Re: Writing a Smart Card Minidriver (on PKCS#11)
- From: "Jan Spooren" <jspooren@xxxxxxxxxxxxx>
- Date: Mon, 30 Jul 2007 21:20:31 +0200
Hi Alexander,
Do you maybe know, what commands are called when creating a keypair (key
container) and installing the certificate to this keypair?
Yes, knowing a typical sequence of calls for this kind of operation is quite
useful for making estmations with regards to your minidriver.
So here you go:
- CardAcquireContext
- CardReadFile for the \cardid file
- CardReadFile for the \cardcf file
- CardReadFile for the mscp\cmapfile; to retrieve the free slots from the
minidriver
- CardQueryKeySizes to get the available key lengths, called twice (for
AT_SIGNATURE and AT_KEYEXCHANGE)
- CardReadFile, again for the \cardcf file
- CardQueryFreeSpace
- CardAuthenticatePin
- CardReadFile for the \cardcf file
- CardAuthenticatePin
- CardWriteFile, updating the \cardcf file
- CardWriteFile to the mscp\cmapfile, creating a key container. Typical
data:
30 00 66 00 38 00 38 00 31 00 61 00 36 00 62 00 0.f.8.8. 1.a.6.b.
2D 00 39 00 61 00 36 00 63 00 2D 00 34 00 61 00 -.9.a.6. c.-.4.a.
37 00 36 00 2D 00 38 00 62 00 37 00 38 00 2D 00 7.6.-.8. b.7.8.-.
62 00 37 00 61 00 63 00 36 00 34 00 38 00 38 00 b.7.a.c. 6.4.8.8.
35 00 66 00 33 00 34 00 00 00 00 00 00 00 00 00 5.f.3.4. ........
01 00 00 00 00 00 ......
This creates a key container with container name
'0f881a6b-9a6c-4a76-8b78-b7ac64885f34', bit 0 of the flags is set,
indicating it is a valid container.
- CardWriteFile, updating the \cardcf file
- CardWriteFile to the mscp\cmapfile, updating the key container. Typical
data:
30 00 66 00 38 00 38 00 31 00 61 00 36 00 62 00 0.f.8.8. 1.a.6.b.
2D 00 39 00 61 00 36 00 63 00 2D 00 34 00 61 00 -.9.a.6. c.-.4.a.
37 00 36 00 2D 00 38 00 62 00 37 00 38 00 2D 00 7.6.-.8. b.7.8.-.
62 00 37 00 61 00 63 00 36 00 34 00 38 00 38 00 b.7.a.c. 6.4.8.8.
35 00 66 00 33 00 34 00 00 00 00 00 00 00 00 00 5.f.3.4. ........
03 00 00 00 00 00 ......
Bit 1 is also set on the flags, indicating the new container is a default
container.
- CardQueryCapabilities is called to verify if the card can generate key
pairs on-card, and if it can compress certificates.
Let's assume the minidriver returns that it cannot generate key pairs on
card. The Base Smart Card CSP will then generate a key pair and store it on
the card:
- CardWriteFile, updating the \cardcf file
- CardCreateContainer is called with the CARD_CREATE_CONTAINER_KEY_IMPORT
flag set, i.e. the key material is provided by the Base Smart Card CSP and
passed in pbKeyData
- CardWriteFile, updating the \cardcf file
- CardWriteFile to the mscp\cmapfile, updating the key container. Typical
data:
30 00 66 00 38 00 38 00 31 00 61 00 36 00 62 00 0.f.8.8. 1.a.6.b.
2D 00 39 00 61 00 36 00 63 00 2D 00 34 00 61 00 -.9.a.6. c.-.4.a.
37 00 36 00 2D 00 38 00 62 00 37 00 38 00 2D 00 7.6.-.8. b.7.8.-.
62 00 37 00 61 00 63 00 36 00 34 00 38 00 38 00 b.7.a.c. 6.4.8.8.
35 00 66 00 33 00 34 00 00 00 00 00 00 00 00 00 5.f.3.4. ........
03 00 00 00 00 04 ......
The key length data has now been updated; indicating we have a 1024 bit Key
Exchange key in the container.
- CardGetContainerInfo is called, retrieving back the public key.
- CardSignData is called twice to sign a hash using the private key.
- CardDeauthenticate is called
- CardReadFile for the \cardcf file, twice
- CardAuthenticatePin
- CardWriteFile, updating the \cardcf file
- CardDeleteFile, deleting the privious certuficate in e.g. mscp\kxc00
- CardWriteFile, updating the \cardcf file
- CardCreateFile, to create e.g. the mscp\kxc00 file to write the key
exchange certificate in for key 00
- CardWriteFile, updating the \cardcf file
- CardWriteFile to e.g. mscp\kxc00, writing the certificate
- CardReadFile for the mscp\cmapfile
- CardWriteFile, updating the \cardcf file
- CardWriteFile, updating the mscp\cmapfile
- CardDeauthenticate is called.
Is there maybe a testapplication? I found the document "Smart Card
Minidriver Certification Requirements for Base CSP and KSP". There are the
command desribed in detail, but not which data are transfered. This will
maybe save a lot of time, because I will not have to debug all
applications, to see how they call the minidriver.
A smart card minidriver test suite is available from Microsoft. However, it
will still be useful to look at real life use case scenarios, to see what is
expected in practise from the minidriver; especially since you will probably
not be able to fully implement the minidriver specification...
You wrote, that the challenge response authentication is is used in the
pintool.exe to unblock the card. In most cases the PINs are unblocked with
a PUK and not via challenge response. How can this challenge response
authentication which encrypts a challenge with a key (often DES) mapped to
a PUK. The application which encrypts the challenge must hold the key, do
I have to enter this key in the pintool.exe. In case of a DES key it will
be a least 8 bytes and nobody would remember this key. A PUK can not be
used to encrypt the challenge.
Exactly. If your card has a PUK instead of a challenge response system for
allowing administrator authentication, you will not be able to implement the
challenge response scheme. This means you will have to provide a card
unblock tool separately, since you will not be able to use the pintool.exe
that comes with the Microsoft Base Smart Card CSP.
Cheers,
Jan.
.
- Follow-Ups:
- Re: Writing a Smart Card Minidriver (on PKCS#11)
- From: Alexander
- Re: Writing a Smart Card Minidriver (on PKCS#11)
- References:
- Writing a Smart Card Minidriver (on PKCS#11)
- From: Alexander
- Re: Writing a Smart Card Minidriver (on PKCS#11)
- From: Jan Spooren
- Re: Writing a Smart Card Minidriver (on PKCS#11)
- From: Alexander
- Writing a Smart Card Minidriver (on PKCS#11)
- Prev by Date: How to Checking a URL :Valid or Invalid
- Next by Date: Re: Machine policy registry keys
- Previous by thread: Re: Writing a Smart Card Minidriver (on PKCS#11)
- Next by thread: Re: Writing a Smart Card Minidriver (on PKCS#11)
- Index(es):
Relevant Pages
|
