Certificate Signing Request generation fails with error 0x80090030 (NTE_DEVICE_NOT_READY) when using smartcard with EC support and KSP

  • Question

  • Hello,

    I would like to test a newly written minidriver for a smartcard with ECC support (key generation and signing work on the smartcard side - this was tested using a PKCS#11 library). The problem is that I am not able to use the smartcard via the Microsoft Smart Card Key Storage Provider.
    With RSA and the Microsoft Base Smart Card Crypto Provider all works fine - CSRs were generated without issues. The problem is present on Windows 7 64-bit and Windows 10 64-bit. My minidriver implementation provides the CardCreateContainer function, which supports CARD_CREATE_CONTAINER_KEY_GEN as dwFlags and any dwKeySpec from AT_ECDSA_P256, AT_ECDSA_P384, or AT_ECDSA_P521.
    The Windows registry is set as stated on the webpage, with ATR and ATR mask; minidriver.dll should work under BaseCSP and KSP, right? The card reader works fine, all drivers are up to date.

    [part of the registry entry]

    "Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
    "Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
    "80000001"="C:\\Windows\\System32\\minidriver.dll"



    I used certreq to generate the keypair and prepare the CSR, and certutil -csptest to get the provider name.
    Question: What possibly went wrong with this request, and where should I start looking for bugs in my minidriver code or configuration files / installation?

    thanks in advance,
    Michal

    This is my certreq.inf

    [NewRequest]
    ; At least one value must be set in this section
    Subject = "CN=user@example.org"
    Exportable = FALSE
    KeyAlgorithm = ECDSA_P256
    KeyLength = 0
    KeySpec = AT_ECDSA_P256
    KeyUsage = 0xd0
    ; certutil -csplist
    ProviderName = "Microsoft Smart Card Key Storage Provider"

    Below is an excerpt from the output of the `certutil -csptest` command:
     
    Provider Name: Microsoft Smart Card Key Storage Provider
          Name: Microsoft Smart Card Key Storage Provider
          HWND Handle:Binary:
    0000	00 00 00 00 00 00 00 00                            ........
          Impl Type: 11 (0xb)
        NCRYPT_IMPL_HARDWARE_FLAG -- 1
        NCRYPT_IMPL_SOFTWARE_FLAG -- 2
        NCRYPT_IMPL_REMOVABLE_FLAG -- 8
    
          Version: 65536 (0x10000)
        Pass
    
      Provider Aliases:
        Microsoft Base Smart Card Crypto Provider
        Microsoft Smart Card Key Storage Provider
    
      Provider Module:
          UM(1): scksp.dll
          0(1): 10001, 0
            0: KEY_STORAGE
    
      Asymmetric Encryption Algorithms:
       RSA
        BCRYPT_ASYMMETRIC_ENCRYPTION_INTERFACE -- 3
        NCRYPT_ASYMMETRIC_ENCRYPTION_OPERATION -- 4
        NCRYPT_SIGNATURE_OPERATION -- 10 (16)
    
      Secret Agreement Algorithms:
       ECDH_P256
        BCRYPT_SECRET_AGREEMENT_INTERFACE -- 4
        NCRYPT_SECRET_AGREEMENT_OPERATION -- 8
        NCRYPT_SIGNATURE_OPERATION -- 10 (16)
    
       ECDH_P384
        BCRYPT_SECRET_AGREEMENT_INTERFACE -- 4
        NCRYPT_SECRET_AGREEMENT_OPERATION -- 8
        NCRYPT_SIGNATURE_OPERATION -- 10 (16)
    
       ECDH_P521
        BCRYPT_SECRET_AGREEMENT_INTERFACE -- 4
        NCRYPT_SECRET_AGREEMENT_OPERATION -- 8
        NCRYPT_SIGNATURE_OPERATION -- 10 (16)
    
      Signature Algorithms:
       RSA
        BCRYPT_ASYMMETRIC_ENCRYPTION_INTERFACE -- 3
        NCRYPT_ASYMMETRIC_ENCRYPTION_OPERATION -- 4
        NCRYPT_SIGNATURE_OPERATION -- 10 (16)
    
       ECDSA_P256
        BCRYPT_SIGNATURE_INTERFACE -- 5
        NCRYPT_SIGNATURE_OPERATION -- 10 (16)
    
       ECDSA_P384
        BCRYPT_SIGNATURE_INTERFACE -- 5
        NCRYPT_SIGNATURE_OPERATION -- 10 (16)
    
       ECDSA_P521
        BCRYPT_SIGNATURE_INTERFACE -- 5
        NCRYPT_SIGNATURE_OPERATION -- 10 (16)
    
      Asymmetric Algorithms:
       RSA
        BCRYPT_ASYMMETRIC_ENCRYPTION_INTERFACE -- 3
        NCRYPT_ASYMMETRIC_ENCRYPTION_OPERATION -- 4
        NCRYPT_SIGNATURE_OPERATION -- 10 (16)
    
        NCryptCreatePersistedKey(Microsoft Smart Card Key Storage Provider, RSA)
          Algorithm Group: RSA
          Algorithm Name: RSA
          Length: 2048 (0x800)
          Lengths:
    	dwMinLength = 1024 (0x400)
    	dwMaxLength = 4096 (0x1000)
    	dwIncrement = 512 (0x200)
    	dwDefaultLength = 2048 (0x800)
          Block Length: 256 (0x100)
          UI Policy:
    	dwVersion = 1 (0x1)
    	dwFlags = 0 (0x0)
    	pszCreationTitle = (null)
    	pszFriendlyName = (null)
    	pszDescription = (null)
          Export Policy: 0 (0x0)
    
          HWND Handle:Binary:
    0000	00 00 00 00 00 00 00 00                            ........
          Key Usage: 0 (0x0)
    
        Pass
    
       ECDH_P256
        BCRYPT_SECRET_AGREEMENT_INTERFACE -- 4
        NCRYPT_SECRET_AGREEMENT_OPERATION -- 8
        NCRYPT_SIGNATURE_OPERATION -- 10 (16)
    
        NCryptCreatePersistedKey(Microsoft Smart Card Key Storage Provider, ECDH_P256)
          Algorithm Group: ECDH
          Algorithm Name: ECDH_P256
          Length: 256 (0x100)
          Lengths:
    	dwMinLength = 256 (0x100)
    	dwMaxLength = 256 (0x100)
    	dwIncrement = 0 (0x0)
    	dwDefaultLength = 256 (0x100)
          UI Policy:
    	dwVersion = 1 (0x1)
    	dwFlags = 0 (0x0)
    	pszCreationTitle = (null)
    	pszFriendlyName = (null)
    	pszDescription = (null)
          Export Policy: 0 (0x0)
    
          HWND Handle:Binary:
    0000	00 00 00 00 00 00 00 00                            ........
          Key Usage: 0 (0x0)
    
        Pass
    
       ECDH_P384
        BCRYPT_SECRET_AGREEMENT_INTERFACE -- 4
        NCRYPT_SECRET_AGREEMENT_OPERATION -- 8
        NCRYPT_SIGNATURE_OPERATION -- 10 (16)
    
        NCryptCreatePersistedKey(Microsoft Smart Card Key Storage Provider, ECDH_P384)
          Algorithm Group: ECDH
          Algorithm Name: ECDH_P384
          Length: 384 (0x180)
          Lengths:
    	dwMinLength = 384 (0x180)
    	dwMaxLength = 384 (0x180)
    	dwIncrement = 0 (0x0)
    	dwDefaultLength = 384 (0x180)
          UI Policy:
    	dwVersion = 1 (0x1)
    	dwFlags = 0 (0x0)
    	pszCreationTitle = (null)
    	pszFriendlyName = (null)
    	pszDescription = (null)
          Export Policy: 0 (0x0)
    
          HWND Handle:Binary:
    0000	00 00 00 00 00 00 00 00                            ........
          Key Usage: 0 (0x0)
    
        Pass
    
       ECDH_P521
        BCRYPT_SECRET_AGREEMENT_INTERFACE -- 4
        NCRYPT_SECRET_AGREEMENT_OPERATION -- 8
        NCRYPT_SIGNATURE_OPERATION -- 10 (16)
    
        NCryptCreatePersistedKey(Microsoft Smart Card Key Storage Provider, ECDH_P521)
          Algorithm Group: ECDH
          Algorithm Name: ECDH_P521
          Length: 521 (0x209)
          Lengths:
    	dwMinLength = 521 (0x209)
    	dwMaxLength = 521 (0x209)
    	dwIncrement = 0 (0x0)
    	dwDefaultLength = 521 (0x209)
          UI Policy:
    	dwVersion = 1 (0x1)
    	dwFlags = 0 (0x0)
    	pszCreationTitle = (null)
    	pszFriendlyName = (null)
    	pszDescription = (null)
          Export Policy: 0 (0x0)
    
          HWND Handle:Binary:
    0000	00 00 00 00 00 00 00 00                            ........
          Key Usage: 0 (0x0)
    
        Pass
    
       ECDSA_P256
        BCRYPT_SIGNATURE_INTERFACE -- 5
        NCRYPT_SIGNATURE_OPERATION -- 10 (16)
    
        NCryptCreatePersistedKey(Microsoft Smart Card Key Storage Provider, ECDSA_P256)
          Algorithm Group: ECDSA
          Algorithm Name: ECDSA_P256
          Length: 256 (0x100)
          Lengths:
    	dwMinLength = 256 (0x100)
    	dwMaxLength = 256 (0x100)
    	dwIncrement = 0 (0x0)
    	dwDefaultLength = 256 (0x100)
          UI Policy:
    	dwVersion = 1 (0x1)
    	dwFlags = 0 (0x0)
    	pszCreationTitle = (null)
    	pszFriendlyName = (null)
    	pszDescription = (null)
          Export Policy: 0 (0x0)
    
          HWND Handle:Binary:
    0000	00 00 00 00 00 00 00 00                            ........
          Key Usage: 0 (0x0)
    
        Pass
    
       ECDSA_P384
        BCRYPT_SIGNATURE_INTERFACE -- 5
        NCRYPT_SIGNATURE_OPERATION -- 10 (16)
    
        NCryptCreatePersistedKey(Microsoft Smart Card Key Storage Provider, ECDSA_P384)
          Algorithm Group: ECDSA
          Algorithm Name: ECDSA_P384
          Length: 384 (0x180)
          Lengths:
    	dwMinLength = 384 (0x180)
    	dwMaxLength = 384 (0x180)
    	dwIncrement = 0 (0x0)
    	dwDefaultLength = 384 (0x180)
          UI Policy:
    	dwVersion = 1 (0x1)
    	dwFlags = 0 (0x0)
    	pszCreationTitle = (null)
    	pszFriendlyName = (null)
    	pszDescription = (null)
          Export Policy: 0 (0x0)
    
          HWND Handle:Binary:
    0000	00 00 00 00 00 00 00 00                            ........
          Key Usage: 0 (0x0)
    
        Pass
    
       ECDSA_P521
        BCRYPT_SIGNATURE_INTERFACE -- 5
        NCRYPT_SIGNATURE_OPERATION -- 10 (16)
    
        NCryptCreatePersistedKey(Microsoft Smart Card Key Storage Provider, ECDSA_P521)
          Algorithm Group: ECDSA
          Algorithm Name: ECDSA_P521
          Length: 521 (0x209)
          Lengths:
    	dwMinLength = 521 (0x209)
    	dwMaxLength = 521 (0x209)
    	dwIncrement = 0 (0x0)
    	dwDefaultLength = 521 (0x209)
          UI Policy:
    	dwVersion = 1 (0x1)
    	dwFlags = 0 (0x0)
    	pszCreationTitle = (null)
    	pszFriendlyName = (null)
    	pszDescription = (null)
          Export Policy: 0 (0x0)
    
          HWND Handle:Binary:
    0000	00 00 00 00 00 00 00 00                            ........
          Key Usage: 0 (0x0)
    
        Pass
    
      All Algorithms:
       RSA
        BCRYPT_ASYMMETRIC_ENCRYPTION_INTERFACE -- 3
        NCRYPT_ASYMMETRIC_ENCRYPTION_OPERATION -- 4
        NCRYPT_SIGNATURE_OPERATION -- 10 (16)
    
       ECDH_P256
        BCRYPT_SECRET_AGREEMENT_INTERFACE -- 4
        NCRYPT_SECRET_AGREEMENT_OPERATION -- 8
        NCRYPT_SIGNATURE_OPERATION -- 10 (16)
    
       ECDH_P384
        BCRYPT_SECRET_AGREEMENT_INTERFACE -- 4
        NCRYPT_SECRET_AGREEMENT_OPERATION -- 8
        NCRYPT_SIGNATURE_OPERATION -- 10 (16)
    
       ECDH_P521
        BCRYPT_SECRET_AGREEMENT_INTERFACE -- 4
        NCRYPT_SECRET_AGREEMENT_OPERATION -- 8
        NCRYPT_SIGNATURE_OPERATION -- 10 (16)
    
       ECDSA_P256
        BCRYPT_SIGNATURE_INTERFACE -- 5
        NCRYPT_SIGNATURE_OPERATION -- 10 (16)
    
       ECDSA_P384
        BCRYPT_SIGNATURE_INTERFACE -- 5
        NCRYPT_SIGNATURE_OPERATION -- 10 (16)
    
       ECDSA_P521
        BCRYPT_SIGNATURE_INTERFACE -- 5
        NCRYPT_SIGNATURE_OPERATION -- 10 (16)
    
    
    BCryptEnumAlgorithms:
      Hash Algorithms:
        SHA256
        SHA384
        SHA512
        SHA1
        MD5
        MD4
        MD2
        AES-GMAC
        AES-CMAC
    
      Asymmetric Encryption Algorithms:
        RSA
    
      Secret Agreement Algorithms:
        DH
        ECDH_P256
        ECDH_P384
        ECDH_P521
        ECDH
    
      Signature Algorithms:
        RSA_SIGN
        ECDSA_P256
        ECDSA_P384
        ECDSA_P521
        ECDSA
        DSA
    
      Cipher Algorithms:
        AES
          dwMinLength=128 dwMaxLength=256 dwIncrement=64
        3DES
          dwMinLength=192 dwMaxLength=192 dwIncrement=0
        3DES_112
          dwMinLength=128 dwMaxLength=128 dwIncrement=0
        XTS-AES
          dwMinLength=256 dwMaxLength=512 dwIncrement=128
        DESX
          dwMinLength=192 dwMaxLength=192 dwIncrement=0
        DES
          dwMinLength=64 dwMaxLength=64 dwIncrement=0
        RC2
          dwMinLength=16 dwMaxLength=128 dwIncrement=8
        RC4
          dwMinLength=8 dwMaxLength=512 dwIncrement=8
    
      RNG Algorithms:
        RNG
        FIPS186DSARNG
        DUALECRNG
    
      Asymmetric Algorithms:
        RSA
        DH
        ECDH_P256
        ECDH_P384
        ECDH_P521
        ECDH
        RSA_SIGN
        ECDSA_P256
        ECDSA_P384
        ECDSA_P521
        ECDSA
        DSA
    
      All Algorithms:
        AES
          dwMinLength=128 dwMaxLength=256 dwIncrement=64
        3DES
          dwMinLength=192 dwMaxLength=192 dwIncrement=0
        3DES_112
          dwMinLength=128 dwMaxLength=128 dwIncrement=0
        XTS-AES
          dwMinLength=256 dwMaxLength=512 dwIncrement=128
        DESX
          dwMinLength=192 dwMaxLength=192 dwIncrement=0
        DES
          dwMinLength=64 dwMaxLength=64 dwIncrement=0
        RC2
          dwMinLength=16 dwMaxLength=128 dwIncrement=8
        RC4
          dwMinLength=8 dwMaxLength=512 dwIncrement=8
        SHA256
        SHA384
        SHA512
        SHA1
        MD5
        MD4
        MD2
        AES-GMAC
        AES-CMAC
        RSA
        DH
        ECDH_P256
        ECDH_P384
        ECDH_P521
        ECDH
        RSA_SIGN
        ECDSA_P256
        ECDSA_P384
        ECDSA_P521
        ECDSA
        DSA
        RNG
        FIPS186DSARNG
        DUALECRNG
        SP800_108_CTR_HMAC
        SP800_56A_CONCAT
        PBKDF2
        CAPI_KDF
        TLS1_1_KDF
        TLS1_2_KDF
    
    CertUtil: -csptest command FAILED: 0x80090030 (-2146893776 NTE_DEVICE_NOT_READY)



    Monday, January 16, 2017 11:16 AM
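
One way to take certreq and the INF file out of the picture when chasing this error, as an added example that is not part of the original post: the script asks the Microsoft Smart Card Key Storage Provider directly, through the .NET CNG classes, to create an ECDSA_P256 key on the card, sign with it, and then delete it, printing the HRESULT of whichever step fails. It assumes Windows PowerShell 5.1 with the card inserted; the container name is a throwaway value made up for the test.

```powershell
# Added diagnostic, not from the thread. Assumes Windows PowerShell 5.1 and the card inserted.
# $keyName is a throwaway container name made up for this test; the KSP will prompt for the PIN.
$keyName = 'ksp-ecdsa-diag-' + [guid]::NewGuid().ToString('N')

function Invoke-Step {
    param([string]$Name, [scriptblock]$Action)
    try {
        $result = & $Action
        Write-Host ('{0,-34} OK' -f $Name)
        return ,$result          # leading comma keeps a byte[] result intact
    }
    catch {
        # PowerShell wraps .NET exceptions; unwrap to the innermost one raised by CNG.
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }
        Write-Host ('{0,-34} FAILED 0x{1:X8} {2}' -f $Name, $ex.HResult, $ex.Message)
        return $null
    }
}

$params = New-Object System.Security.Cryptography.CngKeyCreationParameters
$params.Provider     = [System.Security.Cryptography.CngProvider]::MicrosoftSmartCardKeyStorageProvider
$params.KeyUsage     = [System.Security.Cryptography.CngKeyUsages]::Signing
$params.ExportPolicy = [System.Security.Cryptography.CngExportPolicies]::None

# CngKey.Create creates the persisted key and finalizes it in one call.
$key = Invoke-Step 'Create + finalize ECDSA_P256 key' {
    [System.Security.Cryptography.CngKey]::Create(
        [System.Security.Cryptography.CngAlgorithm]::ECDsaP256, $keyName, $params)
}

if ($key) {
    $data  = [Text.Encoding]::ASCII.GetBytes('constructed test message')
    $ecdsa = New-Object System.Security.Cryptography.ECDsaCng($key)
    $sig   = Invoke-Step 'Sign with card key' { $ecdsa.SignData($data) }
    if ($sig) {
        Invoke-Step 'Verify signature' {
            if (-not $ecdsa.VerifyData($data, [byte[]]$sig)) { throw 'signature did not verify' }
        } | Out-Null
        Write-Host ('Signature length: {0} bytes (64 expected for P-256)' -f $sig.Length)
    }
    $ecdsa.Dispose()
    # Remove the test container so repeated runs do not fill the card.
    Invoke-Step 'Delete test container' { $key.Delete() } | Out-Null
}
```

If the first step already reports 0x80090030, the failure reproduces without certreq, which narrows the search to the path between the KSP and the minidriver during key creation.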

All replies

  • Hi Michal_1339E75,

    Considering this is more likely a development issue, it is recommended to ask for help in our MSDN forum. They are more familiar with development issues and they may have more resources to help you.
    MSDN forum
    https://social.msdn.microsoft.com/Forums/en-US/home?forum=wdk

    Best regards



    Tuesday, January 17, 2017 2:27 AM
  • Hello Moderator, 

    I have exactly the same issue. It is related to the application CertUtil and Win 10 compatibility, so maybe the question is appropriate for this forum. The application Certutil as part of PowerShell in Win 10 fails, while in Win 7 the same application works with exactly the same command. I suspect that it is related to Certutil not being compatible with Win 10 for ECC certs and related activity.

    Please advise if there is another forum for PowerShell for Win10. 

    Thank you so much, 

    Best regards,

    Tuesday, May 29, 2018 6:23 PM
  • Hi Michal_1339E75,

    I don't see any reply from MS TechForum. Did you encounter the same issue when using Certutil to import an ECC256 cert into a smartcard using a minidriver? I have listed my commands as follows.

    I have the same problem with a different error message. I suspect that it is Certutil compatibility with the Win 10 64-bit OS. On Win 7, the same command works with the same smartcard.

    Using CertUtil with an ECDsa384, I get the NTE_BAD_FLAGS error when I try to import a .p12 file into a smartcard. Any idea what could be the reason? The private key was created using the Exportable option. The following error still pops up. Please advise. Thanks for your help.

    C:\WINDOWS\system32>certutil.exe -csp "Microsoft Smart Card Key Storage Provider" -importpfx "D:\Temp\5_4_2018_5_12_50_PM\X509Ecc384.p12"
    Enter PFX password:
    CertUtil: -importPFX command FAILED: 0x80090009 (-2146893815 NTE_BAD_FLAGS)
    CertUtil: Invalid flags specified.

    Any idea what the invalid flags error means?

    Best Regards,

    Tuesday, May 29, 2018 6:30 PM