RE: Biometric CSP wrapper

1. You need to have your own Context (returned by CPAcquireContext) and the
key and hash handles. Basically every time you get a handle from the
'downstream' original smartcard CSP you allocate some memory, stuck the
original handle into it and return your own handle in a way that when you get
it back you can find your allocated struct. (Of course, the simplest way is
to return the address yof your allocated struct.) When the context / handle
is used you get the 'downstream' context / handle from your struct and pass
that down to the smartcard CSP. When the context / handle is released you do
the same - plus you also free your memory block.

2. There are two ways to call down:
(a) you use the upper layer Crypt... functions - yes that works
(b) you load the downstream smartcard CSP (LoadLibrary) and get each of its
exported CP... function addresses (GetProcAddress) then call it that way. I
have used only this method - I feel it's cleaner.

Now there is one security issue with the second method: while in case of (a)
Windows ensures that only properly signed CSP is loaded in the (b) case you
may want to check the CSP's signature - especially if it's not one of the
standard MS CSPs. (I only used downstream MS CSP getting the CSP data from
the Registry so I never really checked the signature. My assumption has been
that if somebody tampers with a base MS CSP Windows will not function
properly anyway. Obviously, that's not the case with a downstream 3rd party
CSP so you SHOULD check that the CSP you are calling is properly signed.)

Laszlo Elteto
SafeNet, Inc.

"Stefano Faini" wrote:


I'm working on a strong Logon project for client authentication with Windows
Server 2003. Basically, it consists in the native Smartcard Logon, with the
difference that the PIN is not inserted by the user in the GINA gui but it
is automatically passed to the smartcard CSP after a successfull biometric
authentication (msgina will be properly modified to avoid requesting the
The project assumes to create a "biometric" CSP wrapper, which must do
absolutely nothing but mapping the standard functions of the original
smartcard CSP, except the function which acquires the user pin
(CPSetProvParam i guess) which needs to be preprocessed with the biometric
authentication routines.

Now I have read around the newsgroup that there are different ways to manage
a CSP wrapper, these are the few things I understood:
1) It is possible to load the original smartcard CSP dll, and simply
delegate all the calls through it. There are some structures and handlers
wich need to be allocated anyway in the wrapper. What structures are we
talking about exactly ?
2) It is also possible to recursively call the top-level CryptXXX functions
to get control of the original CSP. This doesnt sound really nice to me...

I would REALLY appreciate any help concerning technical details about
implementing one of those solutions, possibly some links, code samples or
documentation because so far I've been able to find nothing but extremly
generic papers on the web.

Thank you very much (sry for my english),
Best Regards