Skip to Content

We’re going to look at using the Smart Card SDK provided in more recent versions of Windows (XP and later).  Earlier versions of Windows had an ActiveX installed called CAPICOM which could be accessed from PowerBuilder through OLE Automation, but that control was removed as of Windows Vista because of security issues.

We’re going to look at a number of operations:

Communicating with the card

The first step is establish a context for the API calls.  To do that, we need to declare the following local external function for SCardEstablishContext:


Function ulong SCardEstablishContext  ( &
  Long dwScope, &
  long pvReserved1, &
  long pvReserved2, &
  REF ulong phContext &
  ) Library "winscard.dll"





And call it as follows:


ulong    rc
rc = scardestablishcontext( SCARD_SCOPE_USER, 0, 0, context )
IF rc = SCARD_S_SUCCESS THEN
    Return SUCCESS
ELSE
    Return FAILURE
END IF





Where the following are defined as constants.


CONSTANT LONG SCARD_S_SUCCESS            = 0
CONSTANT LONG SCARD_SCOPE_USER          = 0





Context (the last argument) should be defined as an instance variable because we will need to release it when we are done making API calls.  We will also be passing a reference to it in many of the API calls.


ulong        context





The second step is get a reference to the smart card reader(s) that the user’s machine is equipped with.  We do that by declaring the following local external function for the SCardListReaders method in the SDK:


Function ulong SCardListReaders  ( &
  ulong hContext, &
  Long mszGroups, &
  REF Blob mszReaders, &
  REF Long pcchReaders &
  ) Library "winscard.dll" Alias For "SCardListReadersW"





The API defines the second argument as a string.  However, we want to pass a null, and the way we do that with PowerBuilder is by declaring the argument as a long and then passing a zero.  That causes the method to return all readers, rather than just a subset.

Once we’ve declared that we can use the following PowerScript to get an array that contains the name of all smart card readers on the system.  The SDK returns the list as a null terminated array, so we parse the blob we get back and use the String function to pull the names out and put them in an array that PowerBuilder is more comfortable with.


ulong                    rc
long                    ll_bufflen = 32000
long                    ll_readerlen
string                    ls_reader = Space ( ll_bufflen )
blob                    buffer
buffer = Blob ( ls_reader )  // Preallocate space in the buffer or the call will fail
rc = SCardListReaders ( context, 0, buffer, ll_bufflen )
IF ll_bufflen > 0 THEN
    // BlobMid is messed up.  Len reports Unicode chars, BlobMid acts like ANSI chars
    // so we have to double the values we pass to it to get full Unicode characters
    //Truncate the buffer to what was actually returned
    buffer = BlobMid ( buffer, 1, ( ll_bufflen - 1 ) * 2 )
    //Read off the first value (string stops at the null terminator)
    ls_reader = String ( buffer )
    //Add it to the array
    readers[1] = ls_reader
    //See if we have any data left
    ll_readerlen = ( Len ( ls_reader ) * 2 ) + 3
    buffer = BlobMid ( buffer, ll_readerlen )
    ll_bufflen = Len ( buffer )
    //Loop through for the remaining data
    DO WHILE ll_bufflen > 0
        ls_reader = String ( buffer )
        readers[UpperBound(readers)+1] = ls_reader
        ll_readerlen = ( Len ( ls_reader ) * 2 ) + 3
        buffer = BlobMid ( buffer, ll_readerlen )
        ll_bufflen = Len ( buffer )
    LOOP
END IF





If there are no readers, there isn’t much further to go.  If there is only one, then you can proceed immediately to check if there is a smart card in it.  If there is more than one reader, you may need to check them all to see which have cards in them, and if more than one do then prompt the user to select the card they want to work with.

There is a function in the SDK that can do some of this work for you (SCardUIDlgSelectCard).  It determines what cards are available and prompts the user to select the one they want to work with.  It does require working with an OPENCARDNAME_EX structure though, which is a bit tricky from PowerBuilder.  For a number of reasons, we found that method didn’t serve our needs.  As a result, this sample does all of the work without using that method.

The third step is to attempt to open a connection to any card(s) in the card reader(s) we’ve found.  We do that by first declaring the following local external function for the SCardConnect method in the SDK.


Function ulong SCardConnect  ( &
    Long hContext, &
    String szReader, &
    Long dwShareMode, &
    Long dwPreferredProtocols, &
    REF ulong phCard, &
    REF ulong pdwActiveProtocol &
    ) Library "winscard.dll" Alias For "SCardConnectW"





And then call it in PowerScript as follows:


ulong    rc
rc = SCardConnect ( context, &
                             reader, &
                             SCARD_SHARE_SHARED, &
                             SCARD_PROTOCOL_Tx, &
                             card, &
                             protocol )





Where “reader” is the name of the smart card reader we obtained from the previous step.  The next two arguments are defined constants as follow (along with some other values you might use instead):


CONSTANT LONG SCARD_SHARE_EXCLUSIVE    = 1
CONSTANT LONG SCARD_SHARE_SHARED        = 2
CONSTANT LONG SCARD_SHARE_DIRECT        = 3
CONSTANT LONG SCARD_PROTOCOL_T0         = 1
CONSTANT LONG SCARD_PROTOCOL_T1         = 2
CONSTANT LONG SCARD_PROTOCOL_Tx         = 3





Once again, you’ll want to save “card” and “protocol” off as instance variables, because you’ll need to use them later.


protected ulong        card
protected ulong        protocol





The fourth step (assuming we found a card) is to get the card status to ensure that it’s ready for us to communicate with it.  We do that using the SCardStatus API function:


Function ulong SCardStatus  ( &
    ulong hCard, &
    REF String szReaderName, &
    REF Long pcchReaderLen, &
    REF Long pdwState, &
    REF Long pdwProtocol, &
    REF byte pbAtr[], &
    REF Long pcbAtrLen &
    ) Library "winscard.dll" Alias For "SCardStatusW"





Which we then call via the following PowerScript:


integer    i
ulong    rc
long    pcchReaderLen = 32000
string    szReaderName = Space ( pcchReaderLen )
long    pdwState
long    pdwProtocol
byte     pbAtr[]
long    pcbAtrLen = 32
FOR i = 1 TO pcbAtrLen
    pbAtr[i] = Byte ( Space(1) ) // Prepad the buffer
NEXT
rc = SCardStatus( card, &
    szReaderName, &
    pcchReaderLen, &
    pdwState, &
    pdwProtocol, &
    pbAtr, &
    pcbAtrLen )
IF rc = SCARD_S_SUCCESS THEN
    CHOOSE CASE pdwState
        CASE SCARD_UNKNOWN
            status = 'Unknown'
        CASE SCARD_ABSENT
            status= 'Absent'
        CASE SCARD_PRESENT
            status= 'Present'
        CASE SCARD_SWALLOWED
            status= 'Swallowed'
        CASE SCARD_POWERED
            status= 'Powered'
        CASE SCARD_NEGOTIABLE
            status= 'Negotiable'
        CASE SCARD_SPECIFIC
            status= 'Specific'
        CASE ELSE
            status= 'Not Known'
    END CHOOSE
    atrbytes = pbAtr
    atr = ""
    FOR i = 1 TO pcbAtrLen
        atr += of_bytetohex ( pbAtr[i] )
    NEXT
END IF





Once again, you may want to save off the “status” and the “atr” (Answer to Reset) value.  For ease in using them from PowerBuilder, I’ve converted them to strings (the ATR being a hex encoded string).

The constants for the various possible state values are:


CONSTANT LONG SCARD_UNKNOWN               = 0
CONSTANT LONG SCARD_ABSENT                = 1
CONSTANT LONG SCARD_PRESENT               = 2
CONSTANT LONG SCARD_SWALLOWED             = 3
CONSTANT LONG SCARD_POWERED               = 4
CONSTANT LONG SCARD_NEGOTIABLE            = 5
CONSTANT LONG SCARD_SPECIFIC              = 6





And the of_bytetohex function was borrowed from PFC.


string    ls_hex=''
char    lch_hex[0 to 15] = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', &
                            'A', 'B', 'C', 'D', 'E', 'F'}
Do
    ls_hex = lch_hex[mod (abyte, 16)] + ls_hex
    abyte /= 16
Loop Until abyte = 0
IF Len ( ls_hex ) = 1 THEN
    ls_hex = '0' + ls_hex
END IF
Return ls_hex





Now that we’re connected to the card, the fifth step is to connect to the specific applet on the smart card we want to work with.  For this, you’ll need to have information from the card manufacturer as to the applet IDs you need to communicate with and the specific APDU command syntax they require.  If you are working with US DoD Common Access Cards, a great deal of that information can be obtained from Common Access Card (CAC): Home, particularly Common Access Card (CAC) Security.  The “Test Materials” section contains links for instructions on obtaining test cards and the form to do so.  Also of particular interest on that page are DoD Implementation Guide for CAC Next Generation (NG) and Technical Bulletin: CAC Data Model Change in 144K Dual Interface

Cards

We’ll need to declare the SCardTransmit API call to send commands to the applet:


Function ulong SCardTransmit( &
      ulong hCard, &
      Long pioSendPci, &
     byte pbSendBuffer[], &
      Long cbSendLength, &
      Long pioRecvPci, &
      REF byte pbRecvBuffer[], &
      REF long pcbRecvLength &
    ) Library "winscard.dll"





The API documentation indicates that the second argument is a SCARD_IO_REQUEST structure, but we’re going to use a pointer to that structure that we obtain from the SDK.  The API documentation indicates that the fifth argument is a similar structure, but we’re going to declare it as a long and pass 0 to indicate that we’re passing null for that value.

We create a wrapper function because we’re going to be sending a number of commands to the card.  The function takes a byte array as an argument and returns a string with status info.


integer    i
ulong        rc
byte        sendBuffer[]
long        pioSendPci
byte         pbRecvBuffer[]
long         pcbRecvLength
long        cbSendLength
byte        getdata[5]
string        respSW1
string        respSW2
cbSendLength = UpperBound ( apdu )
FOR i = 1 TO cbSendLength
    sendBuffer[i] = of_hextobyte ( apdu[i] )
NEXT
pcbRecvLength = 2
FOR i = 1 TO pcbRecvLength
    pbRecvBuffer[i] = 0 ;
NEXT
pioSendPci = of_getpci()
rc = SCardTransmit ( card, &
      pioSendPci, &
    sendBuffer, &
      cbSendLength, &
      0, &
      pbRecvBuffer, &
     pcbRecvLength )
IF rc <> scard_s_success THEN return ""
respSW1 = of_bytetohex ( pbRecvBuffer[1] )
respSW2 = of_bytetohex ( pbRecvBuffer[2] )
//This means there is more data to come
IF respSW1 = "61" THEN
    getdata[1] = of_hextobyte ( "00" )
    getdata[2] = of_hextobyte ( "C0" )
    getdata[3] = of_hextobyte ( "00" )
    getdata[4] = of_hextobyte ( "00" )
    getdata[5] = pbRecvBuffer[2]
    cbSendLength = 5
    pcbRecvLength = pbRecvBuffer[2] + 2 // We need two extra bytes for the status bits
    FOR i = 1 TO pcbRecvLength
        pbRecvBuffer[i] = 0 ;
    NEXT
    rc = SCardTransmit ( card, &
        pioSendPci, &
        getdata, &
        cbSendLength, &
        0, &
        pbRecvBuffer, &
        pcbRecvLength )
    IF rc <> SCARD_S_SUCCESS THEN Return ""
    respSW1 = of_bytetohex ( pbRecvBuffer[pcbRecvLength - 1] )
    respSW2 = of_bytetohex ( pbRecvBuffer[pcbRecvLength] )
END IF
Return respSW1 + respSW2





The script uses another method borrowed from PFC (of_hextobyte)  to convert a hex value to a byte:


char        lch_char[]
integer    li_byte
int li_dec[48 to 70], li_i, li_len
//Get the decimal code for hexadecimal value of '0' to 'F'
// Whose ASC Value are from 48 to 57 and 65 to 70
For li_i = 48 To 57
    li_dec[li_i] = li_i - 48
Next
For li_i = 65 To 70
    li_dec[li_i] = li_i - 55
Next
as_hex = upper(as_hex)
lch_char = as_hex
li_len = len (as_hex)
//Convert Hexadecimal data into decimal
For li_i = 1 to li_len
    //Make sure only 0's through f's are present
    Choose Case lch_char[li_i]
        Case '0' to '9', 'A' to 'F'
            li_byte = li_byte * 16 + li_dec[asc(lch_char[li_i])]
        Case Else
            Return li_byte
    End Choose
Next
Return li_byte





The of_getpci method is the one that gets a pointer to a LPCSARD_IO_REQUEST structure from the winscard DLL:


ulong dllhandle
ulong pci
dllhandle = LoadLibrary ( "WinSCard.dll" )
pci = GetProcAddress ( dllhandle, "g_rgSCardT0Pci" )
FreeLibrary(dllhandle)
return pci





That method in turn relies on external function declarations for three Windows API functions:


Function ulong LoadLibrary ( &
    string fileName&
    ) Library "kernel32.dll" Alias For "LoadLibraryW"
SubRoutine FreeLibrary ( &
    ulong dllhandle &
    ) Library "kernel32.dll"
Function ulong GetProcAddress ( &
    ulong dllhandle, &
    string procName &
    ) Library "kernel32.dll" Alias For "GetProcAddress;Ansi"





The return value from the SCardTransmit is “9000” if it works.  If the first two characters are “61”, it means that the call returns more data than could be returned in the original request.  If that is the case, a second call is made to the function to retrieve the rest of the data.

Ok, now we’re ready to select the applet.  This is the card specific process, so the following example will only work for US DoD CAC cards.  You will need to consult information from the manufacturer of the card for specific details on how to deal with it.

There are two versions of the US DoD CAC card, one in which you need to access an applet ID of 790101 (the first version).  If that fails, we attempt to connect to a container applet ID of 790100 and, if that works, an applet within it through it’s object ID of 0101.


string    apdu[]
string    respSW
string    emptyarray[]
apdu[1] = "00"
apdu[2] = "A4" // Select
apdu[3] = "04" // By id
apdu[4] = "00" // first record
apdu[5] = "07" // Lenth of data
apdu[6] = "A0" // Applet ID to bit 11
apdu[7] = "00"
apdu[8] = "00"
apdu[9] = "00"
apdu[10] = "79"
apdu[11] = "01"
apdu[12] = "01"
respSW = of_sendapdu ( apdu )
// If we got OK, then it's an old card and we're already good
IF respSW =  SWRESPOK THEN
  version = '1'
ELSE
    //Otherwise, try using the new card method
    //Select the master applet
    apdu[12] = "00"
    respSW = of_sendapdu ( apdu )
    IF respSW <> SWRESPOK THEN
        //We don't know what it is
        Return FAILURE
    END IF
    //Reset the array
    apdu = emptyarray
    apdu[1] = "00" // CLA
    apdu[2] = "A4" // INS - select object
    apdu[3] = "02" // P1
    apdu[4] = "00" // P2 -
    apdu[5] = "02" // Lc - length of data
    apdu[6] = "01" // file id
    apdu[7] = "01"
    respSW = of_sendapdu ( apdu )
    IF respSW = SWRESPOK THEN
        version = '2'
    ELSE
        //We couldn't select the applet
        version = 'Unknown'
        Return FAILURE
    END IF
END IF
Return SUCCESS





Before we go into specific operations, let’s see what we need to do to clean up after ourselves when we’re done.  So, for our sixth step we need to disconnect from the card.  To do that, we declare a local external function for the SCardDisconnect method in the SDK:


Function ulong SCardDisconnect ( &
    ulong hCard, &
    long dwDisposition &
    ) Library "winscard.dll"





And call it with the following PowerScript:


ulong    rc
rc = scarddisconnect( card, SCARD_LEAVE_CARD )
SetNull ( card )
IF rc = SCARD_S_SUCCESS THEN
    Return SUCCESS
ELSE
    Return FAILURE
END IF





Where SCARD_LEAVE_CARD (and other values you might need to use) are defined as:


CONSTANT LONG SCARD_LEAVE_CARD            = 0
CONSTANT LONG SCARD_RESET_CARD            = 1
CONSTANT LONG SCARD_UNPOWER_CARD      = 2





Finally, in our seventh step, we need to release the context that we established in the first step.  We need the SCardReleaseContext SDK method for that:


Function ulong SCardReleaseContext( &
    ulong hContext &
    ) Library "winscard.dll"





And then use the following PowerScript to call it:


ulong rc
rc = scardreleasecontext( context )
IF rc = SCARD_S_SUCCESS THEN
    Return SUCCESS
ELSE
    Return FAILURE
END IF




Validating the user’s PIN

Now that we know how to connect to the card, we’ll look at some specific operations that we might want to perform using it.  One is to have the user validate their PIN so we know that the user is actually the holder of the card.  To do that, we need to send a specific APDU command to the card while we’re connected to it.  For US DoD CAC cards, the value is 00 20 00 followed by the length of the PIN buffer ( “08” ) and then the hex encoded PIN right padded to the length of the PIN buffer with FF values.

In the following sample, w_pin is a window that is presented to the user into which they enter their PIN.  The return code from the APDU call, if the PIN is invalid, indicates the number of additional attempts the user is allowed to make before the card is automatically locked and the user will need to go to a RAPIDS site to have the card unlocked.


int        i
int        chances
int        pinlen
string apdu[]
string    ls_pin
string    respSW
Open ( w_pin )
ls_pin = message.StringParm
// User hit cancel
IF ls_pin = "" THEN Return NO_ACTION
pinlen = Len ( ls_pin )
apdu[1] = "00" // CLA
apdu[2] = "20"  // Verify PIN
apdu[3] = "00" // Not used
apdu[4] = "00" // Not used
apdu[5] = "08" // Indicate length of data, fixed at 8
// Add the PIN to the APDU
FOR i = 1 TO pinlen
    apdu[5 + i] = of_bytetohex ( Asc ( Mid ( ls_pin, i, 1 ) ) )
NEXT
// Pad out the rest of the APDU with 0xFF
FOR i = pinlen + 6 TO 13
    apdu[i] = "FF"
NEXT
respSW = of_sendapdu ( apdu )
CHOOSE CASE respSW
    CASE SWRESPOK
        // PIN Verified
        Return SUCCESS
    CASE PINLOCKED
        Return PIN_LOCKED
    CASE CACLOCKED
        Return CAC_LOCKED
    CASE INVALIDDATA
        Return INVALID_DATA
    CASE PINUNDEFINED
        Return PIN_UNDEFINED
    CASE ELSE
        IF Left ( respSW, 2 ) = PININVALID THEN
            chances = Integer ( Right ( respSW, 1 ) )
            Return -chances
        End If
END CHOOSE





The possible status codes returned from the APDU call are defined as:


CONSTANT STRING PININVALID         = "63"
CONSTANT STRING PINLOCKED        = "63C0"
CONSTANT STRING CACLOCKED       = "6983"
CONSTANT STRING INVALIDDATA      = "6984"
CONSTANT STRING PINUNDEFINED   = "6A88"





Reading the certificate Subject Name

The other thing we may want to do, once we’ve verified that the user knows the CAC PIN, is determine who the CAC card says the user is.  To do that, we’re going to read the certificate off the card and then determine what the CN value of the Subject Name is. The US DoD stores the user’s name and EDI/PI number in the CN value in the following format:  CN=LastName.FirstName.MiddleName.EDI/PI

The first step to access the certificate is to establish a cryptography context using the Windows API CryptAcquireContext method:


Function ulong CryptAcquireContext ( &
    REF ulong hProv, &
    ulong pszContainer, &
    string pProviderName, &
    long dwProvType, &
    long dwFlags &
    ) Library "advapi32.dll" Alias For "CryptAcquireContextW"





And call it using this PowerScript:


ulong    rc
rc = CryptAcquireContext ( &
    prov, &
    0, &
    providername, &
    PROV_RSA_FULL, &
    0 )





“prov” is a pointer to the cryptography context that is passed by reference returned to us as a result of the call, defined as:


ulong        prov





We declared pszContainer as a ulong rather than a string (as in the SDK) because we’re passing 0 indicating a null value.  “providername” is also passed by reference as is defined as follows.  However, we don’t use the value.


string        providername





And PROV_RSA_FULL is defined as:


CONSTANT LONG PROV_RSA_FULL                = 1





The second step, once we have the context, we need to call CryptGetUserKey in the Windows API to get a handle to the certificate:


Protected Function ulong CryptGetUserKey ( &
    ulong hProv, &
    long dwKeySpec, &
      REF ulong phUserKey &
    ) Library "advapi32.dll"





And call it as follows:


ulong        rc
rc = CryptGetUserKey ( &
  prov, &
  AT_KEYEXCHANGE, &
  userkey )





Where AT_KEYEXCHANGE is defined as:


LONG AT_KEYEXCHANGE   = 1





And “userkey” is passed by referenced and returned to us by the method, defined as:


ulong        userkey





The third step is to call CryptGetKeyParam in the Windows API, declared as follows, to get the actual certificate:


Function ulong CryptGetKeyParam ( &
    ulong hKey, &
    long dwParam, &
    REF byte pbData[], &
    REF long pdwDataLen, &
    long dwFlags &
    ) Library "advapi32.dll"





And call it as follows:


integer    i
ulong        rc
long        certlen
byte        temp[]
//Call it with 0 first to get the size
certlen = 0
rc =  CryptGetKeyParam ( &
        userkey, &
        KP_CERTIFICATE, &
        temp, &
        certlen, &
        0 )
//Now setup the buffer and call again for that size
FOR i = 1 TO certlen
    temp[i] = 0
NEXT
rc =  CryptGetKeyParam ( &
        userkey, &
        KP_CERTIFICATE, &
        temp, &
        certlen, &
        0 )
certbytes = temp





Where KP_CERTIFICATE is defined as:


CONSTANT LONG KP_CERTIFICATE                    = 26





As indicated in the code comments, we call the function once with certlen set to 0 and the function returns the size of the certificate to use.  We then call it a second time with a byte buffer populated to that size to get the certificate data.

The fourth step once we have the certificate data is to convert it to a certificate.  To do that, we first have to establish a certificate context using CertCreateCertificateContext in the Windows API:


Protected Function ulong CertCreateCertificateContext ( &
    long dwCertEncodingType, &
    byte pbCertEncoded[], &
    long cbCertEncoded &
    ) Library "crypt32.dll"





And call it as follows:


long    certlen
long    encoding = X509_ASN_ENCODING + PKCS_7_ASN_ENCODING
certlen = UpperBound ( certbytes )
certContextPointer = CertCreateCertificateContext ( &
    encoding, &
    certbytes, &
    certlen )





Where X509_ASN_ENCODING and PKCS_7_ASN_ENCODING are defined as:


CONSTANT LONG PKCS_7_ASN_ENCODING       = 65536 // 0x00010000
CONSTANT LONG X509_ASN_ENCODING            = 1





And certContextPointer is defined as:


ulong    certcontextpointer





The fifth step is to get the Subject Name off the certificate using the CertGetNameString method in the Windows API:


Function ulong CertGetNameString ( &
    ulong pCertContext, &
    long dwType, &
    long dwFlags, &
    long pvTypePara, &
    REF string pszNameString, &
    REF long cchNameString &
    ) Library "crypt32.dll" Alias For "CertGetNameStringW"





And call it as follows:


ulong        rc
long        subjectlen
string        ls_subject
subjectlen = 256
ls_subject = Space ( subjectlen )
rc = CertGetNameString ( &
    certContextPointer, &
    CERT_NAME_SIMPLE_DISPLAY_TYPE, &
    0, &
    0, &
    ls_subject, &
    subjectlen )





Where CERT_NAME_SIMPLE_DISPLAY_TYPE is defined as:


CONSTANT LONG CERT_NAME_SIMPLE_DISPLAY_TYPE = 4





Now that we have the subject name, we need to release the certificate context.  We do that with the CertFreeCertificateContext Windows API function.


Function ulong CertFreeCertificateContext (&
    ulong pCertContext &
    ) Library "crypt32.dll"





Which we call as follows:


ulong    rc
rc = CertFreeCertificateContext ( certcontextpointer )





After which we need to release the cryptography context as well using the CryptReleaseContext Windows API function:


Function ulong CryptReleaseContext ( &
    ulong hProv, &
    long dwFlags &
    ) Library "advapi32.dll"





And call as follows:


ulong rc
rc = CryptReleaseContext ( &
    prov, &
    0 )




Reading other Certificate Data

Once we have a pointer to a CERT_CONTEXT structure, one member of which is a CERT_INFO structure, we can actually access the certificate.  The first thing we need to do is create a PowerBuilder structure we can copy the data into.


global type cert_context from structure
  long dwcertencodingtype
  unsignedlong pbcertencoded
  long cbcertencoded
  unsignedlong pcertinfo
  unsignedlong hcertstore
end type

Then declare the following which we can use to perform the copy:


Protected Subroutine CopyCERT_CONTEXT ( &
  ref CERT_CONTEXT dest, &
  ulong source, &
  long buffsize &
  ) Library "kernel32" Alias For "RtlMoveMemory"

And we call it as follows:


cert_context lstr_cert_context
CONSTANT LONG CERT_CONTEXT_SIZE = 20
long buffersize =
CopyCERT_CONTEXT ( lstr_cert_context, certcontextpointer, CERT_CONTEXT_SIZE )

Now we’re going to declare a PowerBuilder structure to hold the certificate information:


global type cert_info from structure
     long          dwversion
     crypt_integer_blob          serialnumber
     crypt_algorithm_identifier          signaturealgorithm
     cert_name_blob          issuer
     filetime          notbefore
     filetime          notafter
     cert_name_blob          subject
     cert_public_key_info          subjectpublickeyinfo
     crypt_bit_blob          issueruniqueid
     crypt_bit_blob          subjectuniqueid
     long          cextension
     unsignedlong          rgextension
end type

The crypt_integer_blob structure referenced above is defined as:


global type crypt_integer_blob from structure
     long          cbdata
     long          pbdata
end type

The crypt_algorithm_identifier structure referenced above is defined as:


global type crypt_algorithm_identifier from structure
     long          pszobjid
     crypt_objid_blob          parameters
end type

The crypt_objid_blob structure referenced here is defined as:


global type crypt_objid_blob from structure
     long          cbdata
     long          pbdata
end type

The cert_name_blob structure referenced above is defined as:


global type cert_name_blob from structure
     long          cbdata
     long          pbdata
end type

The filetime structure referenced above is defined as:


global type filetime from structure
     long          lowdatetime
     long          highdatetime
end type

The cert_public_key_info structure referenced above is defined as:


global type cert_public_key_info from structure
     crypt_algorithm_identifier          algorithm
     crypt_bit_blob          publickey
end type

The crypt_algorithim_identifier structure is defined above.  The crypt_bit_blob structure is defined as:


global type crypt_bit_blob from structure
     long          cbdata
     long          pbdata
     long          cUnusedBits
end type

Then declare the following in order to copy the information from the cert_into portion of the cert_context into the PowerBuilder structure:


Protected Subroutine CopyCERT_INFO ( &
  ref CERT_INFO dest, &
  ulong source, &
  long buffsize &
  ) Library "kernel32" Alias For "RtlMoveMemory"

And then call it as follows:


cert_info               lstr_cert_info
CONSTANT LONG CERT_INFO_SIZE                    = 112
long buffsize = CERT_INFO_SIZE
CopyCERT_INFO ( lstr_cert_info, lstr_cert_context.pcertinfo, buffsize )

Now let’s access some of the certification information.  We’re going to need the following function declared so we can convert the start and end dates of the certificate’s valid lifetime.



Protected Function ulong FileTimeToSystemTime ( &
  filetime lpFileTime, &
  REF systemtime lpSystemTime &
  ) Library "kernel32.dll"

We’re going to need to define a PowerBuilder structure to pass for the systemtime.


global type systemtime from structure
     uint          wYear
     uint          wMonth
     uint          wDayOfWeek
     uint          wDay
     uint          wHour
     uint          wMinute
     uint          wSecond
     uint          wMilliseconds
end type

And then call it as follows:


systemtime          lstr_notbefore
systemtime          lstr_notafter
ulong                    rc
rc = FileTimeToSystemTime( lstr_cert_info.notbefore, lstr_notbefore )
rc = FileTimeToSystemTime( lstr_cert_info.notafter, lstr_notafter )

The following will convert the systemtime structures to a PowerBuilder datetime variables


datetime notbefore
datetime notafter
notbefore = DateTime ( Date ( lstr_notbefore.wyear, lstr_notbefore.wmonth, lstr_notbefore.wday ), &
  Time ( lstr_notbefore.whour, lstr_notbefore.wminute, lstr_notbefore.wsecond, lstr_notbefore.wMilliseconds ) )
notafter = DateTime ( Date ( lstr_notafter.wyear, lstr_notafter.wmonth, lstr_notafter.wday ), &
  Time ( lstr_notafter.whour, lstr_notafter.wminute, lstr_notafter.wsecond, lstr_notafter.wMilliseconds ) )

Finally we’re going to grab the public certificate both as a byte array and as a hex string.  We’re going to need one more function declaration:


Protected Subroutine CopyCertEncoded ( &
  ref byte dest[], &
  ulong source, &
  long buffsize &
  ) Library "kernel32" Alias For "RtlMoveMemory"

And then call it as follows:


byte                    encodedcert[]
string                    ls_cert
buffsize = lstr_cert_info.subjectpublickeyinfo.publickey.cbdata
FOR i = 1 TO buffsize
     encodedcert[i] = 0
NEXT
CopyCertEncoded ( encodedcert, lstr_cert_info.subjectpublickeyinfo.publickey.pbdata, buffsize )
FOR i = 1 TO buffsize
     ls_cert += of_bytetohex ( encodedcert[i] )
NEXT


To report this post you need to login first.

15 Comments

You must be Logged on to comment or reply to a post.

  1. Mark van Niekerk

    Hi Bruce.

    Just had to do some integration work involving RFID Smart card reader. You cannot believe how much your example above helped.

    Thank you sooo much.

    Regards

    Mark

    (0) 
  2. FRANCO CASTILLO

    Hello Bruce.  I’m trying to implement this code in a reader ATHENA ASEDrive V3CR, however your code does not understand very well the variable: SWRESPOK, you could explain a little more?

    Thanks

    (0) 
    1. Bruce Armstrong Post author

      Yep, looks like I missed one of the constant definitions. 

           CONSTANT  STRING  SWRESPOK  =  “9000”

      Let me know if you encounter other problems.

      (0) 
      1. FRANCO CASTILLO

        Dear Bruce, thank you very much for your help. I have another question, the function SCardTransmit return 22, I researched and apparently is an unrecognized command, you’ll have some idea that can be?

        (0) 
        1. Bruce Armstrong Post author

          the function SCardTransmit return 22, I researched and apparently is an unrecognized command, you’ll have some idea that can be?

          Returned from which call?  That particular call is made quite a bit.

          If you’re able to connect to the card reader and then to the card, but you’re failing when you request to talk to the applet, then the issue is that you need to find out what particular ID the card you are working with needs you to send for it’s applet.

          (0) 
            1. Bruce Armstrong Post author


              Returned, inside the function: of_sendapdu ( apdu ), call a SCardTransmit, this last returned the code 22 ( if rc <> scard_s_success then….. ). 


              Error 22 means “Bad Command”.  The card doesn’t recognize the APDU you sent it.  That’s where documentation from the card vendor is required.


              System Error Codes (0-499) (Windows)

              I requested help Athena and they said to use ( Authentication Functions (Windows) ) is the same function using here,


              Correct, those are the functions we’re using.


              however they do not indicate the id card etc.

              Based on what you said earlier, Athena is the manufacturer of the card reader.  They have no idea what card you’re trying to use.  You need to find out who made the card you’re trying to talk to.

              (0) 
  3. Levi Keith

    Bruce,

    I am trying to do this same thing in a VB application. I have gotten everything to work up to the transmit section. Do you have the full code that you could send to me? I noticed that a few functions aren’t declared above.

    (0) 
  4. Martin Kaltenboeck

    Hi Bruce, this tutorial helped me a lot on my first trials with reading a Smartcard and reading the certificate. Thank you very much for that. Now the next challenge is to get out the several values of the certificate. You showed an example to get the subject via CertGetNameString(), but how can I get the other values. Your hint of having a pointer to the CERT_CONTEXT (and CERT_INFO) structures is clear to me, but how can I access these structures? Can you give me an idea of what api-functions to call or how to read the structures in Powerbuilder? Regards, Martin

    (0) 
    1. Bruce Armstrong Post author

      I’ve expanded the article to indicate how to access other values.  Let me know if it works for you or if you run into problems.

      (0) 
      1. Martin Kaltenboeck

        Hi Bruce, I integrated your code snippets into my services and they work perfect. The RtlMoveMemory function to copy the Information from the Memory addresses into PB structures was the thing I was missing out. I also was able to read the serialnumber by declaring a copy function that is receiving a PB Long in the dest Parameter: (Subroutine CopyLong (ref long dest, ulong source, long buffsize) Library “kernel32” Alias For “RtlMoveMemory”) Anyway, I have problems to grab some other properties (Issuer, Subject) of the structure. I can copy the data to a byte array in the same way, which in my case has a length of 164 Bytes, but they are encoded. so how can I decode this Information? Would be great if you could point me out, how to get this Information! Many thanks, Martin

        (0) 
  5. Rusty Rickmon

    Hi Bruce

    I hope you can help me.  It is a tremendous article, definitely helped to validate the user PIN of a DOD CAC.

    I am having a problem retrieving the EDIPI # from the subject name.  I am getting the crypto context handle, but when I use the handle to retrieve the userkey in CryptGetUserKey, I get a return code of 0, and userkey stays a 0.

    Here is my code:

    CONSTANT LONG AT_KEYEXCHANGE = 1

    ulong rc

    rc = CryptGetUserKey (il_crypto_context, AT_KEYEXCHANGE, il_userkey )

    IF rc = 1 THEN

         Return 1

    ELSE

         Return -7

    END IF

    I’m not sure why it isn’t working.

    Thank You

    Rusty Rickmon

    (0) 
    1. Bruce Armstrong Post author

      Ive put my code up on my Google Drive:  Powerbuilder Samples

      Looks for winscard_demo.

      Run that and see if it doesn’t show the subject.

      I’m not using CryptGetUserKey though.  That function is for getting the public/private key pairs.  You don’t need that to get the subject.

      (0) 

Leave a Reply