New version of libccid: 1.4.21

I just released a version 1.4.21 of libccid the Free Software CCID class smart card reader driver.

Direct download here.

Changes:
1.4.21 - 21 October 2015, Ludovic Rousseau

• Add support of
  
  • ACS ACR1252 Dual Reader
  • Chicony HP USB Smartcard CCID Keyboard JP
  • Chicony HP USB Smartcard CCID Keyboard KR
  • FT ePass2003Auto
  • Feitian bR301 BLE
  • Feitian iR301 (ProductID 0x0619)
  • Feitian iR301 (ProductID 0x061C)
  • Identiv @MAXX ID-1 Smart Card Reader
  • Identiv @MAXX Light2 token
  • Identiv CLOUD 2980 F Smart Card Reader
  • Identiv Identiv uTrust 4701 F Dual Interface Reader
  • Identiv SCR3500 A Contact Reader
  • Identiv SCR3500 B Contact Reader
  • Identiv SCR35xx USB Smart Card Reader
  • Identiv uTrust 2900 R Smart Card Reader
  • Identiv uTrust 2910 R Smart Card Reader
  • Identiv uTrust 2910 R Taglio SC Reader
  • Identiv uTrust 3512 SAM slot Token
  • Identiv uTrust 3522 embd SE RFID Token
  • Identiv uTrust 3700 F CL Reader
  • Identiv uTrust 3701 F CL Reader
  • Identive Identive CLOUD 4000 F DTC
  • Liteon HP SC Keyboard - Apollo (Liteon)
  • Liteon HP SC Keyboard - Apollo JP (Liteon)
  • Liteon HP SC Keyboard - Apollo KR (Liteon)
  • Nitrokey Nitrokey HSM
  • Nitrokey Nitrokey Pro
  • Nitrokey Nitrokey Start
  • Rocketek RT-SCR1
  • VASCO DIGIPASS 875
  • WatchCNPC USB CCID Key
• Remove support of
  
  • Crypto Stick Crypto Stick v1.4 is an old version of Nitrokey Nitrokey Pro
  • Free Software Initiative of Japan Gnuk Token is an old version of Nitrokey Nitrokey Start
• Add Feitain R502 dual interface (composite) reader on Mac OS X
• display a human readable version of the error code returned by libusb
• Mac OS X: wait until libusb/the reader is ready
• some minor bugs fixed

My blog Google+ page

You are now more than 200 to follow my blog Google+ page at https://plus.google.com/u/0/b/105951035108309096272/105951035108309096272/posts

Comments

I disabled comments on the blog in 2013. See why at "Comments are now disabled". Technical questions should go on the MUSCLE mailing list.

The goal of the Google+ page is to allow you to leave comments about my blog articles.

If you just want to know when a new article is available maybe you should subscribe to my blog RSS feed instead. It looks like many people are doing that because I have much more readers of my blog than subscribers of my blog Google+ page.

Conclusion

Feel free to leave comments related to the articles on Google+.

If you want to contact me directly you should use email instead of comments. You can reach me at ludovic.rousseau@free.fr or ludovic.rousseau@gmail.com.

Evolution of the number of CCID readers

Regularly I add support of new smart card readers in the list of CCID devices. I wanted to know how regularly I did that over the lifetime of the project (more than 12 years now).
So I extracted some numbers from the CCID driver git repository to generate a graphic.

Graph

I am really surprised by the linearity of the curve.



The linear correlation equation is (according to Numbers): y = 1.132e-6 x -159.63
That is a growth rate of 1.132x10^-6 readers per second or 36.7 readers per year.


The curve is even better approximated by a polynomial equation in x². The coefficient of determination R² is then equal to 0.9949 (closer to 1.0) instead of 0.9753 for the linear correlation.

Accidents

I note 3 "accidents" or fast evolutions:

• A is 2012-01-27 with 31 readers added
  It correspond to the date I stopped editing the file by hand and generate it using the Python script generate_supported_readers.py
  Commit 54792337e5c0aea467ffbfeeb96a2503c930077a
  
• B is 2013-04-16 with 16 readers added
  This time I added support of composite devices. Each composite device with N CCID interfaces count as N readers.
  commit f431eb4b08be4f6b0a1a95a033827c82d218c81b
  
• C is 2013-08-05 with 27 readers removed
  This time I removed the duplicated entries (2 readers with the same VendorID and ProductID).
  commit 13294eb66c52beff755048c1e0c18309710a4cd8

Conclusion

The number of supported CCID readers continues to grow. I do not expect the growth rate to decrease.

I guess some very old smart card reader models are no more sold. And are, or not, replaced by new newer models.
You can list the readers sorted by "seniority" using the Readers sorted by 'release' field page and discover the first 7 readers included in version 0.1.0 of the driver.

OS X El Capitan and smart cards status

El Capitan (OS X 10.11) is now out since 30th September, 2015.

As I did with the previous major versions of Mac OS X Yosemite, Mavericks, Mountain Lion (and Lion) I will list changes in El Capitan regarding the smart card world.

API Differences between 10.10 and 10.11

The differences are listed in the developer page OS X El Capitan v10.11. The page only document big changes. The smart card changes are not listed there :-)

A complete list of API changes is at OS X v10.11 API Diffs. Regarding the smart card world we have:

• CryptoTokenKit Changes for Objective-C
• CryptoTokenKit Changes for Swift

The CryptoTokenKit API has changed. Some methods have been modified, some methods have been added.

I note two sets of new methods: TKSmartCardPIN* and TKSmartCardUserInteractionFor*. It looks like Apple wants to provide a nice User eXperience regarding PIN management.

I hope Apple will provide more documentation than the .h header file and some code samples.
I will try to rebuild my Crypto Token Kit Objective-C and Swift examples on El Capitan to check if they still work.

PC/SC

Since Yosemite (10.10) the PC/SC layer is no more a fork of pcsc-lite. So comparing versions with pcsc-lite is useless.

$ cat /System/Library/Frameworks/PCSC.framework/Versions/A/Resources/version.plist 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
 <key>BuildAliasOf</key>
 <string>CryptoTokenKit</string>
 <key>BuildVersion</key>
 <string>13</string>
 <key>CFBundleShortVersionString</key>
 <string>8.0</string>
 <key>CFBundleVersion</key>
 <string>1</string>
 <key>ProjectName</key>
 <string>SmartCardServices</string>
 <key>SourceVersion</key>
 <string>79001001000000</string>
</dict>
</plist>

The BuildVersion changed from 1 on Yosemite to 13 on El Capitan, and SourceVersion changed from 22020004000000 to 79001001000000. I have no idea what the SourceVersion "number" is.

It looks like Apple made 12 builds of the PC/SC framework since Yosemite 10.10.

Bugs fixed

• SCardGetAttrib
• SCardTransmit (pioSendPci not checked)
• SCardGetStatusChange blocks forever
• OS X Yosemite bug: SCardConnect blocks in SCARD_SHARE_SHARED mode

At least one bug remains: PC/SC functions crash after a fork(2). But this bug may be hard to fix.

I updated my blog article OS X Yosemite and smart cards: known bugs.

Maybe new bugs will be found on El Capitan. But I have not yet found any after just a few hours of tests.

CCID driver

Driver version 1.4.14.
No change since Yosemite.

$ grep -A 1 CFBundleShortVersionString /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/Info.plist
 <key>CFBundleShortVersionString</key>
 <string>1.4.14</string>

New driver location

The System Integrity Protection (SIP) introduced in El Capitan impose that custom PC/SC drivers are now installed in /usr/local/libexec/SmartCardServices/drivers/.

Only the CCID driver provided by Apple is still in /usr/libexec/SmartCardServices/drivers/.

Tokend

Because of SIP, the tokend needs to be installed in /Library/Security/tokend/ now instead of /System/Library/Security/tokend/.

The tokend and CDSA are still usable. I just fixed the PKCS11.tokend so that it looks for PKCS#11 libraries in /usr/local/lib/pkcs11/ if /usr/lib/pkcs11/ does not exist (as it is the case on El Capitan because of SIP again).

Conclusion

Most of the remaining PC/SC bugs fixed.
tokend still usable.
Some new Crypto Token Kit methods.