MS CNG NCryptSignHash returns 0x80090020

We’ve seen this error when trying to sign using a smart card:

msCngSignWithCert
    Acquired CNG private key.
    dwKeySpec: 0xffffffff
    key is CERT_NCRYPT_KEY_SPEC
    setSmartCardPin:
        setting smart card pin...
    --setSmartCardPin
    Using PKCS1 padding.
    msCngSign.NCryptSignHash failed.
    failed to sign.
    secStatus: 0x80090020
--msCngSignWithCert

The 0x80090020 error is a generic “NTE_FAILED: An internal error occurred”. See https://docs.microsoft.com/en-us/windows/desktop/com/com-error-codes-4

To clarify: Chilkat calls the Microsoft CNG (Cryptographic Next Generation) API, and CNG interacts with the smart card CSP (Cryptographic Service Provider). In other words, it’s like this: Chilkat –> Microsoft CNG –> Atos CardOS API v5.4

The CNG function that is returning the error is NCryptSignHash. See https://docs.microsoft.com/en-us/windows/desktop/api/ncrypt/nf-ncrypt-ncryptsignhash

It seems that the error is caused by an expired smart card.

In a particular test case, the problem occurs for an expired smart card, but there is no problem for a non-expired smart card (using the same smart card vendor).