First set Admin PIN, then PIN to prevent Gnuk from going into 'admin less mode'

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/securitytoken/SecurityTokenConnection.java

@@ -209,6 +209,10 @@ public class SecurityTokenConnection {
         }
     }
 
+    public void resetPw3Validation() {
+        mPw3Validated = false;
+    }
+
     @VisibleForTesting
     void determineTokenType() throws IOException {
         tokenType = mTransport.getTokenTypeIfAvailable();

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/SecurityTokenOperationActivity.java

@@ -25,7 +25,6 @@ package org.sufficientlysecure.keychain.ui;
 import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.util.Arrays;
-import java.util.Map;
 
 import android.content.Intent;
 import android.os.AsyncTask;
@@ -293,9 +292,12 @@ public class SecurityTokenOperationActivity extends BaseSecurityTokenActivity {
                     mInputParcel = mInputParcel.withCryptoData(subkeyBytes, tokenSerialNumber);
                 }
 
-                // change PINs afterwards
+                // First set Admin PIN, then PIN.
-                stConnection.resetPin(newPin, adminPin);
+                // Order is important for Gnuk, otherwise it will be set up in "admin less mode".
+                // http://www.fsij.org/doc-gnuk/gnuk-passphrase-setting.html#set-up-pw1-pw3-and-reset-code
                 stConnection.modifyPw3Pin(newAdminPin, adminPin);
+                stConnection.resetPw3Validation();
+                stConnection.resetPin(newPin, new Passphrase(new String(newAdminPin)));
 
                 break;
             }