CN107609362B - Method for logging in Windows system by smart card and private credential providing device - Google Patents

Info

Publication number: CN107609362B
Authority: CN (China)
Prior art keywords: credential, private, upper layer, providing device, smart card
Legal status: Active
Application number: CN201710979901.3A
Other languages: Chinese (zh)
Other versions: CN107609362A
Inventors: 陆舟, 于华章
Current Assignee: Feitian Technologies Co Ltd
Original Assignee: Feitian Technologies Co Ltd
Events: application filed by Feitian Technologies Co Ltd; priority to CN201710979901.3A; publication of CN107609362A; application granted; publication of CN107609362B; legal status active.

Landscapes

  • Lock And Its Accessories (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method for logging in a Windows system by a smart card, and a private credential providing device. The method comprises the following steps: when the first interface function of the private credential providing device is called, the private credential providing device finds the system default credential providing device among all credential providing devices, sets the system default credential providing device invisible, and returns a response to the upper layer; when the fifth interface function of the private credential providing device is called, the private credential providing device sets the personal identification code to a default value according to the personal identification code input box identifier, and returns a response to the upper layer; when the ninth interface function of the private credential providing device is called, the private credential providing device pops up the fingerprint verification box, prompts the user to input a fingerprint, and returns a response to the upper layer. The technical scheme of the invention does not confuse the user in the login interface, provides a friendly login interface, and improves the user experience.

Description

Method for logging in Windows system by smart card and private credential providing device
Technical Field
The invention relates to the field of information security, in particular to a method for logging in a Windows system by a smart card and a private credential providing device.
Background
With the development of technology, besides using traditional encryption algorithm and various security measures to ensure the security of smart cards, biometric identification technology is increasingly applied to the field of smart cards. Because fingerprints are easy to collect, more and more smart cards are used in a mode of combining fingerprint identification and other security technologies, and therefore the smart cards with fingerprint sensors appear.
The function of logging in the Windows system by using the smart card is common, and can be realized by a default Credential Provider (CP for short) of the Windows system. The process of logging in the Windows system by the user through the smart card comprises the following steps:
after the Windows system is loaded, the Local Security Authority (LSA) process calls the Winlogon process, the Winlogon process calls the Logon UI process and pops up a human-computer interaction interface, and the user inputs authentication information (namely a user name and a password) in the popped-up interface; the Logon UI process enumerates all credential providers (CPs) registered under a registry path and passes the authentication information entered by the user to them, each CP collects user credentials and returns the collected credentials to the Winlogon process, the Winlogon process provides the obtained credentials to the LSA, and the LSA calls the corresponding Cryptographic Service Provider (CSP) according to the credentials to authenticate the identity of the user.
However, in the prior art, when a user logs in to a Windows system with a smart card that has a fingerprint sensor, the default CP of the Windows system cannot meet the requirements. For example: the user interface during login is not friendly enough; the interfaces displayed for a smart card with a fingerprint sensor and for a smart card without one are identical, so the user cannot be told whether the current smart card has a fingerprint sensor, and a PIN input box appears in both cases. During login, the default CP is only responsible for collecting the certificate information and the PIN code and submitting them to the security process LSA for authentication, so the Windows system cannot prompt the user to verify a fingerprint in a pop-up box. And if a CP developed by the normal process is used, it overlaps with the default CP of the system during login to the Windows system, so that one certificate has two login options; the user easily clicks the wrong login option in the login interface, misoperation occurs, and the login interface is not friendly enough.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a method for logging in a Windows system by a smart card and a private credential providing device.
A method for logging in a Windows system by a smart card comprises the following steps:
the private credential provisioning device waits for an upper layer call,
when the first interface function of the private credential provisioning device is invoked, the private credential provisioning device finds a system default credential provisioning device from all credential provisioning devices, sets the system default credential provisioning device invisible, and returns a response to an upper layer;
when the third interface function of the private credential providing device is called, the private credential providing device acquires the number of credentials, acquires and stores the personal identification code input box identifier, acquires the name of the currently logged smart card, and returns a response to the upper layer;
when the fifth interface function of the private credential providing device is called, the private credential providing device sets the personal identification code as a default value according to the personal identification code input box identifier, and returns a response to the upper layer;
when the ninth interface function of the private credential providing device is called, the private credential providing device pops up a fingerprint verification box, prompts a user to input a fingerprint, and returns a response to the upper layer;
when the tenth interface function of the private credential providing device is called, the private credential providing device acquires credentials required by logging in a Windows system, returns a response to an upper layer, and sends the credentials required by logging in the Windows system to a local security authority service, wherein the credentials required by logging in the Windows system comprise an encryption service provider name, a name of a currently logged smart card, a container name and a key purpose.
Further, when the third interface function of the private credential providing device is called, the private credential providing device obtains the number of credentials, obtains and stores the personal identification code input box identifier, obtains the name of the currently logged-in smart card, and returns a response to the upper layer, specifically including:
when the third interface function of the private credential providing device is called, the private credential providing device acquires the number of credentials, acquires and stores the personal identification number input box identifier, acquires the name of the currently logged smart card, judges whether the currently logged smart card is a smart card with a fingerprint sensor according to the name of the currently logged smart card, acquires a judgment result, creates an object instance of the credentials according to the number of the credentials, stores the judgment result and the object instance of the credentials into a credential provider package type instance, and returns a response to an upper layer.
Further, when the second interface function of the private credential provisioning device is called, the private credential provisioning device creates and saves an instance of a system default credential provisioning device, and returns a response to the upper layer;
when the fourth interface function of the private credential provisioning device is invoked, the private credential provisioning device invokes the corresponding member function of the instance of the system default credential provisioning device and returns a response to the upper layer after the invocation is complete; wherein the corresponding member function is a member function corresponding to the fourth interface function;
when the sixth interface function of the private credential providing device is called, the private credential providing device sets the state of the personal identification code input box according to the personal identification code input box identifier and returns a response to the upper layer;
when the seventh interface function of the private credential providing device is called, the private credential providing device loads a special login picture of the smart card with the fingerprint sensor and returns a response to the upper layer;
when the eighth interface function of the private credential providing device is called, the private credential providing device sets the position of a submit button according to the saved identifier of the display information control, and returns a response to the upper layer;
when the third interface function of the private credential provisioning device is called, further comprising: the private credential providing device obtains and saves the identifier of the display information control.
Further, the obtaining of the number of credentials by the private credential providing device further comprises: the private credential providing device acquires a credential list of a Windows system and judges whether the credential list of the Windows system is empty; if so, the private credential providing device acquires the number of credentials, and if not, the private credential providing device clears the current credential list and the private credential providing device acquires the number of credentials.
Further, when the third interface function of the private credential providing device is called, the acquiring and storing the personal identification number input box identifier specifically includes:
step 101, the private credential providing device obtains the total number of field descriptors of all controls;
step 102, the private credential providing device starts traversing the field descriptors of all the controls in sequence;
step 103, the private credential providing device acquires the field descriptor of the current control, judges whether the current control is a personal identification number input box according to the acquired field descriptor of the current control, and if so executes step 105, otherwise executes step 104;
step 104, the private credential providing device judges whether the number of traversed field descriptors is equal to the total number of field descriptors of all the controls; if so, the process ends; if not, the field descriptor of the next control is taken as the field descriptor of the current control, and step 103 is executed again;
step 105, the private credential providing device saves the personal identification number input box identifier.
Further, the private credential providing device judges whether the current control is the personal identification code input box according to the acquired field descriptor of the current control, namely, the private credential providing device judges whether the type value of the field descriptor is a first preset value, if so, the current control is the personal identification code input box; if not, the current control is not the personal identification code input box.
Further, the obtaining and storing of the display information control identifier by the private credential providing device specifically includes:
step 201, the private credential providing device uses the personal identification number input box identifier as a starting point, and takes the identifier immediately before it as the current identifier;
step 202, the private credential providing device obtains the state of the control corresponding to the current identifier;
step 203, the private credential providing device judges whether the control is a display information control according to the state of the control, if so, step 204 is executed; if not, taking the previous identifier of the current identifier as the current identifier, and executing the step 202;
step 204, the private credential providing device saves the display information control identifier.
Further, the private credential providing device determines, according to the state of the control, whether the control is a display information control, specifically: the private credential providing device judges whether the value of the state of the control is a second preset value; if so, the control is determined to be a display information control, and if not, the control is determined not to be a display information control.
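As an added example (not the patent's own code), the two searches of steps 101-105 and 201-204 in plain C++ against a constructed stand-in for the field descriptor table: the PIN input box is located by its type value (the "first preset value"), and the display information control by walking backwards from it and comparing the state value (the "second preset value"). Assumptions: the preset constants and the sample layout are constructed, and a field's identifier equals its index in the table; a lower bound is added to the backward walk so it cannot run past the first control, which the page's step 203 leaves unbounded.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Constructed stand-in for a credential provider field descriptor. Only the
// members the two searches use are modelled; the real Windows structure has more.
struct FieldDescriptor {
    int id;             // field identifier; assumed equal to the index in the table
    unsigned type;      // control type value, compared with the first preset value
    unsigned state;     // control state value, compared with the second preset value
    std::string label;  // human-readable name, for the demo printout only
};

// Constructed preset values (assumptions, not taken from the patent text).
constexpr unsigned kPinBoxType       = 3;  // "first preset value": type of a PIN input box
constexpr unsigned kDisplayInfoState = 7;  // "second preset value": state of a display information control
constexpr int kNotFound = -1;

// Steps 101-105: traverse every field descriptor in order and return the
// identifier of the first control whose type value is the PIN-box preset.
int findPinBoxId(const std::vector<FieldDescriptor>& fields) {
    for (const FieldDescriptor& f : fields) {          // steps 102-104: sequential traversal
        if (f.type == kPinBoxType) return f.id;        // step 103 true -> step 105: save the ID
    }
    return kNotFound;                                  // step 104: all descriptors visited, none matched
}

// Steps 201-204: start from the identifier just before the PIN box and walk
// backwards until a control whose state equals the display-information preset
// is found. Stops at identifier 0 and reports kNotFound instead of walking
// off the table; also rejects a PIN identifier that is not a valid index.
int findDisplayInfoId(const std::vector<FieldDescriptor>& fields, int pinBoxId) {
    if (pinBoxId <= 0 || pinBoxId >= static_cast<int>(fields.size())) return kNotFound;
    for (int id = pinBoxId - 1; id >= 0; --id) {      // step 201 / step 203 "previous identifier"
        if (fields[id].state == kDisplayInfoState)     // step 202-203: inspect the control's state
            return fields[id].id;                      // step 204: save the display information ID
    }
    return kNotFound;
}

struct ControlIds { int pinBox; int displayInfo; };

// Runs both searches the way the third interface function would, in order.
ControlIds locateControls(const std::vector<FieldDescriptor>& fields) {
    ControlIds r;
    r.pinBox = findPinBoxId(fields);
    r.displayInfo = findDisplayInfoId(fields, r.pinBox);
    return r;
}

// Constructed sample tile layout: image, card name, status text, PIN box, submit.
std::vector<FieldDescriptor> sampleLayout() {
    return {
        {0, 1, 0, "tile image"},
        {1, 2, 0, "card name"},
        {2, 2, kDisplayInfoState, "status text"},
        {3, kPinBoxType, 0, "PIN"},
        {4, 5, 0, "submit button"},
    };
}

int main() {
    ControlIds ids = locateControls(sampleLayout());
    std::printf("PIN input box ID: %d, display information control ID: %d\n",
                ids.pinBox, ids.displayInfo);
    return 0;
}
```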
Further, when the third interface function of the private credential providing device is called, acquiring the name of the currently logged-in smart card specifically includes: the private credential providing device calls a member function of an object instance of the credential, acquires encapsulation data submitted to local security authority service by the current login smart card, and analyzes the encapsulation data to acquire the name of the current login smart card.
Further, the setting of the state of the personal identification number input box by the private credential providing device according to the personal identification number input box identifier specifically includes: and the private credential providing device sets the state of the personal identification code input box to be invisible according to the personal identification code input box identifier.
Further, when the fifth interface function of the private credential providing device is called, the private credential providing device sets the personal identification code as a default value according to the personal identification code input box identifier, specifically: when the fifth interface function of the private credential providing device is called, the private credential providing device judges that the currently logged-in smart card is a smart card with a fingerprint sensor according to the judgment result stored in the credential provider packaging class instance, and then sets the personal identification code as a default value according to the personal identification code input box identifier.
Further, when a seventh interface function of the private credential providing device is called, the private credential providing device loads a login picture dedicated for the smart card with the fingerprint sensor, specifically: and the private credential providing device loads the special login picture of the smart card with the fingerprint sensor after judging that the current login smart card is the smart card with the fingerprint sensor according to the judgment result stored in the credential provider packaging type example.
Further, when the eighth interface function of the private credential providing device is called, the private credential providing device sets a position of a submit button according to the saved identifier of the display information control, specifically: and the private credential providing device sets the position of a submission button according to the stored identification of the display information control after judging that the currently logged smart card is the smart card with the fingerprint sensor according to the judgment result stored in the credential provider packaging class example.
Further, when the sixth interface function of the private credential providing device is called, the private credential providing device sets the state of the personal identification number input box according to the personal identification number input box identifier, specifically: the private credential providing device judges that the currently logged-in smart card is a smart card with a fingerprint sensor according to the judgment result stored in the credential provider package class instance, and then sets the state of the personal identification code input box according to the personal identification code input box identifier.
A private credential provisioning device comprising:
the first operation module is used for finding out a default credential providing device of the system from all credential providing devices when the first interface function is called by the upper layer, setting the default credential providing device of the system to be invisible and returning a response to the upper layer;
the third operation module is used for acquiring the number of the credentials, acquiring and storing the personal identification code input box identifier, acquiring the name of the currently logged smart card and returning a response to the upper layer when the third interface function is called by the upper layer;
the fifth operation module is used for setting the personal identification code as a default value according to the personal identification code input box identification when the fifth interface function is called by the upper layer, and returning a response to the upper layer;
the ninth operation module is used for popping up a fingerprint verification box when the ninth interface function is called by the upper layer, prompting a user to input a fingerprint and returning a response to the upper layer;
and the tenth operation module is used for acquiring the credential required by the login Windows system when the tenth interface function is called by the upper layer, returning a response to the upper layer, and sending the credential required by the login Windows system to the local security authority service, wherein the credential required by the login Windows system comprises an encryption service providing program name, the name of the currently logged-in smart card, a container name and a key purpose.
Further, the third operation module specifically includes:
the acquisition unit is used for acquiring the number of credentials, acquiring and storing the personal identification code input box identifier, acquiring the name of the currently logged-in smart card, and acquiring a judgment result after the second judgment unit judges whether the currently logged-in smart card is a smart card with a fingerprint sensor;
the second judgment unit is used for judging whether the currently logged-in smart card is a smart card with a fingerprint sensor according to the name of the currently logged-in smart card acquired by the acquisition unit;
an instance creating unit configured to create an object instance of the credential according to the number of the credentials acquired by the acquiring unit;
a storage unit, configured to store the judgment result obtained by the acquisition unit and the object instance of the credential created by the instance creating unit according to the number of credentials into a credential provider package class instance;
and the response unit is used for returning a response to the upper layer.
Further, the private credential providing device further comprises:
the second operation module is used for creating and storing an example of the system default credential providing device when the second interface function is called by the upper layer, and returning a response to the upper layer;
the fourth operation module is used for calling the corresponding member function of the instance of the system default credential providing device when the fourth interface function is called by the upper layer, and returning a response to the upper layer after the calling is finished; the corresponding member function is a member function corresponding to the fourth interface function;
the sixth operation module is used for setting the state of the personal identification code input box according to the personal identification code input box identification when the sixth interface function is called by the upper layer and returning a response to the upper layer;
the seventh operation module is used for loading the special login picture of the smart card with the fingerprint sensor when the seventh interface function is called by the upper layer and returning a response to the upper layer;
the eighth operation module is used for setting the position of the submission button according to the stored identifier of the display information control when the eighth interface function is called by the upper layer, and returning a response to the upper layer; and the third operation module is also used for acquiring and storing the identifier of the display information control.
Further, the third operation module further includes:
the first judging unit is used for judging whether the credential list of the Windows system acquired by the acquiring unit is empty or not;
the clearing unit is used for clearing the credential list of the Windows system when the first judging unit judges that the acquired credential list of the Windows system is not empty;
correspondingly, the acquisition unit is also used for obtaining the credential list of the Windows system; acquiring the number of credentials when the first judging unit judges that the acquired credential list of the Windows system is empty; and acquiring the number of credentials after the clearing unit clears the credential list of the Windows system.
Further, the third operating module further includes:
the traversal unit is used for starting traversal of the field descriptors of all the controls in sequence;
the third judging unit is used for judging whether the current control is a personal identification code input frame or not according to the field descriptor of the current control acquired by the acquiring unit;
the fourth judging unit is used for judging whether the number of the traversed field descriptors of the control is equal to the total number of the field descriptors of all the controls or not when the third judging unit judges that the current control is not the personal identification code input frame;
the acquisition unit is further used for acquiring the total number of field descriptors of all the controls, acquiring the field descriptor of the current control, and, when the fourth judging unit judges that the number of traversed field descriptors is not equal to the total number of field descriptors of all the controls, acquiring the field descriptor of the next control as the field descriptor of the current control and then triggering the third judging unit;
the storage unit is also used for storing the identification of the personal identification code input box.
Further, the second judging unit is specifically configured to judge whether the type value of the field descriptor is a first preset value, and if so, judge that the current control is the pin input box; otherwise, judging that the current control is not the personal identification code input box.
Further, the third operating module further includes:
the fourth judging unit is used for judging whether the control is a display information control according to the state of the control;
the searching unit is used for taking the personal identification code input box mark as a starting point and taking the former mark as the current mark; when the fourth judging unit judges that the control is not the display information control, the previous identification of the current identification is used as the current identification;
the acquiring unit is further configured to acquire a state of the control corresponding to the current identifier;
the storage unit is further configured to store the identifier of the display information control when the fourth determination unit determines that the control is a display information control.
Further, the fourth determining unit is specifically configured to determine whether the state value of the control is a second preset value, if so, determine that the control is a display information control, and otherwise, determine that the control is not a display information control.
Further, the third operation module is specifically configured to, when the third interface function is called by the upper layer, obtain the number of credentials, obtain and store the personal identification code input box identifier, call a member function of an object instance of the credentials to obtain the encapsulation data submitted to the local security authority service by the currently logged-in smart card, analyze the encapsulation data, obtain the name of the currently logged-in smart card, and return a response to the upper layer.
Further, the sixth operation module is specifically configured to set the state of the personal identification code input box to invisible when the sixth interface function is called by the upper layer, and return a response to the upper layer.
Further, the fifth operation module is specifically configured to, when the fifth interface function is called by the upper layer, determine that the currently logged-in smart card is a smart card with a fingerprint sensor according to a determination result stored in a credential provider package type instance, set the personal identification number to a default value according to the personal identification number input box identifier, and return a response to the upper layer.
Further, the seventh operation module is specifically configured to, when the seventh interface function is called by the upper layer, load a dedicated login picture for the smart card with the fingerprint sensor after determining that the currently logged-in smart card is the smart card with the fingerprint sensor according to the determination result stored in the credential provider package type instance, and return a response to the upper layer.
Further, the eighth operation module is specifically configured to, when the eighth interface function is called by the upper layer, set a position of a submit button according to the stored identifier of the display information control after determining that the currently logged-in smart card is a smart card with a fingerprint sensor according to the determination result stored in the credential provider encapsulation class instance, and return a response to the upper layer.
Further, the sixth operation module is specifically configured to, when the sixth interface function is called by the upper layer, set the state of the personal identification code input box according to the personal identification code input box identifier after determining that the currently logged-in smart card is a smart card with a fingerprint sensor according to the judgment result stored in the credential provider package class instance, and return a response to the upper layer.
Compared with the prior art, the technical scheme of the invention has the following advantages: the method for logging in the Windows system by the smart card and the private credential providing device provided by the invention can realize the condition that only one login option is displayed by one certificate when the smart card with the fingerprint sensor is used for logging in the Windows system, so that a user is not confused in a login interface, a friendly login interface is provided, and the use experience of the user is improved.
Drawings
Fig. 1 is a flowchart of a method for logging in a Windows system by a smart card according to embodiment 1 of the present invention;
fig. 2 is a flowchart of a method for logging in a Windows system by using a smart card according to embodiment 2 of the present invention;
fig. 3 is a flowchart illustrating an operation of the private CP device when the third interface is called in embodiment 2 of the present invention;
fig. 4 is a detailed flowchart of the private CP apparatus obtaining and storing the ID of the PIN code entry box in embodiment 2 of the present invention;
fig. 5 is a detailed flowchart of obtaining and storing an ID of a display information control by a private CP in embodiment 2 of the present invention;
fig. 6 is a diagram of a private credential providing device according to embodiment 3 of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be described clearly and completely with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, belong to the scope of the present invention.
For the convenience of understanding of the embodiments of the present invention, the following description will be further explained with reference to specific embodiments, which are not to be construed as limiting the embodiments of the present invention.
Description of terms:
the CP is a credential provisioning device.
The system default CP is a system default credential provisioning device.
The private CP is a private credential provisioning device.
The PIN code is a personal identification number.
The PIN code input box is a personal identification number input box.
The PIN code input box ID is a personal identification number input box identification.
The CwrappCredental instance is a credential provider package class instance.
Exe is the local security authority service.
The object instance of the Credential is an object instance of a Credential.
The ID is an identification.
The CSP is a cryptographic service provider.
Example 1
Embodiment 1 of the invention provides a method for logging in to a Windows system with a smart card. As shown in fig. 1, the process is as follows:
step 1, the private credential providing device waits for a call from the upper layer;
when the first interface function of the private credential providing device is called, step 2 is executed;
when the third interface function of the private credential providing device is called, step 3 is executed;
when the fifth interface function of the private credential providing device is called, step 4 is executed;
when the ninth interface function of the private credential providing device is called, step 5 is executed;
when the tenth interface function of the private credential providing device is called, step 6 is executed.
Specifically, the upper layer may be a program that implements the login function, such as LogonUI.exe.
Step 2: the private credential providing device finds the system default credential providing device among all credential providing devices, sets the system default credential providing device invisible, and returns a response to the upper layer.
Step 3: the private credential providing device acquires the number of credentials, acquires and stores the personal identification code input box identifier, acquires the name of the currently logged-in smart card, and returns a response to the upper layer.
Further, step 3 may specifically include:
the private credential providing device acquires the number of credentials, acquires and stores the personal identification code input box identifier, acquires the name of the currently logged-in smart card, judges from that name whether the currently logged-in smart card is a smart card with a fingerprint sensor and obtains a judgment result, creates credential object instances according to the number of credentials, stores the judgment result and the credential object instances in a credential provider wrapper instance, and returns a response to the upper layer.
Further, before acquiring the number of credentials, the private credential providing device may acquire the credential list of the Windows system and judge whether it is empty: if it is empty, the private credential providing device acquires the number of credentials; if it is not empty, the private credential providing device clears the credential list of the Windows system and then acquires the number of credentials.
Step 4: the private credential providing device sets the personal identification code to a default value according to the personal identification code input box identifier, and returns a response to the upper layer.
Step 5: the private credential providing device pops up a fingerprint verification box, prompts the user to present a fingerprint, and returns a response to the upper layer.
Step 6: the private credential providing device acquires the credentials required for logging in to the Windows system, returns a response to the upper layer, and sends those credentials to the local security authority service. The credentials required for logging in to the Windows system comprise the name of the cryptographic service provider, the name of the currently logged-in smart card (the reader name), the container name and the key usage (key spec).
Example 2
Embodiment 2 of the invention provides a method for logging in to a Windows system with a smart card. As shown in fig. 2, the process is as follows:
step S1, the private credential providing device (private CP for short) waits for the upper layer call;
when the first interface function of the private CP is called, step S2 is performed; when the second interface function of the private CP is called, step S3 is performed; when the third interface function of the private CP is called, step S4 is performed; when the fourth interface function of the private CP is called, step S5 is performed; when the fifth interface function of the private CP is called, step S6 is performed; when the sixth interface function of the private CP is called, step S7 is performed; when the seventh interface function of the private CP is called, step S8 is performed; when the eighth interface function of the private CP is called, step S9 is performed; when the ninth interface function of the private CP is called, step S10 is performed, and when the fingerprint authentication is passed and the tenth interface function of the private CP is called, step S11 is performed.
The upper layer is a program that implements the login function, such as LogonUI.exe.
In step S2, the private CP finds the system default CP, sets the system default CP invisible, and returns a response to the upper layer.
In this embodiment, the first interface function is the Filter method of the ICredentialProviderFilter interface implemented by the private CP;
specifically, the Filter function is:
HRESULT CWrappedProvider::Filter(CREDENTIAL_PROVIDER_USAGE_SCENARIO cpus, DWORD dwFlags, GUID* rgclsidProviders, BOOL* rgbAllow, DWORD cProviders)
Specifically, when the upper layer calls the first interface function, the private CP finds the system default CP among all CPs by its CLSID, that is, by comparing the entries of the rgclsidProviders parameter; it then sets the rgbAllow entry corresponding to the system default CP to FALSE, so that the private CP filters out the system default CP and the system default CP becomes invisible;
after completing the above operation, the private CP returns a response to the upper layer.
Specifically, returning a response to the upper layer means that, if the operation completes normally, the private CP returns an operation-succeeded response to the upper layer; if the operation fails, the private CP returns a parameter error or an operation result error to the upper layer.
In step S3, the private CP creates and stores an instance of the system default CP, and returns a response to the upper layer.
In this embodiment, the second interface function is the SetUsageScenario method of the ICredentialProvider interface;
specifically: when the upper layer calls SetUsageScenario on the private CP, the private CP calls CoCreateInstance to create an instance of the system default CP and stores that instance;
after completing the operation, the private CP returns a response to the upper layer;
specifically, if the operation completes normally, the private CP returns an operation-succeeded response to the upper layer; if the operation fails, the private CP returns a parameter error or an operation result error to the upper layer.
Step S4, the private CP acquires the number of credentials, acquires and stores the PIN code input box ID, acquires the name of the currently logged-in smart card, judges whether the currently logged-in smart card is a smart card with a fingerprint sensor, and returns a response to the upper layer.
Specifically, as shown in fig. 3, the private CP performs the following operations in step S4:
step 201, the private CP acquires the credential list of the Windows system and judges whether it is empty; if it is empty, step 202 is executed; if it is not, the private CP clears the credential list of the Windows system and then executes step 202;
specifically, the third interface function is the GetCredentialCount method of the ICredentialProvider interface;
when the upper layer calls GetCredentialCount, the private CP acquires the credential list of the Windows system and judges whether it is empty; if it is empty, step 202 is executed; if it is not empty, the private CP clears the current credential list and then executes step 202;
step 202, the private CP acquires the number of credentials;
specifically, the private CP calls the GetCredentialCount member function of the system default CP instance to acquire the number of credentials.
Step 203, the private CP acquires the ID of the PIN code input box and stores it;
specifically, as shown in fig. 4, step 203 includes the following steps:
step 203-1, the private CP calls the GetFieldDescriptorCount member function of the system default CP instance to acquire the total number of field descriptors, one per control;
step 203-2, the private CP traverses the field descriptors of all controls in order;
step 203-3, the private CP calls the GetFieldDescriptorAt member function of the system default CP instance to acquire the field descriptor of the current control and judges from it whether the current control is the PIN code input box; if so, step 203-5 is executed, otherwise step 203-4 is executed;
the private CP judges whether the current control is the PIN code input box as follows: it checks whether the type of the field descriptor equals a first preset value, for example CPFT_PASSWORD_TEXT; if it does, the current control is judged to be the PIN code input box and step 203-5 is executed; if it does not, step 203-4 is executed.
In step 203-4, the private CP judges whether the number of field descriptors traversed equals the total number acquired in step 203-1; if so, the traversal ends; if not, the field descriptor of the next control is acquired and step 203-3 is executed again.
Step 203-5, the ID of the PIN code input box is stored and the traversal ends;
step 204, the private CP acquires the Credential object instance and the name of the currently logged-in smart card.
The private CP calls the GetCredentialAt member function of the system default CP instance, once per credential according to the number acquired in step 202, to obtain the Credential object instances;
the private CP calls the GetSerialization member function of the Credential object instance to obtain the serialized data the currently logged-in smart card would submit to Lsass.exe, and parses that data to obtain the reader name of the logged-in smart card.
In step 205, the private CP judges from the acquired reader name whether the currently logged-in smart card is a smart card with a fingerprint sensor, and obtains the judgment result.
Specifically, the private CP calls the middleware extension interface with the reader name to judge whether the card is a smart card with a fingerprint sensor, and obtains the judgment result.
In step 206, the private CP creates a CWrappedCredential instance and stores the judgment result and the Credential object instance in it.
Specifically, the private CP creates CWrappedCredential instances according to the number of credentials obtained in step 202, and stores the judgment result and the Credential object instances obtained in step 204 in them.
For example, if the number of credentials obtained is 1, one CWrappedCredential instance is created; if it is 2, two CWrappedCredential instances are created. The CWrappedCredential class implements the ICredentialProviderCredential interface.
Specifically, the private CP stores the previously obtained judgment result and the Credential object instance in the CWrappedCredential instance. In this way the judgment of whether the currently logged-in smart card has a fingerprint sensor is associated with the Credential object instance, and the associated data is kept in the CWrappedCredential instance.
Step 207, the private CP acquires the ID of the display information control and stores it.
Specifically, as shown in fig. 5, step 207 includes the following steps:
in step 207-1, the private CP starts from the PIN code input box ID and takes the ID immediately before it as the current ID.
Step 207-2, the private CP calls the GetFieldState member function of the CWrappedCredential instance to obtain the state of the control with the current ID;
step 207-3, the private CP judges from that state whether the control is a display information control; if so, step 207-4 is executed; if not, the ID before the current ID becomes the current ID and step 207-2 is executed again.
Specifically, the private CP judges whether the state of the control equals a second preset value, for example CPFS_DISPLAY_IN_SELECTED_TILE or CPFS_DISPLAY_IN_BOTH; if so, the control is judged to be a display information control, otherwise it is not.
In step 207-4, the private CP stores the ID of the display information control.
After completing the above operations for the third interface function, the private CP returns a response to the upper layer.
Specifically, if the operation completes normally, the private CP returns an operation-succeeded response to the upper layer; if the operation fails, the private CP returns a parameter error or an operation result error to the upper layer.
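The two traversals of steps 203 and 207 (find the PIN box by field type, then walk backwards from it to the nearest control shown in the selected tile), as an added C++ example that is not code from the patent or from Feitian. It builds without the Windows SDK: the CPFT_* and CPFS_* values are copied from credentialprovider.h, the Field struct stands in for what GetFieldDescriptorAt and GetFieldState report, the vector index is assumed to be the field ID, and the sample tile is constructed for this example. Unlike the page's description, the backward walk stops at field 0 instead of running past it when no display control precedes the PIN box, and a tile without a PIN box is reported as such rather than hiding field 0.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Values mirrored from credentialprovider.h so this compiles without the Windows SDK.
enum FieldType  { CPFT_INVALID = 0, CPFT_LARGE_TEXT, CPFT_SMALL_TEXT, CPFT_COMMAND_LINK,
                  CPFT_EDIT_TEXT, CPFT_PASSWORD_TEXT, CPFT_TILE_IMAGE, CPFT_CHECKBOX,
                  CPFT_COMBOBOX, CPFT_SUBMIT_BUTTON };
enum FieldState { CPFS_HIDDEN = 0, CPFS_DISPLAY_IN_SELECTED_TILE,
                  CPFS_DISPLAY_IN_DESELECTED_TILE, CPFS_DISPLAY_IN_BOTH };

// One control of the wrapped credential's tile: the type GetFieldDescriptorAt
// would report and the state GetFieldState would report. The vector index is
// used as the field ID (assumption: IDs run 0..count-1 like descriptor indexes).
struct Field {
    FieldType   type;
    FieldState  state;
    std::string label;   // for readability only
};

// Step 203: the PIN box is the first field whose descriptor type is
// CPFT_PASSWORD_TEXT. Returns -1 when the tile has no PIN box.
int FindPinFieldId(const std::vector<Field>& fields) {
    for (std::size_t id = 0; id < fields.size(); ++id) {
        if (fields[id].type == CPFT_PASSWORD_TEXT) return static_cast<int>(id);
    }
    return -1;
}

// Step 207: starting from the field just before the PIN box, walk backwards
// until a field whose state shows it in the selected tile. Returns -1 if field
// 0 is passed without a match, a bound the page's loop leaves implicit.
int FindDisplayFieldBefore(const std::vector<Field>& fields, int pinId) {
    if (pinId < 0 || static_cast<std::size_t>(pinId) > fields.size()) return -1;
    for (int id = pinId - 1; id >= 0; --id) {
        FieldState s = fields[id].state;
        if (s == CPFS_DISPLAY_IN_SELECTED_TILE || s == CPFS_DISPLAY_IN_BOTH) return id;
    }
    return -1;
}

// Constructed sample tile: the usual smart-card layout plus a hidden status
// field directly in front of the PIN box, so the backward walk has to skip one.
std::vector<Field> SampleSmartCardTile() {
    return {
        {CPFT_TILE_IMAGE,    CPFS_DISPLAY_IN_BOTH,          "card image"},
        {CPFT_LARGE_TEXT,    CPFS_DISPLAY_IN_BOTH,          "user@example.test"},
        {CPFT_SMALL_TEXT,    CPFS_DISPLAY_IN_SELECTED_TILE, "Smart card"},
        {CPFT_SMALL_TEXT,    CPFS_HIDDEN,                   "status (hidden)"},
        {CPFT_PASSWORD_TEXT, CPFS_DISPLAY_IN_SELECTED_TILE, "PIN"},
        {CPFT_SUBMIT_BUTTON, CPFS_DISPLAY_IN_SELECTED_TILE, "Submit"}
    };
}

int main() {
    std::vector<Field> tile = SampleSmartCardTile();
    int pin     = FindPinFieldId(tile);               // 4
    int display = FindDisplayFieldBefore(tile, pin);  // 2: hidden field 3 is skipped
    return (pin == 4 && display == 2) ? 0 : 1;
}
```

The returned display field ID is what step S9 later writes to pdwAdjacentTo so that the submit button lands next to the visible text instead of next to the PIN box that the wrapper hides.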
Step S5, the private CP calls the corresponding member function of the system default CP instance and, after the call completes, returns a response to the upper layer.
The fourth interface function is any of the other member functions of ICredentialProvider.
Specifically, when the upper layer calls one of the other member functions of ICredentialProvider, the private CP calls the corresponding member function of the system default CP instance and returns a response to the upper layer.
Specifically, the other member functions of ICredentialProvider include:
(Table of the remaining ICredentialProvider member functions; shown as an image in the original.)
Specifically, if the operation completes normally, the private CP returns an operation-succeeded response to the upper layer; if the operation fails, the private CP returns a parameter error or an operation result error to the upper layer.
In step S6, the private CP sets the PIN code to a default value and returns a response to the upper layer.
Specifically, the fifth interface function is the SetSelected member function of the CWrappedCredential instance.
When the upper layer calls SetSelected on the CWrappedCredential instance, the private CP judges whether the currently logged-in smart card is a smart card with a fingerprint sensor. If it is, the PIN code is set to a default value, for example 1234, after which the private CP calls SetSelected on the wrapped Credential object instance and returns a response to the upper layer.
If the currently logged-in smart card is not a smart card with a fingerprint sensor, the private CP calls SetSelected on the wrapped Credential object instance and returns a response to the upper layer.
The private CP makes this judgment from the result of whether the currently logged-in smart card has a fingerprint sensor stored in the CWrappedCredential instance in step 206.
Specifically, if the operation completes normally, the private CP returns an operation-succeeded response to the upper layer; if the operation fails, the private CP returns a parameter error or an operation result error to the upper layer.
In step S7, the private CP sets the state of the PIN code input box and returns a response to the upper layer.
Specifically, the sixth interface function is the GetFieldState member function of the CWrappedCredential instance. When the upper layer calls it, the private CP judges whether the currently logged-in smart card is a smart card with a fingerprint sensor; if so, it sets the state of the PIN code input box, identified by the stored PIN code input box ID, to invisible (CPFS_HIDDEN) and returns a response to the upper layer by calling GetFieldState on the wrapped Credential object instance; if not, the private CP directly calls GetFieldState on the wrapped Credential object instance and returns a response to the upper layer.
Specifically, if the operation completes normally, the private CP returns an operation-succeeded response to the upper layer; if the operation fails, the private CP returns a parameter error or an operation result error to the upper layer.
Step S8, the private CP loads the login picture specific to the smart card with a fingerprint sensor and returns a response to the upper layer.
The seventh interface function is the GetBitmapValue member function of the CWrappedCredential instance, that is
GetBitmapValue(__in DWORD dwFieldID, __out HBITMAP* phbmp);
Specifically, when the upper layer calls GetBitmapValue on the CWrappedCredential instance, the private CP judges whether the currently logged-in smart card is a smart card with a fingerprint sensor. If so, the private CP loads the picture specific to the smart card with a fingerprint sensor, that is, that card's logo, obtains a bitmap handle for it through a system API, writes the handle to the output parameter phbmp, calls GetBitmapValue on the wrapped Credential object instance, and returns a response to the upper layer.
If not, the private CP loads the system's default smart card logo; specifically, it directly calls GetBitmapValue on the wrapped Credential object instance and returns a response to the upper layer.
In this step the private CP makes the judgment from the result stored in the CWrappedCredential instance in step 206.
Specifically, if the operation completes normally, the private CP returns an operation-succeeded response to the upper layer; if the operation fails, the private CP returns a parameter error or an operation result error to the upper layer.
In step S9, the private CP sets the position of the submit button and returns a response to the upper layer.
Specifically, the eighth interface function is the GetSubmitButtonValue member function of the CWrappedCredential instance, that is, GetSubmitButtonValue(__in DWORD dwFieldID, __out DWORD* pdwAdjacentTo);
the position of the submit button may be preset, specifically by writing the ID of the display information control stored in step 207 to the pdwAdjacentTo output parameter of GetSubmitButtonValue.
This step is described with the example of placing the submit button after the display information control.
When the upper layer calls GetSubmitButtonValue on the CWrappedCredential instance, the private CP judges whether the currently logged-in smart card is a smart card with a fingerprint sensor; if so, it places the submit button after the display information control, that is, it writes the ID of the display information control stored in step 207 to the __out DWORD parameter pdwAdjacentTo.
If not, the private CP calls GetSubmitButtonValue on the wrapped Credential object instance and returns a response to the upper layer.
Further, the submit button may be placed at any position relative to the control, such as before it, below it, to its left or to its right.
In this step the private CP makes the judgment from the result stored in the CWrappedCredential instance in step 206.
Specifically, if the operation completes normally, the private CP returns an operation-succeeded response to the upper layer; if the operation fails, the private CP returns a parameter error or an operation result error to the upper layer.
In step S10, the private CP pops up a fingerprint verification box, prompts the user to present a fingerprint, and returns a response to the upper layer.
Specifically, the ninth interface function is the GetSerialization member function of the CWrappedCredential instance:
GetSerialization(__out CREDENTIAL_PROVIDER_GET_SERIALIZATION_RESPONSE* pcpgsr,
__out CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION* pcpcs,
__deref_out_opt PWSTR* ppwszOptionalStatusText,
__out CREDENTIAL_PROVIDER_STATUS_ICON* pcpsiOptionalStatusIcon);
Specifically, after the upper layer receives the user's click on the submit button, it calls the ninth interface function of the private CP, that is, GetSerialization on the CWrappedCredential instance. The private CP then judges whether the currently logged-in smart card is a smart card with a fingerprint sensor. If it is, a fingerprint verification box is popped up prompting the user to verify a fingerprint; if it is not, the private CP directly calls GetSerialization on the wrapped Credential object instance, returns a response to the upper layer, and the process ends.
For example, in this embodiment, if the private CP judges that the currently logged-in smart card is not a smart card with a fingerprint sensor, it directly calls the GetSerialization member function of the Credential object instance.
In this step the private CP makes the judgment from the result stored in the CWrappedCredential instance in step 206.
Specifically, if the operation completes normally, the private CP returns an operation-succeeded response to the upper layer; if the operation fails, the private CP returns a parameter error or an operation result error to the upper layer.
In step S11, the private CP acquires the data required for logging in to the Windows system, returns a response to the upper layer, and sends that data to Lsass.exe.
Specifically, the tenth interface function is the GetSerialization member function of the wrapped Credential object instance.
When the tenth interface function is called, the private CP acquires the data required for logging in to the Windows system, comprising the CSP name, the reader name, the container name, the key usage (key spec) and the PIN default value, carried in
typedef struct _CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION { ULONG ulAuthenticationPackage; GUID clsidCredentialProvider; ULONG cbSerialization; byte* rgbSerialization; } CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION;
The private CP returns a response to the upper layer and sends the acquired data to Lsass.exe.
Specifically, if the operation completes normally, the private CP returns an operation-succeeded response to the upper layer; if the operation fails, the private CP returns a parameter error or an operation result error to the upper layer.
Specifically, after the private CP has sent the acquired data to Lsass.exe, Lsass.exe performs the following operations:
step 1201, Lsass.exe finds the CSP matching the CSP name for the smart card with a fingerprint sensor and calls that CSP's CryptAcquireContext function, passing the CSP name as pszProvider and the container name in the form \\.\<Reader name>\<Container name> as pszContainer; when the call succeeds, a provider handle is returned to Lsass.exe through the first parameter, OUT HCRYPTPROV *phProv.
Step 1202, Lsass.exe calls the CryptSetProvParam function. The CSP checks the second parameter, IN DWORD dwParam: if it equals a third preset value, namely 32 (PP_KEYEXCHANGE_PIN) or 33 (PP_SIGNATURE_PIN), the CSP judges whether the currently logged-in smart card is a smart card with a fingerprint sensor. If it is, the CSP checks whether the third parameter, IN BYTE *pbData, equals the preset key; if so, it directly returns a success response to the upper layer, otherwise it returns a failure response to the upper layer. If it is not a smart card with a fingerprint sensor, the value of the third parameter is treated as the PIN code and sent in an APDU instruction to the card operating system (COS) of the smart card, which verifies the PIN code; if verification succeeds, a success response is returned to the upper layer, and if it fails, an error response is returned to the upper layer.
Step 1203, Lsass.exe calls the CryptSignHash function to sign a random challenge.
Specifically, the IN DWORD dwKeySpec parameter of CryptSignHash selects the key usage; the smart card with the fingerprint sensor locates the private key that corresponds to that key usage, signs the hash of the random data with it, and the signature is returned through CryptSignHash to Lsass.
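The PIN-parameter branch of step 1202, as an added C++ example that is not code from the patent or from Feitian's CSP. It models the decision the page describes for CryptSetProvParam: for a card with a fingerprint sensor the CSP compares pbData against the preset key (1234 in the page's example) and never talks to the card; for any other card it forwards pbData to the card OS for verification. The constants 32 and 33 are PP_KEYEXCHANGE_PIN and PP_SIGNATURE_PIN from wincrypt.h; the ISO 7816-4 VERIFY APDU layout (CLA 00, INS 20, P2 80) and the SimulatedCardOS with its retry counter are this example's assumptions, since the page only says that an APDU is sent. Running the two branches side by side makes the division of trust visible: on the fingerprint path the PIN value is a fixed marker rather than a secret, so that login rests entirely on the fingerprint check performed in the CP before the marker reaches Lsass.exe.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

// dwParam values of CryptSetProvParam that carry a PIN (wincrypt.h).
constexpr uint32_t PP_KEYEXCHANGE_PIN = 32;
constexpr uint32_t PP_SIGNATURE_PIN   = 33;

// Stand-in for the card OS of a smart card without a fingerprint sensor. It
// answers an ISO 7816-4 VERIFY APDU (CLA 00, INS 20, P1 00, P2 80, Lc, PIN)
// with the two status bytes SW1 SW2. The APDU layout and the retry counter are
// assumptions of this example, not taken from the page.
class SimulatedCardOS {
public:
    SimulatedCardOS(std::string pin, int retries)
        : pin_(std::move(pin)), retries_(retries) {}

    uint16_t Transmit(const std::vector<uint8_t>& apdu) {
        if (apdu.size() < 5 || apdu[0] != 0x00 || apdu[1] != 0x20 || apdu[3] != 0x80)
            return 0x6D00;                                   // INS not supported
        if (retries_ == 0) return 0x6983;                    // PIN blocked
        std::size_t lc = apdu[4];
        if (apdu.size() != 5 + lc) return 0x6700;            // wrong length
        std::string presented(apdu.begin() + 5, apdu.end());
        if (presented == pin_) { retries_ = 3; return 0x9000; }
        --retries_;
        return static_cast<uint16_t>(0x63C0 | retries_);     // 63Cx: x tries left
    }
    int Retries() const { return retries_; }

private:
    std::string pin_;
    int         retries_;
};

enum class SetParamResult { Success, Failure, NotAPinParameter };

// The step-1202 branch of CryptSetProvParam as the page describes it.
// hasFingerprintSensor is the judgment the CP stored for this card; presetKey
// is the constant the CSP compares against on the fingerprint path.
SetParamResult CspSetProvParam(uint32_t dwParam, const std::string& pbData,
                               bool hasFingerprintSensor, const std::string& presetKey,
                               SimulatedCardOS& card) {
    if (dwParam != PP_KEYEXCHANGE_PIN && dwParam != PP_SIGNATURE_PIN)
        return SetParamResult::NotAPinParameter;

    if (hasFingerprintSensor) {
        // No card round-trip: the fingerprint was already checked in the CP,
        // so the CSP only recognises the marker value the CP planted as the PIN.
        return pbData == presetKey ? SetParamResult::Success : SetParamResult::Failure;
    }

    // Ordinary card: the PIN is real and the card OS is what verifies it.
    std::vector<uint8_t> apdu = {0x00, 0x20, 0x00, 0x80,
                                 static_cast<uint8_t>(pbData.size())};
    apdu.insert(apdu.end(), pbData.begin(), pbData.end());
    return card.Transmit(apdu) == 0x9000 ? SetParamResult::Success
                                         : SetParamResult::Failure;
}

int main() {
    SimulatedCardOS card("2468", 3);
    bool ok = CspSetProvParam(PP_SIGNATURE_PIN, "1234", true,  "1234", card) == SetParamResult::Success
           && CspSetProvParam(PP_SIGNATURE_PIN, "0000", false, "1234", card) == SetParamResult::Failure
           && card.Retries() == 2;
    return ok ? 0 : 1;
}
```

A real CSP would receive pbData as a BYTE pointer with a length and would forward the PIN to the card through SCardTransmit; the simulated card stands in for that leg so the branch logic can be exercised without a reader.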
Example 3
Embodiment 3 of the present invention provides a private credential providing device. As shown in fig. 6, the private credential providing device comprises a first operation module 301, a third operation module 303, a fifth operation module 305, a ninth operation module 309 and a tenth operation module 310, wherein:
the first operation module 301 is configured to, when the first interface function is called by the upper layer, find the system default credential providing device among all credential providing devices, set the system default credential providing device invisible, and return a response to the upper layer;
the third operation module 303 is configured to, when the third interface function is called by the upper layer, acquire the number of credentials, acquire and store the personal identification code input box identifier, acquire the name of the currently logged-in smart card, and return a response to the upper layer;
the fifth operation module 305 is configured to, when the fifth interface function is called by the upper layer, set the personal identification code to a default value according to the personal identification code input box identifier, and return a response to the upper layer;
the ninth operation module 309 is configured to, when the ninth interface function is called by the upper layer, pop up a fingerprint verification box, prompt the user to present a fingerprint, and return a response to the upper layer;
the tenth operation module 310 is configured to, when the tenth interface function is called by the upper layer, acquire the credentials required for logging in to the Windows system, return a response to the upper layer, and send those credentials to the local security authority service, where the credentials required for logging in to the Windows system comprise the name of the cryptographic service provider, the name of the currently logged-in smart card, the container name and the key usage.
Specifically, in this embodiment, the third operation module 303 may include:
an acquiring unit, configured to acquire the number of credentials, acquire and store the personal identification code input box identifier, acquire the name of the currently logged-in smart card, and obtain the judgment result after the second judging unit has judged whether the currently logged-in smart card is a smart card with a fingerprint sensor;
a second judging unit, configured to judge, according to the name of the currently logged-in smart card, whether it is a smart card with a fingerprint sensor;
an instance creating unit, configured to create credential object instances according to the number of credentials;
a storing unit, configured to store the judgment result obtained by the acquiring unit and the credential object instances created by the instance creating unit in a credential provider wrapper class instance;
and a responding unit, configured to return a response to the upper layer.
Specifically, in this embodiment, the third operation module 303 may further include: a first judging unit, configured to judge whether the credential list of the Windows system acquired by the acquiring unit is empty;
a clearing unit, configured to clear the credential list of the Windows system when the first judging unit judges that the acquired credential list of the Windows system is not empty;
correspondingly,
the acquiring unit is further configured to acquire the credential list of the Windows system; to acquire the number of credentials when the first judging unit judges that the acquired credential list of the Windows system is empty; and to acquire the number of credentials after the clearing unit has cleared the credential list of the Windows system.
In this embodiment, the private credential providing device may further include:
a second operation module, configured to create and store an instance of the system default credential providing device when the second interface function is called by the upper layer, and return a response to the upper layer;
a fourth operation module, configured to call the corresponding member function of the system default credential providing device instance when the fourth interface function is called by the upper layer, and return a response to the upper layer after the call completes, where the corresponding member function is the member function matching the fourth interface function;
a sixth operation module, configured to set the state of the personal identification code input box according to the personal identification code input box identifier when the sixth interface function is called by the upper layer, and return a response to the upper layer;
a seventh operation module, configured to load the login picture specific to the smart card with a fingerprint sensor when the seventh interface function is called by the upper layer, and return a response to the upper layer;
an eighth operation module, configured to set the position of the submit button according to the stored identifier of the display information control when the eighth interface function is called by the upper layer, and return a response to the upper layer;
and the third operation module is further configured to acquire and store the identifier of the display information control.
Specifically, in this embodiment, the third operation module may further include:
the first judging unit, which is used for judging whether the credential list of the Windows system acquired by the acquiring unit is empty;
the clearing unit, which is used for clearing the credential list of the Windows system when the first judging unit judges that the acquired credential list of the Windows system is not empty;
correspondingly,
the acquiring unit is also used for acquiring the credential list of the Windows system; for acquiring the number of credentials when the first judging unit judges that the acquired credential list of the Windows system is empty; and for acquiring the number of credentials after the clearing unit clears the credential list of the Windows system.
In this embodiment, the third operation module of the private credential providing device further includes:
the traversal unit, which is used for starting the traversal of the field descriptors of all the controls in sequence;
the third judging unit, which is used for judging whether the current control is the personal identification code input box according to the field descriptor of the current control acquired by the acquiring unit;
the fourth judging unit, which is used for judging whether the number of traversed field descriptors is equal to the total number of the field descriptors of all the controls when the third judging unit judges that the current control is not the personal identification code input box;
the acquiring unit is also used for acquiring the total number of the field descriptors of all the controls; for acquiring the field descriptor of the current control; and, when the fourth judging unit judges that the number of traversed field descriptors is not equal to the total number of the field descriptors of all the controls, for acquiring the field descriptor of the next control as the field descriptor of the current control and then triggering the third judging unit;
and the storage unit is also used for storing the identifier of the personal identification code input box, wherein the identifier of the personal identification code input box is the identifier carried by the personal identification code input box itself.
Specifically, in this embodiment, the second judging unit is configured to judge whether the type value of the field descriptor is a first preset value; if the type value of the field descriptor is the first preset value, it judges that the control is the personal identification code input box, and if the type value of the field descriptor is not the first preset value, it judges that the control is not the personal identification code input box. The first preset value can be, for example, CPFT_PASSWORD_TEXT.
In this embodiment, the third operation module further includes:
the fourth judging unit, which is used for judging whether the control is the display information control according to the state of the control;
the searching unit, which is used for taking the personal identification code input box identifier as the starting point and taking the preceding identifier as the current identifier, and, when the fourth judging unit judges that the control is not the display information control, for taking the identifier preceding the current identifier as the current identifier;
the acquiring unit is also used for acquiring the state of the control corresponding to the current identifier;
and the storage unit is also used for storing the identifier of the display information control when the fourth judging unit judges that the control is the display information control.
Specifically, the fourth judging unit is configured to judge whether the state value of the control is a second preset value; if the state value of the control is the second preset value, it determines that the control is the display information control, and if the state value of the control is not the second preset value, it determines that the control is not the display information control. For example, the second preset value is CPFS_DISPLAY_IN_SELECTED_TILE or CPFS_DISPLAY_IN_BOTH.
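The two scans just described, and restated in claims 5 to 8 below (walk the field descriptors in order to the first password-type control, then walk back from it to the nearest control whose state shows it in the selected tile), as an added C++ example that is not the patent's or Feitian's code. The enum names are the Windows SDK names the text cites; their numeric values, the Control struct and the sample tile layout are stand-ins constructed so the example builds and runs without Windows headers. The patent gives no termination condition for the backward search, so stopping at identifier 0 and reporting failure is this example's assumption.

```cpp
// Added example, not the patent's code: the two descriptor scans performed on
// the wrapped default credential provider's controls.
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Stand-ins for CREDENTIAL_PROVIDER_FIELD_TYPE / _FIELD_STATE so this builds
// without Windows headers (assumption: only the symbolic names matter here).
enum FieldType {
    CPFT_INVALID = 0, CPFT_LARGE_TEXT, CPFT_SMALL_TEXT, CPFT_COMMAND_LINK,
    CPFT_EDIT_TEXT, CPFT_PASSWORD_TEXT, CPFT_TILE_IMAGE, CPFT_CHECKBOX,
    CPFT_COMBOBOX, CPFT_SUBMIT_BUTTON
};
enum FieldState {
    CPFS_HIDDEN = 0, CPFS_DISPLAY_IN_SELECTED_TILE,
    CPFS_DISPLAY_IN_DESELECTED_TILE, CPFS_DISPLAY_IN_BOTH
};

// One control of the default provider: the field ID and type from its field
// descriptor, plus the state the provider reports for it.
struct Control {
    unsigned    fieldId;
    FieldType   type;
    FieldState  state;
    std::string label;   // readability only
};

// Steps 101 to 105: traverse the descriptors in order and stop at the first
// control whose type is the first preset value, CPFT_PASSWORD_TEXT.
// Returns the field ID, or -1 when the traversal ends without a PIN box.
int findPinBoxId(const std::vector<Control>& ctls) {
    const size_t total = ctls.size();                 // step 101
    for (size_t i = 0; i < total; ++i) {              // steps 102 to 104
        if (ctls[i].type == CPFT_PASSWORD_TEXT)       // step 103
            return static_cast<int>(ctls[i].fieldId); // step 105
    }
    return -1;
}

static const Control* byId(const std::vector<Control>& ctls, int id) {
    for (const Control& c : ctls)
        if (static_cast<int>(c.fieldId) == id) return &c;
    return nullptr;
}

// The second preset value: a state that shows the control in the selected tile.
bool isDisplayInfoState(FieldState s) {
    return s == CPFS_DISPLAY_IN_SELECTED_TILE || s == CPFS_DISPLAY_IN_BOTH;
}

// Steps 201 to 204: start at the identifier before the PIN box and move to
// lower identifiers until a displayed control is found. The patent states no
// termination rule; stopping at identifier 0 is this example's assumption.
int findDisplayInfoId(const std::vector<Control>& ctls, int pinBoxId) {
    for (int cur = pinBoxId - 1; cur >= 0; --cur) {   // step 201, then "previous"
        const Control* c = byId(ctls, cur);           // step 202
        if (c == nullptr) return -1;                  // gap in identifiers
        if (isDisplayInfoState(c->state)) return cur; // steps 203 and 204
    }
    return -1;
}

// Constructed sample resembling a default smart-card tile; not from the patent.
std::vector<Control> sampleDefaultTile() {
    return {
        {0, CPFT_TILE_IMAGE,    CPFS_DISPLAY_IN_BOTH,          "tile image"},
        {1, CPFT_LARGE_TEXT,    CPFS_DISPLAY_IN_BOTH,          "Smart card"},
        {2, CPFT_SMALL_TEXT,    CPFS_DISPLAY_IN_SELECTED_TILE, "card name"},
        {3, CPFT_COMMAND_LINK,  CPFS_HIDDEN,                   "hidden link"},
        {4, CPFT_EDIT_TEXT,     CPFS_HIDDEN,                   "hidden edit"},
        {5, CPFT_PASSWORD_TEXT, CPFS_DISPLAY_IN_SELECTED_TILE, "PIN"},
        {6, CPFT_SUBMIT_BUTTON, CPFS_DISPLAY_IN_SELECTED_TILE, "submit"},
    };
}

int main() {
    std::vector<Control> tile = sampleDefaultTile();
    int pin = findPinBoxId(tile);
    int info = findDisplayInfoId(tile, pin);
    std::cout << "PIN box id: " << pin << ", display-info control id: " << info << "\n";
    return 0;
}
```

The hidden controls at identifiers 3 and 4 are what make the backward search necessary: the display-information control is the nearest one that is actually shown, not simply the one preceding the PIN box.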
In this embodiment, the third operation module is specifically configured to, when the third interface function is called by the upper layer, acquire the number of credentials, acquire and store the personal identification code input box identifier, call a member function of the object instance of the credential to obtain the encapsulated data that the currently logged-in smart card submits to the local security authority service, parse the encapsulated data to obtain the name of the currently logged-in smart card, and return a response to the upper layer.
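What the third interface function parses (claim 9) and the tenth interface function submits (claim 1), as an added C++ example that is not the patent's or Feitian's code: a packer and a bounds-checked parser for the smart-card logon data a credential provider hands to the Local Security Authority. The byte layout is modelled on the Windows KERB_SMARTCARD_CSP_INFO structure, which the patent does not name; the field order, the field widths and the rule that offsets count UTF-16 characters from the start of the trailing buffer are my reading of the SDK header and an assumption of this example, as are all sample values.

```cpp
// Added example, not the patent's code: pack and parse the smart-card logon
// data a credential provider hands to the Local Security Authority (LSA).
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

// The four items claim 1 lists plus the reader name, in UTF-16.
struct CspFields {
    uint32_t       keySpec;        // key purpose: AT_KEYEXCHANGE (1) or AT_SIGNATURE (2)
    std::u16string cspName;        // cryptographic service provider name
    std::u16string cardName;       // name of the currently logged-in smart card
    std::u16string readerName;
    std::u16string containerName;  // key container on the card
};

// Fixed header modelled on KERB_SMARTCARD_CSP_INFO (assumption: field order
// and widths as in ntsecapi.h). A char16_t buffer follows; every offset below
// counts char16_t units from the start of that buffer.
struct CspInfoHeader {
    uint32_t dwCspInfoLen;         // total length in bytes, header included
    uint32_t messageType;          // 1 for this message kind
    uint64_t contextInformation;   // pointer placeholder, never dereferenced
    uint32_t flags;
    uint32_t keySpec;
    uint32_t nCardNameOffset;
    uint32_t nReaderNameOffset;
    uint32_t nContainerNameOffset;
    uint32_t nCSPNameOffset;
};

static void putString(std::u16string& buf, const std::u16string& s, uint32_t& off) {
    off = static_cast<uint32_t>(buf.size());
    buf += s;
    buf.push_back(u'\0');          // each string is NUL-terminated in the buffer
}

// What the tenth interface function would hand to the LSA.
std::vector<uint8_t> packCspInfo(const CspFields& f) {
    CspInfoHeader h{};
    std::u16string buf;
    h.messageType = 1;
    h.keySpec = f.keySpec;
    putString(buf, f.cardName,      h.nCardNameOffset);
    putString(buf, f.readerName,    h.nReaderNameOffset);
    putString(buf, f.containerName, h.nContainerNameOffset);
    putString(buf, f.cspName,       h.nCSPNameOffset);
    h.dwCspInfoLen = static_cast<uint32_t>(sizeof h + buf.size() * sizeof(char16_t));
    std::vector<uint8_t> out(h.dwCspInfoLen);
    std::memcpy(out.data(), &h, sizeof h);
    std::memcpy(out.data() + sizeof h, buf.data(), buf.size() * sizeof(char16_t));
    return out;
}

// Read one NUL-terminated string at a character offset; false when the offset
// lies outside the buffer or the string is unterminated, so a truncated or
// malformed blob is rejected instead of being read past its end.
static bool readString(const std::u16string& buf, uint32_t off, std::u16string& out) {
    if (off >= buf.size()) return false;
    size_t end = buf.find(u'\0', off);
    if (end == std::u16string::npos) return false;
    out.assign(buf, off, end - off);
    return true;
}

// What the third interface function does with the data returned by the
// credential object: parse it and recover the card name (claim 9).
bool parseCspInfo(const std::vector<uint8_t>& blob, CspFields& f) {
    CspInfoHeader h{};
    if (blob.size() < sizeof h) return false;
    std::memcpy(&h, blob.data(), sizeof h);
    if (h.dwCspInfoLen != blob.size() || h.messageType != 1) return false;
    size_t bytes = blob.size() - sizeof h;
    if (bytes % sizeof(char16_t) != 0) return false;
    std::u16string buf(bytes / sizeof(char16_t), u'\0');
    std::memcpy(&buf[0], blob.data() + sizeof h, bytes);
    f.keySpec = h.keySpec;
    return readString(buf, h.nCardNameOffset, f.cardName)
        && readString(buf, h.nReaderNameOffset, f.readerName)
        && readString(buf, h.nContainerNameOffset, f.containerName)
        && readString(buf, h.nCSPNameOffset, f.cspName);
}

std::u16string cardNameFromBlob(const std::vector<uint8_t>& blob) {
    CspFields f{};
    return parseCspInfo(blob, f) ? f.cardName : std::u16string();
}

// Constructed sample values; none of them come from the patent.
CspFields sampleFields() {
    return {1, u"Microsoft Base Smart Card Crypto Provider",
            u"Example Fingerprint Card", u"Example Reader 0", u"le-ExampleUser-1234"};
}

// True when a blob cut to keepBytes is rejected rather than partially parsed.
bool rejectsTruncated(size_t keepBytes) {
    std::vector<uint8_t> blob = packCspInfo(sampleFields());
    if (keepBytes < blob.size()) blob.resize(keepBytes);
    CspFields f{};
    return !parseCspInfo(blob, f);
}

int main() {
    std::u16string name = cardNameFromBlob(packCspInfo(sampleFields()));
    std::cout << "card name: ";
    for (char16_t ch : name) std::cout << static_cast<char>(ch);  // sample is ASCII
    std::cout << "\n";
    return 0;
}
```

The length and offset checks matter because the blob crosses a trust boundary: the private provider obtains it from another component's credential object, and a parser that trusted the offsets unchecked would read outside the buffer on a malformed blob.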
In this embodiment, the sixth operation module is specifically configured to set the state of the personal identification code input box to invisible when the sixth interface function is called by the upper layer, and to return a response to the upper layer.
In this embodiment, the fifth operation module is specifically configured to, when the fifth interface function is called by the upper layer, determine according to the judgment result stored in the credential provider package class instance that the currently logged-in smart card is a smart card with a fingerprint sensor, and then set the personal identification code to the default value according to the personal identification code input box identifier.
In this embodiment, the seventh operation module is specifically configured to, when the seventh interface function is called by the upper layer, determine according to the judgment result stored in the credential provider package class instance that the currently logged-in smart card is a smart card with a fingerprint sensor, and then load the dedicated login picture of the smart card with a fingerprint sensor.
In this embodiment, the eighth operation module is specifically configured to, when the eighth interface function is called by the upper layer, determine according to the judgment result stored in the credential provider package class instance that the currently logged-in smart card is a smart card with a fingerprint sensor, then set the position of the submit button, and return a response to the upper layer.
In this embodiment, the sixth operation module is specifically configured to, when the sixth interface function is called by the upper layer, determine according to the judgment result stored in the credential provider package class instance that the currently logged-in smart card is a smart card with a fingerprint sensor, then set the state of the personal identification code input box, and return a response to the upper layer.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (28)

1. A method for logging in a Windows system by a smart card is characterized by comprising the following steps:
the private credential providing device waits for a call from the upper layer;
when the first interface function of the private credential provisioning device is invoked, the private credential provisioning device finds a system default credential provisioning device from all credential provisioning devices, sets the system default credential provisioning device invisible, and returns a response to an upper layer;
when the third interface function of the private credential providing device is called, the private credential providing device acquires the number of credentials, acquires and stores the personal identification code input box identifier, acquires the name of the currently logged smart card, and returns a response to the upper layer;
when the fifth interface function of the private credential providing device is called, the private credential providing device sets the personal identification code as a default value according to the personal identification code input box identifier, and returns a response to the upper layer;
when the sixth interface function of the private credential providing device is called, the private credential providing device sets the state of the personal identification code input box according to the personal identification code input box identifier and returns a response to the upper layer;
when the ninth interface function of the private credential providing device is called, the private credential providing device pops up a fingerprint verification box, prompts a user to input a fingerprint, and returns a response to the upper layer;
when the tenth interface function of the private credential providing device is called, the private credential providing device acquires credentials required by logging in a Windows system, returns a response to an upper layer, and sends the credentials required by logging in the Windows system to a local security authority service, wherein the credentials required by logging in the Windows system comprise an encryption service provider name, a name of a currently logged smart card, a container name and a key purpose.
2. The method of claim 1, wherein, when the third interface function of the private credential providing device is called, the private credential providing device acquiring the number of credentials, acquiring and storing the personal identification code input box identifier, acquiring the name of the currently logged-in smart card, and returning a response to the upper layer specifically comprises:
when the third interface function of the private credential providing device is called, the private credential providing device acquires the number of credentials, acquires and stores the personal identification number input box identifier, acquires the name of the currently logged smart card, judges whether the currently logged smart card is a smart card with a fingerprint sensor according to the name of the currently logged smart card, acquires a judgment result, creates an object instance of the credentials according to the number of the credentials, stores the judgment result and the object instance of the credentials into a credential provider package type instance, and returns a response to an upper layer.
3. The method of claim 2, further comprising: when the second interface function of the private credential providing device is called, the private credential providing device creates and stores an instance of the system default credential providing device, and returns a response to the upper layer;
when the fourth interface function of the private credential provisioning device is invoked, the private credential provisioning device invokes the corresponding member function of the instance of the system default credential provisioning device and returns a response to the upper layer after the invocation is complete; wherein the corresponding member function is a member function corresponding to the fourth interface function;
when the seventh interface function of the private credential providing device is called, the private credential providing device loads a special login picture of the smart card with the fingerprint sensor and returns a response to the upper layer;
when the eighth interface function of the private credential providing device is called, the private credential providing device sets the position of a submit button according to the saved identifier of the display information control, and returns a response to the upper layer;
when the third interface function of the private credential providing device is called, the method further comprises: the private credential providing device acquires and stores the identifier of the display information control.
4. The method of claim 1, wherein, before the private credential providing device acquires the number of credentials, the method further comprises: the private credential providing device acquires the credential list of the Windows system and judges whether the credential list of the Windows system is empty; if so, the private credential providing device acquires the number of credentials, and if not, the private credential providing device clears the current credential list and then acquires the number of credentials.
5. The method of claim 3, wherein acquiring and storing the personal identification code input box identifier when the third interface function of the private credential providing device is called specifically comprises:
step 101, the private credential providing device obtains the total number of field descriptors of all controls;
step 102, the private credential providing device starts traversing the field descriptors of all the controls in sequence;
step 103, the private credential providing device acquires the field descriptor of the current control and judges whether the current control is the personal identification code input box according to the acquired field descriptor of the current control; if so, step 105 is executed, and if not, step 104 is executed;
step 104, the private credential providing device judges whether the number of traversed field descriptors is equal to the total number of the field descriptors of all the controls; if so, the process ends, and if not, the field descriptor of the next control is acquired as the field descriptor of the current control and step 103 is executed again;
step 105, the private credential providing device saves the personal identification number input box identification.
6. The method of claim 5, wherein the private credential providing device judging whether the current control is the personal identification code input box according to the acquired field descriptor of the current control specifically comprises: the private credential providing device judges whether the type value of the field descriptor is a first preset value; if so, the current control is the personal identification code input box, and if not, the current control is not the personal identification code input box.
7. The method of claim 3, wherein the private credential provisioning device obtaining and saving the display information control identifier specifically comprises:
step 201, the private credential providing device uses the personal identification number input box identifier as a starting point, and uses the former identifier as the current identifier;
step 202, the private credential providing device obtains the state of the control corresponding to the current identifier;
step 203, the private credential providing device judges whether the control is a display information control according to the state of the control, if so, step 204 is executed; if not, taking the previous identifier of the current identifier as the current identifier, and executing the step 202;
step 204, the private credential providing device saves the display information control identifier.
8. The method of claim 7, wherein the private credential providing device judging whether the control is the display information control according to the state of the control specifically comprises: the private credential providing device judges whether the state value of the control is a second preset value; if so, the control is determined to be the display information control, and if not, the control is determined not to be the display information control.
9. The method of claim 1, wherein obtaining the name of the currently logged-in smart card when the third interface function of the private credential providing device is invoked comprises: the private credential providing device calls a member function of an object instance of the credential, acquires encapsulation data submitted to local security authority service by the current login smart card, and analyzes the encapsulation data to acquire the name of the current login smart card.
10. The method of claim 3, wherein the private credential providing device setting the state of the personal identification code input box according to the personal identification code input box identifier specifically comprises: the private credential providing device sets the state of the personal identification code input box to invisible according to the personal identification code input box identifier.
11. The method of claim 3, wherein, when the fifth interface function of the private credential providing device is called, the private credential providing device setting the personal identification code to the default value according to the personal identification code input box identifier specifically comprises: when the fifth interface function of the private credential providing device is called, the private credential providing device judges according to the judgment result stored in the credential provider package class instance that the currently logged-in smart card is a smart card with a fingerprint sensor, and then sets the personal identification code to the default value according to the personal identification code input box identifier.
12. The method of claim 3, wherein, when the seventh interface function of the private credential providing device is called, the private credential providing device loading the dedicated login picture of the smart card with a fingerprint sensor specifically comprises: the private credential providing device judges according to the judgment result stored in the credential provider package class instance that the currently logged-in smart card is a smart card with a fingerprint sensor, and then loads the dedicated login picture of the smart card with a fingerprint sensor.
13. The method of claim 3, wherein, when the eighth interface function of the private credential providing device is called, the private credential providing device setting the position of the submit button according to the stored identifier of the display information control specifically comprises: the private credential providing device judges according to the judgment result stored in the credential provider package class instance that the currently logged-in smart card is a smart card with a fingerprint sensor, and then sets the position of the submit button according to the stored identifier of the display information control.
14. The method of claim 3, wherein, when the sixth interface function of the private credential providing device is called, the private credential providing device setting the state of the personal identification code input box according to the personal identification code input box identifier specifically comprises: the private credential providing device judges according to the judgment result stored in the credential provider package class instance that the currently logged-in smart card is a smart card with a fingerprint sensor, and then sets the state of the personal identification code input box according to the personal identification code input box identifier.
15. A private credential provisioning apparatus, comprising:
the first operation module is used for finding out a default credential providing device of the system from all credential providing devices when the first interface function is called by the upper layer, setting the default credential providing device of the system to be invisible and returning a response to the upper layer;
the third operation module is used for acquiring the number of the credentials, acquiring and storing the personal identification code input box identifier, acquiring the name of the currently logged smart card and returning a response to the upper layer when the third interface function is called by the upper layer;
the fifth operation module is used for setting the personal identification code as a default value according to the personal identification code input box identification when the fifth interface function is called by the upper layer, and returning a response to the upper layer;
the sixth operation module is used for setting the state of the personal identification code input box according to the personal identification code input box identification when the sixth interface function is called by the upper layer and returning a response to the upper layer;
the ninth operation module is used for popping up a fingerprint verification box when the ninth interface function is called by the upper layer, prompting a user to input a fingerprint and returning a response to the upper layer;
and the tenth operation module is used for acquiring the credential required by the login Windows system when the tenth interface function is called by the upper layer, returning a response to the upper layer, and sending the credential required by the login Windows system to the local security authority service, wherein the credential required by the login Windows system comprises an encryption service providing program name, the name of the currently logged-in smart card, a container name and a key purpose.
16. The apparatus of claim 15, wherein the third operation module specifically comprises:
the acquiring unit, which is used for acquiring the number of credentials, acquiring and storing the personal identification code input box identifier, acquiring the name of the currently logged-in smart card, and acquiring the judgment result after the second judging unit judges whether the currently logged-in smart card is a smart card with a fingerprint sensor;
the second judgment unit is used for judging whether the currently logged-in smart card is a smart card with a fingerprint sensor according to the name of the currently logged-in smart card acquired by the acquisition unit;
an instance creating unit configured to create an object instance of the credential according to the number of the credentials acquired by the acquiring unit;
the storage unit, which is used for storing the judgment result acquired by the acquiring unit and the object instance of the credential created by the instance creating unit according to the number of credentials into a credential provider package class instance;
and the response unit is used for returning a response to the upper layer.
17. The apparatus of claim 16, wherein the private credential provisioning apparatus further comprises:
the second operation module is used for creating and storing an example of the system default credential providing device when the second interface function is called by the upper layer, and returning a response to the upper layer;
the fourth operation module is used for calling the corresponding member function of the instance of the system default credential providing device when the fourth interface function is called by the upper layer, and returning a response to the upper layer after the calling is finished; the corresponding member function is a member function corresponding to the fourth interface function;
the seventh operation module is used for loading the special login picture of the smart card with the fingerprint sensor when the seventh interface function is called by the upper layer and returning a response to the upper layer;
the eighth operation module is used for setting the position of the submit button according to the stored identifier of the display information control when the eighth interface function is called by the upper layer, and returning a response to the upper layer;
and the third operation module is also used for acquiring and storing the identifier of the display information control.
18. The apparatus of claim 15, wherein the third operational module further comprises:
the first judging unit, which is used for judging whether the credential list of the Windows system acquired by the acquiring unit is empty;
the clearing unit, which is used for clearing the credential list of the Windows system when the first judging unit judges that the acquired credential list of the Windows system is not empty;
correspondingly,
the acquiring unit is also used for acquiring the credential list of the Windows system; for acquiring the number of credentials when the first judging unit judges that the acquired credential list of the Windows system is empty; and for acquiring the number of credentials after the clearing unit clears the credential list of the Windows system.
19. The apparatus of claim 17, wherein the third operational module further comprises:
the traversal unit, which is used for starting the traversal of the field descriptors of all the controls in sequence;
the third judging unit, which is used for judging whether the current control is the personal identification code input box according to the field descriptor of the current control acquired by the acquiring unit;
the fourth judging unit, which is used for judging whether the number of traversed field descriptors is equal to the total number of the field descriptors of all the controls when the third judging unit judges that the current control is not the personal identification code input box;
the acquiring unit is also used for acquiring the total number of the field descriptors of all the controls; for acquiring the field descriptor of the current control; and, when the fourth judging unit judges that the number of traversed field descriptors is not equal to the total number of the field descriptors of all the controls, for acquiring the field descriptor of the next control as the field descriptor of the current control and then triggering the third judging unit;
and the storage unit is also used for storing the identifier of the personal identification code input box.
20. The apparatus of claim 19, wherein the second judging unit is specifically configured to judge whether the type value of the field descriptor is a first preset value; if so, it judges that the current control is the personal identification code input box, and otherwise it judges that the current control is not the personal identification code input box.
21. The apparatus of claim 17, wherein the third operational module further comprises:
the fourth judging unit, which is used for judging whether the control is the display information control according to the state of the control;
the searching unit is used for taking the personal identification code input box mark as a starting point and taking the former mark as the current mark; when the fourth judging unit judges that the control is not the display information control, the previous identification of the current identification is used as the current identification;
the acquiring unit is further configured to acquire a state of the control corresponding to the current identifier;
the storage unit is further configured to store the identifier of the display information control when the fourth determination unit determines that the control is a display information control.
22. The apparatus according to claim 21, wherein the fourth determining unit is specifically configured to determine whether the state value of the control is a second preset value, if so, the control is determined to be a display information control, and otherwise, the control is determined not to be the display information control.
23. The apparatus of claim 15, wherein the third operation module is specifically configured to, when the third interface function is called by the upper layer, acquire the number of credentials, acquire and store the personal identification code input box identifier, obtain the encapsulated data that the currently logged-in smart card submits to the local security authority service by calling a member function of the object instance of the credential, parse the encapsulated data to obtain the name of the currently logged-in smart card, and return a response to the upper layer.
24. The apparatus of claim 17, wherein the sixth operation module is specifically configured to set the state of the personal identification code input box to invisible when the sixth interface function is called by the upper layer, and to return a response to the upper layer.
25. The apparatus of claim 17, wherein the fifth operation module is specifically configured to, when the fifth interface function is called by the upper layer, set the personal identification code to the default value according to the personal identification code input box identifier after judging according to the judgment result stored in the credential provider package class instance that the currently logged-in smart card is a smart card with a fingerprint sensor, and return a response to the upper layer.
26. The apparatus of claim 17, wherein the seventh operating module is specifically configured to, when the seventh interface function is called by the upper layer, load a smart card specific login picture with a fingerprint sensor after determining that the currently logged-in smart card is a smart card with a fingerprint sensor according to a determination result stored in the credential provider package class instance, and return a response to the upper layer.
27. The apparatus according to claim 17, wherein the eighth operating module is specifically configured to, when the eighth interface function is called by the upper layer, set a position of a submit button according to the stored identifier of the display information control after determining that the currently logged-in smart card is a smart card with a fingerprint sensor according to the determination result stored in the credential provider package class instance, and return a response to the upper layer.
28. The apparatus of claim 17, wherein the sixth operation module is specifically configured to, when the sixth interface function is called by the upper layer, set the state of the personal identification code input box according to the stored identifier of the display information control after judging according to the judgment result stored in the credential provider package class instance that the currently logged-in smart card is a smart card with a fingerprint sensor, and return a response to the upper layer.
CN201710979901.3A 2017-10-19 2017-10-19 Method for logging in Windows system by smart card and private credential providing device Active CN107609362B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710979901.3A CN107609362B (en) 2017-10-19 2017-10-19 Method for logging in Windows system by smart card and private credential providing device

Publications (2)

Publication Number Publication Date
CN107609362A CN107609362A (en) 2018-01-19
CN107609362B true CN107609362B (en) 2020-02-11

Family

ID=61078678

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710979901.3A Active CN107609362B (en) 2017-10-19 2017-10-19 Method for logging in Windows system by smart card and private credential providing device

Country Status (1)

Country Link
CN (1) CN107609362B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108762827B (en) * 2018-04-24 2021-02-23 北京明华联盟科技有限公司 Encryption service providing program calling method and terminal equipment
CN111586124B (en) * 2020-04-28 2020-12-18 广州锦行网络科技有限公司 Method for obtaining remote connection certificate
CN113591056A (en) * 2021-08-05 2021-11-02 国民认证科技(北京)有限公司 Method and system for logging in Windows domain based on fingerprint device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1237091A1 (en) * 1999-12-10 2002-09-04 Fujitsu Limited Personal authentication system and portable electronic device having personal authentication function using body information
CN101169812A (en) * 2006-10-25 2008-04-30 知网生物识别科技股份有限公司 Viewfinder executive system multiple factor identification system and login method
CN101753682A (en) * 2009-11-27 2010-06-23 华为终端有限公司 Right management method for user identification card and terminal unit
CN107241192A (en) * 2017-05-27 2017-10-10 飞天诚信科技股份有限公司 The method and device that a kind of use fingerprint key is logged in

Also Published As

Publication number Publication date
CN107609362A (en) 2018-01-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant