Hi Everyone,

I am writing a simple smart card PIN validation client.
I am reached upto PIN UI. CreateSignHash function displays the PIN and
after entering valid PIN for smart card it throws "an internal error
occured.

here are my steps for smart card validation.

1. loop through all smart card reader and select the one which has
card.
2. after finding the reader with card. get the certificate from the
card and then it generates the SHA1 hash from the certificate.
3. call CryptSignHash that displays the PIN UI from the provider.
4. enter the PIN to which will be validated and generate the
signature.

I appreciate if you someone can help me why CreateSignHash throws
"internal error" and how do i know whats wrong with card or reader or
code itself.

thanks,
MP

Adding a note. I have two personalize the card one with Cryptoflex
windows 2000 and other with Cryptoflex windows xp.
The card which was personolized using XP gives "internal error" when
calling CreateSignHash function.
and the card with Windows 2000 gives error 0x80100022 "This smart card
does not support the requested feature."

any one knows what could be wrong?

I am surprised no one knows about smart card and did not reply, not
even Microsoft certified people.
or may be this group is not related to smart card.

Mitesh wrote on 20/04/2008 00:07:
> I am surprised no one knows about smart card and did not reply, not
> even Microsoft certified people.
> or may be this group is not related to smart card.

alt.technology.smartcards is more dedicated to smartcards but your
issue seems related to axalto CSP, not to security on MS platforms.

may be your problem is also badly exposed; your issue seems to be:
when I "call CryptSignHash that displays the PIN UI from the provider",
it "throws 'internal error'".

from a CSP point of view, CryptSignHash is supposed to hash & sign,
an experienced CSP user is not necessary aware of axalto internal
choices regarding key policies and card specific issue.

at least you should explain how you acquire context on that CSP,
ie in 'silent' mode or not; which reader you are using, is there
an unique reader or several, does the card inserted in the first
(in PC/SC chain) or not, is it a basic reader or a PIN-pad one,
if a PIN-pad is connected to the computer, does the card inserted
in it, ..., you should also explained with hash & sign mechanisms
you are using, and obviously double-check that they are supported
by your card.

your second post is also confused ("I have two personalize" ?!)
you do not explain if the Cryptoflex package is supposed to be
different on W2k and on XP (it can be the same software or two
different that personalize the card with 2 different profiles)
you neither explained if the card personalized on W2k or XP is
working under W2k but not on XP, resp. on XP but not on W2k.

I think you could try to explain and summarize the different
cases and results, it will be useful for that newsgroup as
well as for a request to axalto's tech. support since it
appears it's a Cryptoflex card.


Sylvain.

Sylvain,

You may be right, may be i did not explain the problem. and sorry
about my bad english. I should have mentioned this but anyways. I am
glad that you replied to my post and mentioned a good points about my
post.

And, I am very much new to smart card and Crypto API. so please feel
free to ask any questions that you may think, which will help me to
find the problem.

Here is some information about my problem.

1. I am using Omnikey Smart Card Reader. Only one reader with two
smart cards.

2. I have two smart cards. Both are personalized with different
configuration but for same active directory user.
I am using "Schlumberger Personalization Tool" to personalize the
card. I have three different configurations A. Standard cryptoflex B.
CryptoFlex Windows 2K C.  Cryptoflex XP.
There are three XML files which is  used for personalizing the smart
card. I think these three xml files have commands like APDU for
configuring the cards. I don't know much detail about this. I think
they come with the personolization tool.
I am using the same Active Directory user profile to configure both
the card.


3. I am using B and C configuration files to peronolize the card.

4. In the C++ program, I am doing the following things.
  - Iterating all the readers and find the one which has card.
  - Once the reader with card found, I retrieve the ATR from the card.
  - Using the ATR finding the CSP provider.
  - using CryptAcquireContext, I am acquiring the context with the
card name, and CSP name which found in above step and In the last
parameter passing 0 so I can do KEYEXCHANGE and also provider will
display the PIN validation UI.
  - Retrieve the Certificate from the card and stored in the temporary
file.
  - Using CryptAcquireCertificatePrivateKey with
CRYPT_ACQUIRE_COMPARE_KEY_FLAG parameter I am initializing the
HCRYPTPROV.
  - Generate the SHA1 hash from the certificate. Here i initialize the
HCRYPTHASH object using HCRYPTPROV object i got from above step. I
call these methods.
   CryptCreateHash, CryptHashData, CryptGetHashParam (to find the
HP_HASHSIZE), CryptGetHashParam(To initialize the HP_HASHVAL).
  - Calling CryptSignHash with AT_KEYEXCHANGE to find the signature
length.
  - Calling CryptSignHash with AT_KEYEXCHANGE to get the signature
value. Now here PIN UI is being displayed from the CSP provider which
is Axalto in my case.
  - After entering valid PIN, I get the "An internal error occurred".
This error occured for card which was configured for Cryptoflex
Windows XP.
   And For the card with cryptoflex windows 2k. I get an error at the
"smart card does not support feature requested".


Let me know if you need further information for any step I described
above.

Both the card works fine, if i configure Active Directory user with
smart card logon. If I lock the computer and insert the smart card
with valid PIN entered for the card then i can login to the machine
without any problem.
So I am sure there is something wrong with either generating SHA1 hash
or configuring the card or calling the Crypt Functions.

Thanks,
Mitesh

Mitesh wrote on 20/04/2008 20:50:
> [far most comprehensive explanation]

well, your cards are so finely personalized for the OS specific features
(user logon) and the middleware (axalto CSP) manage these tasks rightly.
(and since MS itself use CryptoFlex cards, it's a good point).

but apparently, you want to use the card for something different
than logon process; note that the card profile can provide mechanisms
required for such logon without having the capability to manage non
repudiation or basic signature (you used the AT_KEYEXCHANGE key, does
the AT_SIGNATURE key also present ? if so, does it also fail to generate
the signature?)

if the first point is not the issue (meaning if the card does support
any signature), may be the issue comes from the PC/SC operations:
when you know that you want to work with the CryptoFlex CSP, you
should not iterate the readers list, check the ATR and so on, instead
you should simply open a context on that CSP, and the CSP itself will
verify card availability; of course your process is valid but only if
you don't lock the card resources - for instance with a PC/SC connexion
(even shared or exclusive) that stays alive when you are using the CSP.

third, according your explanation, you're asking the exchange key to
sign a hash of its own cert (I assume it's a sample case and you are
actually interested in signing other live data); your work flow seems
correct - I'm NOT a CSP expert and hopefully someone else can confirm
that - the CSP does ask for the PIN but only axalto people can indicate
if the CSP does this request before or after context checks, at this
point you can suppose that a) the access to the card is not successful
due to existing PC/SC connexion and the CSP error is actually a card
access error; or b) the PIN is successfully transmitted to the card
but the card refuses to sign the hash certainly because EXCHANGE key
does not allow such operation.

so I think you should:
- check for potential PC/SC side effects
- verify if the AT_SIGNATURE container should be used (instead of
  ExchangeKey)
- verify if your profile does allow "generic" signature (where
  generic means signature not requested by a logon process) -
  to verify that point you can try to configure Outlook or OE
  to sign your emails with the card, if it works you should be
  able to generate signature from your own code, it it fails a
  "card enrollment" (key pair generation & X509 cert. download)
  is required and very likely it's the reason of your issue.

Sylvain.

On Apr 20, 5:21 pm, "Sylvain SF"  wrote:
> Mitesh wrote on 20/04/2008 20:50:
>
> > [far most comprehensive explanation]
>

Thanks for your reply.

> well, your cards are so finely personalized for the OS specific features
> (user logon) and the middleware (axalto CSP) manage these tasks rightly.
> (and since MS itself use CryptoFlex cards, it's a good point).
>
> but apparently, you want to use the card for something different
> than logon process; note that the card profile can provide mechanisms
> required for such logon without having the capability to manage non
> repudiation or basic signature (you used the AT_KEYEXCHANGE key, does
> the AT_SIGNATURE key also present ? if so, does it also fail to generate
> the signature?)

Using CryptAcquireCertificatePrivateKey function I am verifying
whether AT_KEYEXCHANGE or AT_SIGNATURE required. The function return
AT_KEYEXCHANGE in dwKeySpec.
there is no SIGNATURE key present.

>
> if the first point is not the issue (meaning if the card does support
> any signature), may be the issue comes from the PC/SC operations:
> when you know that you want to work with the CryptoFlex CSP, you
> should not iterate the readers list, check the ATR and so on, instead
> you should simply open a context on that CSP, and the CSP itself will
> verify card availability; of course your process is valid but only if
> you don't lock the card resources - for instance with a PC/SC connexion
> (even shared or exclusive) that stays alive when you are using the CSP.
>

when calling SCardConnect function with SCARD_SHARE_EXCLUSIVE, i get
an error SCARD_E_SHARING_VIOLATION
so for now I am passing SCARD_SHARE_SHARED instead of exclusive.



> third, according your explanation, you're asking the exchange key to
> sign a hash of its own cert (I assume it's a sample case and you are
> actually interested in signing other live data); your work flow seems
> correct - I'm NOT a CSP expert and hopefully someone else can confirm
> that - the CSP does ask for the PIN but only axalto people can indicate
> if the CSP does this request before or after context checks, at this
> point you can suppose that a) the access to the card is not successful
> due to existing PC/SC connexion and the CSP error is actually a card
> access error; or b) the PIN is successfully transmitted to the card
> but the card refuses to sign the hash certainly because EXCHANGE key
> does not allow such operation.
>
> so I think you should:
> - check for potential PC/SC side effects
> - verify if the AT_SIGNATURE container should be used (instead of
>   ExchangeKey)

I have verified and sure that AT_KEYEXCHANGE container should be used.

> - verify if your profile does allow "generic" signature (where
>   generic means signature not requested by a logon process) -
>   to verify that point you can try to configure Outlook or OE
>   to sign your emails with the card, if it works you should be
>   able to generate signature from your own code, it it fails a
>   "card enrollment" (key pair generation & X509 cert. download)
>   is required and very likely it's the reason of your issue.
>

I tried to configure outlook I get error "The smart card cannot be
accessed because of other outstanding connections."

Let me know what else i can try? Are there any utility available to
check which process is using the smart card?


Thanks
Mitesh

On Apr 20, 5:21 pm, "Sylvain SF"  wrote:
> Mitesh wrote on 20/04/2008 20:50:
>
> > [far most comprehensive explanation]
>

Thanks for your reply.

> well, your cards are so finely personalized for the OS specific features
> (user logon) and the middleware (axalto CSP) manage these tasks rightly.
> (and since MS itself use CryptoFlex cards, it's a good point).
>
> but apparently, you want to use the card for something different
> than logon process; note that the card profile can provide mechanisms
> required for such logon without having the capability to manage non
> repudiation or basic signature (you used the AT_KEYEXCHANGE key, does
> the AT_SIGNATURE key also present ? if so, does it also fail to generate
> the signature?)

Using CryptAcquireCertificatePrivateKey function I am verifying
whether AT_KEYEXCHANGE or AT_SIGNATURE required. The function return
AT_KEYEXCHANGE in dwKeySpec.
there is no SIGNATURE key present.

>
> if the first point is not the issue (meaning if the card does support
> any signature), may be the issue comes from the PC/SC operations:
> when you know that you want to work with the CryptoFlex CSP, you
> should not iterate the readers list, check the ATR and so on, instead
> you should simply open a context on that CSP, and the CSP itself will
> verify card availability; of course your process is valid but only if
> you don't lock the card resources - for instance with a PC/SC connexion
> (even shared or exclusive) that stays alive when you are using the CSP.
>

when calling SCardConnect function with SCARD_SHARE_EXCLUSIVE, i get
an error SCARD_E_SHARING_VIOLATION
so for now I am passing SCARD_SHARE_SHARED instead of exclusive.



> third, according your explanation, you're asking the exchange key to
> sign a hash of its own cert (I assume it's a sample case and you are
> actually interested in signing other live data); your work flow seems
> correct - I'm NOT a CSP expert and hopefully someone else can confirm
> that - the CSP does ask for the PIN but only axalto people can indicate
> if the CSP does this request before or after context checks, at this
> point you can suppose that a) the access to the card is not successful
> due to existing PC/SC connexion and the CSP error is actually a card
> access error; or b) the PIN is successfully transmitted to the card
> but the card refuses to sign the hash certainly because EXCHANGE key
> does not allow such operation.
>
> so I think you should:
> - check for potential PC/SC side effects
> - verify if the AT_SIGNATURE container should be used (instead of
>   ExchangeKey)

I have verified and sure that AT_KEYEXCHANGE container should be used.

> - verify if your profile does allow "generic" signature (where
>   generic means signature not requested by a logon process) -
>   to verify that point you can try to configure Outlook or OE
>   to sign your emails with the card, if it works you should be
>   able to generate signature from your own code, it it fails a
>   "card enrollment" (key pair generation & X509 cert. download)
>   is required and very likely it's the reason of your issue.
>

I tried to configure outlook I get error "The smart card cannot be
accessed because of other outstanding connections."

Let me know what else i can try? Are there any utility available to
check which process is using the smart card?


Thanks
Mitesh

Sylvain,

I am doing key pair generation and X509 cert. download in my code.
so my question is does it matter if i logged into domain?

What i am trying to achieve is, I am making an activex which let user
to login to web server using their smartcard.
The activex is used to prompt for the PIN, validate it and generate a
signature. if signature is valid then it will let user login to the
web server.

sorry for the posting previous msg twice.

Thanks
Mitesh

M_P wrote on 21/04/2008 23:37:
> 
> Using CryptAcquireCertificatePrivateKey function I am verifying 
> whether AT_KEYEXCHANGE or AT_SIGNATURE required. The function return 
> AT_KEYEXCHANGE in dwKeySpec. there is no SIGNATURE key present.

ok, thanks to learn me that point.

> when calling SCardConnect function with SCARD_SHARE_EXCLUSIVE, i get 
> an error SCARD_E_SHARING_VIOLATION so for now I am passing
> SCARD_SHARE_SHARED instead of exclusive.

so when you call SCardConnect another connexion is still alive
(certainly in shared mode since you can also connect to the card).

that's an information ! the axalto CSP has no intrinsic reason to be
connected to the card if no crypto process involving the card is on the
way, this so means that another process (a daemon ?) is may be
permanently connected to the card.

> I have verified and sure that AT_KEYEXCHANGE container should be
> used.

we can be sure that the perso profile has only created a KEYEXCHANGE
container with a cert compliant with MS requirement for user logon
(some MS attributes are present in the DNs).

but this does not grant that this container allows digital signature
and thus that it shall be used for such purposes.

> I tried to configure outlook I get error "The smart card cannot be 
> accessed because of other outstanding connections."

that a bad point and certainly linked to the previous remark (another
process is linked to the card or irrelevant message forwarded by the CSP).

> Let me know what else i can try? Are there any utility available to 
> check which process is using the smart card?

certainly a lot of quick-n-dirty tools each developed in a single goal,
not sure you can find something fully relevant for your issue.

if an exclusive connexion exists you can (obviously) not establish a new
one to obtain a scardhandle that will allow diagnostic.

one possibility is to implement a "sandwich" (pass-thru) dll that will
define all PC/SC API, doing so you can log who performs which operations.

> I am doing key pair generation and X509 cert. download in my code. so
> my question is does it matter if i logged into domain?

doing that from a basic web page (and with the CEnroll componant) should
avoid potential Outlook confusion.

the cert (whose goal is to certify digital signature) has no reason to
be linked to your domain, nor to your ID and that domain, it should only
identify yourself (as a person) -- the logon cert of course identifies
yourself as an authorised domain user, not as a person and thus has a
different content).

so a free-15 days-whatever verisgn (or other) cert is just fine to this
test, the only requirement for sign email with outlook (or another
mailer) is that you provide the email address used when you send email.

> What i am trying to achieve is, I am making an activex which let user
>  to login to web server using their smartcard. The activex is used to
> prompt for the PIN, validate it and generate a signature. if
> signature is valid then it will let user login to the web server.

the here before test is so useful, to identity user on a specific web
site, you will basically: obtain a web server certificate from a well
known CA (or generate in place a self signed cert), then host a
enrollment page on that web site to deliver end-user cert signed by the
private key associated to the server cert (it can be a standalone tool
depending on more global constraints, the unique relevant point is that
you will have to securely manage the server key).
finally your component will manage full user authentication will
obtaining a nonce (a random) from the server, ask the card to sign it,
return the signature and the cert to the card).

I summarize these tasks just to show / recall that it is quite trivial
process, but of course it supposes that you are able to obtain a
signature from that card when a signature container is present.

my understanding is that you are in a pre-deployment phase, so if that
card or this CSP refuse to do what you need and if card provider support
is missing or useless, just change of provider ... looks like a guy from
idrix.net just dropped a line 2 threads below ,)

Sylvain.

Hi Sylvain,

thanks for your help and giving suggestions.

here is the error i get from event viewer when CryptSignHash function
called from my program.

Axalto Access Client: CPSignHash (0x00000b4c/0x000005e8) returns:
0x80090020 - Original exception: The file specified was not found or
no more files in the current DF.

Before this CryptSignHash function called, I am following this steps.
1. downloading the certificate and storing it into tmp.cer file.
2. Reading the file tmp.cer
3. called following functions
  CryptCreateHash
  CryptHashData - hash the temp.cer which was read in unsiged char
variable.
  CryptGetHashParam to find the HP_HASHVAL
  CryptGetHashParam to store the HP_HASHVAL
  CryptSignHash to find the pbSignature size.
  CryptSignHash to get the pbSignature ---------- At this point PIN UI
from Axalto displayed for verification. Looks like its verifying the
PIN but not finding something.

Hope this might give a hint about the actual problem.

Thanks,
Mitesh

Using certutil -scinfo
i get following error
---------------------------------------------------------------------------------
Performing AT_KEYEXCHANGE public key matching test...
Public key matching test succeeded
  Key Container = f8afe460-76e3-4974-b7d7-2b9001509c58
  Provider = Axalto Cryptographic Service Provider
  ProviderType = 1
  Flags = 1
  KeySpec = 1
420.588.0: 0x80090020 (-2146893792)
ERROR: Certificate public key does NOT match private key
317.686.0: 0x80090020 (-2146893792)
---------------------------------------------------------------------------------
0x80090020 - An internal error occurred.

Anyone know what could be wrong here?

Hi,

This kind of errors can be caused by an error at the APDU level. Having a 
transcript of the exchange of APDus before the occurrence of the error can 
help understand its cause. You can use for that a small free tool I have 
developed in order to "spy" on the APDU exchanges between an application and 
smart cards. Here is a link to download it : 

http://www.idrix.fr/Root/ScardSpy/scardspy_setup.zip

Once installed, you just have to copy the dll "winscard.dll" from the 
installation folder to the desired application directory ( iexplore.exe for 
example).  After that, launch the application and all the exchanges will be 
logged to a file on the "APDU Traces" folder of the installation directory. 
You can choose another output directory using the configuration tool. 

With the logs, hopefully it will be much easier to understand what really 
happens.

-- 
Mounir IDRASSI
IDRIX
http://www.idrix.fr


"M_P" wrote:

> Using certutil -scinfo
> i get following error
> ---------------------------------------------------------------------------------
> Performing AT_KEYEXCHANGE public key matching test...
> Public key matching test succeeded
>   Key Container = f8afe460-76e3-4974-b7d7-2b9001509c58
>   Provider = Axalto Cryptographic Service Provider
>   ProviderType = 1
>   Flags = 1
>   KeySpec = 1
> 420.588.0: 0x80090020 (-2146893792)
> ERROR: Certificate public key does NOT match private key
> 317.686.0: 0x80090020 (-2146893792)
> ---------------------------------------------------------------------------------
> 0x80090020 - An internal error occurred.
> 
> Anyone know what could be wrong here?
>