Provider could not perform the action since the context was acquired as silent.

Kurt Santelé

Mar 31, 2011, 5:46:38 AM
to eID Middleware Dev, kurt.s...@prodatex.be
Dear MW Dev team,

Prodatex has developed an application for Dexia. The application is
signing a PDF file up to max 4 times. This is currently working on
Win XP and Vista. The same source code (C#) is now used on Win 7 (64
bit) and we get a CryptographicException with the cryptographic
message: "Provider could not perform the action since the context was
acquired as silent."
The method throwing the exception is
SignedCms.ComputeSignature(CmsSigner, Boolean):

    private static byte[] SignMsg(byte[] msg, X509Certificate2 signerCert, bool detached)
    {
        ContentInfo content = new ContentInfo(msg);

        // pass "true" to the constructor to indicate we want to sign detached (= return only the signature)
        SignedCms signedMessage = new SignedCms(content, detached);
        signedMessage.Certificates.Add(signerCert);

        CmsSigner signer = new CmsSigner(signerCert);

        // Include the following line if the top certificate in the
        // smartcard is not in the trusted list.
        signer.IncludeOption = X509IncludeOption.EndCertOnly;

        signedMessage.ComputeSignature(signer, true);

        return signedMessage.Encode();
    }

As eID reader we are using Vasco's DP855 with keypad. The application
must request the PIN code on the device and not on the PC.

Any idea what might be the problem? And the solution?

Thx in advance,
Kurt

fvernelen

Mar 31, 2011, 7:25:31 AM
to eID Middleware Dev
Hello Kurt,

Is the driver you are using on Windows 7 CCID compliant?

As on Windows Vista and Windows 7 we use our minidriver instead of our
base CSP as crypto module,
and in the minidriver we only support CCID compliant secure pinpad
readers.
(When using a non-CCID compliant reader driver, the PIN code would be
asked on the PC instead of on the reader,
which is probably what you experience now)

Wkr,
Frederik

Kurt Santelé

Apr 1, 2011, 4:32:00 AM
to eID Middleware Dev
Dear Frederik,

Vasco's DP855 has worked on Windows Vista and XP. And Vasco confirms
to me that their device is compatible with Windows 7 64 bit.
You can see the specs (incl. CCID) of the device here:
http://www.vasco.com/products/digipass/digipass_readers/digipass_850_range/digipass_855.aspx

If it might help I'm willing to come over so we can solve this problem
together. I could show you what we are developing for Dexia.

And unfortunately I don't get the PIN code question on the screen.
The application now throws an exception.

Best regards,
Kurt

Koen De Causmaecker

Apr 1, 2011, 5:06:37 AM
to Kurt Santelé, eID Middleware Dev
Kurt,

Are you sure that the NoPrompt flag is not set? Please see

Kind regards,

Koen
--
Koen De Causmaecker
koe...@gmail.com

Kurt Santelé

Apr 1, 2011, 8:40:22 AM
to eID Middleware Dev
Hi Koen,

We are not using CspProviderFlags anywhere in the source code. I have
searched through the complete solution for "csp", "provider" and
"prompt" but without any results.

Best regards,
Kurt

On Apr 1, 11:06 am, Koen De Causmaecker <koe...@gmail.com> wrote:
> Kurt,
>
> Are you sure that the NoPrompt flag is not set? Please see
> http://msdn.microsoft.com/en-us/library/system.security.cryptography....
>
> Kind regards,
>
> Koen
>
> On Fri, Apr 1, 2011 at 10:32 AM, Kurt Santelé <kurt.sant...@gmail.com> wrote:
>
> > Dear Frederik,
> >
> > Vasco's DP855 has worked on Windows Vista and XP.  And Vasco confirms
> > me that their device is compatible with Windows 7 64 bit.
> > You can see the specs (incl. CCID) of the device here:
> >
> > http://www.vasco.com/products/digipass/digipass_readers/digipass_850_...

Koen De Causmaecker

Apr 1, 2011, 8:55:28 AM
to Kurt Santelé, eID Middleware Dev
Kurt,

First, please make sure anything that could trigger this "silent context" is checked. 
Probably something is set by default so just grepping your source code is not enough. 

Do you have the same problem with a non-pinpad reader?

Kind regards,

Koen

Kurt Santelé

Apr 4, 2011, 10:10:03 AM
to eID Middleware Dev
Hi,

With the following source code (built for an x86 platform):
signedMessage.ComputeSignature(signer, true); // silent = true

I get the following results:
- device: ACR28U (no keypad); Provider could not perform the action
since the context was acquired as silent.
- device: OMNIKEY 3821 (keypad present); Provider could not perform
the action since the context was acquired as silent.
- device: DP855 (keypad present); Exception caught: Provider could
not perform the action since the context was acquired as silent.

I have changed the source code:
FROM: signedMessage.ComputeSignature(signer, true);
TO: signedMessage.ComputeSignature(signer, false);
and I have built the source code for an x86 platform.

The results are mentioned below:
- device: ACR28U (no keypad); PIN is requested on screen and is
accepted
- device: OMNIKEY 3821 (keypad present); PIN is requested on screen
and is accepted
- device: DP855 (keypad present); PIN is requested on screen and is
NOT accepted

Best regards,
Kurt

Koen De Causmaecker

Apr 4, 2011, 10:33:56 AM
to Kurt Santelé, eID Middleware Dev
Dear Kurt,


Good to see it works at least with some readers. 

About the secure PIN-pad readers: can you specify the drivers you are using? 
The generic Microsoft CCID driver does not support secure PIN-pad.

About Vasco DP855: are you able to read out the contents of an eID with the eID Viewer?

Thanks,

Koen

Kurt Santelé

Apr 4, 2011, 10:50:44 AM
to eID Middleware Dev
Hi,

> can you specify the drivers you are using?
- device: ACR28U (no keypad): ACR38 Smart Card Reader (provider: ACS;
date: 15/12/2009; version: 1.1.6.2; signer: Microsoft Windows Hardware
Compatibility Publisher)
- device: OMNIKEY 3821 (keypad present): OMNIKEY 3821 (provider: HID
Global; date: 18/01/2010; version: 1.2.2.8; signer: Microsoft Windows
Hardware Compatibility Publisher)
- device: DP855 (keypad present): Microsoft Usbccid Smartcard Reader
(WUDF) (provider: Microsoft; date: 21/06/2006; version:
6.1.7600.16385; signer: Microsoft Windows)

> Vasco DP855: are you able to read out the contents of an eID with the eID Viewer?
Yes. This works with any problem. And the weird part is: I can test
my PIN code with the eID Viewer (4th tab). The PIN code question pops
up on the screen and I have to enter my code on the device itself.

Best regards,
Kurt

Koen De Causmaecker

Apr 4, 2011, 4:56:22 PM
to Kurt Santelé, eID Middleware Dev
Kurt,

Thank you for the detailed information. 
We'll look at the issues with the two readers.

Regards,

Koen

Kurt Santelé

Apr 4, 2011, 6:07:08 PM
to eID Middleware Dev
Thx Koen!

Kurt Santelé

Apr 6, 2011, 5:25:32 AM
to eID Middleware Dev
Perhaps a small update? Has something been found? An indication? A
clue? A thought? Or nothing at all at this moment?

Sincerely yours,
Kurt

Kurt Santelé

Apr 6, 2011, 5:36:08 AM
to eID Middleware Dev
A small update from my side. I have just installed SP 1 for Win7
x64. And my Windows driver for my DP855 has been updated:

OLD: Microsoft Usbccid Smartcard Reader (WUDF) (provider: Microsoft;
date: 21/06/2006; version: 6.1.7600.16385; signer: Microsoft Windows)
NEW: Microsoft Usbccid Smartcard Reader (WUDF) (provider: Microsoft;
date: 21/06/2006; version: 6.1.7601.17514; signer: Microsoft Windows)

(Apparently MS forgot to update the timestamp)

Now the eID Viewer no longer detects my DP855. I will install once
more the DP855 Vasco drivers with my fingers crossed.

Best regards,
Kurt

Koen De Causmaecker

Apr 7, 2011, 8:15:33 AM
to Kurt Santelé, eID Middleware Dev
Kurt,

About the Omnikey reader: the reader is using CCID VERIFY_DIRECT which is currently not supported by the minidriver. 
Support for this feature will be added in the next version of the minidriver.

Kind regards,

Koen

Kurt Santelé

Apr 7, 2011, 8:32:35 AM
to eID Middleware Dev
Hi Koen,

In the meantime the eID Viewer does not detect any readers anymore.
Any ideas about that?

- The Smart Card service is running
- The device manager is displaying the smart card reader
- I have tried several USB ports

Best regards,
Kurt

Kurt Santelé

Apr 8, 2011, 3:52:25 AM
to eID Middleware Dev
Another update:
- I have uninstalled all eID related software
- I went to http://eid.belgium.be/ and I have launched the eID Quick
Installer
- The eID Quick Installer has installed the software and is now
hanging on the second tab ("Kaartlezer verbinden")

Apparently no card reader is found. I have uninstalled the DP855
while the eID Quick Installer is still running (hanging on the second
tab). I have removed and inserted the DP855 and the driver was
installed by Windows 7. However the eID Quick Installer is still
hanging on tab 2.

My DP855 is now visible under Control Panel\Hardware and Sound\Devices
and Printers.

I have closed the eID Quick Installer and I have launched it again.
The installation on the first tab goes fast and we are again hanging
on the second tab.

Last scenario: I have uninstalled the DP855 and I have removed the
device. Then I launched the eID Quick Installer and the installation
on the first tab was again fast. The second tab was again in waiting-
mode. I have plugged in the DP855 and Windows 7 has installed it
properly. However the eID Quick Installer still hangs.

How can I install my eID software again?

Best regards,
Kurt

Frederik Vernelen

Apr 8, 2011, 4:12:02 AM
to Kurt Santelé, eID Middleware Dev
Hello Kurt,

The second tab (checking for cardreaders) is only there for checking purposes,
the eid-middleware should be already installed by then (during the first tab).
You can check in control panel->programs

Alternatively, you can also run the manual install: http://eid.belgium.be/nl/Hoe_installeer_je_de_eID/Windows/man.jsp

With regard to no readers detected: does the scardservice have read permissions
on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\Readers and the corresponding driver subfolders?

Wkr,
 Frederik

Kurt Santelé

Apr 8, 2011, 4:31:46 AM
to eID Middleware Dev
Hi Frederik,

I just figured out that the permissions were indeed gone (I called the
Fedict Service Desk). I have added them again for Local Service and
now it's working on my PC.

However it's still not working on my HP Mini. The eID Viewer can test
the PIN code. After successful verification I should get a popup
mentioning that the PIN code was OK. I'm not seeing this popup so I
don't know if it's working.

Best regards,
Kurt

Kurt Santelé

Apr 8, 2011, 7:40:42 AM
to eID Middleware Dev
My initial problem isn't solved though. I'm still getting the
exception: "Provider could not perform the action since the context
was acquired as silent."

If I change the source code as follows:
FROM: signedMessage.ComputeSignature(signer, true);
TO: signedMessage.ComputeSignature(signer, false);
then I can sign with the ACR38 device. However the DP855 is not
working and I get the message "A wrong PIN was entered".

Any thoughts, ideas, hints, support, ... on this?

Best regards,
Kurt

Kurt Santelé

Apr 13, 2011, 5:34:11 AM
to eID Middleware Dev
Another update:

I have uninstalled the latest middleware and I have installed a
previous version "Belgium e-ID middleware 3.5.1 (build 5075)".
Now I'm getting another exception from the same method.

The method: signedMessage.ComputeSignature(signer, true);
throws the following CryptographicException: "Keyset does not exist"

Any idea what is happening here?

Best regards,
Kurt
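
An added example (not code from the thread or from the eID middleware) that isolates the `silent` argument of `SignedCms.ComputeSignature` discussed above and turns the two exception messages reported in the thread into explicit diagnostics. The helper name `PinAwareSigner`, the use of `Environment.UserInteractive` to choose `silent`, and reading `ex.HResult` (public from .NET Framework 4.5) are assumptions; the constants are the CryptoAPI codes NTE_SILENT_CONTEXT and NTE_BAD_KEYSET.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper, not part of the application discussed in the thread.
static class PinAwareSigner
{
    // CryptoAPI codes behind the two exception messages quoted in the thread.
    const int NTE_SILENT_CONTEXT = unchecked((int)0x80090022); // "...context was acquired as silent."
    const int NTE_BAD_KEYSET     = unchecked((int)0x80090016); // "Keyset does not exist"

    public static byte[] SignDetached(byte[] msg, X509Certificate2 signerCert)
    {
        var cms = new SignedCms(new ContentInfo(msg), true); // true = detached signature
        var signer = new CmsSigner(signerCert) { IncludeOption = X509IncludeOption.EndCertOnly };

        // Assumption: a card-held key always needs a PIN, so only request a
        // silent context when no UI can be shown (service, scheduled task),
        // where failing fast is better than blocking on an invisible prompt.
        bool silent = !Environment.UserInteractive;
        try
        {
            cms.ComputeSignature(signer, silent);
            return cms.Encode();
        }
        catch (CryptographicException ex)
        {
            switch (ex.HResult)
            {
                case NTE_SILENT_CONTEXT:
                    throw new InvalidOperationException(
                        "The key needs a PIN or other user interaction, but signing was " +
                        "requested with silent=" + silent + ". Sign from an interactive session.", ex);
                case NTE_BAD_KEYSET:
                    throw new InvalidOperationException(
                        "The provider cannot open the key container referenced by certificate " +
                        signerCert.Thumbprint + ". Check that the card is inserted and that the " +
                        "certificate's key provider matches the installed middleware.", ex);
                default:
                    throw; // anything else (e.g. a rejected PIN) is passed through unchanged
            }
        }
    }
}
```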