New PyKCS11 1.5.9 available

I just released a new version of PyKCS11, a Python wrapper above the PKCS#11 API.
See "PyKCS11 introduction" or "PyKCS11’s documentation".

The project is registered at Pypi: https://pypi.org/project/PyKCS11/

Changes

1.5.9 - July 2020, Ludovic Rousseau

• call C_GetSlotList() with a NULL parameter to correctly initialize some PKCS#11 lib conforming to PKCS#11 version 2.40.
  

Smart card and blockchain?

I received my first ATR description containing the word "blockchain". It is for ATR 3B 89 80 01 66 49 46 58 42 53 32 47 6F 32.

The card description is "Blockchain Security 2Go (JavaCard)" and refer to https://github.com/Infineon/Blockchain "Infineon's Blockchain Security 2Go Starter Kit".

The license of the github project is MIT License but the project does not contain any source code. So I am not sure what this github project is about.

Note: I do not have such a smart card. So I can't write much more about this card and project.

Smart card Usage in Debian: applications

See "Smart card Usage in Debian: pcscd and drivers" and "Smart card Usage in Debian: middleware" for the previous articles.

The last layer above the smart card reader driver, the PC/SC resource manager and the middleware are user applications.

I try to maintain a list of smart card applications available in Debian.

I updated the list when writing this blog article. New Debian packages have been added, and others have been removed.

ausweisapp2: Official authentication app for German ID cards and residence permits

cardpeek: Tool to read the contents of ISO7816 smartcards

connman-gtk: fully-featured GUI for ConnMan with systray support

entropybroker: infrastructure for distributing random numbers (entropy data)

gnokii-cli: Datasuite for mobile phone management (console interface)

gnokii-smsd: SMS Daemon for mobile phones

gnome-boxes: Simple GNOME app to access remote or virtual systems

gnome-phone-manager: control aspects of your mobile phone from your GNOME 2 desktop

gnupg: GNU privacy guard - a free PGP replacement

golang-pault-go-ykpiv-dev: high level cgo wrapper around libykpiv.so.1

network-manager-openconnect: network management framework (OpenConnect plugin core)

network-manager-openconnect-gnome: network management framework (OpenConnect plugin GNOME GUI)

nitrokey-app: Application to manage the Nitrokey

openconnect: open client for Cisco AnyConnect, Pulse, GlobalProtect VPN

opensc: Smart card utilities with support for PKCS#15 compatible cards

pcsc-tools: Some tools to use with smart cards and PC/SC

plasma-nm: Plasma5 networkmanager library.

python3-yubikey-manager: Python 3 library for configuring a YubiKey

qemu-system-arm: QEMU full system emulation binaries (arm)

qemu-system-mips: QEMU full system emulation binaries (mips)

qemu-system-misc: QEMU full system emulation binaries (miscellaneous)

qemu-system-ppc: QEMU full system emulation binaries (ppc)

qemu-system-sparc: QEMU full system emulation binaries (sparc)

qemu-system-x86: QEMU full system emulation binaries (x86)

rdesktop: RDP client for Windows NT/2000 Terminal Server and Windows Servers

spice-client-gtk: Simple clients for interacting with SPICE servers

srsue: User Equipment implementation for LTE

virt-viewer: Displaying the graphical console of a virtual machine

vinagre: remote desktop client for the GNOME Desktop

wpasupplicant: client support for WPA and WPA2 (IEEE 802.11i)

x2gothinclient-chroot: Install X2Go Thin Client chroot (metapackage)

xgnokii: Datasuite for mobile phone management (X interface)

ykcs11: PKCS#11 module for the YubiKey PIV applet

yubico-piv-tool: Command line tool for the YubiKey PIV applet

yubikey-manager: Python library and command line tool for configuring a YubiKey

yubioath-desktop: Graphical interface for displaying OATH codes with a Yubikey

Installations

Package	# of installation	% of Debian systems
gnupg	189853	96,29 %
wpasupplicant	100666	51,06 %
vinagre	49424	25,07 %
opensc	24336	12,34 %
qemu-system-x86	18292	9,28 %
plasma-nm	17497	8,87 %
rdesktop	10575	5,36 %
virt-viewer	9638	4,89 %
qemu-system-arm	4708	2,39 %
qemu-system-ppc	4099	2,08 %
qemu-system-mips	4096	2,08 %
qemu-system-misc	4070	2,06 %
qemu-system-sparc	4007	2,03 %
openconnect	3679	1,87 %
network-manager-openconnect	2457	1,25 %
network-manager-openconnect-gnome	1832	0,93 %
pcsc-tools	1743	0,88 %
gnome-boxes	1446	0,73 %
spice-client-gtk	791	0,40 %
python3-yubikey-manager	338	0,17 %
xgnokii	319	0,16 %
yubikey-manager	298	0,15 %
gnokii-cli	288	0,15 %
cardpeek	176	0,09 %
yubico-piv-tool	165	0,08 %
gnome-phone-manager	155	0,08 %
yubioath-desktop	115	0,06 %
nitrokey-app	103	0,05 %
connman-gtk	73	0,04 %
ausweisapp2	69	0,03 %
gnokii-smsd	47	0,02 %
ykcs11	36	0,02 %
entropybroker	19	0,01 %
srsue	2	0,00 %
golang-pault-go-ykpiv-dev	1	0,00 %
x2gothinclient-chroot	0	0,00 %

Conclusion

The first real smart card application with the most installations is OpenSC with 12% of Debian systems. Hello and well done to my OpenSC developers collegues.

The use of smart card is not developed. Maybe it is more deployed in enterprises since "many" business laptops have an integrated smart card reader. So there must be market and customer demand for these configurations. But maybe also these enterprises systems do not have the popularity-contest package installed so are not visible in the statistics here.

Smart card Usage in Debian: middleware

See "Smart card Usage in Debian: pcscd and drivers" for the previous article.

The next layer above the smart card reader driver and PC/SC resource manager are middleware. These software are between PC/SC and the user application.

I try to maintain a list of smart card middleware available in Debian.

I updated the list when writing this blog article. New Debian packages have been added, and others have been removed.

cackey: CAC and PIV Smartcard PKCS #11 cryptographic module

coolkey: Smart Card PKCS #11 cryptographic module

libckyapplet1: Smart Card Coolkey applet

libckyapplet1 is a dependency of coolkey. So they are both installed at the same time.

libckyapplet1-dev: Smart Card Coolkey applet development files

libcacard0: Virtual Common Access Card (CAC) Emulator (runtime library)

libcacard0 is a dependency of all the qemu-system-* packages. That can explain why this package is installed in so much systems.

libcacard-dev: Virtual Common Access Card (CAC) Emulator (development files)

libchipcard6: library for accessing smartcards

libchipcard-data: configuration files for libchipcard

libchipcard-dev: API for smartcard readers

libchipcard-tools: tools for accessing chipcards

libengine-pkcs11-openssl: OpenSSL engine for PKCS#11 modules

libgnokii7: Gnokii mobile phone interface library

libopenconnect5: open client for Cisco AnyConnect, Pulse, GlobalProtect VPN - shared library

libopenconnect5 is a dependency of plasma-nm (Plasma5 networkmanager library). Plasma is the KDE graphical workspaces environment.

libosmosim0: Osmo SIM library

Part of libosmocore: Open Source MObile COMmunications CORE library (metapackage)

libpam-p11: PAM module for using PKCS#11 smart cards

Part of pam-p11: PAM module for using PKCS#11 smart cards

libpam-pkcs11: Fully featured PAM module for using PKCS#11 smart cards

libpam-poldi: PAM module allowing authentication using a OpenPGP smartcard

libpcscada0.7.5: Ada bindings to PC/SC middleware

libspice-client-glib-2.0-8: GObject for communicating with Spice servers (runtime library)

libspice-client-glib-2.0-8 is a dependency of vinagre: remote desktop client for the GNOME Desktop

libspice-client-gtk-3.0-5: GTK3 widget for SPICE clients (runtime library)

libspice-client-gtk-3.0-5 is also a dependency of vinagre: remote desktop client for the GNOME Desktop

libykpiv1: Library for communication with the YubiKey PIV smartcard

openjdk-8-jre-headless: OpenJDK Java runtime, using Hotspot JIT (headless)

openjdk-11-jre-headless: OpenJDK Java runtime, using Hotspot JIT (headless)

We can see that openjdk-8-jre-headless has been replaced by openjdk-11-jre-headless.

openjdk-13-jre-headless: OpenJDK Java runtime, using Hotspot JIT (headless)

openjdk-13-jre-headless is not yet in Debian stable. So the number of installation is low. This version is also replaced by openjdk-14-jre-headless since 2020.

openjdk-14-jre-headless: OpenJDK Java runtime, using Hotspot JIT (headless)

openjdk-15-jre-headless: OpenJDK Java runtime, using Hotspot JIT (headless)

openjdk-15-jre-headless is very new. It is in Debian unstable but has not yet migrated to Debian testing. So the number of installation is very low.

opensc-pkcs11: Smart card utilities with support for PKCS#15 compatible cards

python3-pykcs11: PKCS#11 wrapper for Python

python3-pyscard: Python3 wrapper above PC/SC API

python3-pyscard is a dependency of python3-yubikey-manager. Users are installing this package not because they love this software (I am the upstream maintainer) but because they use a yubikey.

Installations

Package	# of installation	% of Debian systems
libcacard0	54878	27,83 %
libspice-client-glib-2.0-8	53935	27,35 %
openjdk-11-jre-headless	51455	26,10 %
libspice-client-gtk-3.0-5	49029	24,87 %
openjdk-8-jre-headless	42921	21,77 %
opensc-pkcs11	24375	12,36 %
libopenconnect5	19034	9,65 %
python3-pyscard	369	0,19 %
openjdk-14-jre-headless	340	0,17 %
libengine-pkcs11-openssl	312	0,16 %
openjdk-13-jre-headless	300	0,15 %
libchipcard-data	199	0,10 %
libckyapplet1	193	0,10 %
coolkey	190	0,10 %
libchipcard6	182	0,09 %
libykpiv1	178	0,09 %
libcacard-dev	135	0,07 %
libchipcard-tools	131	0,07 %
libpam-pkcs11	90	0,05 %
openjdk-15-jre-headless	78	0,04 %
libpam-poldi	39	0,02 %
libpam-p11	33	0,02 %
libosmosim0	29	0,01 %
python3-pykcs11	19	0,01 %
libchipcard-dev	18	0,01 %
cackey	12	0,01 %
libckyapplet1-dev	3	0,00 %
libpcscada0.7.5	3	0,00 %
libgnokii7	2	0,00 %

Conclusion

Many (all?) smartcard middleware packages with an important installation base are not installed for themselves but because they are a dependency of another package.

So users are installing packages with smart card features or services but without any need or use of the smart card features.

It is not a problem. It is how dependencies works.