Ludovic Rousseau's blog

Tuesday, November 29, 2022

PC/SC sample in TypeScript (Deno)

To continue the list of PC/SC wrappers initiated in 2010 with "PC/SC sample in different languages" I now present a new sample code in Deno a modern runtime for JavaScript and TypeScript.

pcsc-deno

The wrapper is available at https://github.com/cryptographix/pcsc-deno and https://deno.land/x/pcsc

The author is Sean Michael Wykes.

The license is MIT.

I used version 0.4.
This version includes the fixes I proposed for GNU/Linux.

Deno

From Wikipedia Deno article:

Deno is a runtime for JavaScript, TypeScript, and WebAssembly that is based on the V8 JavaScript engine and the Rust programming language. Deno was co-created by Ryan Dahl, who also created Node.js.

Deno explicitly takes on the role of both runtime and package manager within a single executable, rather than requiring a separate package-management program.

Installation

Installation is very easy. First install Deno as documented in https://deno.land/#installation

The PC/SC wrapper will be downloaded and installed automatically at run time.

Source code

import {
  CommandAPDU,
  ContextProvider,
  ISO7816,
  PCSC,
} from 'https://deno.land/x/pcsc/mod.ts';

try {
  // establish a PC/SC context
  const context = ContextProvider.establishContext();

  // get all available readers
  const readers = context.listReaders();

  for (const reader of readers) {
    console.log(`Using reader: ${reader.name}`);
    if (reader.isMute) {
      console.log(`Reader ${reader.name}: MUTE`);
    } else if (reader.isPresent) {
      // connect
      const card = await reader.connect();

      // send Select Applet APDU
      const selectApplet = CommandAPDU
        .from([ISO7816.CLA.ISO, ISO7816.INS.SelectFile, 0x04, 0x00]) // ISO SELECT
        .setData([0xA0, 0x00, 0x00, 0x00, 0x62, 0x03, 0x01, 0x0C, 0x06, 0x01]);

      const resp = await card.transmitAPDU(selectApplet);

      // check for 0x90 0x00
      if (resp.SW == ISO7816.SW.SUCCESS) {
        // success ..
        console.log(`Reader ${reader.name}: applet successfully selected`);

        // send Test APDU
        const command = CommandAPDU
          .from([ISO7816.CLA.ISO, 0, 0, 0]);

        const resp = await card.transmitAPDU(command);
        if (resp.SW == ISO7816.SW.SUCCESS) {
          // success ..
          console.log(`Reader ${reader.name}: Test command successful`);

          // convert from bytes to string and display
          console.log(String.fromCharCode.apply(null, resp.data));
        } else {
          // something went wrong ..
          console.error(
            `Reader ${reader.name}: error SW=${resp.SW.toString(16)}`,
          );
        }
      } else {
        // something went wrong ..
        console.error(
          `Reader ${reader.name}: error SW=${resp.SW.toString(16)}`,
        );
      }

      // unpower and disconnect
      await card.disconnect(PCSC.Disposition.UnpowerCard);
    } else {
      console.log(`Reader ${reader.name}: NO CARD`);
    }
  }
  // release the PC/SC context
  context.shutdown();
} catch (e: PCSCException) {
  console.log(e, "error");
}

Output

$ deno run --unstable --allow-ffi blog.ts
Using reader: Gemalto PC Twin Reader (F8345B4A) 00 00
Reader Gemalto PC Twin Reader (F8345B4A) 00 00: applet successfully selected
Reader Gemalto PC Twin Reader (F8345B4A) 00 00: command successful
Hello world!

Conclusion

Nothing special to say. Thanks Sean for the wrapper.

If you work on a Free Software PC/SC wrapper that is not yet in my list please let me know.

Wednesday, November 16, 2022

Share a smart card reader between a host and its guest VM(s)

As I wrote in "One smart card reader accessible from many computers" it is possible to share a smart card reader between 2 or more systems.

Problem

I recently received a bug report about a problem between pcsc-lite and VirtualBox. When the smart card reader is connected to the VM guest then the kernel on the host reports errors like:

2022-11-11T14:25:01.186983-08:00 track pcscd[2474]: 00000001 eventhandler.c:336:EHStatusHandlerThread() Error communicating to: SCM Microsystems Inc. SCR 3310 [CCID Interface] (53311514247933) 00 00

2022-11-11T14:25:01.186993-08:00 track pcscd[2474]: 00000005 ccid_usb.c:1356:InterruptRead() libusb_submit_transfer failed: LIBUSB_ERROR_IO

2022-11-11T14:25:01.188050-08:00 track kernel: [ 1247.705353][ T2521] usb 1-2: usbfs: process 2521 (pcscd) did not claim interface 0 before use

2022-11-11T14:25:01.188053-08:00 track kernel: [ 1247.705386][ T2521] usb 1-2: usbfs: process 2521 (pcscd) did not claim interface 0 before use

2022-11-11T14:25:01.587034-08:00 track pcscd[2474]: 00400173 ccid_usb.c:865:WriteUSB() write failed (1/2): -1 LIBUSB_ERROR_IO

2022-11-11T14:25:01.587076-08:00 track pcscd[2474]: 00000008 ifdwrapper.c:364:IFDStatusICC() Card not transacted: 612

And after some times (in days) the host kernel crashes.

A Linux kernel crash is never a good thing. pcsc-lite may be very powerful but it can't crash the Linux kernel. Only a bug in the kernel itself can generate a crash. Here I suspect the VirtualBox Linux kernel module to do something bad.

Solution

Instead of connecting the USB smart card reader in the guest VM (and disconnecting it from the host) it is possible to share the smart card reader(s) between the host and guest with some help from pcsc-lite.

Setup

My demo setup:

Host: Debian testing system
Guest: NetBSD 9.3 running inside KVM (Kernel Virtual Machine).

I use 2 very different operating systems, GNU/Linux and NetBSD, on purpose. It is to show it is possible to mix systems.

Host

In the host, no change to the configuration. But we will redirect (inject) /run/pcscd/pcscd.comm in the virtual machine.

On the Debian host I run:

$ ssh -N -R/tmp/pcscd.comm:/run/pcscd/pcscd.comm VMNetBSD

Guest

On the NetBSD VM I use:

$ export PCSCLITE_CSOCK_NAME=/tmp/pcscd.comm

Then I can run any application using pcsc-lite and get access to the smart card(s) and reader(s) from the host. For example:

$ pcsc_scan -c

Wed Nov 16 17:26:55 2022
 Reader 0: Alcor Micro AU9540 00 00
  Event number: 0
  Card state: Card inserted, 
  ATR: 3B A7 00 40 18 80 65 A2 08 01 01 52

With a screenshot:

Limitations

pcsc-lite to pcsc-lite

As I demonstrated the solution is not limited to GNU/Linux. Any Unix system using pcsc-lite can be used. But you must use the same pcsc-lite protocol on both sides.

For example the current protocol version used by pcsc-lite 1.9.9 (current version) is 4.4. It is the same protocol version since pcsc-lite 1.8.24 released in Oct 2018.

macOS or Windows host

It should be technically possible to use Windows or macOS as the host OS. That would involve a new development. Contact me if you need something like that.

Conclusion

No need to disconnect/reconnect the USB reader in the VM. Just share it with the host.

You will be able to use the same smart card at the same time on the two sides. Isn't it nice?

Tuesday, November 15, 2022

macOS Ventura and smart cards status

Ventura (macOS 13.0) is now available since October, 2022.

I will compare this version to the previous one in Monterey I presented in macOS Monterey and smart cards status.

CCID

$ grep -A 1 CFBundleShortVersionString /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/Info.plist
	<key>CFBundleShortVersionString</key>
	<string>1.5.0</string>

The CCID driver has been upgraded from version 1.4.34 as in Monterey to version 1.5.0.

Apple Open Source

The Open Source components included in macOS are listed at https://opensource.apple.com/releases/

In addition to a .tar.gz archive, the source code is also available in a github (acquired by Microsoft in 2018) repository at https://github.com/apple-oss-distributions/SmartcardCCID.

It is then easy to see the patches applied by Apple to the CCID driver:

But the patches have no documentation on the why the patches are needed.

The only obvious patch is ccid-info-plist.patch that changes the value of ifdLogLevel from Info.plist configuration file from 3 (CRITICAL + INFO) to 1 (CRITICAL) in order to generate less logs.

It is also easy to compare two versions. For example the differences between the version for Monterey and the version for Ventura is available as a github diff between tags SmartcardCCID-55028 and SmartcardCCID-55031.

Crypto Token Kit

Nothing special to say. The source code of this part is not available.

My Objective-C sample "PC/SC" sample in Objective-C (synchronous) still builds and works fine.

Security message on first connection

On the first connection of my USB smart card reader I got this dialogue box:

It is nice to see the security improvements.

As expected, I do not get the dialogue box again after I selected "Allow".

Conclusion

No big changes in Ventura for the smart card world.

Monday, November 14, 2022

New version of libccid: 1.5.1

I just released version 1.5.1 of libccid the Free Software CCID class smart card reader driver.

Changes:

1.5.1 - 14 November 2022, Ludovic Rousseau

Add support of

Access IS ATR220 with idProduct: 0x0184
Alcor Link AK9567
Alcor Link AK9572
BLUTRONICS TAURUS NFC
CHERRY SmartTerminal ST-1144
CREATOR CRT-603(CZ1) CCR
Dexon Tecnologias Digitais LTDA DXToken
ESMART Reader ER433x ICC
ESMART Reader ER773x Dual & 1S
Flight system consulting Incredist
Ledger Nano S
Ledger Nano S Plus
Ledger Nano SP
Ledger Nano X
SafeNet eToken Fusion
Sensyl SSC-NFC Reader

Adjust USB drivers path at run-time via environment variable PCSCLITE_HP_DROPDIR
configure.ac: add --enable-strict option
Fix a problem with AUTO PPS readers and ATR convention inverse cards
examples/scardcontrol:

add support of 6A xx error codes
check WinSCard error early
parse wLcdLayout & bEntryValidationCondition

macOS: log non sensitive strings as "%{public}s"
Some other minor improvements

Monday, November 7, 2022

Updated CCID driver for UEFI

In 2015 (7 years ago) I ported my CCID driver to UEFI (Unified Extensible Firmware Interface). For example read "UEFI Smart Card Reader Protocol implementation" and "PCSC sample in C for UEFI".

New version

I now updated the driver to use:

source code from CCID driver 1.5.0
source code from pcsc-lite 1.9.9
build using edk2 stable version edk2-stable202208

The driver is no more a patch for edk2 but an independent UEFI driver in its own repository UEFI-SmartCardReader. It should now be easier to build.

I also updated my samples applications in UEFI-SmartCardReader-Samples.

Conclusion

This driver will not be used by a lot of people. The driver is for applications that are run in the UEFI (i.e. before the main operating system is started) and with a need to access smart cards.

If you use it and want to have new features, or just want to discuss, you can contact me. I am curious to know what people can do with it.

Friday, October 28, 2022

Ubuntu 22.04 and pcscd auto start failure

Problem

Since Ubuntu 22.04 LTS there is a problem with PC/SC daemon automatic start. pcscd is supposed to start when an application makes the first PC/SC call. See "pcscd auto start using systemd". In some cases pcscd will not start and SCardEstablishContext() will receive the error SCARD_E_NO_SERVICE.

A ticket is opened at Ubuntu with bug #1971984: pcscd 1.9.5-3 do not start automatically, only manual

The problem is present on some configurations only. I have no idea why on some systems it works fine and on some others we have the problem.

For an unknown reason pcscd.socket is inactive.

$ systemctl status pcscd.socket
○ pcscd.socket - PC/SC Smart Card Daemon Activation Socket
     Loaded: loaded (/lib/systemd/system/pcscd.socket; disabled; vendor preset: enabled)
     Active: inactive (dead)
   Triggers: ● pcscd.service
     Listen: /run/pcscd/pcscd.comm (Stream)

Fix

The fix is easy:

sudo systemctl enable pcscd.socket

And reboot.

No problem on Debian

The same pcscd package has no problem on Debian.

I compared the configuration scripts between the Ubutun and Debian packages and they are the same. I guess the problem comes from systemd or dpkg on Ubuntu and the systemd configuration files are not always installed correctly. Again, no idea why.

Conclusion

The bug is opened since 2022-05-06. I don't know if someone at Ubuntu is working on it.

The pcscd package is in the section Universe (Community-Maintained, Open-Source Software) at Ubuntu. It is not in the section Main (Officially Supported, Open-Source Software) so maybe no engineer from Ubuntu is looking at this issue.

The problem may not be fixed until Ubuntu 24.04, the next LTS version.

Wednesday, September 28, 2022

PySCard 2.0.5 released

I just released a new version 2.0.5 of pyscard. PySCard is a python module adding smart cards support (PC/SC) to Python.

The PySCard project is available at:

This version is a not even a bug fix release. No code has changed.

The problem is that for the previous version, 2.0.4, I uploaded a incorrect source archive to Pypi. I inadvertently included some generated files in the .tar.gz archive. I discovered the problem while creating the Debian package. I removed the incorrect file from Pypi. But then it is not possible to upload a new file with a name that was already present on Pypi.

The source .tar.gz is already present in the pyscard project on sourceforge.net so I thought it was OK.

But then I received bug reports like Missing source release for 2.0.4? or pyscard 2.0.4 not available on linux from pypi so I had to do something.