当您尝试使用 PIV 卡的私钥和全局密码进行签名时，RSACryptoServiceProvider 是否有效？

Question

I am trying to use RSACryptoServiceProvider with CspParameters that point to a global pin. It works correctly if I use an application pin but when I use the global pin it fails with: "The card cannot be accessed because the wrong PIN was presented."

Will it work when I use a global pin? Is there an option that tells it what type of pin to look for?

Thanks in advance.

Update:

I am retrieving the discovery object from the smart card if it exists. This will tell me two things I want to know.

1). If the card has both application and global pins. (first byte of pin usage >= 60)

2). Which pin is considered primary. (second byte 0x10 = app, 0x20 = global)

I have a card, the NIST Test Pivcard 3, which has both pins but the global pin is primary. For this card when I enter the global pin on my test form, I can do a verify against it and it validates the pin correctly. (CLA=0x00, INS=0x20, P1=0x00, P2=0x00, Lc=0x8)

I can do the same for this card if I enter the application pin instead (with P2 set to 0x80) and it verifies it correctly.

After I verify the pin, set the AID and get some other x509 data from the card, I attempt to sign some hashed data using the card's private key.

Using RSACryptoServiceProvider and CspParameters it fails whenever I pass it the global pin. I get "The card cannot be accessed because the wrong PIN was presented."

If I pass it a valid application pin, then it works fine.

My code looks like this:

try
{
SecureString ss = new SecureString();
char[] PINs = PIN.ToCharArray();
foreach (char a in PINs)
{
    ss.AppendChar(a);
}
CspParameters csp = new CspParameters(1, "Microsoft Base Smart Card Crypto Provider");
csp.Flags = CspProviderFlags.UseDefaultKeyContainer;
csp.KeyPassword = ss;
RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(csp);
byte[] data = File.ReadAllBytes(hashFile);
sig = rsa.SignHash(data, "SHA1");
bool verified = rsa.VerifyHash(data, CryptoConfig.MapNameToOID("SHA1"), sig);
}
catch (Exception ex)
{
  txt_msg.Text = ex.Message;
  etc...
}

Is there some flag I am missing here to say that the pin being used is a global pin? Or are we not allowed to use a global pin? Or am I missing some other thing here? This is my first attempt to use RSACryptoServiceProvider and I'm probably missing some fundamentals.

Any suggestions would be appreciated.

Answer 1

You seem to assume, that PINs are somewhat exchangeable in the sense, that a global PIN is an appropriate substitute for an application-specific one. This is not true.

While a card could have been set up this way (accepting global PIN say #1 OR application specific PIN #2), your card is obviously not. If the card does not offer the choice, the service provider can't succeed. Even if the service provider uses the PIN you want and the comparison succeeds, the card will not allow usage of the private key.

And no, there is no way that you change the ID of the PIN required for signature according to your liking, since this path would then also be available for an attacker.

(All of this answers assume, that you are not allowed to modify the card content, eg you are a normal card holder.)