Force pin prompt not working #111291

Closed
RufusJWB opened this issue Jan 10, 2025 · 2 comments

Comments

@RufusJWB

If what you're looking to do is reset the "I've collected the PIN" state, you can do that by

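```csharp
using System;
using System.Security.Cryptography;

// Set the "SmartCardPin" property to an empty value to reset the PIN-collected state.
private static void ForcePinPrompt(CngKey key)
{
    key.SetProperty(new CngProperty("SmartCardPin", Array.Empty<byte>(), CngPropertyOptions.None));
}

private static void ForcePinPrompt(RSA key)
{
    if (key is RSACng rsaCng)
    {
        // Use the pattern variable: RSA itself has no Key property.
        ForcePinPrompt(rsaCng.Key);
    }
}
```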

... at least for a key created with ForceHighProtection.  Normal PIN prompting seems to still be cached with that.  Hm. 

Originally posted by @bartonjs in #79338

This is not working for me, but produces an exception with this content:

```
System.Security.Cryptography.CryptographicException
  HResult=0x8010006B
  Message=The card cannot be accessed because the wrong PIN was presented.
  Source=System.Security.Cryptography
  StackTrace:
   at System.Security.Cryptography.CngKey.SetProperty(CngProperty property)
   at Benchmark.X509Certificate2Extension.ForcePinPrompt(CngKey key) in 
```

Do you have any idea how to fix this?

@dotnet-policy-service dotnet-policy-service bot added the untriaged New issue has not been triaged by the area owner label Jan 10, 2025
@bartonjs
Member

From the exception message, it seems that whatever provider you're using is rejecting the empty PIN instead of clearing out the PIN-captured state... which seems like a reasonable thing for it to do.

Knowing what you can do instead would depend on what provider you're using, and there may not even be an option.

This doesn't currently look actionable to me.

@bartonjs bartonjs added the needs-author-action An issue or pull request that requires more info or actions from the author. label Jan 10, 2025
@RufusJWB
Author

RufusJWB commented Jan 13, 2025

Thank you for your prompt reply, @bartonjs. Interestingly, it throws an exception, but seems to work anyhow. If I catch the exception and continue, the PIN is not cached. --> I'll close this ticket.

@dotnet-policy-service dotnet-policy-service bot removed the needs-author-action An issue or pull request that requires more info or actions from the author. label Jan 13, 2025
@dotnet-policy-service dotnet-policy-service bot removed the untriaged New issue has not been triaged by the area owner label Jan 13, 2025
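
The catch-and-continue approach the reporter describes, written out as an added example; it is not code from the thread or from .NET. The class name `PinPromptReset`, the `Outcome` enum and the method names are hypothetical, and the example goes slightly beyond the thread by also accepting `ECDsaCng` keys. It tolerates only the one HResult shown in the exception above, so any other provider or card error still surfaces.

```csharp
using System;
using System.Runtime.Versioning;
using System.Security.Cryptography;

// Hypothetical helper: not part of .NET and not the reporter's own code.
[SupportedOSPlatform("windows")]
public static class PinPromptReset
{
    // HResult from the exception in the issue; winerror.h names it SCARD_W_WRONG_CHV.
    private const int ScardWWrongChv = unchecked((int)0x8010006B);

    public enum Outcome { Accepted, RejectedAsWrongPin, NotACngKey }

    public static Outcome TryForcePinPrompt(CngKey key)
    {
        ArgumentNullException.ThrowIfNull(key);
        try
        {
            // Same call as in the thread: write an empty "SmartCardPin" value.
            key.SetProperty(new CngProperty(
                "SmartCardPin", Array.Empty<byte>(), CngPropertyOptions.None));
            return Outcome.Accepted;
        }
        catch (CryptographicException ex) when (ex.HResult == ScardWWrongChv)
        {
            // The provider rejected the empty PIN. The reporter observed that the
            // PIN is no longer cached afterwards; report it instead of hiding it,
            // so the caller can log how the provider behaved.
            return Outcome.RejectedAsWrongPin;
        }
        // Any other CryptographicException (card removed, blocked PIN, ...) propagates.
    }

    // Convenience overload for keys obtained from a certificate,
    // e.g. via X509Certificate2.GetRSAPrivateKey().
    public static Outcome TryForcePinPrompt(AsymmetricAlgorithm key) => key switch
    {
        RSACng rsa => TryForcePinPrompt(rsa.Key),
        ECDsaCng ecdsa => TryForcePinPrompt(ecdsa.Key),
        _ => Outcome.NotACngKey, // null or a non-CNG implementation
    };
}
```

Whether a rejected empty PIN counts against the card's retry counter is provider-specific and is not covered in the thread, so check that with the provider in use before calling this repeatedly.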