Reputation: 1155
I am successfully retrieving certificates and their private key as follows:
#include <windows.h>
#include <wincrypt.h>
#include <ncrypt.h>
#include <cardmod.h>   /* PIN_INFO */

/* sys is an open HCERTSTORE and search the PCCERT_CONTEXT to match (both set up earlier). */
PCCERT_CONTEXT cert = NULL;
if (!(cert = CertFindCertificateInStore(sys, X509_ASN_ENCODING, 0, CERT_FIND_EXISTING, search, NULL))) {
    // error handling
}
CertFreeCertificateContext(search);

/* Get the CNG (NCrypt) handle of the certificate's private key without prompting the user. */
HCRYPTPROV_OR_NCRYPT_KEY_HANDLE key = 0;
DWORD dwKeySpec = 0;
if (!CryptAcquireCertificatePrivateKey(cert, CRYPT_ACQUIRE_CACHE_FLAG | CRYPT_ACQUIRE_COMPARE_KEY_FLAG | CRYPT_ACQUIRE_SILENT_FLAG | CRYPT_ACQUIRE_ONLY_NCRYPT_KEY_FLAG, NULL, &key, &dwKeySpec, NULL))
{
    // error handling
}

/* Read the smart card PIN_INFO structure (PIN type, purpose, caching policy) from the key's KSP.
   Check the returned SECURITY_STATUS: pin_info_size is already non-zero before the call, so it is not a success indicator. */
PIN_INFO pin_info;
DWORD pin_info_size = sizeof(PIN_INFO);
SECURITY_STATUS status = NCryptGetProperty(key, NCRYPT_SCARD_PIN_INFO, (PBYTE)&pin_info, pin_info_size, &pin_info_size, 0);
if (status == ERROR_SUCCESS)
{
    // success: pin_info is populated
}
// obtain PIN attempt remaining from key
I can confirm details of the private key PIN from NCryptGetProperty, but the key bit of information I need is the number of PIN attempts remaining, and whether the PIN is locked.
I know the PKCS#11 API gives me this, but I am struggling to get the CNG API to give me the information.
What Windows API call must be used to get the info described above?
The end goal is to be considerate to the end user.
Upvotes: 1
Views: 70
Reputation: 5333
The VERIFY command as described in ISO 7816-4 specifies a way to get the number of further allowed retries by sending an empty data field. (The PIN is identified, as usual, in P2.)
If you get SW1/SW2 as 9000, this means that the PIN was already successfully verified, so the maximum value should apply. If 63Cx is returned, you still have x attempts to successfully verify that PIN.
As usual, one can't rely on a card actually supporting that command variant: receiving status values such as 6700 and 6A86 most likely indicates non-support, while 6983 (or 63C0) suggests that the command is understood but the PIN is already blocked.
Upvotes: 1
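An added example, not code from the question or the answer, of the query the answer describes: a case-1 VERIFY APDU (CLA 00, INS 20, P1 00, P2 = PIN reference) with no data field, and the classification of the status word into verified / retries left / blocked / unsupported. The transport is abstracted behind a function pointer so the logic runs offline against a constructed stand-in card; on Windows the real hook would wrap SCardTransmit, i.e. this talks PC/SC directly rather than going through the CNG KSP. The P2 value 0x01 and the stand-in card's 63C2 reply are assumed placeholders; the PIN reference depends on the card.

```c
#include <stdint.h>
#include <stddef.h>

typedef enum {
    PIN_VERIFIED,     /* 9000: PIN already verified, maximum retry count applies */
    PIN_RETRIES_LEFT, /* 63Cx with x > 0: x attempts remain */
    PIN_BLOCKED,      /* 6983 or 63C0: PIN is blocked */
    PIN_UNSUPPORTED,  /* 6700 / 6A86: card does not support the empty VERIFY query */
    PIN_UNKNOWN       /* any other status word, or transport failure */
} pin_state_t;

/* Case-1 VERIFY APDU: CLA=00 INS=20 P1=00 P2=<PIN reference>; no Lc, no data, no Le. */
size_t build_verify_query(uint8_t p2, uint8_t *apdu, size_t cap) {
    if (cap < 4) return 0;
    apdu[0] = 0x00; apdu[1] = 0x20; apdu[2] = 0x00; apdu[3] = p2;
    return 4;
}

/* Map SW1/SW2 to a state; *retries is set only for PIN_RETRIES_LEFT, otherwise -1. */
pin_state_t classify_sw(uint8_t sw1, uint8_t sw2, int *retries) {
    if (retries) *retries = -1;
    if (sw1 == 0x90 && sw2 == 0x00) return PIN_VERIFIED;
    if (sw1 == 0x63 && (sw2 & 0xF0) == 0xC0) {
        if ((sw2 & 0x0F) == 0) return PIN_BLOCKED;          /* 63C0: no attempts left */
        if (retries) *retries = sw2 & 0x0F;
        return PIN_RETRIES_LEFT;
    }
    if (sw1 == 0x69 && sw2 == 0x83) return PIN_BLOCKED;
    if ((sw1 == 0x67 && sw2 == 0x00) || (sw1 == 0x6A && sw2 == 0x86)) return PIN_UNSUPPORTED;
    return PIN_UNKNOWN;
}

/* Transport hook: on Windows this would wrap SCardTransmit; returns 0 on success. */
typedef int (*transmit_fn)(const uint8_t *cmd, size_t cmd_len, uint8_t *rsp, size_t *rsp_len);
pin_state_t query_pin_retries(transmit_fn tx, uint8_t p2, int *retries) {
    uint8_t cmd[4], rsp[258];
    size_t rlen = sizeof rsp;
    if (build_verify_query(p2, cmd, sizeof cmd) != 4 || tx(cmd, 4, rsp, &rlen) != 0 || rlen < 2) {
        if (retries) *retries = -1;
        return PIN_UNKNOWN;
    }
    return classify_sw(rsp[rlen - 2], rsp[rlen - 1], retries);  /* SW1/SW2 are the last two bytes */
}
/* Constructed stand-in card (no reader needed): answers 63C2 to an empty VERIFY, 6D00 otherwise. */
int fake_card_two_left(const uint8_t *cmd, size_t cmd_len, uint8_t *rsp, size_t *rsp_len) {
    int empty_verify = (cmd_len == 4 && cmd[1] == 0x20);
    rsp[0] = empty_verify ? 0x63 : 0x6D; rsp[1] = empty_verify ? 0xC2 : 0x00;
    *rsp_len = 2; return 0;
}
```

Treat PIN_UNSUPPORTED as "unknown, fall back to the PIN_INFO / mini-driver data" rather than as a retry count of zero.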