Wednesday, October 11, 2017

New PyKCS11 1.4.4 available

I just released a new version of PyKCS11, a Python wrapper for the PKCS#11 API.

Changes:
1.4.4 - October 2017, Ludovic Rousseau
  • getAttributeValue(): handle CKR_ARGUMENTS_BAD error
  • seedRandom: fix the seed conversion
  • Add vendor errors support to PyKCS11Error
  • samples/getinfo & dumpit: list only slots with a token present by default
  • run_test: add support of OpenSC PKCS#11 spy
  • ckbytelist: update __repr__()
  • include tests files in the archive
  • dumpit: display the error if getAttributeValue() fails
  • some minor improvements

Source code available on:

New version of libccid: 1.4.28

I just released version 1.4.28 of libccid, the Free Software CCID class smart card reader driver.

Changes:
1.4.28 - 11 October 2017, Ludovic Rousseau
  • Add support of
    • Athena IDProtect Flash
    • Elatec TWN4/B1.06/CPF3.05/S1SC1.32/P (Beta 3)
    • HID Global OMNIKEY 5122 Dual
    • HID Global OMNIKEY 5122 Smartcard Reader
    • IIT E.Key Crystal-1
    • KRONEGGER Micro Core Platform
    • KRONEGGER NFC blue Reader Platform
    • Ledger Nano S
    • REINER SCT cyberJack RFID standard
    • REINER SCT cyberJack one
    • SAFETRUST SABRE SCR
    • SafeNet eToken 5300
    • Unicept GmbH AirID USB Dongle
    • Watchdata USB Key
    • mCore SCard-Reader
  • Disabled readers
    • Jinmuyu Electronics Co., Ltd. MR800
  • Fix non-pinpad HID Global devices
  • udev rules:
    • allow rule overwrite
    • Disable USB autosuspend on C3PO LTC31 v1 reader
  • Some minor improvements

Friday, October 6, 2017

Oracle javax.smartcardio is bogus (at least with pcsc-lite)

In "PCSC sample in Java" I presented the javax.smartcardio wrapper to access smart cards from Java.

Problem

One big problem with the Oracle implementation is that only one PC/SC context is created and used for all the javax.smartcardio calls.

The pcsc-lite documentation says for SCardEstablishContext():
Each thread of an application shall use its own SCARDCONTEXT, unless calling SCardCancel(), which MUST be called with the same context as the context used to call SCardGetStatusChange().

The effect is that you can get deadlocks in your Java application if you use smartcardio in different threads.

Solution

One solution is to use an alternative implementation of javax.smartcardio. One is available at intarsys smartcard-io. It uses the BSD 3-clause license.

The differences compared to the Oracle implementation are documented in javax.smartcardio Provider:

The library comes with an alternative javax.smartcardio provider. There are a couple of things to consider:
  • Intended differences
    • dedicated PCSC context for terminals, terminal and card
    • waitForChange(timeout) semantics improved(?), state change is reset even in case of timeout
    • reader insertion is handled, too
    • no finalizer for card!
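
A different way to stay within the pcsc-lite rule quoted above while keeping the Oracle provider is to confine every javax.smartcardio call to one dedicated thread. The sketch below is an added example, not code from this post, from Oracle or from intarsys; the class name SmartcardWorker and the sample APDU are hypothetical, and it assumes that using the shared context from a single thread is enough to avoid the deadlocks.

```java
import java.util.List;
import java.util.concurrent.*;
import javax.smartcardio.*;

// Hypothetical helper (not part of javax.smartcardio): every smartcardio call
// is funnelled through one worker thread, so the single PC/SC context of the
// Oracle provider is only ever used from that thread.
public final class SmartcardWorker implements AutoCloseable {
    private final ExecutorService pcscThread = Executors.newSingleThreadExecutor(r -> {
        Thread t = new Thread(r, "pcsc-worker");
        t.setDaemon(true);
        return t;
    });

    // Run a task on the PC/SC thread and wait for its result.
    // Must not be called from inside another task, or it waits on itself.
    public <T> T call(Callable<T> task) throws Exception {
        return pcscThread.submit(task).get();
    }

    // Connect to the first terminal, send one APDU, disconnect.
    public ResponseAPDU transmit(CommandAPDU apdu) throws Exception {
        return call(() -> {
            List<CardTerminal> terminals = TerminalFactory.getDefault().terminals().list();
            if (terminals.isEmpty()) throw new IllegalStateException("no reader");
            Card card = terminals.get(0).connect("*");
            try {
                return card.getBasicChannel().transmit(apdu);
            } finally {
                card.disconnect(false);
            }
        });
    }

    @Override
    public void close() { pcscThread.shutdownNow(); }

    public static void main(String[] args) throws Exception {
        try (SmartcardWorker worker = new SmartcardWorker()) {
            // Constructed sample APDU: SELECT by name with an empty data field.
            CommandAPDU select = new CommandAPDU(0x00, 0xA4, 0x04, 0x00);
            // Any application thread may call this; the PC/SC work runs on pcsc-worker.
            ResponseAPDU r = worker.transmit(select);
            System.out.printf("SW=%04X%n", r.getSW());
        }
    }
}
```

A blocking waitForChange() submitted to this worker stalls every other queued call until it returns, so use a short timeout if you need card-insertion events with this approach.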

Conclusion

I wrote this blog article to document the problem and so that people can find the solution by themselves.