Microsoft Windows systems use CryptoAPI in native win32 applications that deal with cryptography. Implementing a full CSP for use in the CryptoAPI ecosystem is a tedious task. BaseCSP implements the heavyweight CSP functionality whereas a card minidriver implements only the necessary calls to support a (usually single) smart card.
The situation is comparable to OpenSC itself, where the OpenSC framework takes care of the annoying parts and to support a new smart card, just a card specific driver needs to be implemented.
Unlike a full CSP (which needs to be signed by Microsoft) developing a minidriver is supposed to be easier. (*) BaseCSP is available as a separate download for Windows XP x86. BaseCSP is integrated into Windows starting from Windows Vista. The functionality of the subsystem differs between Windows versions:
- version 5 of the minidriver specification applies to Windows XP (and Windows Vista)
- version 6 applies to Windows Vista
- version 7 applies to Windows 7.
Specifications are freely available from Microsoft:
Supported cards must be listed in HKLM\SOFTWARE\Microsoft\Cryptograph\Calais\!SmartCards.
In the following template smart card name (“Example Card”) in the key name, ATR and ATRmask must be changed, the rest is standard boilerplate, given that the path to the DLL is correct (no path needed if the file is in system folder, which is the default in WindowsInstaller)
- HKLM\SOFTWARE\Microsoft\Cryptograph\Calais\!SmartCards\Example Card
- HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptograph\Calais\!SmartCards\Example Card
- “ATR”=hex:XX,XX,XX,XX,XX,XX,XX,XX
- “ATRMask”=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
- “Crypto Provider”=“Microsoft Base Smart Card Crypto Provider”
- “Smart Card Key Storage Provider”=“Microsoft Smart Card Key Storage Provider”
- “80000001”=“C:\Program Files\OpenSC Project\OpenSC\minidriver\opensc-minidriver.dll”
Windows 7 has a renewed device manager and has the capability of downloading smart card drivers automagically from Windows Update. OpenSC contains a [source:trunk/src/minidriver/opensc-minidriver.inf.in rudimentary .inf file] to satisfy the needs of device manager, which identifies devices based on the historical bytes in the ATR of a smart card. For example, the device ID of the Estonian ID card would be CID_4573744549442076657220312E30. Changes similar to the registry should be done in the .inf file, before asking Windows to update the unknown smart card device in the device manager with the .inf file.
For testing with Vista and Windows 7 (Windows XP does not contain certutil.exe)
certutil.exe -SCinfo
Smart cards with two ATR-s (warm and cold) don’t fit into the minidriver discovery design. Additional (signed) filter driver (available for Vista and Windows 7) is needed, which only exposes the cold ATR of the card to userland applications. See KB981665 for more information. A pre-built and signed version of this will be made available in near future (and bundled with WindowsInstaller)