Saturday, April 1, 2017

Google Open Source Peer Bonus winner

I am pleased to announce that I am one of the 2017 "Google Open Source Peer Bonus winners" for my work on pcsc-lite and the CCID driver.

The latest round of Google Open Source Peer Bonus winners

Monday, March 27, 2017
Google relies on open source software throughout our systems, much of it written by non-Googlers. We’re always looking for ways to say “thank you!” so 5 years ago we started asking Googlers to nominate open source contributors outside of the company who have made significant contributions to codebases we use or think are important. We’ve recognized more than 500 developers from 30+ countries who have contributed their time and talent to over 400 open source projects since the program’s inception in 2011. Today we are pleased to announce the latest round of awardees, 52 individuals we’d like to recognize for their dedication to open source communities. The following is a list of everyone who gave us permission to thank them publicly:
Name Project Name Project
Philipp Hancke Adapter.js Fernando Perez Jupyter & IPython
Geoff Greer Ag Michelle Noorali Kubernetes & Helm
Dzmitry Shylovich Angular Prosper Otemuyiwa Laravel Hackathon Starter
David Kalnischkies Apt Keith Busch Linux kernel
Peter Mounce Bazel Thomas Caswell matplotlib
Yuki Yugui Sonoda Bazel Tatsuhiro Tsujikawa nghttp2
Eric Fiselier benchmark Anna Henningsen Node.js
Rob Stradling Certificate Transparency Charles Harris NumPy
Ke He Chromium Jeff Reback pandas
Daniel Micay CopperheadOS Ludovic Rousseau PCSC-Lite, CCID
Nico Huber coreboot Matti Picus PyPy
Kyösti Mälkki coreboot Salvatore Sanfilippo Redis
Jana Moudrá Dart Ralf Gommers SciPy
John Wiegley Emacs Kevin O'Connor SeaBIOS
Alex Saveau FirebaseUI-Android Sam Aaron Sonic Pi
Toke Hoiland-Jorgensen Flent Michael Tyson The Amazing Audio Engine
Hanno Böck Fuzzing Project Rob Landley Toybox
Luca Milanesio Gerrit Bin Meng U-Boot
Daniel Theophanes Go programming language Ben Noordhuis V8
Josh Snyder Go programming language Fatih Arslan vim-go
Brendan Tracey Go programming language Adam Treat WebKit
Elias Naur Go on Mobile Chris Dumez WebKit
Anthonios Partheniou Google Cloud Datalab Sean Larkin Webpack
Marcus Meissner gPhoto2 Tobias Koppers Webpack
Matt Butcher Helm Alexis La Goutte Wireshark dissector for QUIC
Congratulations to all of the awardees, past and present! Thank you for your contributions.
By Helen Hu, Open Source Programs Office

The bonus (I should receive) is a credit card with 250$.

That is not much compared to Google annual profit. Google operating profit for 2016 was 30 419 M$.
My bonus part is 250 / 30 419 000 000 = 0.000 000 008 218 548.

That is not much for Google, but this is twice the amount I received in bitcoin for now ("How to help my projects? Send me bitcoins!").

Friday, March 31, 2017

"PC/SC" sample in Objective-C (synchronous)

To continue the list of PC/SC wrappers initiated in 2010 with "PC/SC sample in different languages" I now present a new sample in Objective-C using the Apple Crypto Token Kit API.

I already proposed a sample code in Objective-C in "PCSC sample in Objective-C". This code used the asynchronous version of sendIns. The API is:
- (void)sendIns:(UInt8)ins 
           data:(NSData *)requestData 
             le:(NSNumber *)le 
          reply:(void (^)(NSData *replyData, UInt16 sw, NSError *error))reply;

The method returns immediately and a callback reply block is executed when the card response is received.

We will now use the synchronous version of sendIns. The API is:
- (NSData *)sendIns:(UInt8)ins 
               data:(NSData *)requestData 
                 le:(NSNumber *)le 
                 sw:(UInt16 *)sw 
              error:(NSError * _Nullable *)error;

Crypto Token Kit API

In Yosemite (Mac OS X 10.10) Apple introduced a new API to access smart cards. See OS X Yosemite and smart cards status.
This API is not a wrapper above PC/SC. It is the native API to be used on macOS. You do not need to install it, it comes with the OS.

Since PC/SC is not used here the blog title may be misleading. So I used " " around PC/SC this time.

Source code

Create a new Cocoa application in Xcode. You need to enable the App Sandbox and add/set the entitlement to yes.

My sample HellloWorld application does not use Cocoa. It is a text only application.

#import <CryptoTokenKit/CryptoTokenKit.h>

int main(int argc, const char * argv[])
    TKSmartCardSlotManager * mngr;
    mngr = [TKSmartCardSlotManager defaultManager];

    // Use the first reader/slot found
    NSString *slotName = (NSString *)mngr.slotNames[0];
    NSLog(@"slotName: %@", slotName);

    dispatch_semaphore_t sem = dispatch_semaphore_create(0);

    // connect to the slot
    [mngr getSlotWithName:slotName reply:^(TKSmartCardSlot *slot)
         // connect to the card
         TKSmartCard *card = [slot makeSmartCard];
         if (nil == card)
             NSLog(@"No card found");

             // signals end of getSlotWithName block


         // begin a session
         [card beginSessionWithReply:^(BOOL success, NSError *error)
              if (success)
                  NSData *response;
                  UInt16 sw;
                  NSString *newString;

                  // explicitly set the CLA byte even if 0 is already the default value
                  card.cla = 0x00;

                  // send 1st APDU
                  uint8_t aid[] = {0xA0, 0x00, 0x00, 0x00, 0x62, 0x03, 0x01, 0x0C, 0x06, 0x01};
                  NSData *data = [NSData dataWithBytes:aid length:sizeof aid];

                  response = [card sendIns:0xA4 p1:0x04 p2:0x00 data:data le:nil sw:&sw error:&error];

                  if (nil == response)
                      NSLog(@"sendIns error: %@", error);
                      goto out;

                  NSLog(@"Response: %@ 0x%04X", response, sw);

                  // send 2nd APDU
                  response = [card sendIns:0x00 p1:0x00 p2:0x00 data:nil le:@0 sw:&sw error:&error];

                  if (nil == response)
                      NSLog(@"sendIns error: %@", error);
                      goto out;

                  NSLog(@"Response: %@ 0x%04X", response, sw);

                  newString = [[NSString alloc] initWithData:response encoding:NSASCIIStringEncoding];
                  NSLog(@"%@", newString);

                  // end the session
                  [card endSession];
                  NSLog(@"Session error: %@", error);

              // signals end of beginSessionWithReply block

    // wait for the asynchronous blocks to finish
    dispatch_semaphore_wait(sem, DISPATCH_TIME_FOREVER);

    return 0;


2017-03-31 10:54:24.990581+0200 HelloWorld[19931:85555] slotName: Gemalto PC Twin Reader
2017-03-31 10:54:25.103855+0200 HelloWorld[19931:85584] Response: <> 0x9000
2017-03-31 10:54:25.115946+0200 HelloWorld[19931:85584] Response: <48656c6c 6f20776f="" 726c6421=""> 0x9000
2017-03-31 10:54:25.115993+0200 HelloWorld[19931:85584] Hello world!


Compared to the previous Objective-C sample in "PCSC sample in Objective-C" this code has some improvements/bugs fixes:
  • [card endSession]; is called.
    This is needed to close the session started by [card beginSessionWithReply:...].
  • The main thread is waiting for the callbacks from [mngr getSlotWithName:...] and [card beginSessionWithReply:...] to finish using a semaphore (instead of a sleep()).

The CryptoTokenKit API provides a in​Session​With​Error:​execute​Block: to synchronously begin a session instead of using begin​Session​With​Reply:​ and end​Session. But this method has some limitations/bugs and is not (yet) easy to use. I may use it in a next sample code when it will be fixed (in macOS 10.13?).


In general, I prefer to use synchronous calls. So the possibility to use a synchronous sendIns: method is nice.
Depending on your needs, the CryptoTokenKit TKSmart​Card API offers you the choice between a synchronous or asynchronous version.

Wednesday, March 22, 2017

Gemalto IDBridge K30, K50, CT30 and Zero Length Packet issue

Some Gemalto smart card readers with a specific firmware version have a problem and send bogus USB frames.

Possibly affected devices

Some firmware versions of the following devices are affected
  • K30
  • CT30


If you generate a pcscd log as described in "How to get support" and see:
00000023 commands.c:2251:SetParameters() length: 7 bytes
00000037 -> 000000 61 07 00 00 00 00 0E 01 00 00 18 10 02 58 00 FE 00
00001776 <- 000000
00000025 commands.c:2271:SetParameters() Not enough data received: 0 bytes

Then your reader may suffer from the Zero Length Packet issue. The reader, sometimes, sends a USB packet with no data (so a size of 0 bytes).


The problem is that it is not possible to specifically and uniquely identify the problematic devices.

In the CCID driver version 1.4.11 (12 June 2013) I added two patches ("ReadUSB: Zero Length Packet (ZLP) support", "Add Zero Length Packet (ZLP) support for Gemalto IDBridge CT30 and K30") to circumvent the problem.

But this code caused problem with some smart card reader that had not the problem and failed to work with the "fix" ("[#314691] Gemalto ID Bridge K50 Smart card Reader does not work on USB2 with ZLP fix").

So in CCID driver version 1.4.19 (13 May 2014) I removed the patch in "Remove ZLP patch for Gemalto IDBridge CT30 and K30.".


I added the patch again in the CCID driver ("Add Zero Length Packet (ZLP) support for Gemalto IDBridge CT30 and K30", "ZLP: enable the patch only if --enable-zlp is used") but this time the patch is disabled by default. So no bad side effect can happen.

You have to build the driver using the configure option --enable-zlp to explicitly enable the modification.

The new code will be provided in the next CCID driver release: 1.4.27 (not yet released).


I am sorry to not be able to correctly circumvent the problem in the CCID driver itself.

If your reader has the problem then you will have to (re)build the CCID driver yourself at each new CCID driver upgrade.

Friday, March 17, 2017

PC/SC sample in Rust

To continue the list of PC/SC wrappers initiated in 2010 with "PC/SC sample in different languages" I now present a sample in Rust.


pcsc-rust is written by Ran Benita since January 2017 and uses the MIT license.

Project web site:


pcsc-rust is easy to use. Installation is automatic using cargo (the Rust package manager).

Source code

You only need 2 files: one file Cargo.toml indicating the dependency on pcsc-rust, and the source code itself in the default file src/

File Cargo.toml:

name = "hello_world"
version = "0.1.0"
authors = ["Your Name <>"]

pcsc = "0.1"

File src/

extern crate pcsc;

use pcsc::*;
use std::str;

fn main() {
    // Establish a PC/SC context.
    let ctx = Context::establish(Scope::User)
        .expect("failed to establish context");

    // List available readers.
    let mut readers_buf = [0; 2048];
    let mut readers = ctx.list_readers(&mut readers_buf)
        .expect("failed to list readers");

    // Use the first reader.
    let reader =
        .expect("no readers are connected");
    println!("Using reader: {:?}", reader);

    // Connect to the card.
    let card = ctx.connect(reader, ShareMode::Shared, PROTOCOL_ANY)
        .expect("failed to connect to card");

    // Send an SELECT APDU command.
    let apdu = b"\x00\xA4\x04\x00\x0A\xA0\x00\x00\x00\x62\x03\x01\x0C\x06\x01";
    let mut rapdu_buf = [0; MAX_BUFFER_SIZE];
    let rapdu = card.transmit(apdu, &mut rapdu_buf)
        .expect("failed to transmit APDU to card");
    println!("{:?}", rapdu);

    // Send an COMMAND APDU command.
    let apdu = b"\x00\x00\x00\x00";
    let mut rapdu_buf = [0; MAX_BUFFER_SIZE];
    let rapdu = card.transmit(apdu, &mut rapdu_buf)
        .expect("failed to transmit APDU to card");
    println!("{:?}", rapdu);

    // remove the extra 2 SW bytes at the end
    let text = &rapdu[0 .. rapdu.len()-2];

    // convert to UTF-8 (ASCII in fact)
    println!("{}", str::from_utf8(&text).unwrap());

The source code is an adaptation of the already existing pcsc-rust project example:


$ cargo build
   Compiling pkg-config v0.3.9
   Compiling bitflags v0.7.0
   Compiling pcsc-sys v0.1.0
   Compiling pcsc v0.1.0
   Compiling hello_world v0.1.0 (file:///Users/rousseau/Documents/sc/HelloWorld%20Rust)
    Finished debug [unoptimized + debuginfo] target(s) in 3.4 secs


$ ./target/debug/hello_world
Using reader: "Gemalto PC Twin Reader"
[144, 0]
[72, 101, 108, 108, 111, 32, 119, 111, 114, 108, 100, 33, 144, 0]
Hello world!


pcsc-rust API seems complete, is easy to use and is well documented.

If you know a PC/SC wrapper that is not yet in my list then please contact me.

Tuesday, March 14, 2017

ATR statistics: TC2 - Specific to T=0

Article from the series "ATR statistics"

TC2 - Specific to T=0

If present in the Answer-to-Reset, the interface byte TC2 encodes the waiting time integer WI over the eight bits, except the value '00' reserved for future use. If TC2 is absent, then the default value is WI = 10.

188991.17 %
0x0A472.27 %
0xFF200.97 %
0x10190.92 %
0x14180.87 %
0x0F140.68 %
0x96110.53 %
0x20100.48 %
0x8090.43 %
0x6050.24 %
0x1840.19 %
0x1E40.19 %
0x2A30.14 %
0x7830.14 %
0x0020.10 %
0x2320.10 %
0x3220.10 %
0x3E20.10 %
0xF020.10 %
0x0910.05 %
0x1C10.05 %
0x2810.05 %
0x6410.05 %
0xFA10.05 %
0xFE10.05 %

TC2 is only for T=0 cards.
It is surprising that 47 cards declare TC2=0x0A knowing that this is the default value.
It is also surprising that 2 cards (3B 95 15 40 00 68 01 02 00 00 and 3B A7 00 40 00 80 65 A2 08 00 00 00) are using the reserved value 0.

PC/SC sample in Smart Card Connector on Chromebook

To continue the list of PC/SC wrappers initiated in 2010 with "PC/SC sample in different languages" I now present a sample in Smart Card Connector on Chromebook (or Chrome browser).

Smart Card Connector

Smart Card Connector is a Chrome extension developed by Google and available at

It allows to use the PC/SC API from a JavaScript application in a Chromebook. The project is a port of pcsc-lite, libccid and libusb to ChromeOS and is available at chromeos_smart_card_connector under the Apache v2 license.

I do not have a Chromebook myself but it is possible to use the Chrome browser instead (with some limitations).


Go to and select "Add to Chrome".

You should see the "Smart Card Connector" application in your chrome://apps/.

If you click on the application icon you should see something like:

Since the "Smart Card Connector" application completely replaces pcsc-lite and the CCID driver the normal pcsc-lite provided by the system must be stopped. See "Troubleshooting Apps under desktop OSes" to know how to stop pcscd.

Sample application

I created a simple test application for ChromeOS. The application is available from google-smart-card-client-library-hello-world.

You need to fetch a client library google-smart-card-client-library.js from Google and also jQuery. Just follow the Building instructions.

My sample application is greatly inspired from the Hello World Chrome application and Example JavaScript Smart Card Client app. My contribution is (mainly) the last 4 JavaScript functions.

Sample source code

I only provide the source code for the file pcsc_appli.js.

/** @license
 * Copyright 2017 Google Inc. All Rights Reserved.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * See the License for the specific language governing permissions and
 * limitations under the License.

 * @fileoverview Entry point of the Smart Card Client App background script (see
 * <>).

 * Client title for the connection to the server App.
 * Currently this is only used for the debug logs produced by the server App.
 * @const
var CLIENT_TITLE = 'example_js_client_app';

 * Context for talking to the Smart Card Connector app for making PC/SC API
 * requests.
 * @type {GoogleSmartCard.PcscLiteClient.Context}
var apiContext = null;

 * Object that allows to make PC/SC API requests to the Smart Card Connector
 * app.
 * @type {GoogleSmartCard.PcscLiteClient.API}
var api = null;

var API = GoogleSmartCard.PcscLiteClient.API;

 * PC/SC-Lite SCard context.
 * @type {int}
var sCardContext = null;

function initialize() {
  myLog('Establishing connection to the Connector app...');
  console.log('Establishing connection to the Connector app...');
  apiContext = new GoogleSmartCard.PcscLiteClient.Context(CLIENT_TITLE);

function onInitializationSucceeded(constructedApi) {
  myLog('Successfully connected to the Connector app');
  console.log('Successfully connected to the Connector app');
  api = constructedApi;

function establishContext() {
  myLog('Establishing PC/SC-Lite context...');
  console.log('Establishing PC/SC-Lite context...');
      GoogleSmartCard.PcscLiteClient.API.SCARD_SCOPE_SYSTEM, null, null).then(
      function(result) {
        result.get(onContextEstablished, onPcscLiteError);
      }, onRequestFailed);

/** @param {int} establishedSCardContext PC/SC-Lite SCard context. */
function onContextEstablished(establishedSCardContext) {
  myLog('Established PC/SC-Lite context ' + establishedSCardContext);
  console.log('Established PC/SC-Lite context ' + establishedSCardContext);
  sCardContext = establishedSCardContext;

function listReaders() {
  myLog('Obtaining list of PC/SC-lite readers...');
  console.log('Obtaining list of PC/SC-lite readers...');
  api.SCardListReaders(sCardContext, null).then(function(result) {
    result.get(onReadersListed, onPcscLiteError);
  }, onRequestFailed);

/** @param {!Array.<string>} readers List of reader names. */
function onReadersListed(readers) {
  myLog('List of PC/SC-Lite readers: ' + readers);
  console.log('List of PC/SC-Lite readers: ' + readers);

    // Use the 1st reader
    reader = readers[0];
    myLog('Using reader: ' + reader);


function contextDisposedListener() {
  myLog('Connection to the server app was shut down');
  console.warn('Connection to the server app was shut down');
  sCardContext = null;
  api = null;
  apiContext = null;

/** @param {int} errorCode PC/SC-Lite error code. */
function onPcscLiteError(errorCode) {
  myLog('PC/SC-Lite request failed with error code ' + errorCode);
  console.warn('PC/SC-Lite request failed with error code ' + errorCode);

/** @param {*} error The exception that happened during the request. */
function onRequestFailed(error) {
  myLog('Failed to perform request to the Smart Card Connector app: ' +
  console.warn('Failed to perform request to the Smart Card Connector app: ' +

function myLog(text)

function myCode(readerName)
    myLog('Connect to the reader: ' + readerName);
        API.SCARD_PROTOCOL_ANY).then(function(result) {
            result.get(onConnected, onPcscLiteError);
    }, onRequestFailed);

function onConnected(cardHandle, protocol)
    APDU_SELECT = [0x00, 0xA4, 0x04, 0x00, 0x0A, 0xA0, 0x00, 0x00, 0x00,
        0x62, 0x03, 0x01, 0x0C, 0x06, 0x01];

    myLog('Sending ' + dump(APDU_SELECT));
      protocol == API.SCARD_PROTOCOL_T0 ?
      APDU_SELECT).then(function(result) {
        result.get(function (ioRecvPci, response) {
            myLog('response: ' + dump(response));

            // get the 2 last bytes
            sw = response.slice(-2);
            if (sw[0] == 0x90 && sw[1] == 0x00)
                APDU_COMMAND = [0x00, 0x00, 0x00, 0x00];
                myLog('Sending ' + dump(APDU_COMMAND));
                    protocol == API.SCARD_PROTOCOL_T0 ?
                    API.SCARD_PCI_T0 : API.SCARD_PCI_T1,
                    APDU_COMMAND).then(function(result) {
                        result.get(function(ioRecvPci, response) {
                            myLog('response: ' + dump(response));

                            // get the 2 last bytes
                            sw = response.slice(-2);
                            if (sw[0] == 0x90 && sw[1] == 0x00)
                                // convert to an ASCII string
                                result = "";
                                for (var i = 0; i < response.length; i++)
                                    result += String.fromCharCode(response[i]);
                                myLog('response: ' + result);
                        }, onPcscLiteError);
                    }, onRequestFailed);
            }, onPcscLiteError);
      }, onRequestFailed);

function dump(bytes)
    return ( (x) {
        return ('00' + x.toString(16).toUpperCase()).substr(-2)
    })).join(" ");

window.onload = initialize;


This API is very verbose and low level. You can compare it to the node-pcsclite project API, also in JavaScript, I used in a previous article "PCSC sample in JavaScript (Node.js)".

The API uses a lot of call back functions. But that is not surprising for a JavaScript code.


To install the application in Chrome go to chrome://extensions/ and click on the "Load non packaged extension" button (label translated from French so the real English text may be different) and select the root directory of the sample application.

You should then see a new "Hello World PC/SC" extension in the list. Click on the "Run" link to start the extension. A new window should be created as displayed in the Output section bellow.



This API is useful mainly/only on Chromebook computers. I guess it is the only smart card interface for this kind of computer.

If you know a PC/SC wrapper that is not yet in my list then please contact me.

Monday, March 6, 2017

macOS Sierra bug: SCardTransmit() silently truncates the card response

This is the first new PC/SC bug I find in macOS Sierra.
I imagine this bug is also present in El Capitan and Yosemite but I have not checked.

SCardTransmit() returns SCARD_S_SUCCESS when it should return SCARD_E_INSUFFICIENT_BUFFER

SCardTransmit() is used to transfer a command to the smart card and get the smart card answer.

If the reception buffer is not large enough to contain the card answer the PC/SC error SCARD_E_INSUFFICIENT_BUFFER should be returned and the expected size indicated in the pcbRecvLength parameter.

Instead, on macOS Sierra, SCARD_S_SUCCESS is returned and the card response is truncated with no indication that something went wrong.

See also

Apple bug report #30868184 "PC/SC SCardTransmit() silently truncates the smart card response".

Sample code

#include <stdio.h>
#include <string.h>

#ifdef __APPLE__
#include <PCSC/winscard.h>
#include <PCSC/wintypes.h>
#include <winscard.h>

#define CHECK_RV(fct) if (SCARD_S_SUCCESS != rv) { printf(fct"() failed: %s\n", pcsc_stringify_error(rv)); ret = 0; goto error; } else { printf(fct"(): OK\n"); }

int main(void)
    int ret = 1;
    SCARDCONTEXT hContext;
    DWORD dwActiveProtocol;
    LONG rv;
    char mszReaders[1024];
    DWORD dwReaders = sizeof(mszReaders);
    SCARD_IO_REQUEST ioRecvPci = *SCARD_PCI_T0; /* use a default value */
    unsigned char bSendBuffer[MAX_BUFFER_SIZE];
    unsigned char bRecvBuffer[MAX_BUFFER_SIZE];
    DWORD send_length, length;

    rv = SCardEstablishContext(SCARD_SCOPE_SYSTEM, NULL, NULL, &hContext);

    rv = SCardListReaders(hContext, NULL, mszReaders, &dwReaders);

    rv = SCardConnect(hContext, mszReaders, SCARD_SHARE_SHARED,

    send_length = 5;
    /* GET RANDOM for a GPK card */
    memcpy(bSendBuffer, "\x80\x84\x00\x00\x20", send_length);

    /* expected size is 0x20 + 2 = 34 bytes */
    length = 2;
    printf("Given length: %d\n", length);
    rv = SCardTransmit(hCard, SCARD_PCI_T0, bSendBuffer, send_length,
        &ioRecvPci, bRecvBuffer, &length);
    printf("Expected length: %d\n", length);
        printf("test PASS. Insufficient buffer is expected\n");
        printf("test FAIL\n");
    if (SCARD_S_SUCCESS == rv)
        size_t i;

        for (i=0; i<length; i++)
            printf("%02X ", bRecvBuffer[i]);

    rv = SCardDisconnect(hCard, SCARD_UNPOWER_CARD);

    rv = SCardReleaseContext(hContext);

    return ret;

The program sends a GET RANDOM command to a GPK card (very old card from Gemplus). The card will answer with 32 random bytes + 2 bytes for SW.

You can use any command that sends at least one bye of data instead.

Result (on Sierra)

$ cc -framework PCSC -g -Wall main.c -o main

SCardEstablishContext(): OK
SCardListReaders(): OK
SCardConnect(): OK
Given length: 2
Expected length: 2
test FAIL
SCardTransmit(): OK
5B 8F 
SCardDisconnect(): OK
SCardReleaseContext(): OK

The value "5B 8F" is just the 2 first bytes returned by the card. The other 30 bytes and the status word (SW) are lost.

I note that if I use the values 0 or 1 for length then SCardTransmit() correctly returns SCARD_E_INSUFFICIENT_BUFFER. So the Sierra code has a check to reject a buffer of smaller than 2 bytes. The code should check the given size compared to the real card answer.

Expected result (on Debian)

$ CFLAGS=`pkg-config --cflags libpcsclite` LDFLAGS=`pkg-config --libs libpcsclite` make main
cc -pthread -I/usr/include/PCSC   -lpcsclite   main.c   -o main

SCardEstablishContext(): OK
SCardListReaders(): OK
SCardConnect(): OK
Given length: 2
Expected length: 34
test PASS. Insufficient buffer is expected
SCardTransmit() failed: Insufficient buffer.

On Debian we get the expected SCARD_E_INSUFFICIENT_BUFFER error. And we also get the correct length value to store the complete card answer. Here 34 bytes.

Known workaround

Be sure your reception buffer is large enough to contain the card answer + 2 bytes for SW.

This should be the case for all correctly written application. That explains why nobody found the bug earlier.

I found the problem while playing with a particular PC/SC Unitary Test (for pcsc-lite) on macOS: BufferOverflow_SCardTransmit.c

Friday, February 17, 2017

PySCard 1.9.5 released

I just released a new official version 1.9.5 of pyscard. PySCard is a python module adding smart cards support (PC/SC) to Python.

The PySCard project is available at:


1.9.5 (Feb 2017)
  • SCardGetStatusChange(): fix a memory leak with Python 3
  • SCardTransmit(): use SCARD_PCI_RAW for undefined protocol
  • Improve epydoc documentation

Saturday, February 11, 2017

New PyKCS11 1.4.1 available

I just released a new version of PyKCS11, a Python wrapper above the PKCS#11 API.

See PyKCS11 introduction for more details about PyKCS11.

1.4.1 - February 2017, Ludovic Rousseau
  • fix compilation under Python 3
  • add rsa encryption sample program

Sunday, February 5, 2017

Mostly CCID driver for some Morpho devices

Some devices from Morpho are mostly CCID compliant. The devices are too far from the CCID specification so I do not plan to add support of these devices in my CCID driver.


Morpho sent me (untested) patches:
These patches for for the CCID driver version 1.4.3 (released in April 2011) and may not apply correctly on the latest CCID driver.


Morpho devices supported by the patches:
MORPHO TOKEN EM0x67670x0104

The token "MORPHO TOKEN EM" is also known as "Morpho ypsID Key E". This device is in my "Disabled CCID readers" list.

No support from me

I do not support these devices or the patches. Do not request help from me, contact Morpho instead.

I just make the patches public and document them so you may have a chance to use your Morpho token.

Saturday, February 4, 2017

New PyKCS11 1.4.0 available

I just released a new version of PyKCS11, a Python wrapper above the PKCS#11 API.

See PyKCS11 introduction for more details about PyKCS11.

1.4.0 - February 2017, Ludovic Rousseau
  • fix closeAllSessions() and move it from Session to PKCS11Lib
  • add RSAOAEPMechanism to support RSA Encryption
  • add DigestSession which enables multi-part digesting
  • add Elliptic Curve keypair generating mechanism
  • fix bug in Templates using booleans CK_TRUE/CK_FALSE
    Templates are used by generateKey(), generateKeyPair(), findObjects() createObject(), unwrapKey()
  • fix sample for Python 3

I also noticed that I forgot to blog about the previous version: 1.3.3

1.3.3 - November 2016, Ludovic Rousseau
  • PKCS#11 definitions: sync with Cryptoki version 2.40
    • add missing CKM_* and CKP_* defines
  • Add generateKey() with default mechanism CKM_AES_KEY_GEN
  • Make sure the PyKCS11Lib is referenced as long as Session object is live
  • Fix OverflowError on Windows
  • Attribute CKA_WRAP_WITH_TRUSTED is bool
  • samples
    • dumpit: ask to enter the PIN on the pinpad if needed
    • getinfo & dumpit: add --slot= parameter
  • some minor improvements

Monday, January 16, 2017

macOS Sierra and (legacy) smart card login

It is easy to configure a user account to use a smartcard to login with macOS Sierra. Some steps are not easy to guess so I wrote this documentation for me to remember.

System configuration

Enable smart card login

$ security authorizationdb smartcard enable
YES (0)

Check configuration

$ security authorizationdb smartcard status
Current smartcard login state: enabled (system.login.console enabled, authentication rule enabled)
YES (0)

Note: you will also get the "YES (0)" result if the smartcard login is disabled. You must check the "enabled" in the output.

User configuration

You need to generate a key pair and a certificate in your smartcard. I used as it is a free CA.

The tokend system is read only so you can't enrol with Safari. You need to use Firefox and the smartcard PKCS#11 library to enrol your card.

After that your smartcard should be visible in the Keychain Access application:

List the possible hashes

$ sc_auth hash
4AB9854A2FFFCFC18EDA76B10B2A7EDCB028300C CAcert WoT User

I want to use the CAcert certificate and key.

Configure the hash

$ sudo sc_auth accept -u lroussea -h 4AB9854A2FFFCFC18EDA76B10B2A7EDCB028300C

Check it worked:
$ sc_auth list 
Hash (legacy): 4AB9854A2FFFCFC18EDA76B10B2A7EDCB028300C

Certification Authority configuration

One major problem with CAcert is that this CA is not recognised as trusted by (major) operating systems and (major) web browsers. That is why you get a red warning "This certificate was signed by an unknown authority" in the Keychain Access application.

You need to import and trust the CAcert root certificate. You can get CAcert root certificate from I fetched the root certificate in PEM format and saved it as root.cer.

Import CAcert root certificate

You can import the CACert root certificate using the Keychain Access application but the certificate would not get the needed trust level. You need to use the command line (I got the command from Adding new trusted root certificates to System.keychain):
$ sudo security add-trusted-cert -d -r trustAsRoot -k "/Library/Keychains/System.keychain" root.cer

Note: I had to use -r trustAsRoot instead of -r trustRoot as in the Adding new trusted root certificates to System.keychain web page. Maybe the CAcert root certificate is not considered as a real root certificate.

The CAcert root certificate should be trusted and should not display any blue mark.


User certificate validity

Check your certificate in the smartcard is now considered as valid (with no special blue mark on it):

The certificate must be valid for any user, not just yourself. A good way to check that is to verify the certificate is also valid from another user account. The certificate must be valid before the user is logged so must not have a special (trust) configuration for a particular user.

You can get more details by evaluating the certificate from Keychain Access application.
  1. Control-click on the certificate
  2. Select "Evaluate ..." from the popup menu

  3. Click "Continue" in the next dialog box
  4. Check the certificate status


You can now logout to go back to the login screen. After inserting your smartcard your user should be selected and the prompt should display "PIN code:" instead of the classic "Password:".

You may want to update your default keychain password to be the same as your PIN code so can access your saved password automatically after login using the smartcard.


Using a smartcard to login in macOS Sierra is easy to configure. But you have to take great care about the certificate chain between the CA and your certificate.

I used and described the legacy smart card authentication system. macOS Sierra introduced a new "smart card token" mechanism to replace tokend. That is for another blog article.