locked
Impementing a GIDS card: what's missing in the GIDS / minidriver specification to make it works RRS feed

  • Question

  • Hi,

    In the following remarks / questions, I'm talking about the GIDS specification v2 (https://msdn.microsoft.com/en-us/library/windows/hardware/dn642100(v=vs.85).aspx) and the smart card minidriver specification v7.07 (https://msdn.microsoft.com/en-us/library/windows/hardware/dn631754(v=vs.85).aspx). Indeed, some GIDS détails are included in the minidriver specification.

    I've already asked this questions to gids@microsoft.com without having received an answer.

    The goal is to build a GIDS card (which is a MS design) to make it works with the Embedded generic identity device minidriver included in all Windows OS since 7 and to build a PKCS#11 module for application not supporting the Base CSP / Base KSP.

    The GIDS specification is adequate to build a javacard applet but not to make it interoperable. My questions are relative to the gap between the GIDS and minidriver specification:

    1) the GIDS specification do not give an example on how ECC can be activated by modifying the FCP. There is a phrase in the specification, but this can be interpreted with different meaning. Until now, I was unable to make it work. It is possible to have an example for a FCP activating the ECC capability in the minidriver ?

    2) The content of the data stored Inside the card is not documented. The online documentation found is located in the minidriver specification. Example, the masterfile.

    The masterfile A000 DF1F is described in the page talking about the initialization of the card (https://msdn.microsoft.com/en-us/library/windows/hardware/dn468781(v=vs.85).aspx - found again in the minidriver specification document). The format of this file, needed to add new files, is not described.

    ok, the file seems to be a set of records but there is an extra byte and nothing describe what must be done to add a new file. What is the purpose of the extra byte of the GIDS master file ?

    3) certificate compression

    The GIDS minidriver does not set the flag fCertificateCompression to yes (https://msdn.microsoft.com/en-us/library/dd627627(v=vs.85).aspx) which is a workaround for the following problem. As a consequence, a DER certificate is stored by the Base CSP/KSP in an undocumented compression form (starting with the 2 bytes 01 00) and it cannot be loaded by a PKCS#11 module because the module does not know how to uncompress it.

    I've tried the usual gzip uncompression with or without the 2 first bytes without success.

    Can you document the proprietary Base CSP / Base KSP certificate compression algorithm ?

    regards,

    Vincent LE TOUX

    Monday, November 30, 2015 10:38 AM

Answers

All replies