macOS Big Sur and smart cards status

macOS Big Sur (macOS 11.0) is now available since November, 2020.

tokend

A tokend is a piece of software used to bridge a cryptographic device (like a smart card) and the CDSA (Common Data Security Architecture) architecture.

Since macOS Lion (10.7 in 2011) the CDSA/tokend technology is deprecated. See "Mac OS X Lion and tokend".

tokend was disabled by default in Catalina but it was still possible to enable it again.

With macOS Big Sur tokend is now completely removed. The manpage SmartCardServices-legacy(7) is also no more present.

PC/SC

Since Yosemite (macOS 10.10 in 2014) the PC/SC layer is no more a fork of pcsc-lite. So comparing versions with pcsc-lite is useless.

% cat /System/Library/Frameworks/PCSC.framework/Versions/A/Resources/version.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>BuildAliasOf</key>
	<string>CryptoTokenKit</string>
	<key>BuildVersion</key>
	<string>25</string>
	<key>CFBundleShortVersionString</key>
	<string>8.0</string>
	<key>CFBundleVersion</key>
	<string>1</string>
	<key>ProjectName</key>
	<string>SmartCardServices</string>
	<key>SourceVersion</key>
	<string>487040010000000</string>
</dict>
</plist>

The CFBundleShortVersionString is still 8.0 as for Mojave and Catalina. The SourceVersion changed from 408011002000000 to 487040010000000. But I have no idea what that means :-).

 

I have not yet made many tests of the PC/SC layer. So far it works fine.

Crypto Token Kit

CryptoTokenKit is the native smart card API since the complete rewrite in macOS Yosemite 10.10 (OS X Yosemite BETA and smart cards status).

The directory /System/Library/Frameworks/CryptoTokenKit.framework/CryptoTokenKit/ changed a bit between Catalina and Big Sur. For example the file CryptoTokenKit is no more present.

I tried my Objective-C sample and the code still works fine (as expected) even if the binary is now linked to a non-existent library file.

% otool -L ./blog.app/Contents/MacOS/blog
./blog.app/Contents/MacOS/blog:
	/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation (compatibility version 300.0.0, current version 1673.126.0)
	/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1281.0.0)
	/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1673.126.0)
	/System/Library/Frameworks/CryptoTokenKit.framework/Versions/A/CryptoTokenKit (compatibility version 1.0.0, current version 1.0.0)

% ls /System/Library/Frameworks/CryptoTokenKit.framework/Versions/A/CryptoTokenKit
ls: /System/Library/Frameworks/CryptoTokenKit.framework/Versions/A/CryptoTokenKit: No such file or directory

CCID

% grep -A 1 CFBundleShortVersionString /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/Info.plist
	<key>CFBundleShortVersionString</key>
	<string>1.4.32</string>

Apple updated the CCID driver from version 1.4.31 in Catalina to 1.4.32 in Big Sur.

Version 1.4.32 is not the latest version available. I released this version on April, 22th 2020.

The latest version (for now) of the CCID driver is 1.4.33 released on June 25th, 2020. 

Apple Silicon

macOS Big Sur is also the operating system for the new Apple computers using the Apple Silicon CPU (an ARM based CPU). The binaries provided with macOS Big Sur are now also compiled for ARM.

For example with the CCID driver:

% cd /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/MacOS/
% file libccid.dylib 
libccid.dylib: Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit dynamically linked shared library x86_64] [arm64e:Mach-O 64-bit dynamically linked shared library arm64e]
libccid.dylib (for architecture x86_64):	Mach-O 64-bit dynamically linked shared library x86_64
libccid.dylib (for architecture arm64e):	Mach-O 64-bit dynamically linked shared library arm64e

My CCID driver works fine with GNU/Linux on a RaspberryPi with an ARM CPU. So it is not surprising that it works also fine with an Apple Silicon CPU.

When Apple will publish the patches they made to Free Software programs used in Big Sur at https://opensource.apple.com we will see if some modifications were needed.

Conclusion

No big changes in Big Sur for the smart card world.

How to get smart card support

I, more and more, receive direct emails asking for help about a general question about smart cards.

 

Free support

It is OK to send me an email or create a github, salsa, etc. ticket if you find a bug in a software I maintain. But it is, in general, not OK to contact me directly because you have a problem with your smart card project.

I do provide Free Software (as in free speech), not free support (as in free beer). If you really want support from me then contact me, we can agree on something.

pcsclite-muscle mailing list

For community support you should use the pcsclite-muscle mailing list. You can register to the list at https://lists.infradead.org/mailman/listinfo/pcsclite-muscle and access to the archives at http://lists.infradead.org/pipermail/pcsclite-muscle/.

On the mailing list you will find many smart card experts. Some of them know much more about some smart card details than me. Most of the time I will answer your question. But some other people may have a better/different answer.

One major benefit of using a public mailing list is that you can find answers about already known problems in the mailing list archives. So the more users use the mailing list the richer the archives will be.

 

Mailing list success

Since 2009 I publish the mailing list statistics for the previous year. For example read "MUSCLE mailing list statistics for 2019".

The number of messages on the list is declining. In part because people use other ways to get answers: direct email to me, github issues, etc.

Conclusion

Email is an old technology. Mailing list is an old technology. You have to fight against spam, etc.

But I think it is a nice way to get free support.

Unhappy user

 I just received this email:

Subject: I have a question with your library

Your library is garbage.  

It's too unstable, sometimes it works, sometimes it doesn't.
 Why do you publicize your library, as if it really works?

I've just wasted time configuring, fixing bugs, reading your old recommendations.

This is horrible. The version of pcsc lite has failed, I have sometimes failed to read nfc or newly released readers. Even your makefile for C fails. It is impossible to maintain your library. Sometimes it has worked, but I restart the pc and it no longer works. It's terrible.

 I just wasted my time with your library trash.  

First I thought it was just a spam. But then it talks about pcsc-lite so it must really be for me.

I don't find any question in the text. I also do not find any specific issue or problem to fix.

It is strange to take the time to write such an email. I think that is the first time I receive this kind of email.

I do not include the author name or email address. But if you (the author of the email) read this I propose you to join the pcsclite-muscle mailing list and report your problems there. I am sure someone can help you.

sysmoOCTSIM: 8 slots reader

Sysmocom designed and sells a smart card reader with 8 slots for SIM sized cards (2FF form factor). It is the sysmoOCTSIM

 

I received such a reader a few days ago (thanks Harald W.). In my case the reader has a nice aluminium casing to protect the electronic.

I added the reader in my list at: sysmocom_sysmoOCTSIM.

 

8 slots

The reader has 8 slots. From the CCID USB descriptor:

  bMaxSlotIndex: 0x07

The index starts at 0 so a maximum of 7 indicates 8 slots.

 

And it declares that it can support 8 slots busy at the same time.

  bMaxCCIDBusySlots: 8

So it is possible to use the 8 slots at the same time.

This device is the only one to have 8 slots in my list: https://ccid.apdu.fr/select_readers/?bMaxSlotIndex=7

You can also display the reader list sorted by bMaxSlotIndex field to easily see the other readers that have more than 1 slot.

 

Free Software Firmware

The reader firmware is free software (or open source if you prefer this denomination). The license is GNU GPL 2 or a later version.

The git repository is https://git.osmocom.org/osmo-ccid-firmware/
The bug tracker is https://osmocom.org/projects/osmo-ccid-firmware

The only other free software CCID firmware I know of is Tian Tian Xiang Shang used in the GnuK project (An Implementation of USB Cryptographic Token for GnuPG).

CCID driver limitation

My CCID driver does support multi-slots readers since version 0.9.2 released in 2004.

But the driver is limited because it does not support using the slots at the same time, even if the reader declares it supports it.

pcsc-lite has support for simultaneous multi-slot. But the driver tells pcsc-lite that simultaneous multi-slot is not supported. See this code: https://salsa.debian.org/rousseau/CCID/-/blob/master/src/ifdhandler.c#L490

Of course I tried to modify the code of the CCID driver to tell pcsc-lite that simultaneous multi-slot can be used. But then the driver is confused by mixed USB frames. I then remembered why this support was disabled.

 

Improvement

Adding support of simultaneous multi-slots is possible. That will require some work on the CCID driver.

If you want or plan to use such a reader with pcsc-lite on GNU/Linux or another Unix system then contact me so we can discuss what you can do.

Conclusion

I sometimes receive requests about configurations with a lot of smart card readers. Using an 8 slots reader can be part of the solution. This reader requires the use of only one USB port and has its own power supply unit.

The reader firmware is Free Software and I like that. It can only be a good point in the selection of a smart card reader.

GitHub Sponsors: US$ 20 per month

Since January 2020 I participate in the GitHub Sponsors. See my post "GitHub Sponsors".

I received the first payment in May 2020. See "GitHub Sponsors: first payment".

You can see my public GitHub sponsor page at "Become a sponsor to LudovicRousseau".

New sponsor

I now have a new sponsor at $10 per month. That will double my Sponsors revenue. Yeah!
Thanks a lot to the existing 6 sponsors. You are wonderful.

I added a new tier at $20/month in case someone want to be even more generous.

Bitcoin

It is also possible to send me bitcoins. See "How to help my projects? Send me bitcoins!".

Someone sent me some BTC cents (or micro cents) just a few days ago. Thanks to you anonymous.

Conclusion

I plan to make a status in next January for the 1st anniversary of my participation to the GitHub Sponsors program.

PySCard 2.0.0 released

 I just released a new version 2.0.0 of pyscard. PySCard is a python module adding smart cards support (PC/SC) to Python.

The version is 2.0.0 because after 1.9.9 I had not so many choices. This version does not bring any new feature. It is a bug fix release.

The PySCard project is available at:

• pypi
• github
• sourceforge

Changes

2.0.0 (September 2020)

• SCardStatus(): Fix a crash in case of PC/SC error
• toASCIIString(): replace non-ASCII characters by '.'
• remove i386 (32-bits) support on macOS

New PyKCS11 1.5.9 available

I just released a new version of PyKCS11, a Python wrapper above the PKCS#11 API.
See "PyKCS11 introduction" or "PyKCS11’s documentation".

The project is registered at Pypi: https://pypi.org/project/PyKCS11/

Changes

1.5.9 - July 2020, Ludovic Rousseau

• call C_GetSlotList() with a NULL parameter to correctly initialize some PKCS#11 lib conforming to PKCS#11 version 2.40.