Re: Questions about smart card minidriver
- From: "Dave" <daveswen_AT_gmail_DOT_com>
- Date: Thu, 9 Aug 2007 17:15:23 +0800
Hi Jan,
I've developed a smart card minidriver, how can the certificates in the smart card be propagated to the system store?
Typically, on Windows XP and up, there is a certificate propagation service (on XP and Windows Server 2003 as part of winlogon.exe, on Vista as a separate service), which will automatically add new certificates on an inserted smart card to the user's certificate store. Unless certificate propagation has been switched off, there's nothing you have to do to get the certificates into the user's store.
(This happens through reading the mscp\cmapfile (to get the list of used key containers on the smart card) and then reading the mscp\k?c?? files that contain the actual certificates.)
I tested my minidriver on several operating systems (win2000, winxp, server2003, vista); the certificates don't appear when I open the certificate manager in IE.
I guess it's "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp" on XP and 2003, and the "certificate propagation" service on Vista, but they seem not to work properly.
How can I switch them on?
Then I wrote a simple certSP, but it acts differently on different platforms:
1. On win2000, every certificate appears only once.
2. On winxp and 2003, certificates appear once on some machines, all in the physical store registered by my certSP. But on the other machines, the certificate of the *default* container appears twice, one in the registry store, another in the physical store.
3. On Vista, all certificates appear twice.
Yes, the CA does store data on the smart card through my minidriver.
How can the certificates be imported to or deleted from the smart card? Is a user-defined certificate store provider necessary to accomplish these tasks?
Certificate import onto the smart card can happen when you are using certificate authority web pages. A typical CA web application will generate a key pair, create a certificate for your public key and then store the certificate on the card, if you have selected the Microsoft Base Smart Card CSP as a CSP. This happens through CardCreateContainer and CardWriteFile calls to your card module. You don't have to do anything special for this either.
But users of my smart card may want to enroll a certificate using other CSPs, and import it through the "Microsoft Base Smart Card CSP" into the card.
And what is important is, when the users want to delete a single certificate from the card, there is no way.
If you are looking for a GUI application to manage keys and certificates :-( on the smart card; you will probably have to create one for this. I don't think there are any such tools available yet in any of the resource kits.
Since the minidriver interface is provided by Microsoft while the data format is transparent to the vendors, I think Microsoft will write one sooner or later.
Cheers, Thanks, Jan.
Jan.
Dave
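The lookup described in the thread (mscp\cmapfile first, then the per-container mscp\k?c?? certificate files), as an added example that is not part of the original post: a check a minidriver developer can run over a dumped cmapfile image to see which certificate files a reader would expect. The record layout follows the CONTAINER_MAP_RECORD structure of the minidriver specification; the function names, the two-digit index formatting of the file names and the sample records are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* CONTAINER_MAP_RECORD in mscp\cmapfile, 86 bytes: 40 UTF-16LE name chars,
   bFlags, bReserved, signature key bits, key-exchange key bits (LE16). */
enum { REC_SIZE = 86, OFF_FLAGS = 80, OFF_SIG = 82, OFF_KX = 84,
       FLAG_VALID = 0x01, FLAG_DEFAULT = 0x02 };
typedef struct { char name[16]; int is_default; unsigned bits; } cert_file;

/* Returns the number of expected cert files, or -1 on a malformed length. */
int expected_cert_files(const uint8_t *cmap, size_t len, cert_file *out, int max)
{
    static const char *prefix[2] = { "kxc", "ksc" };
    int n = 0;
    if (len % REC_SIZE != 0) return -1;
    for (size_t i = 0; i < len / REC_SIZE; i++) {
        const uint8_t *r = cmap + i * REC_SIZE;
        unsigned bits[2] = { r[OFF_KX] | r[OFF_KX + 1] << 8,
                             r[OFF_SIG] | r[OFF_SIG + 1] << 8 };
        if (!(r[OFF_FLAGS] & FLAG_VALID)) continue;   /* unused slot */
        for (int k = 0; k < 2 && n < max; k++) {
            if (bits[k] == 0) continue;               /* no key of this type */
            /* Assumption: name is prefix + two-digit container index. */
            snprintf(out[n].name, sizeof out[n].name, "%s%02u", prefix[k], (unsigned)i);
            out[n].is_default = (r[OFF_FLAGS] & FLAG_DEFAULT) != 0;
            out[n++].bits = bits[k];
        }
    }
    return n;
}

/* Writes one constructed sample record into slot idx of a zeroed buffer. */
void put_record(uint8_t *buf, int idx, uint8_t flags, unsigned sig, unsigned kx)
{
    uint8_t *r = buf + idx * REC_SIZE;
    r[OFF_FLAGS] = flags;
    r[OFF_SIG] = sig & 0xff; r[OFF_SIG + 1] = sig >> 8;
    r[OFF_KX] = kx & 0xff;   r[OFF_KX + 1] = kx >> 8;
}

int main(void)
{
    uint8_t buf[3 * REC_SIZE] = {0}; cert_file f[8];
    put_record(buf, 0, FLAG_VALID | FLAG_DEFAULT, 0, 2048);
    put_record(buf, 1, 0, 0, 2048);                   /* not marked valid */
    put_record(buf, 2, FLAG_VALID, 1024, 0);
    for (int i = 0, n = expected_cert_files(buf, sizeof buf, f, 8); i < n; i++)
        printf("%s %u bits%s\n", f[i].name, f[i].bits, f[i].is_default ? " (default)" : "");
    return 0;
}
```

In the constructed sample, slot 1 carries a key size but is not flagged valid, so no certificate file is expected for it.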