Monday, December 13, 2010

Configuring your system for pcscd auto-start

Since pcsc-lite 1.6.5 it is possible to start pcscd on demand and to run it with fewer privileges than root.

System configuration


pcscd group

pcscd is run as a user in the pcscd group. So you need to create this group.

$ sudo addgroup --system pcscd

/var/run/pcscd directory

Since pcscd is no longer running as root, it cannot create the /var/run/pcscd directory itself. The directory must be created as root and the correct permissions must be set:

  • group = pcscd group
  • access rights = rwx

$ sudo mkdir /var/run/pcscd
$ sudo chgrp pcscd /var/run/pcscd
$ sudo chmod g+w /var/run/pcscd

udev rule


pcscd is no longer running as root, so the permissions on the reader device must be changed. For USB readers this is done via a udev rule file.

A previous blog entry described such a udev rule file.
libccid provides a udev rule file. I guess other drivers do not (yet) provide one.

Example:

# If not adding the device, go away
ACTION!="add", GOTO="pcscd_ccid_rules_end"
SUBSYSTEM!="usb", GOTO="pcscd_ccid_rules_end"
ENV{DEVTYPE}!="usb_device", GOTO="pcscd_ccid_rules_end"

# sysfs exposes the IDs as four lowercase hex digits, without a 0x prefix
ATTRS{idVendor}=="08e6", ATTRS{idProduct}=="0430", GROUP="pcscd"

# All done
LABEL="pcscd_ccid_rules_end"


This example is for the Gemplus GemPC430 reader. It is an old reader and is not CCID. Just replace the idVendor and idProduct with the values of your own USB reader.
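To check the result of the steps above, together with the "sgid pcscd instead of suid root" install from the pcsc-lite 1.6.5 changelog, here is a small audit helper. It is an added example, not part of pcsc-lite or of the original article. The function names are hypothetical, /usr/sbin/pcscd is an assumed install path, the world-writable test is an extra check, and GNU stat is required.

```shell
#!/bin/sh
# Added example: audit helper for the pcscd auto-start setup in this article.
# Function names are hypothetical; /usr/sbin/pcscd is an assumed install path.

# mode4 PATH: octal permissions padded to 4 digits (special, user, group, other)
mode4() { printf '%04d' "$(stat -c %a "$1")"; }

# check_rundir DIR GROUP: prints "ok" or the first problem found
check_rundir() {
    [ -d "$1" ] || { echo "missing"; return 0; }
    [ "$(stat -c %G "$1")" = "$2" ] || { echo "wrong-group"; return 0; }
    m=$(mode4 "$1"); g=${m#??}; g=${g%?}; o=${m#???}
    # The article asks for group access rights rwx (octal 7)
    [ "$g" = 7 ] || { echo "group-lacks-rwx"; return 0; }
    # Extra check, not from the article: others must not be able to write here
    case $o in 2|3|6|7) echo "world-writable"; return 0 ;; esac
    echo "ok"
}

# check_daemon FILE GROUP: pcscd should be setgid GROUP and not setuid
check_daemon() {
    [ -f "$1" ] || { echo "missing"; return 0; }
    m=$(mode4 "$1"); s=${m%???}
    case $s in 4|5|6|7) echo "setuid"; return 0 ;; esac
    case $s in 2|3) ;; *) echo "not-setgid"; return 0 ;; esac
    [ "$(stat -c %G "$1")" = "$2" ] || { echo "wrong-group"; return 0; }
    echo "ok"
}

# audit: run the checks against the locations used in the article
audit() {
    getent group pcscd >/dev/null || echo "group pcscd: missing"
    echo "/var/run/pcscd: $(check_rundir /var/run/pcscd pcscd)"
    echo "/usr/sbin/pcscd: $(check_daemon /usr/sbin/pcscd pcscd)"
}

# Only touch the real system when asked to
if [ "${1:-}" = "--audit" ]; then audit; fi
```

Run the script with --audit to print one verdict per item; anything other than "ok" names the first setting that differs from the configuration described above.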

Debian


All these steps are already in place for the pcscd and libccid packages in Debian (in experimental for now). The packages for the other drivers should follow.

Conclusion


The auto-start feature needs some configuration before it can be used.
If you do not want to follow all the steps described in this article you can continue to run pcscd as root as before.



Sunday, December 12, 2010

New version of pcsc-lite: 1.6.6

I just released a new version of pcsc-lite: 1.6.6. This version does not bring new features but fixes two bugs.
The version is available here.

Changelog


pcsc-lite-1.6.6: Ludovic Rousseau
12 December 2010
  • SCardGetStatusChange(): fix a bug on 64-bit systems
  • Fix another bug because of a regression in the internal list manager



Friday, December 3, 2010

New version of libccid: 1.4.1

I just released a new version of libccid.

Changelog


1.4.1 - 3 December 2010, Ludovic Rousseau

  • Add support of Gemalto Smart Guardian (SG CCID), ReinerSCT cyberJack RFID basis, Akasa AK-CR-03, BZH uKeyCI800-K18, Free Software Initiative of Japan Gnuk token readers
  • Remove O2 Micro Oz776 and Blutronics Bludrive II CCID since they are no longer supported since version 1.4.0
  • SecurePINVerify & SecurePINModify: Accept big and little endian byte orders for multibyte fields. The application should not use HOST_TO_CCID_16() and HOST_TO_CCID_32() any more and just use the normal byte order of the architecture.
  • Need pcsc-lite 1.6.5 for TAG_IFD_POLLING_THREAD_WITH_TIMEOUT
  • Add --enable-embedded (default is no) to build libccid for an embedded system. This will activate the NO_LOG option to disable logging and limit RAM and disk consumption.
  • Remove --enable-udev option since it is not used anymore with libhal. The udev rules file is now used to change the access rights of the device and not send a hotplug signal to pcscd. See http://ludovicrousseau.blogspot.com/2010/09/pcscd-auto-start.html
  • some minor bugs removed


New version of pcsc-lite: 1.6.5

I just released a new version of pcsc-lite. Some of the improvements or changes have already been described in previous blog articles.

Changelog


pcsc-lite-1.6.5: Ludovic Rousseau
3 December 2010
  • Power on the card _only_ if an application requests a connection. You can disable the feature using DISABLE_ON_DEMAND_POWER_ON in src/pcscd.h.in. If DISABLE_AUTO_POWER_ON is defined then do not automatically power on the card. The card will be powered on on the first SCardConnect(). See http://ludovicrousseau.blogspot.com/2010/10/card-auto-power-on-and-off.html
  • SCardReconnect(): return SCARD_E_NO_SMARTCARD when card is removed and SCARD_W_UNRESPONSIVE_CARD when card is unresponsive instead of SCARD_E_PROTO_MISMATCH
  • Install pcscd as sgid pcscd instead of suid root. See http://ludovicrousseau.blogspot.com/2010/09/pcscd-auto-start.html
  • SCardSetTimeout() is no longer provided. This function is not provided by Microsoft and is deprecated since 2004 in pcsc-lite.
  • SCardCancelTransaction() is no longer provided. This function is not provided by Microsoft and is deprecated since 2005 in pcsc-lite.
  • Parsing the CCID Info.plist (159 readers supported) was, on an i386 machine, done in 264306 µs and is now done in 5547 µs => gain x47 or 4600%. See http://ludovicrousseau.blogspot.com/2010/08/ram-and-cpu-improvements-in-pcsc-lite.html
  • It is now possible to configure the local socket name to use with the environment variable PCSCLITE_CSOCK_NAME. See http://ludovicrousseau.blogspot.com/2010/11/pcsc-client-and-server-on-two-different.html
  • Wait until all connected readers have a chance to power up a possibly inserted card before accepting clients.
  • restrict pcscd features when not run by root (so using suid): APDU logging or setting parameters are disabled for example
  • fix compilation problem on kfreebsd-* systems
  • PCSC/reader.h: HOST_TO_CCID_16() and HOST_TO_CCID_32() are now identity functions. Since libccid 1.4.1 (revision 5252) the byte order is no longer important
  • If you want to use IFDHCreateChannel() instead of IFDHCreateChannelByName() then do not use any DEVICENAME line in the configuration file. IFDHCreateChannel() will then be called with the CHANNELID parameter.
  • the CHANNELID parameter can also be a decimal number.
  • Remove the support of IFDHandler v1 API. I don't know any driver using this API. See http://ludovicrousseau.blogspot.com/2010/10/ifdhandler-version-1-support-removed.html
  • avoids a buffer overflow with badly formed ATR
  • some other minor improvements and bug corrections

New PyKCS11 1.2.3 available

I just released a new version of PyKCS11, a Python wrapper above the PKCS#11 API.

Changelog


1.2.3 - December 2010, Ludovic Rousseau

  • Add new classes CK_SLOT_INFO, CK_INFO, CK_SESSION_INFO, CK_MECHANISM_INFO and CK_TOKEN_INFO instead of the low level ones to have a __repr__() method. It is now possible to just print an object of these classes and have a human readable version.
  • Add a new class CK_OBJECT_HANDLE() to replace the low level one and have a __repr__() method for objects returned by findObjects()
  • Move initToken() from class Session to class PyKCS11Lib and add a slot parameter.
  • Add generateKeyPair() and destroyObject() support in high level interface

What next?


This new release should restart the publication of articles on this wrapper. I have not published anything since June.

This new version 1.2.3 is easier and more fun to use in an interactive Python interpreter. You can just display objects using print. More to come...

