I'm developing a Minidriver for a smartcard that requires a card access number (CAN, printed on the card to prevent contactless skimming of the data) to read the public data (certificates) on it. The usual workflow with this card is:
- CAN authentication
- Reading of PKCS#15 file structures and certificates
- PIN authentication
- Signature operation

In a PKCS#11 library this can be achieved by using the `CKF_LOGIN_REQUIRED` token flag.
But the `certutil -scinfo` utility (which I use for testing the Minidriver) seems to try to get container information before any authentication is performed (it calls `CardGetContainerInfo`) and then fails when the Minidriver doesn't return any containers (with `NTE_BAD_KEYSET`).
Is there a way to indicate to a CAPI application that it should log in before trying to read any information from the card (maybe in the `CONTAINER_MAP_RECORD` or `PIN_INFO` structures)?