firewalling", which forbids host-provided PIN related commands and requires the use of the pin pad.
To enable pinpad, a special block is needed which enables the secure PIN entry.

Even if it was interpreting VERIFY commands, I wish it did not return this SW … (something from the related PC/SC spec SW range 0x64XX should be used instead)

You can try by sending an otherwise invalid VERIFY command to the card or some other card and see if it returns something different. Try for example the same command with a VISA card, you can then see if it comes from the reader or card.

More information about the Gnupg-devel mailing list