By re-reading the presentation "Working with Smart Cards: macOS and Security" by Richard Purves I discovered a new command.
I already knew "
system_profiler SPUSBDataType
" to list the USB devices. I mentioned it in "Level 1 smart card support on Mac OS X" to check the USB reader is seen by the system. But system_profiler
provides a better command for smart cards.SPSmartCardsDataType
system_profiler has another very interesting command:system_profiler SPSmartCardsDataType
Clean macOS installation
Example 1:$ system_profiler SPSmartCardsDataType SmartCards: Readers: #01: Cherry KC 1000 SC (ATR:<3b7f9600 00803180 65b08441 3df612ff fe829000>) Reader Drivers: #01: org.debian.alioth.pcsclite.smartcardccid:1.4.27 (/usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle) Tokend Drivers: SmartCard Drivers: #01: com.apple.CryptoTokenKit.pivtoken:1.0 (/System/Library/Frameworks/CryptoTokenKit.framework/PlugIns/pivtoken.appex) Available SmartCards (keychain): Available SmartCards (token):
You get a lot of useful information:
- list of smart card readers
- list of installed reader drivers
- list of tokend drivers
- list of smart card drivers
- available smart cards (keychain)
- available smart cards (token)
What you can see in my example:
- I use a Cherry KC 1000 SC reader. A card is inserted in the reader and you see the ATR.
- by default Apple provides a CCID driver
- by default Apple provides a PIV CryptoTokenKit token to support Personal Identity Verification cards
Using SafeNet Authentication Client
Example 2:$ system_profiler SPSmartCardsDataType SmartCards: Readers: #01: Gemalto PC Twin Reader (ATR:<3b7f9600 00803180 65b08503 00ef120f fe829000>) Reader Drivers: #01: org.debian.alioth.pcsclite.smartcardccid:1.4.27 (/usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle) #02: com.SafeNet.eTokenIfdh:9.0.0.0 (/Library/Frameworks/eToken.framework/Versions/A/aks-ifdh.bundle) #03: com.gemalto.ifd-bccid:1.0 (/usr/local/libexec/SmartCardServices/drivers/ifd-bccid.bundle) #04: org.debian.alioth.pcsclite.smartcardccid:1.4.27 (/usr/local/libexec/SmartCardServices/drivers/ifd-ccid-SafeNet-eToken5300.bundle) #05: (null):(null) (/Library/Frameworks/eToken.framework/Versions/A/ikey-ifdh.bundle) Tokend Drivers: #01: com.Safenet.eTokend:9.0 (/Library/Frameworks/eToken.framework/Versions/A/eTokend.tokend) SmartCard Drivers: #01: com.apple.CryptoTokenKit.pivtoken:1.0 (/System/Library/Frameworks/CryptoTokenKit.framework/PlugIns/pivtoken.appex) #02: com.gemalto.Gemalto-Smart-Card-Token.PKCS11-Token:1.0 (/Library/Frameworks/eToken.framework/Versions/A/SafeNet Authentication Client.app/Contents/PlugIns/PKCS11 Token.appex) Available SmartCards (keychain): com.gemalto.Gemalto-Smart-Card-Token.PKCS11-Token:9A522A4489DFA3DE: #01: Kind: private RSA 2048-bit, Certificate: <1cc4a99c 25e2b4eb 381850d2 e8e7a9a8 8d258b31>, Usage: Sign Decrypt Unwrap #02: Kind: private RSA 2048-bit, Certificate: <425fa8c1 27ad75a1 aec73183 2b053b41 38befe7f>, Usage: Sign Decrypt Unwrap #03: Kind: private RSA 4096-bit, Certificate: <16b5321b d4c7f3e0 e68ef3bd d2b03aee b23918d1>, Usage: Sign Decrypt Unwrap #04: Kind: private RSA 4096-bit, Certificate: <16b5321b d4c7f3e0 e68ef3bd d2b03aee b23918d1>, Usage: Sign Decrypt Unwrap #05: Kind: private RSA 2048-bit, Certificate: <31fde547 b4ca58d4 7b6231c2 62730efd 8c7538a1>, Usage: Sign Derive Decrypt Unwrap Available SmartCards (token): com.gemalto.Gemalto-Smart-Card-Token.PKCS11-Token:9A522A4489DFA3DE: #01: Kind: private RSA 2048-bit, Certificate: <1cc4a99c 25e2b4eb 381850d2 e8e7a9a8 8d258b31>, Usage: Sign Decrypt Unwrap #02: Kind: private RSA 2048-bit, Certificate: <425fa8c1 27ad75a1 aec73183 2b053b41 38befe7f>, Usage: Sign Decrypt Unwrap #03: Kind: private RSA 4096-bit, Certificate: <16b5321b d4c7f3e0 e68ef3bd d2b03aee b23918d1>, Usage: Sign Decrypt Unwrap #04: Kind: private RSA 2048-bit, Certificate: <31fde547 b4ca58d4 7b6231c2 62730efd 8c7538a1>, Usage: Sign Derive Decrypt Unwrap #05: Certificate <1a222d8f 7458d082 d413fbdb 40c85f56 f48def63>
In this second example I installed SAC (SafeNet Authentication Client) from Gemalto. You can see some differences:
- more reader drivers are installed
- a tokend driver is installed
- another SmartCard (Crypto Token Kit or CTK) driver is installed
- the card inserted in the reader is available in the keychain
Conclusion
This command provides information of a higher level thatpcsctest
.You know what drivers (for readers and for cards) are installed.