Getting Internet Explorer to work with OpenSC: Part 1

This has long been an issue with the Italian CNS cards. OpenSC works on all major platforms (Windows, Linux and OS X), but only with Firefox installed on these platforms. While this is actually enough, the general public mostly uses Internet Explorer with Windows, so this has become problematic. There are some smart cards that do work with Internet Explorer. The opensc-minidriver.dll enables this functionality together with some rather simple registry tweaks, which can be found here, for example:

https://github.com/OpenSC/OpenSC/tree/master/src/minidriver

However these settings do not work for the Italian CNS cards. After a lot of tweaking and testing (that might be interesting for another blog post) we found out that there was a missing function in the OpenSC minidriver code. This has fortunately been patched as can be seen here:

https://github.com/OpenSC/OpenSC/pull/321

After getting a build for Windows we are happy to report that it works! Unfortunately, at least in our case, this only seems to work on 32-bit Windows 7 machines. When installing the build on a 32 bit install the files get correctly copied to

C:\Windows\System32\opensc-minidriver.dll 

The registry settings look like the following:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\CPS]
"Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
"Smart Card Key Provider"="Microsoft Smart Card Key Storage Provider"
"80000001"="opensc-minidriver.dll"
"ATR"=hex:3b,ff,18,00,ff,c1,0a,31,fe,55,00,6b,05,08,c8,0c,01,11,01,43,4e,53,10,31,80,05
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff

Note: We are for the moment only testing the Siemens card, not the newer Athena-based cards that would require different registry tweaks.
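
The matching rule Windows applies to the ATR and ATRMask values above, as an added example (not code from the original post or from the OpenSC project): a card is associated with the minidriver only when its ATR, ANDed with ATRMask, equals the registered ATR, which is why a card with a different ATR needs its own entry. The rule is the one documented for SCardIntroduceCardType; OTHER_CARD is a constructed ATR, and parse_reg_values, check_entry and atr_matches are hypothetical helper names.

```python
import re

# Values copied from the ...\Calais\SmartCards\CPS entry shown above.
REG_ENTRY = '''
"80000001"="opensc-minidriver.dll"
"ATR"=hex:3b,ff,18,00,ff,c1,0a,31,fe,55,00,6b,05,08,c8,0c,01,11,01,43,4e,53,10,31,80,05
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
'''

def parse_reg_values(text):
    """Parse "name"="string" and "name"=hex:aa,bb lines into a dict."""
    values = {}
    for line in text.splitlines():
        m = re.match(r'\s*"([^"]+)"=(.*)$', line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith("hex:"):
            values[name] = bytes(int(b, 16) for b in raw[4:].split(",") if b.strip())
        else:
            values[name] = raw.strip('"')
    return values

def check_entry(values):
    """Return a list of problems that would stop the entry from ever matching."""
    atr, mask = values.get("ATR"), values.get("ATRMask")
    if not isinstance(atr, bytes) or not isinstance(mask, bytes):
        return ["ATR and ATRMask must both be present as hex: values"]
    problems = []
    if len(atr) != len(mask):
        problems.append(f"ATR is {len(atr)} bytes but ATRMask is {len(mask)}")
    elif any(a & ~m & 0xFF for a, m in zip(atr, mask)):
        problems.append("ATR has bits set where ATRMask is 0; no card can match")
    return problems

def atr_matches(card_atr, values):
    """A card matches iff (card ATR AND mask) == registered ATR, byte for byte."""
    if check_entry(values) or len(card_atr) != len(values["ATR"]):
        return False
    return all((c & m) == a
               for c, a, m in zip(card_atr, values["ATR"], values["ATRMask"]))

CPS = parse_reg_values(REG_ENTRY)
# Constructed ATR for a different card: the page's ATR with its last byte changed.
OTHER_CARD = CPS["ATR"][:-1] + b"\x06"

if __name__ == "__main__":
    print("entry problems:", check_entry(CPS))
    print("registered card matches:", atr_matches(CPS["ATR"], CPS))
    print("other card matches:", atr_matches(OTHER_CARD, CPS))
```

With an all-ff mask, as in the entry above, only a card whose ATR is byte-for-byte identical is routed to opensc-minidriver.dll.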

Under Windows 7 64 bit, the driver gets copied to a different folder:

C:\Windows\SysWOW64

Of course the registry settings need to be adjusted slightly to the following:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\CPS]
"Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
"Smart Card Key Provider"="Microsoft Smart Card Key Storage Provider"
"80000001"="opensc-minidriver.dll"
"ATR"=hex:3b,ff,18,00,ff,c1,0a,31,fe,55,00,6b,05,08,c8,0c,01,11,01,43,4e,53,10,31,80,05
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff

So with everything in place, Internet Explorer should work when started in a 64-bit Windows environment. Here, however, Internet Explorer simply does not load the certificate into the certificate store (found under Internet Explorer > Internet Options > Content > Certificates), which results in an error message when trying to authenticate.

When running certutil --SCInfo in a 32-bit shell the certificate on the card can be read, but on the 64-bit variation of Windows the certificate does not get put into the certstore. We decided to do some more testing using a 64-bit Windows 8 machine to understand if we can narrow down the problem a little more. In the screenshot below we can see that the certificate is not being added to the certstore:

When running certutil --SCInfo on a 32 bit shell under Windows 8 64 bit we can see that the driver is working:

But the certificate does not get loaded into the certificate store, the only way this is achievable is if you manually install the certificate:

So preliminary results seem to indicate that Internet Explorer (32-bit) running on a Windows 8 64-bit installation simply does not make the import, for whatever reason. Upon further testing, there were more problems than expected in Windows 8:

That was rather unexpected... 

This error occurs because this is the Internet Explorer "App" found on the Windows 8 start screen. The "real" Internet Explorer is found elsewhere, under C:\Program Files\Internet Explorer. Very annoying. When running the "normal" Internet Explorer this is not an issue and the smart card reader works. More to come...

Comments
vincent
The certificate propagation service is running in native code. If you install a 32-bit minidriver, the 64-bit service can't access the minidriver because the architecture is not the same.
Posted on 04/04/15 18.44.