UWP Application PIV Example Needed

Question

We are developing a C# UWP application using Visual Studio 2019. I have successfully setup monitoring of the YubiKey FIPS (4.4.5 firmware) being inserted/removed from the USB port. We setup the YubiKey to use PIV and have loaded a certificate into slot 9c (using YubiKey PIV Manager, I have not installed the mini driver). I do note that when the YubiKey is inserted into the USB, it auto loads my personal cert store with the certificate that is in slot 9c. We receive a challenge from our server and I need to use it to verify against the YubiKey. What is the next step to get the certificate from slot 9c (what if you have multiple certs on that key)? Yubico does not have an example showing how to integrate the key with an app (I don't believe Windows Hello is applicable here, no?). We are trying to use the Windows.Devices.SmartCards namespace. This namespace does not seem to have the concept of slots. Is that the correct direction or do we need to use Yubico libraries (mini driver) I'm not aware. The documentation is limited.

var yubiKeys = Readers.Where(r => r.Value.Name.Contains("Yubi", StringComparison.OrdinalIgnoreCase));

foreach (KeyValuePair<string, SmartCardReader> item in yubiKeys)
{
    IReadOnlyList<SmartCard> cards = await item.Value.FindAllCardsAsync();

    foreach(SmartCard card in cards)
    {
       SmartCardProvisioning prov = await SmartCardProvisioning.FromSmartCardAsync(card);

       using (SmartCardChallengeContext context = await prov.GetChallengeContextAsync())
       {
            IBuffer yubiKeyChallenge = context.Challenge;  // IS THIS THE CARDS ADMIN PIN?

            // Challenge to acquire cert here perhaps?
            // the card object has no concept of slots, would each slot be a card in the reader?
            // if so, how would I use the Challenge for that card?
       }
    }
}

Answer 1

To access smartcard or usb token content like slots, keys in it, directly you may need to use PKCS#11.

But since you said smartcard content is being loaded by smartcard driver (CSP) to Windows Certificate store, you may use Windows.Security, X509 certificates and RSA Provider (I don't remember .NET namespaces exactly...) to give signing request using RSAProvider and CSP would in turn send that request to smartcard. You many not need to access smartcard directly for signing.

For browser based user authentication, please refer to so answer

Answer 2

The Windows Smart Card components (including the Windows Inbox Smart Card Minidriver and the Yubico minidriver) don’t directly implement supported PIV concepts like slots or objects. Instead, the minidriver scans the PIV slots and converts any present keys to "key containers", which is how Windows deals with private keys and certificates. Each certificate in the Certificate Store has an associated key container, but since it has no concept of PIV, details like the key reference slot have been abstracted away.

As with most built-in Windows components, the app doesn’t talk to the smart card directly, instead it uses the certificate that the Certificate Propagation service adds to the personal store.

If you inspect the user's personal store with Certificate Manager (certmgr.msc), the certificate properties should have a note that you have a private key associated with the certificate.

To sign or encrypt with the private key, the app acquires the certificate from the personal store and uses the appropriate .NET CSP with that certificate.

In general, UWP apps have limited native interop capabilities and rely on using the rudimentary APIs of the smart card key storage provider (KSP) to later be called through the CNG interface.

Here’s an example of using the UserCertificateStore to interact with certificates within the user’s personal certificate store.

You can then use that certificate with your favorite CSP software library to sign or encrypt. A few examples here.