Monday, July 4, 2016

macOS Sierra and PIVToken source code

Deprecated tokend API is now replaced

In "macOS Sierra and CryptoTokenKit API" I presented the updated CryptoTokenKit API. This API is not completely new but was not really used.

Apple now provides the source code of PIVToken: a token for PIV (Personal Identity Verification) smart cards using the new API instead of the old tokend/CDSA API.

PIVToken: short source code

The code is available at "Code sample: PIVToken: Using CryptoTokenKit to add support for new types of tokens".

I used the tool sloccount to count the number of lines of code.

$ sloccount .
SLOC Directory SLOC-by-Language (Sorted)
493     PIVToken        objc=493

Totals grouped by language (dominant language first):
objc:           493 (100.00%)

$ sloccount --details .
227 objc PIVToken PIVToken/Token.m
162 objc PIVToken PIVToken/TokenSession.m
50 objc PIVToken PIVToken/NSData_Zip.m
14 objc PIVToken PIVToken/TokenSession.h
36 objc PIVToken PIVToken/Token.h
4 objc PIVToken PIVToken/NSData_Zip.h

The token is only 493 lines of Objective-C.

I am not a PIV expert or even user so I can't really tell if all the PIV features are supported in this token.

Subject to changes

"This sample demonstrates how to write an extension for CryptoTokenKit framework to support new types of SmartCards or any other cryptographic token."

I would not be surprised if the code changes before the final macOS Sierra release.

Conclusion

It is time to study the sample code and work on replacing the existing tokend tokens.

Saturday, July 2, 2016

New version of pcsc-tools: 1.4.27

I just released a new version of pcsc-tools, a suite of tools for PC/SC.

Changes:
1.4.27 - 2 July 2016, Ludovic ROUSSEAU
  • 72 new ATRs
  • ATR_analysis: propose to submit the ATR if not known
  • pcsc_scan: Handle "simultaneous" readers removal

Saturday, June 25, 2016

macOS Sierra and CryptoTokenKit API

macOS Sierra

Apple presented macOS Sierra 10.12 during the Worldwide Developers Conference (WWDC) 2016 on June 13, 2016.

I could not find information about smart cards or CryptoTokenKit API in Apple Sierra preview page or Wikipedia Sierra page. I am not surprised. Smart cards are far less used than Siri for example :-)

I already wrote about the CryptoTokenKit API when this API was introduced, in "OS X Yosemite BETA and smart cards status" in July 2014, 2 years ago.

It looks like the CryptoTokenKit API is more mature now since the documentation is available as web pages (and not just .h header files).

CryptoTokenKit

The API documentation web page is "CryptoTokenKit Access Smart Cards and manage user interactions."

A lot of functions are marked as Beta. So I would expect some/many changes between the beta version(s) of Sierra and the official Sierra release planned for fall 2016.

Beta Software

This documentation contains preliminary information about an API or technology in development. This information is subject to change, and software implemented according to this documentation should be tested with final operating system software.

Conclusion

Only Apple developers have access to this first Sierra beta version. Because of the Apple NDA I can't write about information not already public.

A new beta version of macOS Sierra should be available in July 2016. This time it will be a public beta for everyone. More information to come...

Wednesday, June 8, 2016

UEFI Smart Card Reader Protocol implementation

Last year (May 2015) I presented the new UEFI (Unified Extensible Firmware Interface Specification) protocol called "Smart Card Reader Protocol" in the article "UEFI Smart Card Reader Protocol".

I also presented a sample Hello World application in "PCSC sample in C for UEFI".

Source code

The source code of my implementation of the protocol is available in my GitHub edk2 project. Be sure to use the SmartCard branch.

The source code of the Hello World application and some other test/debug tools is available in my GitHub UEFI-SmartCardReader-Samples project.

Integration in TianoCore

My "Smart Card Reader Protocol" implementation is a port of my CCID driver. So the core of the driver uses the same GNU LGPL v2+ license.
I proposed my implementation on the edk2-devel mailing list in "[edk2] [PATCH 0/4] Add an implementation of EFI_SMART_CARD_READER_PROTOCOL".

Unfortunately the copyleft license GNU LGPL v2+ is a problem for some TianoCore members. So my code was not integrated in TianoCore (a reference implementation of UEFI) and I moved to something else.

Conclusion

You can use my implementation of the "Smart Card Reader Protocol". Be careful that the GNU LGPL v2+ license is fine with your project.

Sunday, May 29, 2016

New version of pcsc-lite: 1.8.17

I just released a new version of pcsc-lite 1.8.17.
pcsc-lite is a Free Software implementation of the PC/SC (or WinSCard) API for Unix systems.

Changes:
1.8.17: Ludovic Rousseau
29 May 2016
  • Fix SCardEndTransaction() issue with a SCARD_SHARE_EXCLUSIVE connection
  • Fix an issue when used with systemd (problem in signal handler)
  • SCardGetAttrib(): set pcbAttrLen when buffer is too small
  • Doxygen: SCardGetAttrib() pbAttr can be NULL
  • Doxygen: SCardGetAttrib() *pcbAttrLen contains the buffer size
  • fix compilation warnings and link errors on SunOS
  • Some other minor improvements

Friday, May 27, 2016

PySCard 1.9.4 released

I just released a new official version 1.9.4 of pyscard. PySCard is a Python module adding smart card support (PC/SC) to Python.

The PySCard project is available at:

Changes

1.9.4 (May 2016)
  • Fix installation using pip and easy_install
  • Avoid El Capitan SCardGetAttrib bug
  • CardConnection: Add context management
  • PCSCCardConnection: raise NoCardException if SCARD_E_NO_SMARTCARD
  • Stop CardMonitor monitor thread after traceback print.
  • minor improvements

1.9.3 (March 2016)
  • Fix SCardControl() on Windows 7
  • Fix installation using pip and easy_install

Monday, May 23, 2016

OS X El Capitan 10.11.5 and CCID driver fix

As explained in my previous article "OS X El Capitan 10.11.5 and CCID driver still broken" the upgrade to 10.11.5 did not fix the CCID driver issue.

To fix the issue you have to download and install the "OS X El Capitan 10.11.5 Combo Update".

The file size is 1.5 GB. You can install it even if you already upgraded your system to 10.11.5.

Fixed CCID driver

Now I have:
$ pwd
/usr/libexec/SmartCardServices/drivers
$ ls -lR ifd-ccid.bundle/
total 0
drwxr-xr-x  5 root  wheel  170 23 mai 18:54 Contents

ifd-ccid.bundle//Contents:
total 24
-rw-r--r--  1 root  wheel  36860 21 déc 06:05 Info.plist
drwxr-xr-x  6 root  wheel    204 23 mai 18:54 MacOS
-rw-r--r--  1 root  wheel    470 21 déc 06:05 version.plist

ifd-ccid.bundle//Contents/MacOS:
total 512
lrwxr-xr-x  1 root  wheel      20 23 mai 18:52 libccid.dylib -> libccid.dylib.1.4.21
-rwxr-xr-x  1 root  wheel  165888 17 sep  2015 libccid.dylib.1.4.14
-rwxr-xr-x  1 root  wheel  166096  3 déc 07:33 libccid.dylib.1.4.20
-rwxr-xr-x  1 root  wheel  166096  5 mai 08:02 libccid.dylib.1.4.21

Note that the symbolic link libccid.dylib now points to the latest driver version.

The files libccid.dylib.1.4.14 and libccid.dylib.1.4.20 are now useless and could be removed. But because of System Integrity Protection it is not easy and I think I will not remove them.

Conclusion

The problem should now be fixed.

If you installed a copy of the CCID driver in /usr/local/libexec/SmartCardServices/drivers/, as suggested by some people, you may want to remove it now to avoid conflicts with the Apple-provided CCID driver.
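
The two checks described in this article (the libccid.dylib symbolic link points to the newest installed driver, and no second copy sits in the local drivers directory) can be scripted. This is an added example, not part of the original article; the function names and the BUNDLE/LOCAL variables are hypothetical, and it assumes that a local copy keeps the bundle name ifd-ccid.bundle.

```shell
#!/bin/sh
# Added example (not from the original article): check an ifd-ccid.bundle layout.

# Print the highest X.Y.Z among the libccid.dylib.X.Y.Z files in directory $1.
# Fields are compared numerically, so 1.4.21 ranks above 1.4.9.
latest_ccid_version() {
    for f in "$1"/libccid.dylib.*; do
        [ -f "$f" ] || continue
        printf '%s\n' "${f##*/libccid.dylib.}"
    done | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1
}

# Print the version the libccid.dylib symlink in $1 points to; fail if no symlink.
linked_ccid_version() {
    [ -L "$1/libccid.dylib" ] || return 1
    target=$(readlink "$1/libccid.dylib")
    printf '%s\n' "${target##*libccid.dylib.}"
}

# Succeed only when the symlink points at the newest installed driver.
check_ccid_bundle() {
    latest=$(latest_ccid_version "$1")
    linked=$(linked_ccid_version "$1") || { echo "MISSING: no libccid.dylib symlink in $1"; return 1; }
    if [ "$linked" = "$latest" ]; then
        echo "OK: libccid.dylib -> $linked"
    else
        echo "STALE: libccid.dylib -> $linked but $latest is installed"
        return 1
    fi
}

# Succeed when a second copy of the bundle sits in the local drivers directory $1.
# Assumption: the copy keeps the bundle name ifd-ccid.bundle.
has_local_copy() {
    [ -d "$1/ifd-ccid.bundle" ]
}

# Paths from the article; override BUNDLE/LOCAL to check another tree.
BUNDLE=${BUNDLE:-/usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/MacOS}
LOCAL=${LOCAL:-/usr/local/libexec/SmartCardServices/drivers}
if [ -d "$BUNDLE" ]; then
    check_ccid_bundle "$BUNDLE" || true
    if has_local_copy "$LOCAL"; then
        echo "CONFLICT: extra ifd-ccid.bundle in $LOCAL"
    fi
fi
```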