From 2cf3e27e5135f033e6d0c5d0ed6238c04fdef710 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dominik=20Sch=C3=BCrmann?=
Date: Fri, 3 Nov 2017 14:06:26 +0100
Subject: [PATCH] First set Admin PIN, then PIN to prevent Gnuk from going into 'admin less mode'
---
 .../keychain/securitytoken/SecurityTokenConnection.java | 4 ++++
 .../keychain/ui/SecurityTokenOperationActivity.java | 8 +++++---
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/securitytoken/SecurityTokenConnection.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/securitytoken/SecurityTokenConnection.java
index 19962b164..beed8a119 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/securitytoken/SecurityTokenConnection.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/securitytoken/SecurityTokenConnection.java
@@ -209,6 +209,10 @@ public class SecurityTokenConnection {
 }
 }
 
+ public void resetPw3Validation() {
+ mPw3Validated = false;
+ }
+
 @VisibleForTesting
 void determineTokenType() throws IOException {
 tokenType = mTransport.getTokenTypeIfAvailable();
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/SecurityTokenOperationActivity.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/SecurityTokenOperationActivity.java
index 1834c2762..8b808266d 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/SecurityTokenOperationActivity.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/SecurityTokenOperationActivity.java
@@ -25,7 +25,6 @@ package org.sufficientlysecure.keychain.ui;
 import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.util.Arrays;
-import java.util.Map;
 
 import android.content.Intent;
 import android.os.AsyncTask;
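Review bot: `resetPw3Validation()` in SecurityTokenConnection is added as an undocumented public method, so clearing the cached Admin PIN verification flag after a PW3 change depends on every caller remembering to invoke it. If a stale `mPw3Validated = true` survives a PIN change, later admin commands presumably skip re-verification against a token that now expects the new PIN. The invalidation would be safer inside `modifyPw3Pin` itself (its body is not visible in this hunk), for example by ending that method with `mPw3Validated = false;`. If the public method stays, give it a Javadoc such as `/** Forgets the cached Admin PIN (PW3) verification so the next admin operation verifies again; call after PW3 has been changed. */`.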
@@ -293,9 +292,12 @@ public class SecurityTokenOperationActivity extends BaseSecurityTokenActivity {
 mInputParcel = mInputParcel.withCryptoData(subkeyBytes, tokenSerialNumber);
 }
 
- // change PINs afterwards
- stConnection.resetPin(newPin, adminPin);
+ // First set Admin PIN, then PIN.
+ // Order is important for Gnuk, otherwise it will be set up in "admin less mode".
+ // http://www.fsij.org/doc-gnuk/gnuk-passphrase-setting.html#set-up-pw1-pw3-and-reset-code
 stConnection.modifyPw3Pin(newAdminPin, adminPin);
+ stConnection.resetPw3Validation();
+ stConnection.resetPin(newPin, new Passphrase(new String(newAdminPin)));
 
 break;
 }
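Review bot: `new Passphrase(new String(newAdminPin))` on the added `resetPin` line copies the new Admin PIN into an immutable `String` that cannot be wiped, and if `newAdminPin` is a `byte[]` it is decoded with the platform default charset rather than the one used to encode it. A value that does not round-trip would be presented to the token as PW3 and fail, which presumably costs one of the Admin PIN retry attempts. Pass the charset explicitly, e.g. `new String(newAdminPin, StandardCharsets.UTF_8)` if the bytes were UTF-8 encoded, or better, build the `Passphrase` from the original passphrase object instead of re-decoding bytes. Also note that a failure in `resetPin` now leaves the token with the new Admin PIN but the old user PIN; the enclosing `case` block starts outside this hunk, so any handling of that partial state is not visible here.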