New version of pcsc-tools: 1.5.3

I just released a new version of pcsc-tools, a suite of tools for PC/SC.

The main changes are for the pcsc_scan command.

Changes:
1.5.3 - 15 April 2018, Ludovic ROUSSEAU

• 253 new ATRs
• pcsc_scan (thanks to Pascal J. Bourguignon):
• add -v argument (default) for verbose
• add -q argument for quiet
• add -r argument to display the reader list
• allow to use Control-C to break execution

New PyKCS11 1.5.2 available

I just released a new version of PyKCS11, a Python wrapper above the PKCS#11 API.
See "PyKCS11 introduction".

Changes:

1.5.2 - April 2018, Ludovic Rousseau

• Fix initPin()
• add tests for initPin(), setPin(), initToken()

New PyKCS11 1.5.1 available

I just released a new version of PyKCS11, a Python wrapper above the PKCS#11 API.
See "PyKCS11 introduction".

Changes:

1.5.1 - March 2018, Ludovic Rousseau

• Fix "pip install"

New PyKCS11 1.5.0 available

I just released a new version of PyKCS11, a Python wrapper above the PKCS#11 API.
See "PyKCS11 introduction".

Changes:

1.5.0 - March 2018, Ludovic Rousseau

• Python 3: use strings instead of binary buffers for CK_UTF8CHAR PKCS#11 types. The behaviour is now the same as with Python 2
• allow non string PIN values (binary PIN) for login(), initToken(), initPin(), setPin()
• fix support of RSA PKCS PSS mechanism
  The mechanism object now uses a parameter "mechanism" instead of hard coding the mechanism value to CKM_RSA_PKCS_PSS.
• add support of Python 2.7 on Windows
• add AppVeyor configuration (automatic Windows builds)
• ckbytelist: remove possibility to give a initial size
• samples/getinfo: do not list the mechanisms by default
• samples/events:
• do not list the mechanisms by default
• add support of pinpad readers
• some minor improvements

Windows

If you are a Windows user and you want binary packages then please work on the AppVeyor configuration:

• Configuration file: appveyor.yml
• Results: PyKCS11

MUSCLE web sites moved to .apdu.fr

With the decommissioning of alioth.debian.org I had to move the web site to a new place.

• https://pcsclite.alioth.debian.org/ moved to https://muscle.apdu.fr/
• https://pcsclite.alioth.debian.org/pcsclite.html moved to https://pcsclite.apdu.fr/
• https://pcsclite.alioth.debian.org/ccid.html moved to https://ccid.apdu.fr/

Update your bookmarks.

I also upgraded the HTML pages to Boostrap 4.0.

Please report any issue you may find.

Level 1.5 smart card support on macOS

In a previous article "Level 1 smart card support on Mac OS X" I described some simple commands to check if the smart card stack is working correctly on a macOS system.

By re-reading the presentation "Working with Smart Cards: macOS and Security" by Richard Purves I discovered a new command.

I already knew "system_profiler SPUSBDataType" to list the USB devices. I mentioned it in "Level 1 smart card support on Mac OS X" to check the USB reader is seen by the system. But system_profiler provides a better command for smart cards.

SPSmartCardsDataType

system_profiler has another very interesting command: system_profiler SPSmartCardsDataType

Clean macOS installation

Example 1:

$ system_profiler SPSmartCardsDataType
SmartCards:

    Readers:

      #01: Cherry KC 1000 SC (ATR:<3b7f9600 00803180 65b08441 3df612ff fe829000>)

    Reader Drivers:

      #01: org.debian.alioth.pcsclite.smartcardccid:1.4.27 (/usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle)

    Tokend Drivers:

    SmartCard Drivers:

      #01: com.apple.CryptoTokenKit.pivtoken:1.0 (/System/Library/Frameworks/CryptoTokenKit.framework/PlugIns/pivtoken.appex)

    Available SmartCards (keychain):

    Available SmartCards (token):

You get a lot of useful information:

1. list of smart card readers
2. list of installed reader drivers
3. list of tokend drivers
4. list of smart card drivers
5. available smart cards (keychain)
6. available smart cards (token)

What you can see in my example:

• I use a Cherry KC 1000 SC reader. A card is inserted in the reader and you see the ATR.
• by default Apple provides a CCID driver
• by default Apple provides a PIV CryptoTokenKit token to support Personal Identity Verification cards

Using SafeNet Authentication Client

Example 2:

$ system_profiler SPSmartCardsDataType 
SmartCards:

    Readers:

      #01: Gemalto PC Twin Reader (ATR:<3b7f9600 00803180 65b08503 00ef120f fe829000>)

    Reader Drivers:

      #01: org.debian.alioth.pcsclite.smartcardccid:1.4.27 (/usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle)
      #02: com.SafeNet.eTokenIfdh:9.0.0.0 (/Library/Frameworks/eToken.framework/Versions/A/aks-ifdh.bundle)
      #03: com.gemalto.ifd-bccid:1.0 (/usr/local/libexec/SmartCardServices/drivers/ifd-bccid.bundle)
      #04: org.debian.alioth.pcsclite.smartcardccid:1.4.27 (/usr/local/libexec/SmartCardServices/drivers/ifd-ccid-SafeNet-eToken5300.bundle)
      #05: (null):(null) (/Library/Frameworks/eToken.framework/Versions/A/ikey-ifdh.bundle)

    Tokend Drivers:

      #01: com.Safenet.eTokend:9.0 (/Library/Frameworks/eToken.framework/Versions/A/eTokend.tokend)

    SmartCard Drivers:

      #01: com.apple.CryptoTokenKit.pivtoken:1.0 (/System/Library/Frameworks/CryptoTokenKit.framework/PlugIns/pivtoken.appex)
      #02: com.gemalto.Gemalto-Smart-Card-Token.PKCS11-Token:1.0 (/Library/Frameworks/eToken.framework/Versions/A/SafeNet Authentication Client.app/Contents/PlugIns/PKCS11 Token.appex)

    Available SmartCards (keychain):

        com.gemalto.Gemalto-Smart-Card-Token.PKCS11-Token:9A522A4489DFA3DE:

          #01: Kind: private RSA 2048-bit, Certificate: <1cc4a99c 25e2b4eb 381850d2 e8e7a9a8 8d258b31>, Usage: Sign Decrypt Unwrap 
          #02: Kind: private RSA 2048-bit, Certificate: <425fa8c1 27ad75a1 aec73183 2b053b41 38befe7f>, Usage: Sign Decrypt Unwrap 
          #03: Kind: private RSA 4096-bit, Certificate: <16b5321b d4c7f3e0 e68ef3bd d2b03aee b23918d1>, Usage: Sign Decrypt Unwrap 
          #04: Kind: private RSA 4096-bit, Certificate: <16b5321b d4c7f3e0 e68ef3bd d2b03aee b23918d1>, Usage: Sign Decrypt Unwrap 
          #05: Kind: private RSA 2048-bit, Certificate: <31fde547 b4ca58d4 7b6231c2 62730efd 8c7538a1>, Usage: Sign Derive Decrypt Unwrap 

    Available SmartCards (token):

        com.gemalto.Gemalto-Smart-Card-Token.PKCS11-Token:9A522A4489DFA3DE:

          #01: Kind: private RSA 2048-bit, Certificate: <1cc4a99c 25e2b4eb 381850d2 e8e7a9a8 8d258b31>, Usage: Sign Decrypt Unwrap 
          #02: Kind: private RSA 2048-bit, Certificate: <425fa8c1 27ad75a1 aec73183 2b053b41 38befe7f>, Usage: Sign Decrypt Unwrap 
          #03: Kind: private RSA 4096-bit, Certificate: <16b5321b d4c7f3e0 e68ef3bd d2b03aee b23918d1>, Usage: Sign Decrypt Unwrap 
          #04: Kind: private RSA 2048-bit, Certificate: <31fde547 b4ca58d4 7b6231c2 62730efd 8c7538a1>, Usage: Sign Derive Decrypt Unwrap 
          #05: Certificate <1a222d8f 7458d082 d413fbdb 40c85f56 f48def63>

In this second example I installed SAC (SafeNet Authentication Client) from Gemalto. You can see some differences:

• more reader drivers are installed
• a tokend driver is installed
• another SmartCard (Crypto Token Kit or CTK) driver is installed 
• the card inserted in the reader is available in the keychain

Conclusion

This command provides information of a higher level that pcsctest.
You know what drivers (for readers and for cards) are installed.

New version of libccid: 1.4.29

I just released a version 1.4.29 of libccid the Free Software CCID class smart card reader driver.

Changes:
1.4.29 - 21 February 2018, Ludovic Rousseau

• Add support of
• Access IS NFC Smart Module (With idProduct 0x0164)
• Bit4id Digital-DNA Key
• Bit4id Digital-DNA Key BT
• Bluink Ltd. Bluink CCID
• Chicony HP Skylab USB Smartcard Keyboard
• HID Global OMNIKEY 5023 Smart Card Reader
• HID Global OMNIKEY 5027CK CCID CONFIG IF
• KeyXentic Inc. KX906 Smart Card Reader
• Spyrus Inc Rosetta USB
• Spyrus Inc WorkSafe Pro
• Watchdata USB Key (idProduct: 0x0418)
• The C3PO LTC31 v2 wrongly declares PIN support
• Remove extra EGT patch because if has bad side effects