Using SCardControl under Linux and from a Java program

SCardControl is the PC/SC function that makes it possible for the application to invoke ‘proprietary’ functions, implemented either in the PC/SC reader itself (CSB6Prox’N’Roll PC/SCEasyFinger or CrazyWriter) , or in its driver running on the PC, or in the PC/SC middleware.

The prototype is:

LONG SCardControl(
  SCARDHANDLE hCard,
  DWORD dwControlCode,
  LPCVOID lpInBuffer,
  DWORD nInBufferSize,
  LPVOID lpOutBuffer,
  DWORD nOutBufferSize,
  LPDWORD lpBytesReturned
);

(see http://pcsclite.alioth.debian.org/api/group__API.html for the PCSC-Lite documentation, and http://msdn.microsoft.com/en-us/library/windows/desktop/aa379474%28v=vs.85%29.aspx for Microsoft’s version).

The lpInbuffer / nInBufferSize parameters hold the command buffer that will be processed by either target -reader, driver, or PC/SC middleware-.

SpringCard PC/SC Readers do provide a few ‘proprietary’ functions (called ‘Escape commands’ in the USB CCID specification). For instance, an application would send the command 58 1E 01 00 to switch the reader’s red LED ON. A question remains: what must the value of dwControlCode be, when the application wants to send the command right to the reader, bypassing both the PC/SC middleware and the driver? The answer varies with the operating system, which doesn’t help implementing portable code.

Differences between Windows and PCSC-Lite implementations

Windows

In Microsoft’s CCID driver (http://msdn.microsoft.com/en-us/library/windows/hardware/gg487509.aspx), the dwControlCode for the Escape command is defined as follows:

#define IOCTL_CCID_ESCAPE SCARD_CTL_CODE(3500)

SpringCard PC/SC Readers follow the CCID specification. SpringCard’s CCID driver (SDD480) uses the same dwControlCode as Microsoft’s.

Therefore, on Windows, the application would switch the red LED on this way:

#include <windows.h>
#include <winscard.h>

#define IOCTL_CCID_ESCAPE SCARD_CTL_CODE(3500)

(...)

const BYTE SET_RED_LED_ON[4] = { 0x58, 0x1E, 0x01, 0x00 };

SCARDCONTEXT hContext;
SCARDHANDLE hCard;
DWORD dwProtocol;
BYTE abResponse[256];
DWORD dwRespLen;
LONG rc;

(...)

/* Instanciate the winscard.dll library */
rc = SCardEstablishContext(SCARD_SCOPE_SYSTEM, NULL, NULL, &amp;hContext);
if (rc != SCARD_S_SUCCESS) { /* TODO: handle error */ }

/* Get a direct connection to the reader (we don't need a card to send Escape commands) */
rc = SCardConnect(hContext, szReader, SCARD_SHARE_DIRECT, 0, &amp;hCard, &amp;dwProtocol);
if (rc != SCARD_S_SUCCESS) { /* TODO: handle error */ }

/* Send the command */
rc = SCardControl(hCard, IOCTL_CCID_ESCAPE, SET_RED_LED_ON, sizeof(SET_RED_LED_ON), abResponse, sizeof(abResponse), &amp;dwRespLen);
if (rc != SCARD_S_SUCCESS) { /* TODO: handle error */ }

SCardDisconnect(hCard, SCARD_LEAVE_CARD);
SCardReleaseContext(hContext);

 

Important notes:

Working with MS’ CCID driver

With Microsoft’s CCID driver, the Escape feature is disabled by default.

In order to send or receive an Escape command to a reader, the DWORD registry value EscapeCommandEnable must be added and set to a non-zero value under one of the following keys.

  • HKLM\SYSTEM\CCS\Enum\USB\Vid*Pid*\*\Device Parameters (prior to Windows 7).
  • HKLM\SYSTEM\CCS\Enum\USB\Vid*Pid*\*\Device Parameters\WUDFUsbccidDriver (Windows 7 and later).

This is clearly explained in the Developer’s Manual for every PC/SC reader.

Using SpringCard’s SDD480 CCID driver shall be preferred.

Early versions of SDD480

Branch -Ax of SpringCard’s SDD480 CCID driver uses a different value for the dwControlCode parameter.

#define IOCTL_CCID_ESCAPE SCARD_CTL_CODE(2048)

Switching to the latest version of SpringCard’s SDD480 CCID driver (branch -Bx and onwards) shall be preferred.

Linux, MacOS and other Unix*

In Ludovic Rousseau’s open-source CCID driver (http://pcsclite.alioth.debian.org/ccid.html), the dwControlCode for the Escape command is defined as follows:

#define IOCTL_CCID_ESCAPE SCARD_CTL_CODE(1)

(See http://anonscm.debian.org/viewvc/pcsclite/trunk/Drivers/ccid/SCARDCONTOL.txt?view=markup for details)

Therefore, when working with PCSC-Lite, the application would switch the red LED on this way:

#ifdef __APPLE__
#include <pcsc/winscard.h>
#include <pcsc/wintypes.h>
#else
#include <winscard.h>
#endif

#define IOCTL_CCID_ESCAPE SCARD_CTL_CODE(1)

(...)

const BYTE SET_RED_LED_ON[4] = { 0x58, 0x1E, 0x01, 0x00 };

SCARDCONTEXT hContext;
SCARDHANDLE hCard;
DWORD dwProtocol;
BYTE abResponse[256];
DWORD dwRespLen;
LONG rc;

(...)

/* Instanciate the winscard.dll library */
rc = SCardEstablishContext(SCARD_SCOPE_SYSTEM, NULL, NULL, &hContext);
if (rc != SCARD_S_SUCCESS) { /* TODO: handle error */ }

/* Get a direct connection to the reader (we don't need a card to send Escape commands) */
rc = SCardConnect(hContext, szReader, SCARD_SHARE_DIRECT, 0, &hCard, &dwProtocol);
if (rc != SCARD_S_SUCCESS) { /* TODO: handle error */ }

/* Send the command */
rc = SCardControl(hCard, IOCTL_CCID_ESCAPE, SET_RED_LED_ON, sizeof(SET_RED_LED_ON), abResponse, sizeof(abResponse), &dwRespLen);
if (rc != SCARD_S_SUCCESS) { /* TODO: handle error */ }

SCardDisconnect(hCard, SCARD_LEAVE_CARD);
SCardReleaseContext(hContext);

Enabling the Escape commands

With this CCID driver, the Escape feature is also disabled by default.

You’ll have to edit the CCID driver’s Info.plist file to enable this feature:

  • Open /usr/local/lib/pcsc/drivers/ccid/Info.plist in edit mode with root priviledge,
  • Locate the line <key>ifdDriverOptions</key>,
  • The following line is typically <string>0000</string>,
  • Define the new value: <string>0001</string>,
  • Save the file and restard pcscd.

(More details on http://ludovicrousseau.blogspot.fr/2011/10/featureccidesccommand.html)

Writing portable code

The idea is only to use a #ifdef to compile the correct value:

#ifdef WIN32
#define IOCTL_CCID_ESCAPE SCARD_CTL_CODE(3500)
#else
#define IOCTL_CCID_ESCAPE SCARD_CTL_CODE(1)
#endif

Java

The javax.smartcardio API provides Java methods that are stricly bound to the underlying PC/SC subsystem. The Card.transmitControlCommand method is the wrapper for SCardControl. The prototype is coherent:

java decode:true">public abstract byte[] transmitControlCommand(
  int controlCode,
  byte[] command)
    throws CardException

Now the same question: what must the value of controlCode be? The answer is short: it depends on the PC/SC stack! SCARD_CTL_CODE(3500) for Windows, and SCARD_CTL_CODE(1) for PCSC-Lite. But with another difference: the macro SCARD_CTL_CODE is not computed the same way between both systems!

 

As a consequence, the Java application must detect the OS, and compute the controlCode parameter accordingly.

Same example to switch the red LED on:

java decode:true">import javax.smartcardio.*;

(...)

static boolean isWindows()
{
  String os_name = System.getProperty("os.name").toLowerCase();
  if (os_name.indexOf("windows") > -1) return true;
  return false;
}

static int SCARD_CTL_CODE(int code)
{
  int ioctl;
  if (isWindows())
  {
    ioctl = (0x31 < < 16 | (code) << 2);
  } else
  {
    ioctl = 0x42000000 + (code);
  }
  return ioctl;
}

static int IOCTL_CCID_ESCAPE()
{
  if (isWindows())
  {
    return SCARD_CTL_CODE(3500);
  } else
  {
    return SCARD_CTL_CODE(1);
  }
}

static final byte[] SET_RED_LED_ON = { (byte) 0x58, (byte) 0x1E, (byte) 0x01, (byte) 0x00 };

(...)

String readerName;

/* Note that the reader's name vary with the OS too!!! */
if (isWindows())
  readerName = "SpringCard Prox'N'Roll Contactless 0";
else
  readerName = "SpringCard Prox'N'Roll (00000000) 00 00";

CardTerminal terminal = CardTerminals.getTerminal(readerName);

Card virtualCard = terminal.connect("DIRECT");

virtualCard.transmitControlCommand(IOCTL_CCID_ESCAPE(), SET_RED_LED_ON);

virtualCard.disconnect(false);

Of course this code works only if the Escape feature is enable by the underlying CCID driver, as seen above.

SpringCard introduces new SDK for NFC-enabled PC/SC readers

It’s now the final countdown before the launch of new SpringCard NFC products, H512 and NFC’Roll. Both products are not only able to read/write NFC Tags, but they also introduce NFC peer-to-peer communication and an innovative Card emulation mode.

The developers who already have an early release of either product, or who want to start evaluating the development process, are welcomed to download the first version of the SDK, which has been made available today, together with its documentation.

The NFC SDK for PC/SC includes
NFcTool, a Tag read/write Utility,
NFcBeam, implementing the NFC Forum ‘Simple NDEF Exchange Protocol’ (SNEP) on top of NFC Forum LLCP (Logical Link Control Protocol), itself on top of NFC-DEP, i.e. the NFCIP1 peer-to-peer layer (ISO 18092 chapter 12). A typical use-case would be to retrieve a contact entry (VCard) from an Android smartphone, or to push a SmartPoster from the PC to the smartphone,
NfcTagEmul, showing how easy it is for either H512 or NFC’Roll to emulate a NFC Forum Tag (type 2 or type 4). This makes it possible to push a SmartPoster, URI, Text, VCard… from the PC to the smartphone, as smoothly as if the phone was reading a static Tag,
– and much more!

Edit 15/10/2013: starting with PC/SC SDK version 2.12, the NFC extensions are now included in the PC/SC SDK itself. Please read this article for details.

Those software are available with complete source (C# for .NET) in the SDK. Please download and read PMD2228: NFC SDK for PC/SC – Getting Started Guide for a guided tour and a few technical details.

Click here to download SpringCard NFC SDK for PC/SC

The reference manual for operating the readers from PC/SC applications is here: PMD2176: H512 (and NFC’Roll) Developer’s Reference Manual.

An installer is also available (SQ2211: QuickStart for H512 and NFC’Roll) for people who want to try the products but don’t need the full SDK.

Warning: a few changes have been on the specifications since the Alpha version of the firmware (1.6x branch). Products shall be updated to firmware v1.70 in order to be compliant with the final specifications, and to work with this SDK. Current 1.7x branch doesn’t include peer-to-peer in Target mode (only Initiator mode is currently implemented). This will be added in 1.8x branch.

Print and encode simultaneously using SpringCard CrazyWriter and Evolis Zenius

Evolis Zenius is a color or monochrome card printer. Evolis offers SpringCard CrazyWriter PC/SC (ISO 14443, ISO 15693 + 2 SAM) as the contactless encoding option for Zenius -as well as for the other printers in its portfolio. Zenius plus CrazyWriter makes it easy to issue personalized cards on-the-field.

In this article we’ll show how to synchronize the card encoding part (CrazyWriter PC/SC) with the card printing job using Evolis’ SDK. Our sample project (C# source code available in the PC/SC SDK, under folder /samples/dotnet/ZeniusVCard) is a real-world example: we print a business card on a Desfire EV1 smartcard, and we store a vCard object into the Desfire, following NFC Forum standard known as ‘NFC Forum Type 4 tag’. Doing so, the business card goes NFC and could be read by any compliant smartphone, that will automatically add the vCard data to its contact list! All you need to try the demo by yourself is a blank and virgin Desfire EV1 card, and, of course, an Evolis Zenius printer featuring SpringCard CrazyWriter.

In a nutshell

To print and encode a vCard, the process is as follows:

  1. Ask the printer to take one card in the feeder, and to put it in position for encoding (in front of the CrazyWriter’s antenna),
  2. Recognize the card, format it if needed, write the data,
  3. Launch the print job,
  4. Optionnaly repeat the process, until there is no card left in the feeder.

The process always encodes a card before printing it. Doing so, should any problem append (not the expected type of card, card locked read-only…), the card is ejected immediately. No time nor ribbon has been waisted printing a useless card.

Architecture

There are two ways to communicate with an Evolis printer:

  • using the Windows spooler (as with any other printer),
  • using iomem.dll, a communication library supplied within Evolis’ SDK.

Sending print jobs to the spooler is straightforward as all the steps of the printing are handled automatically by the system. Unfortunately, once the job is launched, the software has no way to know where the card actually is in the printer nor to stop it for a few seconds in front of the antenna..

On the other end, sending low level commands through iomem.dll offers a lot of flexibility, but lots of things have to be re-implemented in the printing software. This requires a specific expertise and can be time consuming.

So we’ll take the best of the two worlds: iomem.dll will be used to drive the card in the printer until the CrazyWriter has done its job, and afterwards a print job will be sent to the spooler to actually print the card. We’ll also have to use iomem.dll again to detect the end of the print job, so our software will not try to insert another card in the path until the previous card has been printed and ejected.

Step by step explanation of the sample project

Selecting the target printer and contactless coupler

The .NET PrintDialog object (System.Windows.Controls.PrintDialog) if the easiest way to select a printer. The name of the selected printer is returned in PrintDialog.PrinterSettings.PrinterName.

There’s no immediate way to know which CrazyWriter (or in general which PC/SC reader) belongs to the selected printer. So we display our common ‘Select PC/SC Reader’ dialog to let the user find the reader. Default is to select the contactless interface of the first available CrazyWriter.

Controlling the printer through iomem.dll

First step is to gain access to iomem.dll‘s entry points from our C# application. The function used are:

  • OpenPebble
  • ClosePebble
  • ReadPebble
  • WritePebble
  • GetTimeout
  • SetTimeout


Please refer to Evolis’ SDK for a detailed documentation of the DLL.

OpenPebble(PrinterName) gives use access to the printer, we then can use the couple WritePebble/ReadPebble to send arbitrary commands to the printer -and wait for its answer.

Here are the 3 only commands we need:

  • Rlr;h to check whether the feeder is empty,
  • Sic to load a card from the feeder, and to move it into position for encoding (in front of the CrazyWriter’s antenna),
  • Se to eject the card (in case the encoding has failed).

If the encoding is successful, sending a print job to the spooler is enough to make the printer take the card from its current position (in front of the antenna), print it, and eject it.

To know whether the print job is terminated or still pending, we’ll use a very simple trick: as the printer is not available to answer to iomem.dll commands while it is under control of the system’s spooler, we’ll send repeated dummy commands, and we’ll know that the job is ended when we’ll get an answer at last. The dummy command is:

  • Rfv read firmware version

Please also refer to Evolis’ SDK for details regarding the printer’s command set.

Encoding the vCard on the contactless card

This part is shared with the vCard part of NFCTool, another of our samples. The only difference is that NFCTool can also read cards, and implements a ‘wake up on card arrival’ scheme that doesn’t have to be implemented in this sample. The card ‘arrives’ only after a successful invocation of the “Sic” control command.

We start by opening a PC/SC channel to the card: scard = new SCardChannel(ReaderName) (see the documentation of our PC/SC for .NET API for details).

Then we use the methods of our NfcTag object (NfcTag.IdentifyTagType, NfcTag.BackgroundRecognize) to check whether the card is a NFC Forum tag or not. It must be either already formatted (and offering enough memory space to store the vCard) or a Desfire EV1 that we know how to format and write. Note that BackgroundRecognize, as the name says, performs the recognition in a background thread and invoke a callback function once done. This is generally speaking a good practice to implement card-related stuff in a background thread so the application’s window remains ‘alive’ even if the card takes its time to answer. At this step, the card is now for sure compliant with NFC Forum type 4 specification (or has been ejected if not, or if the user has chosen not to overwrite existing data).

Eventually, a new NfcVCard object is created, populated with the data entered by the user, and inserted as the content of the NfcTag objet. The the NfcTag.BackgroundWrite method is called, so the vCard content goes actually into the card. Once again this is done in a background thread.

Printing the layout on the card

At the end of the writing (that takes no more than one second anyway), the callback that is invoked launches the print job.

To print our business card, we process as follow:

  1. Create a PrintDocument object (System.Drawing.Printing.PrintDocument),
  2. Add to this PrintDocument object a PrintPageEventHandler function that will be invoked to actually draw the layout,
  3. Code the PrintPageEventHandler to implement the drawing of the business card from the data entered by the user,
  4. Invoke the PrintDocument.Print() method to send it to the spooler.

In this example, the PrintPageEventHandler is implemented in the FormatBusinnessCard function. The name and the title are printed in the middle of the card, respectively in Arial 16 and Arial 14; the contact information (business phone and e-mail) are in the down-left corner in Arial 10; the picture is printed in the up-right corner; etc… Of course this is the first thing you’ll have to change to design your cards according your own layout.

Waiting for the end of the job

Once PrintDocument.Print() has been called, there’s nothing else to do but wait. The spooler works in background, so the application is free to do anything else, but we can’t start encoding another card until the current one has been printed and ejected. Therefore we implement a waiting loop, sending the “Rfv” command through iomem.dll repeatedly. Once the printer responds, we know that the job is over. We could then loop to go on with the next card.

PC/SC driver updated

We’ve just published a new release of our WHQL-certified driver for SpringCard PC/SC products. This new version (code name: SDD480-BB) fixes a few bugs that have been experienced with the earlier release:
– corrected a memory leakage that used to occur as a consequence of frequent SCardControl calls
– CSB6 now reports correctly “card mute” when a card is physically inserted but unresponsive
– improved overall stability on multi-slot readers thanks to a stricter synchronization of SCardTransmit calls

To download the driver, please go to http://www.springcard.com/download/find.php?file=sdd480. The installer now contains both x86 and x64 binaries, and select automatically the one adapted to your system. It will also be available through Windows Update in a few days.

As the previous one, this release targets all SpringCard USB CCID readers :
CSB6
CrazyWriter
EasyFinger
Prox’N’Roll PC/SC

Users are welcome to deploy this new release as soon as possible.

New PC/SC SDK and sample applications

The version 2.00 of our PC/SC SDK is now available for download: pcsc-sdk_2-00.zip. This SDK works with our PC/SC readers (CSB6Prox’N’Roll PC/SCEasyFinger and CrazyWriter).

This release of the SDK includes a new PC/SC Diag application, rewritten from scratch in C# for the .NET framework (previous version written in C++ with MFC for Win32 is still available anyway). This PC/SC Diagnostic application makes it easy to exchange APDU commands/responses (SCardTransmit) with the smartcard in a given reader, and/or to send directly control commands to the reader itself (SCardControl). Giving the user full control on the various options given by the other winscard.dll‘s function (SCardConnect, SCardReconnect, SCardDisconnect), this new version of PC/SC Diag is the must-have utility to discover the PC/SC world and to explore virtually any smartcard “by hand”.

The SDK provides both the source code and the compiled binaries. Should you want to use the software directly, you may download and install PC/SC Diag for Windows through this setup package: PC/SC Diag setup (SQ2075).

The SDK also now includes a brand new application to deal with NFC Forum tags, according to the SmartPoster and vCard specifications. NFCTool is able to both format, write and read the popular NFC Forum type 2 tags (NXP Mifare UL and UL C family, Infineon My-D NFC SLE66 series, Kovio 2KB tags, and more) and also the NFC Forum type 4 tags (formatting is implemented only for NXP Desfire EV1, but read/write is designed to operate with virtually any compliant card already formatted). A companion to NFCTool is NFCSpTray is a small utility that sits in the tray-bar and waits “silently” until a tag holding a valid SmartPoster is presented on the contactless reader. Then NFCSpTray opens the SmartPoster’s URL in your default web browser. This is the first step for a NFC Forum SmartPoster-based navigation on Windows!

The SDK provides both the source code and the compiled binaries. Should you want to use the software directly, you may download and install NFCTool and NFCSpTray for Windows through this setup package: NFCTool and NFCSpTray setup (SQ2074).

Card analysis on NFCWizard

NFCWizard.com is a free web-based online service, created and managed by SpringCard. Thanks to a Java applet, NFCWizard makes it possible to read and write SmartPoster or vCard tags directly within your web browser! NFCWizard is compliant with NFC Forum type 2 tags (Mifare UL family, and equivalent chips) and NFC Forum type 4 tags (ISO 7816-4, including complete handling of Desfire EV1 chips). All you need is a SpringCard PC/SC reader.

More than that, NFCWizard provides a free and easy-to-use card « analysis » tool, that given a smartcard will tell you want kind of chip it may be, and/or what kind of application it may host. You can use NFCWizard with our products in the SpringCard CSB6 Family (CSB6Prox’N’Roll PC/SCEasyFinger and CrazyWriter) and our NFC readers/encoders (H512NFC’Roll).

Click here for a direct access to NFCWizard’s card analysis page.

New WHQL-certified PC/SC driver

Edited 24/04/2012: an updated version has been published to correct a few bugs. Please read this article.

Our new PC/SC driver is now online and ready for download! This driver (code name : SDD480-BA) has been certified my Microsoft’s Windows Hardware Qualification Labs (WHQL) for both 32 and 64 bits operating systems.

It targets all SpringCard USB CCID readers :
CSB6
CrazyWriter
EasyFinger
Prox’N’Roll PC/SC

Note: as the Prox’N’Roll has only one smartcard slot (its contactless card interface), it is not required to use our driver since the default CCID driver supplied by Microsoft also does the job.

The SDD480-BA driver is also ready for the new generation of USB CCID products that will be launched in a near future.

To download the driver, please go to http://www.springcard.com/download/find.php?file=sdd480

Choose either
sdd480_x86-ba.exe for 32 bits targets (certified and signed for Windows 2000, XP, Vista and Seven on i386 core)
sdd480_x64-ba.exe for 64 bits targets (certified and signed for Windows XP, Vista and Seven on amd64 or intel64 core)

The setup package uncompress the driver in Program Files\SpringCard\SDD480_x86-ba (or Program Files\SpringCard\SDD480_x64-ba depending on the target) and then installs the driver into Windows’ system directory. Of course you must run the setup with administrative priviledges.

The driver will also be available through Windows Update very soon.

A few more details for integrators and developers

Should you need to redistribute this driver with your own software or to recreate a setup package bundled with yours, just copy the uncompressed files and invoke DPInst.exe when you want the installation to take place.

Although we’ve done our best to ensure full compatibility with our previous (unsigned) driver and with Microsoft’s default CCID driver, please pay attention that the naming of the slots may be a little different in some cases. In fact slot naming and numbering has been designed to show clearly which slots belongs to which reader. Let’s suppose we have 2 CrazyWriter and 1 CSB6 connected to the PC. The 1st CrazyWriter instanciates 3 slots: CrazyWriter Contactless 0, CrazyWriter SAM A 0, CrazyWriter SAM B 0; the 2nd CrazyWriter instanciates 3 slots as well: CrazyWriter Contactless 1, CrazyWriter SAM A 1, CrazyWriter SAM B 1. Then the CSB6 instanciates 5 slots : CSB6 Contactless 2, CSB6 Contact 2, CSB6 SAM A 2, CSB6 SAM B 2, CSB6 SAM C 2. You see that the number is the same for all slots of one reader. This is the best approach to know which SAM (or contact interface) comes with whatever contactless interface.

Windows 7 complains on missing driver for smartcards – a practical workaround

Smartcards and smartcard-aware applications using application level commands (APDUs) are older than Windows and worked very well in the past, until Microsoft suddently decided that a smartcard shouldn’t be handheld directly by the applications anymore, and introduced the concept of smartcard driver software (ICC Service Provider withing the PC/SC framework). This issue sometimes occurs with our products in the SpringCard CSB6 Family (CSB6Prox’N’Roll PC/SCEasyFinger and CrazyWriter) and our NFC readers/encoders (H512NFC’Roll).

With Windows Seven, Microsoft goes one step further and mandates that every smartcard has its own driver (a ‘minidriver’ actually, i.e. a DLL running in user mode and not a SYS binary running in kernel mode). Everytime you put a smartcard on a contactless reader, or in a contact reader, the system tries to locate the appropriate driver, and this generally ends up with a red mark in the tray bar and this annoying message in the tray bar : “Device driver software was not successfully installed. Click here for details.” Luckily, smartcard-aware applications keep on working as usual on top of PC/SC API, thanks to classical SCardConnect / SCardTransmit function calls.

According to Microsoft, smartcard-issuers should provide a minidriver for their cards. The point is, the ICC Service Provider architecture is meaningfull to let security-sensitive applications access security features (digital signature, secure login) in an interoperable and high-level way, but it appears useless in other cases, when only one single software has to communicate with a single smartcard. And this is the case in 99% of the systems using contactless smartcards or contactless memory cards.

A techninal article has been published in Microsoft Knowledge base (http://support.microsoft.com/kb/976832/en-us) giving different solutions to prevent the system from looking for a driver and issuing the warning message. In this article we are detailing two solution :

  • 1st solution is to disable SmartCard PnP feature through a Group Policy. The side effect is that there’s not choice but to disable this feature for every cards, not only for the one that do not have a minidriver,
  • 2nd solution is to write in the system registry the list of cards that will not have a minidriver. In this article we do this through a small utility that makes it easier than entering the required lines in the registry one after the other.

Using a Group Policy to disable the smartcard PnP feature

Just follow this five steps :

  1. Run MMC.exe (Microsoft Management Console)
  2. Add Group Policy snap-in to the console
  3. Open Local Computer
  4. Browse to Policy\Computer Configuration\Windows Settings\Administrative Templates\Windows Components\Smart Card
  5. Disable Turn On Smart Card Plug And Play Services.

Command-line utility to selectively disable some smartcard minidrivers

The principle is to register in the system registry the ATRs of every smartcard we don’t want to go through the PnP feature, and to associate them to a dummy minidriver.

Here’s the technical part (details are to be found in MS’ reference article (http://support.microsoft.com/kb/976832/en-us),

  1. Create a branch under HKLM\Software\Microsoft\Cryptography\Calais\Smartcards, name the branch with any clever name that will describe the related smartcard
  2. In this branch create a REG_BINARY entry named ATR in which you put the smartcard’s ATR
  3. Create a REG_SZ entry named Crypto Provider and put the value $DisableSCPnP$ in it.

You may also add a REG_BINARY entry named ATRMask to associate this entry with more than one ATR. In the ATRMask, bits set to 1 means that the bits in ATR are relevant, and bits set to 0 act as wildcards.

 

A sample source code to do so is provided by MS’ with the article. We’ve  implemented this source code in a small command line tool, and added a lot of modifications to ease its use and to make it possible to disable smartcard PnP for any arbitrary-entered smartcard ATR, and not only for the smartcards physically inserted in the readers at the time of execution.

There are two binaries : pcsc_no_minidriver32.exe for 32-bit systems, and pcsc_no_minidriver64.exe for 64-bit systems. Invoke either software with the -h parameter to get help. With the -m parameter, the software starts monitoring all the PC/SC readers. For every card inserted, it disables the plug and play. Alternatively, the -a parameter let you specify the ATR (hexadecimal string) ; you may optionally use the -n parameter to specify a name for your smartcard (this is convenient if you want to remove it from the registry later on !).

Note, you must run this program as an administrator.

We supplied the software with 2 command line scripts (.CMD),

  • pcsc_no_minidriver_memory.cmd disables every memory card (ATR constructed according to PC/SC v.2 specification for memory cards)
  • pcsc_no_minidriver_well_known.cmd disables  some well-known contactless cards that do not have a minidriver (NXP Desfire, NXP Mifare Plus, various Calypso cards, …).

Of course, use this software and the related scripts with care and make sure you really do understand what it does, as it may prevent your system to work correctly with your 20$-cryptographic card that do need its minidriver to work with CryptoAPI.

Here’s the link to the package : http://www.springcard.com/download/pub/pcsc_no_minidriver.zip . It comes with complete source code. Just unzip in a local folder and enjoy.

Upgrade in our PC/SC SDK (release 1.20)

The release 1.20 of SpringCard PC/SC SDK is now available in the Download section of the website (direct link to latest version : http://www.springcard.com/download/find.php?file=pcsc-sdk). This SDK is meant to be used with our products in the SpringCard CSB6 Family (CSB6Prox’N’Roll PC/SCEasyFinger and CrazyWriter).

People working in the ’emerging’ NFC field will be glad to discover the updated versions of NFCTool, a .NET based application (written in C#) that makes it easy to create or to read NFC Tags compliant with the SmartPoster specification (as published by NFC Forum). Command-line nfc_create utility is also very useful to encode batches of NFC Tags.

The Desfire support library (pcsc_desfire.dll on Windows) has been upgraded; it now fully supports all the new features of NXP Desfire EV1 smartcards: AES and Triple-DES with 3 keys (3KDES), ISO 7816-4 compliant directories and files, card-level configuration. NXP Mifare UltraLight C chips are supported easily thanks to a new library (pcsc_mifulc.dll). Also, we’ve added in the SDK the Calypso support library (pcsc_calypso.dll) and its related sample software. All those libraries come with C source code.

New command line utilities have also been written for the ones who want to master PC/SC from its very basis, or have portability in mind. Most our C examples now run on Linux without any modification.

Cardpeek – open source tool to read the content of smartcards

We’ve discovered a new open source project (lead by “L1L1”) that sounds promising.

Cardpeek is a Linux tool to read the contents of ISO7816 smartcards. It uses a PC/SC reader to communicate with the card, and its GTK GUI represents card data is a tree view. Cardpeek list of supported cards is expandable thanks to a scripting language. Currently, the tool can explore EMV cards, Calypso cards (including the Navigo pass from Paris area, with translation of the station names -this part developed by pterjan), Moneo cards (french ePurse) and Vitale (french health card).

Here’s a few snapshot I’ve taken with a Prox’N’Roll PC/SC and my own Navigo card (Paris’ Calypso card)

Cardpeek + Prox'N'Roll PC/SC

Selecting Prox'N'Roll PC/SC reader

Content of a Calypso card: ATR and list of contracts

Card content explained: ATR and list of contracts

Content of a Calypso card: transport log

Card content explained: transport log, with station code translated to actual names

Project homepage : http://code.google.com/p/cardpeek/

A few more explanations on freshmeat : http://freshmeat.net/projects/cardpeek