WinHttp PIV card removal stop communication / logout

  • Question

  • Hi all,

    I'm looking for a solution to my problem.

    I have a desktop web (HTTP) client application (C++) which requires PIV card authentication (SSL client authentication). I have used the WinHttp API for the communication (SSL handshake) between client and server.

    I have set the client (smartcard) certificate using WinHttpSetOption(...WINHTTP_OPTION_CLIENT_CERT_CONTEXT, .....) and it is working fine as expected.

    The problem here is that, after a successful login (client authentication), when I remove the PIV card from the reader, my client application is still able to communicate with the server over SSL and it doesn't throw any error. Is there a way to avoid this?

    1) How can I set an option (if any) in WinHttp to always check for the existence of the SAME PIV card in the reader and show an error / message if the card is removed during communication between client and server?

    2) Is there a way to get the smartcard reader name from the PCCERT_CONTEXT? (I'm enumerating this PCCERT_CONTEXT from the user local store "MY".)

    Currently I'm managing it pragmatically with the help of the SCardGetStatusChange API in a thread. There are some minor issues I'm facing due to this approach when multiple readers are connected to the system, so I'm looking for the BEST solution.




    Balamurali C


    • Edited by techpach Monday, April 10, 2017 7:35 PM
    Monday, April 10, 2017 7:31 PM

All replies

  • Removing the smart card is fine in that case because the smart card's work is already done: the client certificate part of the SSL handshake already completed and the smart card no longer has any role to play. It sounds like you want to implement a smart card removal policy. To do this, you should use SCardGetStatusChange on a helper thread to monitor for card removal. So your approach is correct.

    The problem seems like you need to find the specific scard context that correlates with the PCCERT_CONTEXT. The answer to that question depends on how you got the PCCERT_CONTEXT in the first place. Which APIs are you specifically using?

    Wednesday, April 12, 2017 2:56 PM
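
The removal policy the reply describes, as an added example that is not code from the thread: a helper-thread wait loop that watches only the one reader used at login, so other connected readers do not generate events. The names `card_gone` and `wait_for_removal` are hypothetical, the reader name is assumed to be known to the caller, and the non-Windows branch only supplies the winscard.h constant values so the state check builds elsewhere.

```cpp
#include <cstdint>
#ifdef _WIN32
#include <windows.h>
#include <winscard.h>
#pragma comment(lib, "winscard.lib")
#else
// Stand-ins carrying the winscard.h values (assumption: non-Windows build
// is only used to exercise card_gone, not to talk to a reader).
typedef uint32_t DWORD;
const DWORD SCARD_STATE_CHANGED = 0x0002, SCARD_STATE_UNKNOWN = 0x0004,
            SCARD_STATE_UNAVAILABLE = 0x0008, SCARD_STATE_EMPTY = 0x0010,
            SCARD_STATE_PRESENT = 0x0020;
#endif

// True when the reported reader state means the card used at login can no
// longer be assumed present: slot empty, reader unplugged or unusable, or
// simply no PRESENT bit. Any such event ends the session, even if a card
// is inserted again afterwards.
bool card_gone(DWORD eventState) {
    if (eventState & (SCARD_STATE_EMPTY | SCARD_STATE_UNAVAILABLE |
                      SCARD_STATE_UNKNOWN))
        return true;
    return (eventState & SCARD_STATE_PRESENT) == 0;
}

#ifdef _WIN32
// Run on a helper thread. Blocks on ONE named reader and returns
// SCARD_S_SUCCESS once the card is gone, or the error code otherwise
// (SCARD_E_CANCELLED if another thread calls SCardCancel on ctx).
LONG wait_for_removal(SCARDCONTEXT ctx, const wchar_t* reader) {
    SCARD_READERSTATEW rs = {};
    rs.szReader = reader;
    rs.dwCurrentState = SCARD_STATE_UNAWARE;  // first call reports current state
    for (;;) {
        LONG rc = SCardGetStatusChangeW(ctx, INFINITE, &rs, 1);
        if (rc != SCARD_S_SUCCESS) return rc;
        if (card_gone(rs.dwEventState)) return SCARD_S_SUCCESS;
        // Acknowledge this state so the next call blocks until it changes.
        rs.dwCurrentState = rs.dwEventState & ~SCARD_STATE_CHANGED;
    }
}
#endif
```

When `wait_for_removal` returns, the caller ends the session itself, for example by closing its WinHTTP handles with `WinHttpCloseHandle`, since the established SSL connection does not depend on the card.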