Monday, November 3, 2014

OS X Yosemite and smart cards status

Yosemite (OS X 10.10) is now out since October 16th, 2014.

This article is the continuation of "OS X Yosemite BETA and smart cards status".

CCID driver

The CCID driver is still in /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle.

The driver has been updated from version 1.3.11 (released 28 July 2009) in Mavericks to version 1.4.14 (released 25 November 2013).
$ grep -A 1 CFBundleShortVersionString /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/Info.plist 
 <key>CFBundleShortVersionString</key>
 <string>1.4.14</string>

See the CCID driver README file for a list of the changes between 1.3.11 and 1.4.14. I will not list 4 years of changes here.

New readers supported

121 readers have been added between 1.3.11 and 1.4.14. They are:
  • Access IS ePassport Reader
  • ACS ACR101 ICC Reader
  • ACS AET65
  • ACS APG8201 PINhandy 1
  • ACS APG8201 USB Reader with PID 0x8202
  • ACS CryptoMate64
  • Akasa AK-CR-03, BZH uKeyCI800-K18
  • Aktiv Rutoken lite readers
  • Aktiv Rutoken PINPad Ex
  • Aktiv Rutoken PINPad In
  • Alcor Micro AU9522
  • Alcor Micro AU9540
  • Ask CPL108
  • Atmel AT90SCR050
  • Atmel AT90SCR100
  • Atmel VaultIC420
  • Atmel VaultIC440
  • Atmel VaultIC460
  • Avtor SC Reader 371
  • Avtor SecureToken
  • BIFIT iBank2Key
  • BIFIT USB-Token iBank2key
  • Bit4id CKey4
  • Bit4id cryptokey
  • Bit4id iAM
  • Bit4id miniLector
  • Bit4id miniLector-s
  • Broadcom 5880
  • C3PO LTC36
  • CCB eSafeLD
  • Cherry SmartTerminal XX7X
  • Covadis Auriga
  • Dectel CI692
  • DIGIPASS KEY 202
  • Feitian ePass2003 readers
  • Feitian SCR310 reader (also known as 301v2)
  • Free Software Initiative of Japan Gnuk token readers
  • Fujitsu SmartCase KB SCR eSIG
  • Gemalto Ezio CB+
  • Gemalto Ezio Shield
  • Gemalto Ezio Shield Branch
  • Gemalto Ezio Shield PinPad
  • Gemalto Ezio Shield PinPad reader
  • Gemalto GemCore SIM Pro firmware 2.0 (using USB)
  • Gemalto Hybrid Smartcard Reader
  • Gemalto IDBridge CT30
  • Gemalto IDBridge K30
  • Gemalto IDBridge K3000
  • Gemalto SA .NET Dual
  • Gemalto Smart Guardian (SG CCID)
  • German Privacy Foundation Crypto Stick v1.2
  • Giesecke & Devrient StarSign CUT
  • GIS Ltd SmartMouse USB
  • GoldKey PIV Token
  • HID OMNIKEY 5127 CK
  • HID OMNIKEY 5326 DFR
  • HID OMNIKEY 5427 CK
  • id3 CL1356T5
  • Identive CLOUD 2700 F Smart Card Reader
  • Identive CLOUD 2700 R Smart Card Reader
  • Identive CLOUD 4500 F Dual Interface Reader
  • Identive CLOUD 4510 F Contactless + SAM Reader
  • Identive CLOUD 4700 F Dual Interface Reader
  • Identive CLOUD 4710 F Contactless + SAM Reader
  • Ingenico WITEO USB Smart Card Reader (Base and Badge)
  • Inside Secure AT90SCR050
  • Inside Secure AT90SCR100
  • Inside Secure AT90SCR200
  • Inside Secure VaultIC 420 Smart Object
  • Inside Secure VaultIC 440 Smart Object
  • Inside Secure VaultIC 460 Smart Object
  • Kingtrust Multi-Reader
  • KOBIL mIDentity 4smart
  • KOBIL mIDentity 4smart AES
  • KOBIL mIDentity 4smart fullsize AES
  • KOBIL mIDentity fullsize
  • KOBIL mIDentity visual
  • KOBIL Smart Token
  • KOBIL Systems IDToken
  • Macally NFC CCID eNetPad reader
  • Neowave Weneo
  • new Neowave Weneo token
  • NXP PR533
  • Oberthur ID-ONE TOKEN SLIM v2
  • OmniKey 6321 USB
  • Planeta RC700-NFC CCID
  • Precise Sense MC reader (with fingerprint)
  • REINER SCT cyberJack go
  • ReinerSCT cyberJack RFID basis
  • SafeTech SafeTouch
  • SCM Microsystems Inc. SCL010 Contactless Reader
  • SCM Microsystems Inc. SDI011 Contactless Reader
  • SCM SCL011
  • SCM SCR3500
  • SCM SDI 011
  • SCR3310-NTTCom USB SmartCard Reader
  • SCR3310-NTTCom USB (was removed in version 1.4.6)
  • SDS DOMINO-Key TWIN Pro
  • SecuTech SecuTech Token
  • Smart SBV280
  • SpringCard H512 Series
  • SpringCard H663 Series
  • SpringCard NFC'Roll
  • Teridian TSC12xxF
  • THRC reader
  • Tianyu Smart Card Reader
  • Todos AGM2 CCID
  • Todos CX00
  • Ubisys 13.56MHz RFID (CCID)
  • Vasco DIGIPASS 920
  • Vasco DIGIPASS KEY 101
  • Vasco DIGIPASS KEY 200
  • Vasco DIGIPASS KEY 200
  • Vasco DIGIPASS KEY 860
  • Vasco DIGIPASS KEY 860
  • Vasco DP855
  • Vasco DP865
  • Xiring Leo v2
  • Xiring MyLeo
  • Yubico Yubikey NEO CCID
  • Yubico Yubikey NEO OTP+CCID

PC/SC known bugs fixed in Yosemite

This new version of PC/SC fixes some bugs present in the previous version of OS X (Mavericks and before).

This list is not exhaustive. I had a look at the bugs I reported at https://bugreport.apple.com/ (also known as radar) and that were closed by Apple.
Maybe you reported to Apple some PC/SC problems I do not know and these problems are now fixed in Yosemite. Feel free to tell me about it.

Extended APDU case 2 no more limited to 1958 bytes

It is now possible to get up to 64k bytes from a card using an extended APDU.
(radar bug #9983001)

Possibility to use composite CCID devices

It is now possible to use a USB device with more than 1 CCID interface.

For example the Gemalto Prox Dual USB PC Link Reader provides 2 CCID interfaces (1 contact interface and 1 contactless interface). In previous Mac OS X versions only the first interface was usable (unless you use a specially compiled CCID driver).
(radar bugs #17841224, #10469006)


Suspend/resume with 2 readers connected

Suspend and resume now works when you have 2 readers connected.

With the previous OS X versions the pcscd daemon was sometimes locked in a bad state at resume. You had to do a card movement to "wake up" pcscd.
(radar bug #16711906)


No more limited to 16 PC/SC card contexts

It is now possible to call SCardConnect() more than 16 times consecutively.

My test program now blocks at around 750 simultaneous opened card contexts. The application should get a PC/SC error instead of blocking. Still a bug but this one should not happen often in the field.

(radar bug #10038432 and https://smartcardservices.macosforge.org/trac/ticket/76)

PC/SC new internal Architecture

Maybe I am completely wrong about my interpretation. We will know for sure when/if the source code of PC/SC is published at http://opensource.apple.com/.

This is what I found for now.

pcscd

The daemon /usr/sbin/pcscd is no more present and has been replaced by something more complex (and with new bugs).

PCSC framework

Binary is /System/Library/Frameworks/PCSC.framework/PCSC.

This file is still present and is used by a PC/SC application. It is the entry point for any PC/SC application on OS X.

com.apple.ctkpcscd.xpc

Binary is /System/Library/Frameworks/PCSC.framework/Versions/A/XPCServices/com.apple.ctkpcscd.xpc/Contents/MacOS/com.apple.ctkpcscd.

The process com.apple.ctkpcscd is started (directly or indirectly) by the PC/SC framework linked to the application.

For example when the (still present) test program pcsctest.
$ ps -Aj | grep pcsc
root              110     1   110      0    0 Ss     ??    0:00.02 /System/Library/Frameworks/PCSC.framework/Versions/A/XPCServices/com.apple.ctkpcscd.xpc/Contents/MacOS/com.apple.ctkpcscd
lroussea         2282     1  2282      0    0 Ss     ??    0:00.01 /System/Library/Frameworks/PCSC.framework/Versions/A/XPCServices/com.apple.ctkpcscd.xpc/Contents/MacOS/com.apple.ctkpcscd
lroussea         2281  1410  2281      0    1 S+   s002    0:00.00 pcsctest

One com.apple.ctkpcscd is run by root (process id 110) and is started at boot.

One com.apple.ctkpcscd is run by lroussea (process id 2282). pcsctest (process id 2281) is also run by lroussea.

Using the strings(1) command line tool on the com.apple.ctkpcscd binary we note some results:
  • /SourceCache/SmartCardServices/CryptoTokenKit-22.1.3/PCSC/ctkpcscd/main.m
    I guess the source code of com.apple.ctkpcscd will be published (soon?) in the SmartCardServices project.
  • It looks like Apple completely rewrote pcsc-lite, and in Objective C this time (.m file extension).
  • "Refusing sandboxed PCSC.framework client without com.apple.security.smartcard entitlement"
    A new entitlement is necessary to use the PC/SC API? Or just to use CryptoTokenKit?
  • TKPcscContext, TKPcscChangeItem, TKPcscStateChangeItem, TKPcscSlotArrivalItem, TKPcscChangeSet, TKPcscCard are new functions. See below.
The process uses the libray com.apple.CryptoTokenKit (binary /System/Library/Frameworks/CryptoTokenKit.framework/Versions/A/CryptoTokenKit).

com.apple.ifdreader.slotd


Binary is /System/Library/CryptoTokenKit/com.apple.ifdreader.slotd/Contents/MacOS/com.apple.ifdreader.

This process loads the smart card reader driver (for example ifd-ccid.bundle in /usr/libexec/SmartCardServices/drivers/) and is in relation with com.apple.ctkpcscd.xpc.

This process also uses the library com.apple.CryptoTokenKit (binary /System/Library/Frameworks/CryptoTokenKit.framework/Versions/A/CryptoTokenKit).

problems

How to get logs from a reader driver? It was easy to use /usr/sbin/pcscd --debug --forground to get the driver debug messages in the terminal. It is no more available :-(

PC/SC in JavaScriptAppleEvents?

I found the file /System/Library/PrivateFrameworks/JavaScriptAppleEvents.framework/Versions/A/Resources/BridgeSupportCache/PCSC.plist. This file contains a description of the PC/SC functions (like SCardTransmit) and also old libMuscleCard functions (like MSCWriteObject).

I don't know yet what can be done with this file. But since it is in PrivateFrameworks I do not expect to find much documentation.

CryptoTokenKit

As presented in the previous article  "OS X Yosemite BETA and smart cards status" a new framework is provided: CryptoTokenKit

API

The headers files are in /System/Library/Frameworks/CryptoTokenKit.framework/Headers. The API is in Objective C language. I would have preferred the new Apple programming language Swift (or just plain C).

Dirk-Willem van Gulik provides a sample application CryptoTokenKit-TrivialExample-OpenSC.

Relation with PC/SC

When running the sample application mentioned above I note that no com.apple.ctkpcscd.xpc is started. So the CryptoTokenKit library may talk directly to com.apple.ifdreader.slotd and not use PC/SC at all.
Apple wants to replace PC/SC by a new API?

The CryptoTokenKit API definesTKSmartCard* functions. But not TKPcsc* functions as found in
com.apple.ctkpcscd.xpc. What are these TKPcsc* functions?

It looks like CryptoTokenKit will replace PC/SC on OS X. I was hopping for a replacement of tokend and CDSA that are deprecated since Lion (3 OS X versions from now).

PC/SC evolutions

When I wrote "Evolution of Apple pcsc-lite (from Jaguar to Mavericks)" and "Differences between Apple pcsc-lite and the "official" pcsc-lite" I was still expecting a merge of Apple pcsc-lite and the offcial pcsc-lite. Now my hopes are over. A merge will be very hard since the two projects have diverge so much.

CryptoTokenKit is a new API. Maybe it will be available on other systems than OS X (like GNU/Linux). But since the API is in Objective C I don't think it will interest much people to work on such an API.

It will be more difficult to write a project that would build and run on Windows, GNU/Linux and OS X if the smart card API is not the same on the 3 systems. The PC/SC API has not yet been deprecated. So it is still possible to use this API for now.

PC/SC new bugs

Apple made big changes in the smart card layer. With big changes comes bugs and regression.

I plan to list the known bugs and regressions in another article (this one is already too long). If you know a regression in Yosemite regarding the smart card layer, please tell me so I can add it to the list.

Conclusion

Still a lot of unanswered questions. Some new bugs in the new PC/SC layer. And no news about the tokend replacement.

The main question is: why has Apple replaced PC/SC by a new API? What is the plan? Will CryptoTokenKit be available also on iOS to talk to a secure element?