Microsoft Windows systems use CryptoAPI in native win32 applications that deal with cryptography. Implementing a full CSP for use in the CryptoAPI ecosystem is a tedious task. BaseCSP implements the heavyweight CSP functionality whereas a card minidriver implements only the necessary calls to support a (usually single) smart card.
The situation is comparable to OpenSC itself, where the OpenSC framework takes care of the annoying parts and to support a new smart card, just a card specific driver needs to be implemented.
The smart card minidriver offers a shortcut compared to building a traditional cryptographic service provider (CSP). It does this by handling most of the complicated cryptographic tasks behind the scenes, saving the developer time and effort. Available specifications can be found here. The versions are:
- version 5 of the minidriver specification applies to Windows XP (and Windows Vista),
- version 6 applies to Windows Vista,
- version 7 applies to Windows 7 and later.
Sources available from Microsoft:
- Specifications
- Smart Card Minidrivers Descriptions
- Smart Card Minidriver Overview
- Developer Guidelines
Supported cards must be listed in HKLM\SOFTWARE\Microsoft\Cryptograph\Calais\!SmartCards
.
In the following template smart card name ("Example Card") in the key name, ATR and ATRmask must be changed, the rest is standard boilerplate, given that the path to the DLL is correct (no path needed if the file is in system folder, which is the default in WindowsInstaller):
HKLM\SOFTWARE\Microsoft\Cryptograph\Calais\!SmartCards\Example Card
HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptograph\Calais\!SmartCards\Example Card
"ATR"=hex:XX,XX,XX,XX,XX,XX,XX,XX
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
"Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
"Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
"80000001"="C:\Program Files\OpenSC Project\OpenSC\minidriver\opensc-minidriver.dll"
Windows 7 has a renewed device manager and has the capability of downloading smart card drivers automagically from Windows Update. OpenSC contains a rudimentary .inf file to satisfy the needs of device manager, which identifies devices based on the historical bytes in the ATR of a smart card. For example, the device ID of the Estonian ID card would be CID_4573744549442076657220312E30
. Changes similar to the registry should be done in the .inf file, before asking Windows to update the unknown smart card device in the device manager with the .inf file.
For testing with Vista and Windows 7 (Windows XP does not contain certutil.exe
)
_certutil.exe -SCinfo_
Smart cards with two ATR-s (warm and cold) don't fit into the minidriver discovery design. Additional (signed) filter driver (available for Vista and Windows 7) is needed, which only exposes the cold ATR of the card to userland applications.