Important!

Blog moved to https://blog.apdu.fr/

I moved my blog from https://ludovicrousseau.blogspot.com/ to https://blog.apdu.fr/ . Why? I wanted to move away from Blogger (owne...

Friday, March 30, 2018

New PyKCS11 1.5.1 available

I just released a new version of PyKCS11, a Python wrapper on top of the PKCS#11 API.
See "PyKCS11 introduction".

Changes:

1.5.1 - March 2018, Ludovic Rousseau
  • Fix "pip install"

Monday, March 26, 2018

New PyKCS11 1.5.0 available

I just released a new version of PyKCS11, a Python wrapper on top of the PKCS#11 API.
See "PyKCS11 introduction".

Changes:

1.5.0 - March 2018, Ludovic Rousseau
  • Python 3: use strings instead of binary buffers for CK_UTF8CHAR PKCS#11 types. The behaviour is now the same as with Python 2.
  • allow non string PIN values (binary PIN) for login(), initToken(), initPin(), setPin()
  • fix support of RSA PKCS PSS mechanism
    The mechanism object now uses a parameter "mechanism" instead of hard coding the mechanism value to CKM_RSA_PKCS_PSS.
  • add support of Python 2.7 on Windows
  • add AppVeyor configuration (automatic Windows builds)
  • ckbytelist: remove the possibility to give an initial size
  • samples/getinfo: do not list the mechanisms by default
  • samples/events:
    • do not list the mechanisms by default
    • add support of pinpad readers
  • some minor improvements

Windows

If you are a Windows user and want binary packages, please work on the AppVeyor configuration:

Sunday, March 18, 2018

MUSCLE web sites moved to .apdu.fr

With the decommissioning of alioth.debian.org I had to move the web site to a new place.
Update your bookmarks.

I also upgraded the HTML pages to Bootstrap 4.0.

Please report any issue you may find.

Thursday, March 1, 2018

Level 1.5 smart card support on macOS

In a previous article "Level 1 smart card support on Mac OS X" I described some simple commands to check if the smart card stack is working correctly on a macOS system.

By re-reading the presentation "Working with Smart Cards: macOS and Security" by Richard Purves I discovered a new command.

I already knew "system_profiler SPUSBDataType" to list the USB devices. I mentioned it in "Level 1 smart card support on Mac OS X" to check that the USB reader is seen by the system. But system_profiler provides a better command for smart cards.

SPSmartCardsDataType

system_profiler has another very interesting command: system_profiler SPSmartCardsDataType

Clean macOS installation

Example 1:
$ system_profiler SPSmartCardsDataType
SmartCards:

    Readers:

      #01: Cherry KC 1000 SC (ATR:<3b7f9600 00803180 65b08441 3df612ff fe829000>)

    Reader Drivers:

      #01: org.debian.alioth.pcsclite.smartcardccid:1.4.27 (/usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle)

    Tokend Drivers:

    SmartCard Drivers:

      #01: com.apple.CryptoTokenKit.pivtoken:1.0 (/System/Library/Frameworks/CryptoTokenKit.framework/PlugIns/pivtoken.appex)

    Available SmartCards (keychain):

    Available SmartCards (token):
You get a lot of useful information:
  1. list of smart card readers
  2. list of installed reader drivers
  3. list of tokend drivers
  4. list of smart card drivers
  5. available smart cards (keychain)
  6. available smart cards (token)

What you can see in my example:
  • I use a Cherry KC 1000 SC reader. A card is inserted in the reader and you see the ATR.
  • by default Apple provides a CCID driver
  • by default Apple provides a PIV CryptoTokenKit token to support Personal Identity Verification cards

Using SafeNet Authentication Client

Example 2:
$ system_profiler SPSmartCardsDataType
SmartCards:

    Readers:

      #01: Gemalto PC Twin Reader (ATR:<3b7f9600 00803180 65b08503 00ef120f fe829000>)

    Reader Drivers:

      #01: org.debian.alioth.pcsclite.smartcardccid:1.4.27 (/usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle)
      #02: com.SafeNet.eTokenIfdh:9.0.0.0 (/Library/Frameworks/eToken.framework/Versions/A/aks-ifdh.bundle)
      #03: com.gemalto.ifd-bccid:1.0 (/usr/local/libexec/SmartCardServices/drivers/ifd-bccid.bundle)
      #04: org.debian.alioth.pcsclite.smartcardccid:1.4.27 (/usr/local/libexec/SmartCardServices/drivers/ifd-ccid-SafeNet-eToken5300.bundle)
      #05: (null):(null) (/Library/Frameworks/eToken.framework/Versions/A/ikey-ifdh.bundle)

    Tokend Drivers:

      #01: com.Safenet.eTokend:9.0 (/Library/Frameworks/eToken.framework/Versions/A/eTokend.tokend)

    SmartCard Drivers:

      #01: com.apple.CryptoTokenKit.pivtoken:1.0 (/System/Library/Frameworks/CryptoTokenKit.framework/PlugIns/pivtoken.appex)
      #02: com.gemalto.Gemalto-Smart-Card-Token.PKCS11-Token:1.0 (/Library/Frameworks/eToken.framework/Versions/A/SafeNet Authentication Client.app/Contents/PlugIns/PKCS11 Token.appex)

    Available SmartCards (keychain):

        com.gemalto.Gemalto-Smart-Card-Token.PKCS11-Token:9A522A4489DFA3DE:

          #01: Kind: private RSA 2048-bit, Certificate: <1cc4a99c 25e2b4eb 381850d2 e8e7a9a8 8d258b31>, Usage: Sign Decrypt Unwrap 
          #02: Kind: private RSA 2048-bit, Certificate: <425fa8c1 27ad75a1 aec73183 2b053b41 38befe7f>, Usage: Sign Decrypt Unwrap 
          #03: Kind: private RSA 4096-bit, Certificate: <16b5321b d4c7f3e0 e68ef3bd d2b03aee b23918d1>, Usage: Sign Decrypt Unwrap 
          #04: Kind: private RSA 4096-bit, Certificate: <16b5321b d4c7f3e0 e68ef3bd d2b03aee b23918d1>, Usage: Sign Decrypt Unwrap 
          #05: Kind: private RSA 2048-bit, Certificate: <31fde547 b4ca58d4 7b6231c2 62730efd 8c7538a1>, Usage: Sign Derive Decrypt Unwrap 

    Available SmartCards (token):

        com.gemalto.Gemalto-Smart-Card-Token.PKCS11-Token:9A522A4489DFA3DE:

          #01: Kind: private RSA 2048-bit, Certificate: <1cc4a99c 25e2b4eb 381850d2 e8e7a9a8 8d258b31>, Usage: Sign Decrypt Unwrap 
          #02: Kind: private RSA 2048-bit, Certificate: <425fa8c1 27ad75a1 aec73183 2b053b41 38befe7f>, Usage: Sign Decrypt Unwrap 
          #03: Kind: private RSA 4096-bit, Certificate: <16b5321b d4c7f3e0 e68ef3bd d2b03aee b23918d1>, Usage: Sign Decrypt Unwrap 
          #04: Kind: private RSA 2048-bit, Certificate: <31fde547 b4ca58d4 7b6231c2 62730efd 8c7538a1>, Usage: Sign Derive Decrypt Unwrap 
          #05: Certificate <1a222d8f 7458d082 d413fbdb 40c85f56 f48def63>
In this second example I installed SAC (SafeNet Authentication Client) from Gemalto. You can see some differences:
  • more reader drivers are installed
  • a tokend driver is installed
  • another SmartCard (CryptoTokenKit or CTK) driver is installed
  • the card inserted in the reader is available in the keychain
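As an added example (not code from the original post), here is a small Python parser for the text that "system_profiler SPSmartCardsDataType" prints, so a script can check the state of the stack instead of reading the dump by eye: which readers are present (with the ATR of the inserted card), which reader, tokend and CTK drivers are installed, and what each token exposes to the keychain. The sample dump is constructed from the second example above (abridged, blank lines dropped). The two findings it reports are both visible in that output: a reader driver printed as "(null):(null)" (no bundle identifier) and the same CCID driver bundle installed twice, under /usr/libexec and /usr/local/libexec. The way a reader without a card is listed (without an ATR) is an assumption, not something the post shows.

```python
"""Parse `system_profiler SPSmartCardsDataType` output (added example, not the
blog's code): lets a script check readers, drivers and keychain-visible cards."""
import re

# One regex per kind of line; the indentation of the dump is significant.
SECTION_RE = re.compile(r"^ {4}(\S[^:]*):\s*$")        # "    Readers:"
TOKEN_RE = re.compile(r"^ {8}(\S.*):\s*$")              # "        <driver id>:<token id>:"
ENTRY_RE = re.compile(r"^\s+#(\d+): (.*?)\s*$")         # "      #01: ..."
READER_RE = re.compile(r"^(.*?) \(ATR:<([0-9a-fA-F ]+)>\)$")
DRIVER_RE = re.compile(r"^(\S+):(\S+) \((.+)\)$")       # "<bundle id>:<version> (<path>)"

# Constructed sample: the second dump of the post, abridged, blank lines dropped.
SAMPLE = """\
SmartCards:
    Readers:
      #01: Gemalto PC Twin Reader (ATR:<3b7f9600 00803180 65b08503 00ef120f fe829000>)
    Reader Drivers:
      #01: org.debian.alioth.pcsclite.smartcardccid:1.4.27 (/usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle)
      #02: org.debian.alioth.pcsclite.smartcardccid:1.4.27 (/usr/local/libexec/SmartCardServices/drivers/ifd-ccid-SafeNet-eToken5300.bundle)
      #03: (null):(null) (/Library/Frameworks/eToken.framework/Versions/A/ikey-ifdh.bundle)
    Tokend Drivers:
      #01: com.Safenet.eTokend:9.0 (/Library/Frameworks/eToken.framework/Versions/A/eTokend.tokend)
    SmartCard Drivers:
      #01: com.apple.CryptoTokenKit.pivtoken:1.0 (/System/Library/Frameworks/CryptoTokenKit.framework/PlugIns/pivtoken.appex)
      #02: com.gemalto.Gemalto-Smart-Card-Token.PKCS11-Token:1.0 (/Library/Frameworks/eToken.framework/Versions/A/SafeNet Authentication Client.app/Contents/PlugIns/PKCS11 Token.appex)
    Available SmartCards (keychain):
        com.gemalto.Gemalto-Smart-Card-Token.PKCS11-Token:9A522A4489DFA3DE:
          #01: Kind: private RSA 2048-bit, Certificate: <1cc4a99c 25e2b4eb 381850d2 e8e7a9a8 8d258b31>, Usage: Sign Decrypt Unwrap
    Available SmartCards (token):
        com.gemalto.Gemalto-Smart-Card-Token.PKCS11-Token:9A522A4489DFA3DE:
          #01: Kind: private RSA 2048-bit, Certificate: <1cc4a99c 25e2b4eb 381850d2 e8e7a9a8 8d258b31>, Usage: Sign Decrypt Unwrap
          #02: Certificate <1a222d8f 7458d082 d413fbdb 40c85f56 f48def63>
"""


def parse_key(text):
    """'Kind: private RSA 2048-bit, Certificate: <...>, Usage: Sign ...' -> dict."""
    fields = {}
    for part in text.split(", "):
        name, sep, value = part.partition(": ")
        if not sep:  # "Certificate <...>" entries carry no colon
            name, _, value = part.partition(" ")
        fields[name] = value
    return fields


def parse_smartcards(text):
    """{section: [entries]}; 'Available SmartCards' sections map token id -> [keys]."""
    info, section, token = {}, None, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section, token = m.group(1), None
            info[section] = {} if section.startswith("Available") else []
            continue
        if section is None:
            continue
        m = TOKEN_RE.match(line)
        if m and section.startswith("Available"):
            token = m.group(1)
            info[section][token] = []
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        body = m.group(2)
        if section == "Readers":
            r = READER_RE.match(body)
            # Assumed: a reader with no card inserted is listed without an ATR.
            info[section].append({"name": r.group(1), "atr": r.group(2).replace(" ", "")}
                                 if r else {"name": body, "atr": None})
        elif section.startswith("Available"):
            if token is not None:
                info[section][token].append(parse_key(body))
        else:  # Reader Drivers, Tokend Drivers, SmartCard Drivers
            d = DRIVER_RE.match(body)
            info[section].append({"id": d.group(1), "version": d.group(2), "path": d.group(3)}
                                 if d else {"id": body, "version": None, "path": None})
    return info


def stack_findings(info):
    """Points worth a second look in a parsed dump."""
    findings = []
    readers = info.get("Readers", [])
    if not readers:
        findings.append("no smart card reader detected")
    for r in readers:
        if r["atr"] is None:
            findings.append(f"{r['name']}: no card inserted")
    seen = {}
    for d in info.get("Reader Drivers", []) + info.get("SmartCard Drivers", []):
        if d["id"] == "(null)":
            findings.append(f"driver without bundle identifier: {d['path']}")
        elif d["id"] in seen:
            findings.append(f"driver {d['id']} installed twice: {seen[d['id']]} and {d['path']}")
        seen.setdefault(d["id"], d["path"])
    for sect in ("Available SmartCards (keychain)", "Available SmartCards (token)"):
        for tok, keys in info.get(sect, {}).items():
            findings.append(f"{sect}: {tok} exposes {len(keys)} objects")
    return findings
```

To run it against a real machine, feed the output of the command to parse_smartcards (for instance subprocess.check_output(["system_profiler", "SPSmartCardsDataType"], text=True)) and print stack_findings on the result; keeping the two "Available SmartCards" counts per token in a baseline makes it easy to notice when a newly installed driver starts exposing keys to the keychain.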

Conclusion

This command provides higher-level information than pcsctest.
You know what drivers (for readers and for cards) are installed.