Solving CryptoCard Graphite Plus Smart Card Signing Problems

Information about the CryptoCard Graphite Plus smartcard is located at https://www.cryptotech.com.pl/Produkty/CryptoCard_Graphite,content.html

“The card works closely with the new edition of the CryptoCard Suite software dedicated to it, which allows you to manage the content of the card and mediates in communication between programs using the card (logging into operating systems, e-mail programs, web browsers or signing applications) and the card inserted into the reader. CryptoCard Suite is a middleware, fully compliant with industry standards PKCS#11 v2.01 and later and CryptoAPI and CNG API. The new card is equipped with a software interface for new Windows operating systems and works via a module compatible with Microsoft Smart Card miniDriver v7 API, used by CSP and KSP.”

Given the above information, and assuming the CryptoCard Suite software is correctly installed, Chilkat should be able to access and sign using any of PKCS#11, MS CAPI/CSP/CNG, or miniDriver.

Over time, Chilkat collects experience with more and more smartcard and token vendors, and incorporates intelligence within the software to automatically choose the best method of interacting with the card (in other words, choose between PKCS11, MS CAPI/CSP/CNG, or ScMinidriver. This intelligence is contained in the Chilkat.Cert.LoadFromSmartcard method. However, applications, can directly choose PKCS11 or ScMinidriver by directly utilizing the Chilkat.Pkcs11 or Chilkat.ScMinidriver classes.

Regarding CryptoCard Graphite Plus, Chilkat is apparently giving preference to ScMinidriver when available, but we are seeing this error when trying to authenticate, yet it seems the signing still succeeds. (The following is an excerpt from the LastErrorText)

    scMinidriver:
      Smart card PIN authentication via the SC Minidriver...
      pinAuthenticate:
        cardName: CryptoCard Graphite Plus
        atr: 3B7F96000080318065B0855956FB120268829000
        Incorrect PIN.
        numAttemptsRemaining: 0
      --pinAuthenticate
      scSignData:
        cardName: CryptoCard Graphite Plus
        atr: 3B7F96000080318065B0855956FB120268829000
        containerIndex: 0
        keyspec: sig
        hashAlg: none
        inDataSize: 32
        rsaPaddingHash: sha256
        rsaPaddingScheme: PKCS
        Success.
      --scSignData
    --scMinidriver

Chilkat will generally proceed with trying the signature even if authentication fails, because it’s possible the card was already authenticated or perhaps it was not needed. Also, some smartcards seem to require PIN authentication before every signature operation, whereas with others it is possible to authenticate once and then do multiple signing operations.

In the above case, the signing certificate was loaded by first setting the Chilkat.Cert.SmartCardPin property, and then calling Chilkat.Cert.LoadFromSmartcard. See https://chilkatsoft.com/refdoc/csCertRef.html#prop43 and https://chilkatsoft.com/refdoc/csCertRef.html#method38 If a PIN is required, the SmartCardPin property should always be set prior to calling LoadFromSmartcard.

The LoadFromSmartcard method will typically use the “user” PIN when authenticating. However, a smartcard can have different PINs for different uses. See https://cknotes.com/types-of-smartcard-pins/ In some cases, when ScMinidriver is used, the “3” PIN is required. To specify the “3” PIN, do the following:

// Provide the smart card PIN's for both the "user" and the signing PIN, which is role "3".
// These PINs may be the same.

// If the PIN is not explicitly provided here, the Windows OS should
// display a dialog for the PIN.
cert.SmartCardPin = "{ \"user\":\"0000\", \"3\":\"12345678\" }";

Perhaps the CryptoCard Graphite Plus card requires the “3” PIN authentication prior to signing when using ScMinidriver…