Important!

Blog moved to https://blog.apdu.fr/

I moved my blog from https://ludovicrousseau.blogspot.com/ to https://blog.apdu.fr/ . Why? I wanted to move away from Blogger (owne...

Wednesday, December 18, 2019

New PyKCS11 1.5.7 available

I just released a new version of PyKCS11, a Python wrapper above the PKCS#11 API.
See "PyKCS11 introduction" or "PyKCS11’s documentation".

Changes:

1.5.7 - December 2019, Ludovic Rousseau
  • add missing files in the .tar.gz

1.5.6 - December 2019, Ludovic Rousseau
  • AppVeyor:
    • generate bdist_wheel
    • add Python 3.7 and 3.8
  • Sample events.py: add a -f/--full argument
  • Add support of CKM_AES_GCM mechanism
  • CPKCS11Lib::Load(): return different error codes
  • minor improvements

Thursday, December 12, 2019

tokend support is NOT broken Catalina

Upgrade regression

3 weeks ago I wrote the article "tokend support is broken Catalina 10.15.1" because I could no longer use the tokend I am working on after the upgrade from Catalina 10.15.0 to Catalina 10.15.1.

Fake news?

Today I upgraded to Catalina 10.15.2 and the problem is still present.
To be sure I installed OpenSC and the tokend from OpenSC works fine on Catalina 10.15.2. Good job OpenSC team.

So the problem is not Catalina but my tokend.
I then noticed a line in the system logs:
kernel Sandbox: securityd(638) deny(1) process-exec* [...]

I have a problem with the tokend sandbox and need to fix it. The problem is on my side :-(

Conclusion

I wrongly accused Apple of having introduced a bug in macOS. I am sorry for that.
Next time I will double check the problem is really not on my side.

Saturday, November 23, 2019

tokend support is broken Catalina 10.15.1

Catalina

The tokend technology has been deprecated since macOS Lion (10.7 in 2011). With macOS Catalina (10.15 in 2019) support for tokend is disabled by default. But Apple provides a way to enable it again.

See my previous article "macOS Catalina and smart cards status".

Catalina, first minor update

With the first minor update of Catalina (10.15.1) the support of tokend seems to be broken (not just disabled).

I reported the problem to Apple (feedback FB7455638) but have had no news since then.
You can also report the same problem to Apple to give the issue a higher priority.

My recommendations

If you depend on a working tokend support then do not upgrade to Catalina and stay with Mojave (for now).

While in Mojave, migrate from tokend to an equivalent CryptoTokenKit plugin. The CryptoTokenKit plugin is the new technology introduced (in macOS Sierra 10.12 in 2016, see "macOS Sierra: Smart Card Driver Extensions") to replace tokend.
Once your CTK plugin configuration is working fine you can migrate to Catalina.

Update: December 12, 2019

See the update: "tokend support is NOT broken Catalina".

Monday, October 14, 2019

macOS Catalina and smart cards status

macOS Catalina (macOS 10.15) is now available since 7th October, 2019.


API Differences between 10.14 and 10.15

The differences should be listed in the "What's New in macOS" developer page for macOS Catalina 10.15.

The changes for Mojave are still not yet available. So maybe the changes for Catalina will also not be listed. The latest macOS version listed is 10.13.

tokend

A tokend is a piece of software that bridges a cryptographic device (like a smart card) and the CDSA (Common Data Security Architecture).

Since macOS Lion (10.7 in 2011) the CDSA/tokend technology has been deprecated. See "Mac OS X Lion and tokend".

Tokends are now disabled by default in macOS Catalina. See the Apple page "Prepare for smart card changes in macOS Catalina":
macOS includes a modern architecture that supports smart cards. This architecture is based on the CryptoTokenKit framework, which supports authentication, encryption, and signing functions, plus MDM controls for managing smart cards within Enterprise environments. Starting with macOS Catalina, legacy smart card support that uses TokenD will be disabled by default.

It is still possible to enable support of tokend. See SmartCardServices-legacy(7) manpage:

sudo defaults write /Library/Preferences/com.apple.security.smartcard Legacy -bool true

My guess is that tokend support will be completely removed in the next major macOS version (10.16 released in 2020).
It is really time to move away from tokend and migrate to CryptoTokenKit.

PC/SC

Since Yosemite (macOS 10.10 in 2014) the PC/SC layer is no longer a fork of pcsc-lite, so comparing versions with pcsc-lite is useless.

% cat /System/Library/Frameworks/PCSC.framework/Versions/A/Resources/version.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
 <key>BuildAliasOf</key>
 <string>CryptoTokenKit</string>
 <key>BuildVersion</key>
 <string>2</string>
 <key>CFBundleShortVersionString</key>
 <string>8.0</string>
 <key>CFBundleVersion</key>
 <string>1</string>
 <key>ProjectName</key>
 <string>SmartCardServices</string>
 <key>SourceVersion</key>
 <string>408011002000000</string>
</dict>
</plist>

The CFBundleShortVersionString is still 8.0 as for Mojave.
The SourceVersion changed from 281200021000000 to 408011002000000. But I have no idea what that means :-).

I know Apple made changes in the PC/SC layer in Catalina because I identified and reported a bug in PC/SC during the beta. The bug has been fixed.

Crypto Token Kit

CryptoTokenKit is the native smart card API since the complete rewrite in macOS Yosemite 10.10 (OS X Yosemite BETA and smart cards status).

% strings /System/Library/Frameworks/CryptoTokenKit.framework/CryptoTokenKit | grep BuildRoot
/BuildRoot/Library/Caches/com.apple.xbs/Sources/CryptoTokenKit/CryptoTokenKit-408.11.2/CryptoTokenKit/TKToken.m
/BuildRoot/Library/Caches/com.apple.xbs/Sources/CryptoTokenKit/CryptoTokenKit-408.11.2/CryptoTokenKit/TKSmartCard.m
/BuildRoot/Library/Caches/com.apple.xbs/Sources/CryptoTokenKit/CryptoTokenKit-408.11.2/CryptoTokenKit/TKTokenConfiguration.m
/BuildRoot/Library/Caches/com.apple.xbs/Sources/CryptoTokenKit/CryptoTokenKit-408.11.2/CryptoTokenKit/TKClientToken.m
/BuildRoot/Library/Caches/com.apple.xbs/Sources/CryptoTokenKit/CryptoTokenKit-408.11.2/CryptoTokenKit/TKTokenKeychainItem.m
/BuildRoot/Library/Caches/com.apple.xbs/Sources/CryptoTokenKit/CryptoTokenKit-408.11.2/CryptoTokenKit/TKTokenConnection.m
/BuildRoot/Library/Caches/com.apple.xbs/Sources/CryptoTokenKit/CryptoTokenKit-408.11.2/CryptoTokenKit/TKTokenSession.m
/BuildRoot/Library/Caches/com.apple.xbs/Sources/CryptoTokenKit_Client/CryptoTokenKit-408.11.2/ctkclient/ctkclient.m

In Catalina the CryptoTokenKit source code is at version 408.11.2.
It was at version 281.200.21 in Mojave 10.14.0, 281.1.1 in High Sierra 10.13.0 and 281.50.22 in High Sierra 10.13.6.

Since the source code is not available I can't write much more than that.
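As an added example (not the blog's or Apple's code), here is a small Python script that reads the two version markers the PC/SC and CryptoTokenKit sections above extract by hand: the PC/SC framework's version.plist and a CryptoTokenKit BuildRoot path. Both inputs are embedded copies of the output shown above, so the script runs offline. The decoding of SourceVersion into five zero-padded three-digit fields is my assumption, not something the article states; it agrees with the pairs quoted in this article (408011002000000 next to CryptoTokenKit-408.11.2, and 281200021000000 next to 281.200.21), which is what the last function checks.

```python
"""Added example: read the PC/SC and CryptoTokenKit version markers shown in the
article from copies of the command output. Not the blog's or Apple's code."""
import plistlib
import re

# Constructed copy of the version.plist printed in the article (Catalina values).
VERSION_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
 <key>BuildAliasOf</key>
 <string>CryptoTokenKit</string>
 <key>BuildVersion</key>
 <string>2</string>
 <key>CFBundleShortVersionString</key>
 <string>8.0</string>
 <key>CFBundleVersion</key>
 <string>1</string>
 <key>ProjectName</key>
 <string>SmartCardServices</string>
 <key>SourceVersion</key>
 <string>408011002000000</string>
</dict>
</plist>
"""

# One of the lines printed by `strings ... | grep BuildRoot` in the article.
BUILDROOT_LINE = ("/BuildRoot/Library/Caches/com.apple.xbs/Sources/CryptoTokenKit/"
                  "CryptoTokenKit-408.11.2/CryptoTokenKit/TKToken.m")


def decode_source_version(source_version):
    """Assumption (not stated in the article): a 15-digit SourceVersion is five
    zero-padded 3-digit fields of the project version; trailing .0 fields are
    dropped. It matches the pairs quoted in the article
    (408011002000000 <-> 408.11.2, 281200021000000 <-> 281.200.21)."""
    if len(source_version) != 15 or not source_version.isdigit():
        raise ValueError("SourceVersion must be 15 decimal digits")
    fields = [int(source_version[i:i + 3]) for i in range(0, 15, 3)]
    while len(fields) > 1 and fields[-1] == 0:
        fields.pop()
    return ".".join(str(f) for f in fields)


def pcsc_versions(plist_bytes):
    """Parse a version.plist and return the fields worth comparing across releases."""
    d = plistlib.loads(plist_bytes)
    return {
        "project": d["ProjectName"],
        "alias_of": d["BuildAliasOf"],
        "short_version": d["CFBundleShortVersionString"],
        "source_version": d["SourceVersion"],
        "decoded_source_version": decode_source_version(d["SourceVersion"]),
    }


_BUILDROOT_RE = re.compile(r"/Sources/[^/]+/([A-Za-z0-9_]+)-(\d+(?:\.\d+)*)/")


def project_version_from_buildroot(line):
    """Extract (project, version) from a /BuildRoot/... path left in a binary."""
    m = _BUILDROOT_RE.search(line)
    if not m:
        raise ValueError("no BuildRoot project version in line")
    return m.group(1), m.group(2)


def same_source_tree(plist_bytes, buildroot_line):
    """True when the plist's SourceVersion and the BuildRoot path name the same
    project version (the PC/SC framework is a BuildAliasOf CryptoTokenKit)."""
    v = pcsc_versions(plist_bytes)
    project, version = project_version_from_buildroot(buildroot_line)
    return project == v["alias_of"] and version == v["decoded_source_version"]


if __name__ == "__main__":
    print(pcsc_versions(VERSION_PLIST))
    print(project_version_from_buildroot(BUILDROOT_LINE))
    print("same source tree:", same_source_tree(VERSION_PLIST, BUILDROOT_LINE))
```

On a real Mac the two inputs come from the `cat` and `strings | grep BuildRoot` commands shown above; the script only replaces the eyeballing, and a mismatch between the two numbers would be the thing to look at after an update.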

CCID


% grep -A 1 CFBundleShortVersionString /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/Info.plist
 <key>CFBundleShortVersionString</key>
 <string>1.4.31</string>

Apple updated the CCID driver from version 1.4.27 in Mojave to 1.4.31 in Catalina.

Version 1.4.31 is the latest version available. I released this version on August 10th 2019.

Conclusion

The smart card integration changed in macOS Catalina.

I may write about more specific details in other articles.

Wednesday, October 9, 2019

Parsing an ATR: old site decommissioned

I modified the web site at https://smartcard-atr.appspot.com/ to automatically redirect to https://smartcard-atr.apdu.fr/ (after 10 seconds so you have some time to read the message).

The idea is to tell people that the service has moved. You should use only the new site now. See also "Parsing an ATR: new web site URL".

I do not want to use Google App Engine (GAE) any more and do not plan to maintain the old web site (hosted at GAE). So instead of giving access to unmaintained code I redirect to the new and maintained web site.

Please update your bookmarks.

Friday, September 6, 2019

Parsing an ATR: new web site URL

History

Since the beginning (in 2009) the Smart card ATR parsing service was hosted on Google App Engine. This is because the Google service is/was free of charge and was a new technology to discover.

You can see the GUI evolution of the ATR parsing service in time from my previous blog articles:

Then I received an email from Google:
We’re writing to you to let you know that the legacy standalone App Engine SDK (appcfg) will be deprecated as of July 30, 2019, in favor of the Generally Available Google Cloud SDK (Cloud SDK).

You will need to migrate your projects off the legacy standalone SDK (appcfg) before the shutdown date of July 30, 2020. Projects included in this email will be whitelisted to use the legacy standalone SDK (appcfg) until July 30, 2020, but any new projects will not be able to use the legacy standalone SDK (appcfg) from July 30, 2019.

Migration

In the migration to the Google Cloud SDK I wanted to also migrate from Python 2 to Python 3, and from Bootstrap 3 to Bootstrap 4. But then I discovered that I would have to migrate from webapp to Flask (not a bad idea) and that some Google APIs I used were not available for Python 3:
  • user identification
  • sending email
I also discovered that it is not possible to deploy an application using the new SDK without creating a billing account. I had to give my credit card number to Google. Google offers US $300 for 1 year but I do not plan to pay extra money for this free service.

Note: if you want to help me see "How to help my projects? Send me bitcoins!" or contact me directly.

Problem

The problem is that I use mail service to send me an email when a new ATR is submitted, and I use the user identification service to get the user login so I can contact him/her in case the card description is incorrect.

Backup plan

I tried to use the smtplib Python module to send emails. The code works fine in local/debug mode but not when deployed in Google cloud. I have no idea why it failed.
Problem: I deployed the non-working solution over the normal service (yes, bad idea). So the service was broken and I needed a solution (very) quickly.

Self hosting

Since none of the Google services I used were available any more, the new solution uses only free software dependencies. And the smtplib solution was not working on Google cloud.

The solution was to host the ATR parsing service myself.

New service

The service is now available at https://smartcard-atr.apdu.fr/.

The old URL https://smartcard-atr.appspot.com/ is still available for now. I plan to change the main page with a redirection to the new URL at some point.

Contact me if you find a problem or want to discuss an evolution of the service.

Conclusion

Google forced me to migrate.
I don't think it was in their plans to force me to migrate outside of their cloud services 😉.

Thursday, August 22, 2019

Improved security of {muscle,pcsclite,ccid}.apdu.fr websites

I recently discovered the Mozilla Observatory service:
The Mozilla HTTP Observatory is a set of tools to analyze your website and inform you if you are utilizing the many available methods to secure it.

Before

Initially the 3 websites https://muscle.apdu.fr/, https://ccid.apdu.fr/ and https://pcsclite.apdu.fr/ I manage had a very bad score of F or 20/100.

F is the worst score. So I needed to do something to improve the situation and the security a bit.

After

After some configuration of the web server and some minor update of the web pages I now get a score of A+ or 110/100.

If you find something broken on the web sites please tell me. I may have missed something.

Conclusion

I think I could still improve the security. If you have ideas of what to do just tell me.

Monday, August 12, 2019

ISO 7816-4 spy using Wireshark

In a previous blog article "CCID USB spy using Wireshark" I documented how to use Wireshark to analyse USB CCID packets.

It is also possible to continue the packet decoding to show ISO 7816-4 format commands.

Raw USB packets

By default you will get USB packets.



CCID packets

Enable the USBCCID decoder in the Wireshark menu Analyze -> Decode as...
You will then see CCID packets.
But APDUs sent to the reader may be hard to read if you do not decode ISO 7816-4 directly in your head.
All we get here is Data: 00 a4 04 00 0b a0 00 00 03 97 43 49 44 5f 01 00

ISO 7816 commands

Now enable the ISO 7816 decoder.
And you will see ISO 7816-4 command names.
Here you see that the APDU 00 a4 04 00 0b a0 00 00 03 97 43 49 44 5f 01 00 is a "Select file" (the second byte, the INS byte, is 0xA4).

Limitations

Not all the CCID packets are decoded.

For example the Secure command (0x69) is not (yet) decoded.
Only the first CCID byte is decoded as "Message Type: PC_to_RDR_Secure (0x69)". The rest of the CCID frame is not decoded. And this command is not easy to decode by hand without the CCID specification.

This CCID Secure command is used with a pinpad reader to make the user enter their PIN code on the pinpad and not on the computer keyboard. See here for a list of pinpad readers working with my CCID driver.
The Secure command uses parameters to set the PIN padding, the messages displayed to the user, the min and max PIN lengths, the validation conditions and some other parameters. Not all pinpad readers support the same set of parameters, so the situation is complex.
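As an added example (not the article's code and not Wireshark's dissector), the following Python performs the same two decoding steps offline: it parses the 10-byte CCID header of a USB frame and, for PC_to_RDR_XfrBlock, the ISO 7816-4 command APDU it carries, naming the INS the way the ISO 7816 decoder does. The frame is constructed around the APDU shown in the capture above; a PC_to_RDR_Secure frame is reported by message type only, mirroring the limitation described in this section. The CCID header layout and message type codes are those of the USB CCID class specification; the INS table is a small subset of ISO 7816-4.

```python
"""Added example: decode a CCID frame and the ISO 7816-4 APDU inside it.
Not from the article, Wireshark, or libccid."""
import struct

# CCID message types (USB CCID class specification, rev 1.1).
CCID_MESSAGES = {
    0x62: "PC_to_RDR_IccPowerOn", 0x63: "PC_to_RDR_IccPowerOff",
    0x65: "PC_to_RDR_GetSlotStatus", 0x69: "PC_to_RDR_Secure",
    0x6F: "PC_to_RDR_XfrBlock", 0x80: "RDR_to_PC_DataBlock",
    0x81: "RDR_to_PC_SlotStatus",
}

# A few ISO 7816-4 INS codes; Wireshark's ISO 7816 dissector knows many more.
INS_NAMES = {
    0x20: "VERIFY", 0x84: "GET CHALLENGE", 0x88: "INTERNAL AUTHENTICATE",
    0xA4: "SELECT FILE", 0xB0: "READ BINARY", 0xB2: "READ RECORD",
    0xC0: "GET RESPONSE", 0xCA: "GET DATA", 0xD6: "UPDATE BINARY",
}


def parse_apdu(apdu):
    """Split a short command APDU into CLA/INS/P1/P2 and Lc/data/Le, working
    out the ISO 7816-4 case (1 to 4) from the length."""
    apdu = bytes(apdu)
    if len(apdu) < 4:
        raise ValueError("command APDU needs at least 4 bytes")
    cla, ins, p1, p2 = apdu[:4]
    body = apdu[4:]
    out = {"cla": cla, "ins": ins, "ins_name": INS_NAMES.get(ins, "unknown"),
           "p1": p1, "p2": p2, "lc": 0, "data": b"", "le": None}
    if len(body) == 0:
        out["case"] = 1                       # header only
    elif len(body) == 1:
        out["case"] = 2                       # Le only (0x00 means 256)
        out["le"] = body[0] or 256
    else:
        lc = body[0]
        if len(body) == 1 + lc:
            out["case"] = 3                   # Lc + data
        elif len(body) == 2 + lc:
            out["case"] = 4                   # Lc + data + Le
            out["le"] = body[-1] or 256
        else:
            raise ValueError("Lc does not match the APDU length")
        out["lc"], out["data"] = lc, body[1:1 + lc]
    return out


def parse_ccid(frame):
    """Decode the 10-byte CCID header: bMessageType, dwLength (little endian),
    bSlot, bSeq and 3 message-specific bytes. The payload is decoded only for
    XfrBlock; PC_to_RDR_Secure is left undecoded, as Wireshark does."""
    frame = bytes(frame)
    if len(frame) < 10:
        raise ValueError("CCID frame shorter than its 10-byte header")
    msg_type, length, slot, seq = struct.unpack_from("<BIBB", frame, 0)
    payload = frame[10:10 + length]
    if len(payload) != length:
        raise ValueError("dwLength exceeds the captured frame")
    out = {"message_type": msg_type,
           "message": CCID_MESSAGES.get(msg_type, "unknown"),
           "length": length, "slot": slot, "seq": seq,
           "specific": frame[7:10], "payload": payload, "apdu": None}
    if msg_type == 0x6F:
        out["apdu"] = parse_apdu(payload)
    return out


def build_xfrblock(apdu, slot=0, seq=0):
    """Constructed test vector: wrap an APDU in a host-to-reader XfrBlock
    (bBWI = 0, wLevelParameter = 0)."""
    return struct.pack("<BIBBBH", 0x6F, len(apdu), slot, seq, 0, 0) + bytes(apdu)


# The APDU the article shows in its capture.
SELECT_APDU = bytes.fromhex("00 a4 04 00 0b a0 00 00 03 97 43 49 44 5f 01 00")

if __name__ == "__main__":
    decoded = parse_ccid(build_xfrblock(SELECT_APDU, seq=3))
    print(decoded["message"], "slot", decoded["slot"], "seq", decoded["seq"])
    print(decoded["apdu"])
    # A Secure frame with a constructed 3-byte payload: header only is decoded.
    print(parse_ccid(bytes([0x69, 3, 0, 0, 0, 0, 0, 0, 0, 0, 0xAA, 0xBB, 0xCC])))
```

Feeding it real frames means taking the USB bulk transfer payloads out of the .pcapng (for example with pyshark or tshark's JSON export) and passing each one to parse_ccid; the APDU field then gives the same "Select file" reading the screenshot above shows.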

Windows support

In my previous article "CCID USB spy using Wireshark" I made the USB trace acquisition on a GNU/Linux system.

This time I made the capture on Windows, saved the file on disk (.pcapng format) and used Wireshark on macOS to study the file. Yes, I prefer to NOT use Windows as much as possible.

So whatever the system you are using (GNU/Linux, macOS or Windows, and maybe others) Wireshark can help you.

Conclusion

Wireshark is a very nice tool. I should use it more often to debug issues and understand why a program is working on Windows and not on GNU/Linux. It can be used to do some reverse engineering, especially with complex CCID commands like the Secure command.

Saturday, August 10, 2019

New version of libccid: 1.4.31

I just released version 1.4.31 of libccid, the Free Software CCID class smart card reader driver.

Changes:

1.4.31 - 10 August 2019, Ludovic Rousseau
  • Add support of
    • ACS ACR1252 Reader
    • Aladdin R.D. JaCartaReader
    • Alcor Link AK9563
    • AvestUA AvestKey
    • Avtor SecureToken (idProduct: 0x0020)
    • Bit4id TokenME EVO v2
    • Bit4id miniLector AIR EVO
    • Bit4id miniLector Blue
    • Broadcom Corp 58200 (idProduct: 0x5843)
    • Broadcom Corp 58200 (idProduct: 0x5844)
    • Broadcom Corp 58200 (idProduct: 0x5845)
    • Certgate GmbH ONEKEY ID 2 USB
    • HID Global Crescendo Key 0x0028
    • HID Global Crescendo Key 0x0029
    • HID Global Crescendo Key 0x002B
    • HID Global Crescendo Key 0x002D
    • Identiv SCR3500 C Contact Reader
    • InfoCert WirelessKey
    • NXP PN7462AU CCID
    • Route1 MobiKEY Fusion3
    • SPECINFOSYSTEMS DIAMOND token
  • MacOSX/configure: fix checking error for dynamic library libusb
  • Some minor improvements for debug

Friday, August 9, 2019

PySCard 1.9.9 released

I just released a new version 1.9.9 of pyscard. PySCard is a Python module adding smart card support (PC/SC) to Python.

The PySCard project is available at:


Changes

1.9.9 (August 2019)
  • Makefile: use twine to upload to pypi.python.org
  • test: fix Exception test on 32-bits CPU
  • test: correctly handle macOS versions older than 10.10

Wednesday, June 26, 2019

GnuPG and PC/SC conflicts

GnuPG

"GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). GnuPG allows you to encrypt and sign your data and communications."

GnuPG provides support for smart cards using the OpenPGP application in the card or token. See "How to use the Fellowship Smartcard" for more details.

PC/SC

PC/SC (defined by the PC/SC workgroup) is the "standard" way to access smart cards and smart card readers.

pcsc-lite is a Free Software implementation of the PC/SC standard often used in Unix systems.
pcscd is a daemon, part of pcsc-lite, accessing the smart card readers.

The problem

By default GnuPG has its own way to access smart cards with the help of the scdaemon helper process.

If you use GnuPG and also PC/SC on the same system you may have problems.

scdaemon gets access

If scdaemon is started before pcscd then the smart card reader will not be available at the PC/SC level.
In pcscd logs you get the error:
ccid_usb.c:653:OpenUSBByName() Can't claim interface 1/12: LIBUSB_ERROR_BUSY

pcscd gets access

If pcscd is started before scdaemon then the smart card will not be available at the GnuPG level.
You get the error:
$ gpg --card-status 
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device

It is becoming a FAQ (Debian bug #925312, github issue) so I decided to document possible solutions.

The solutions

Remove pcscd from your system

The obvious solution to avoid the conflict is to remove one of the two participants.
If you use your smart card only with GnuPG then you can remove pcscd entirely.

But if you have pcscd installed it may be for a good reason. You may want/need to use PC/SC for other applications.

Tell GnuPG to use PC/SC

Another solution is to make GnuPG and pcscd work together.
Luckily it is possible to do that using the scdaemon option --disable-ccid.

From the documentation:
--disable-ccid

Disable the integrated support for CCID compliant readers. This allows falling back to one of the other drivers even if the internal CCID driver can handle the reader. Note, that CCID support is only available if libusb was available at build time.

With this option scdaemon will use PC/SC to talk to the smart card and the conflict is solved.

It is possible to tell scdaemon to always use this option by editing the scdaemon configuration file. By default it is ~/.gnupg/scdaemon.conf and it should contain the line:
disable-ccid

If you try to make it work be sure to kill any running scdaemon process so that it is restarted with the new option.
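The following Python helper is added here and is not part of GnuPG or pcsc-lite. It does the two things this section describes: it classifies a log line as one of the two conflict signatures quoted above (telling which side currently holds the reader), and it adds the disable-ccid line to an scdaemon.conf text only when no active line already has it, so a commented-out "# disable-ccid" does not count as configured. The sample log lines and the scratch file used in the demo are constructed for the example.

```python
"""Added example (not GnuPG's or pcsc-lite's code): diagnose the scdaemon/pcscd
reader conflict from log lines and make scdaemon.conf use PC/SC."""
from pathlib import Path

# Constructed sample lines, modelled on the two errors quoted in the article.
SAMPLE_LINES = [
    "ccid_usb.c:653:OpenUSBByName() Can't claim interface 1/12: LIBUSB_ERROR_BUSY",
    "gpg: selecting openpgp failed: No such device",
    "gpg: OpenPGP card not available: No such device",
    "ccid_usb.c:1000:OpenUSBByName() found a reader",   # constructed, no conflict
]


def diagnose(line):
    """Return which process holds the reader, or None if the line is not one
    of the two conflict signatures."""
    if "LIBUSB_ERROR_BUSY" in line and "claim interface" in line:
        return "scdaemon holds the USB interface: pcscd cannot claim it"
    if line.startswith("gpg:") and "No such device" in line:
        return "pcscd holds the reader: scdaemon's internal CCID driver cannot open it"
    return None


def has_active_option(conf_text, option):
    """True if an uncommented line of the conf sets the option."""
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.split()[0] == option:
            return True
    return False


def ensure_disable_ccid(conf_text):
    """Return (new_text, changed): append 'disable-ccid' unless already active."""
    if has_active_option(conf_text, "disable-ccid"):
        return conf_text, False
    if conf_text and not conf_text.endswith("\n"):
        conf_text += "\n"
    return conf_text + "disable-ccid\n", True


def apply_to_file(path):
    """Edit the conf file in place (created if missing, with GnuPG's usual
    private permissions) and report whether anything changed."""
    path = Path(path).expanduser()
    old = path.read_text() if path.exists() else ""
    new, changed = ensure_disable_ccid(old)
    if changed:
        path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
        path.write_text(new)
        path.chmod(0o600)
    return changed


if __name__ == "__main__":
    import tempfile
    for line in SAMPLE_LINES:
        print(f"{line!r}\n  -> {diagnose(line)}")
    with tempfile.TemporaryDirectory() as d:    # demo on a scratch copy, not ~/.gnupg
        demo = Path(d) / "scdaemon.conf"
        demo.write_text("# disable-ccid\n")    # commented out, so not active
        print("changed:", apply_to_file(demo), repr(demo.read_text()))
```

To change the real configuration call apply_to_file("~/.gnupg/scdaemon.conf"), then, as the text above says, kill the running scdaemon so it restarts with the new option (gpgconf --kill scdaemon is GnuPG's own command for that; it is not mentioned in the article).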

Conclusion

I don't know if the problem comes from pcscd or from GnuPG.

The good news is that there is a solution.

Saturday, June 15, 2019

https://www.pcscworkgroup.com/ is back

After a few days the PC/SC work group web site is available again.
https://www.pcscworkgroup.com/

One week ago in "http://www.pcscworkgroup.com is gone" I announced that the website was dead. It has now resurrected.

PC/SC specifications copies

I will keep my PC/SC specifications copies at https://muscle.apdu.fr/www.pcscworkgroup.com/ just in case the official web site disappears again.

WHQL test cards

It is now also possible to order the "PC/SC Test Card Set V2.0" from https://www.pcscworkgroup.com/product/pcsc-test-card-set-v2-0/.
The price is $1000 for 5 cards.

I am not sure I will buy some sets just to speculate on the death again of the PC/SC website. 😏

Monday, June 10, 2019

PC/SC workgroup and WHQL test cards

PC/SC work group

The PC/SC work group was not only used for updating and distributing the PC/SC specification. It was also the reseller of a set of smart cards used by the WHQL process.

WHQL

WHQL is Windows Hardware Quality Labs. I am not a Windows user (and even less an expert) so I may be wrong here.

It looks like smart card reader drivers need to go through the WHQL process to be signed by Microsoft and accepted by Windows systems.
The WHQL process for smart card reader drivers required the use of a specific set of cards. This set of cards was sold by the PC/SC work group.

Test cards set

Since the PC/SC work group is now dead (see "http://www.pcscworkgroup.com is gone") it is no longer possible to buy such a card set.

The Internet Archive service does not have a copy of the "Test Cards" or "Test Cards Ordering" pages. I never used such test cards for my own use. I don't know what the procedure was to order such a Test Cards set.

Solution

I can't help here.
The best I can think of is to contact Microsoft so they provide the Test Cards set themselves or change the WHQL process to use something else.

Maybe some company that has one (or more) complete Test Cards set can rent the set for a good amount of money. If the set is rare it should be expensive (supply and demand). Why don't I have such a set myself? 😀

Friday, June 7, 2019

http://www.pcscworkgroup.com is gone

For a few days/weeks the web site http://www.pcscworkgroup.com has no longer been available (HTTP Error 404).
This web site hosted the PC/SC specification. This specification is implemented as the WinSCard API on Windows and pcsc-lite on Unix.

PC/SC is the standard way to access smart card readers and smart cards from a Windows or Unix system.
See "PC/SC sample in different languages" for some examples.

Last days

The death of the web site was not announced on any PC/SC mailing list I know.

The latest meeting of the PC/SC members was in December 2016.
The latest email I received from the pcscmembers mailing list was in January 2018.
 
I guess the group went out of money (not enough paying members) and the company managing the website and meetings (at a very high price) just stopped providing services.

Are the PC/SC specifications mature enough, or did the PC/SC members just move to something else?
It is important to note that Windows never implemented the latest version of PC/SC v2 part 10 (to support pinpad readers in the Windows CCID driver, for example). So working on a specification that is not implemented by the major provider is somewhat useless.

Web site copies

The web site was still available the 9th of January 2019 and it has been archived by the Internet Archive (Wayback Machine) at https://web.archive.org/web/20190109211601/https://www.pcscworkgroup.com/

The specification files are also available from the Internet Archive at https://web.archive.org/web/20170904222045/https://www.pcscworkgroup.com/specifications/download/

PC/SC specifications copies

I decided to host a copy of the PC/SC specification documents on https://muscle.apdu.fr/www.pcscworkgroup.com/.
I used the copies I made for my own use. But now that the official web site is down I make them public.

Conclusion

It is sad to see a website disappear silently with no warning.
If you have other PC/SC public documents you want to share just tell me.

Thursday, May 30, 2019

Surprising request from a law firm

A few weeks ago I received this email:

From: legal@axur.com
To: Ludovic.Rousseau@gmail.com
Subject: [high priority] [19444663] Content Removal - SENSITIVE DATA

Dear Sir/Madam,

Our company, AXUR, represents C.......R in issues involving the violation of intellectual property and fraud on the Internet.

C.......R is the only company authorized to use the trademark and owns or licenses numerous trademark registrations worldwide, including, but not limited to the following registration number 825503736.

The trademarks, logos, words and phrases registered by C.......R shall be exclusively used by C.......R and any other use by a third party constitutes a trademark infringement.

It has come to our attention that the reported content provides related content (see attached) to the trademark without having obtained prior written authorization from C.......R . More specifically, this content disclosures SENSITIVE DATA from our client or its customer, creating a Likelihood of Confusion between the trademark and the reported content.

Furthermore, by misusing the trademark on your website, you are also diluting its use, because it weakens the ability of brand identification as a single source of research and may lead consumers to believe that there is some association between C.......R and your website.

Official Website: https://www.c.......rsolucoes.com.br/

Considering the violation of intellectual property rights of C.......R on your website, we kindly request that you remove all content available on the attached URL(s) which use the above mentioned trademark without having obtained prior authorization.

In order to avoid a lawsuit from a federal court, please, send confirmation that this email was received along with your guarantee to comply with the requests reported above.

Under penalty of perjury, we affirm that AXUR is authorized to act on behalf of the C.......R and this notification is in accordance with International Regulations of Internet and Intellectual Property Offices.

Should you require further information or should you prefer to discuss this issue, please do not hesitate to contact us through the e-mail address listed on the signature of this message.

Sincerely,

AXUR
Legal Team
legal@axur.com

ATTACHMENT:
https://raw.githubusercontent.com/LudovicRousseau/pcsc-tools/master/smartcard_list.txt

I replaced the real trademark by "C.......R" to avoid receiving a new email asking to remove this blog article :-)

I also received the same email but with a different subject "[high priority] [19444667] Content Removal" for the same list but with a different URL: https://github.com/LudovicRousseau/pcsc-tools/blob/master/smartcard_list.txt

Actions

I updated the list of ATR to remove any mention of "C.......R".

I asked confirmation from legal@axur.com that the ATR list was OK now. I got no answer.

I also wrote them I would blog about it and got no answer as well.

Wednesday, May 22, 2019

pam_pkcs11: new version 0.6.11

About

From the project wiki page:
This Linux-PAM login module allows a X.509 certificate based user login. The certificate and its dedicated private key are thereby accessed by means of an appropriate PKCS #11 module. For the verification of the users’ certificates, locally stored CA certificates as well as either online or locally accessible CRLs are used.

The idea is to use a smart card and its corresponding PKCS#11 library to login (and more) into a GNU/Linux system.

Changes:

22 May 2019
  • Version 0.6.11
  • Support OpenSSL 1.1.0
  • use green instead of blue text for logs on the console
  • Solaris runs build process outside of srcdir
  • Fix openssh_mapper_match_keys() for OpenSSL 1.0 & 1.1
  • Fix 64-bit pkcs11_inspect(1) fails on SPARC with a SIGBUS due to misaligned access
  • Add support of ECDSA signature in addition to RSA

Download

Download the .tar.gz archive from https://sourceforge.net/projects/opensc/files/pam_pkcs11/

The .tar.gz or .zip files available from github are not complete (the ./configure script is missing, for example).

History

In a previous blog article "pam_pkcs11: new/last version 0.6.9" (3 years ago) I wrote that it was my last release of pam_pkcs11.
  1. But I had to work on a problem related to the use of pam_pkcs11.
  2. I discovered that the version 0.6.10 (released by Paul Wolneykien, thanks) was not available in Debian.
  3. I decided to upgrade the Debian package.
  4. But version 0.6.10 broke support of OpenSSL 1.1.0 and the build for Debian failed.
  5. So I had to fix that and decided to also merge submitted patches and fix other reported bugs.
That is why you now have a new version of pam_pkcs11.

Wednesday, April 17, 2019

New PyKCS11 1.5.5 available

I just released a new version of PyKCS11, a Python wrapper above the PKCS#11 API.
See "PyKCS11 introduction" or "PyKCS11’s documentation".

Changes:

1.5.5 - April 2019, Ludovic Rousseau
  • fix source package generation

1.5.4 - April 2019, Ludovic Rousseau
  • getTokenInfo: replace NUL char by ' ' in utcTime
  • dumpit:
    • print hardwareVersion and firmwareVersion
    • print slot flags
    • move to next slot if token not present
  • add support of CKA_WRAP_TEMPLATE/CKA_UNWRAP_TEMPLATE
  • add samples for ECC key generation and use
  • move from distutils to setuptools
  • upload of wheels to pypi on "make dist"

Monday, March 25, 2019

PySCard 1.9.8 released

I just released a new version 1.9.8 of pyscard. PySCard is a Python module adding smart card support (PC/SC) to Python.

The PySCard project is available at:

Changes

1.9.8 (March 2018)

  • SmartcardException: store the PC/SC return code in hresult
  • CardMonitoring: stop the looping only if PCSC exited
  • setup: support build on OpenBSD, and other BSD
  • Fix Windows 10 SCARD_E_SERVICE_STOPPED from SCardListReaders()
  • Minor documentation improvements

New version of pcsc-lite: 1.8.25

I just released a new version of pcsc-lite 1.8.25.
pcsc-lite is a Free Software implementation of the PC/SC (or WinSCard) API for Unix systems.

Changes
1.8.25: Ludovic Rousseau
25 March 2019
  • Fix a socket issue when pcscd is used inside LXC container
  • pcsc-spy: always provide a total time of execution
  • Fix resource leak if SCardEstablishContext() fails
  • Fix realloc(3) error handling (possible memory leak)
  • Remove usage of function chmod(2) to use fchmod(2) (fix race condition)

Sunday, March 17, 2019

ATR statistics: TA4

Article from the series "ATR statistics"

TA4

The first TA for T=15 encodes the clock stop indicator (X) and the class indicator (Y). The default values are X = "clock stop not supported" and Y = "only class A supported".

Bits 8 and 7 indicate whether the card supports clock stop (≠ 00) or not (= 00) and, when supported, which state is preferred on the electrical circuit CLK when the clock is stopped.
  • 00b: Clock stop not supported
  • 01b: State L
  • 10b: State H
  • 11b: No preference

Bits 6 to 1 indicate the classes of operating conditions accepted by the card. Each bit represents a class: bit 1 for class A, bit 2 for class B and bit 3 for class C.
  • 00 0001b: A only
  • 00 0010b: B only
  • 00 0100b: C only
  • 00 0011b: A and B
  • 00 0110b: B and C
  • 00 0111b: A, B and C
  • Any other value: RFU

TA4       #     %
(absent)  2009  96.96 %
0x03      27    1.30 %
0x83      15    0.72 %
0xC3      12    0.58 %
0x07      6     0.29 %
0x43      2     0.10 %
0xC7      1     0.05 %

Clock stop     #   %
not supported  33  52.38 %
state L        2   3.17 %
state H        15  23.81 %
no preference  13  20.63 %

The class defines the supply voltage the card can use:
  • class A: 5 V
  • class B: 3 V
  • class C: 1.8 V
Some readers can't provide a voltage of 5 V. For example the Gemalto CT1100 reader provides only 3 V. The default value for TA4 is "only class A supported". Some (old) cards require a voltage of 5 V to work and will not work with a CT1100. That can be surprising.

Class      #   %
A & B      56  88.89 %
A & B & C  7   11.11 %

ATR statistics: TD3 - Structural, encodes Y4 and T

Article from the series "ATR statistics"

TD3 - Structural, encodes Y4 and T

The ISO 7816-3 specification is not public. So I can't copy/paste part of the text. I will use Wikipedia instead.

Refer to TD1 - Structural, encodes Y2 and T since the definition of TD3 is identical to TD1.

TD3       #     %
(absent)  2009  96.96 %
0x1F      61    2.94 %
0x3F      2     0.10 %



TD3 (as the other TDi bytes) is structural and indicates:
  • How to interpret the other ATR bytes
  • What communication protocol the card wants to use

For 96.96% of the ATRs no TD3 is present. So no TA4, TB4, TC4 or TD4 is present either, and no new protocol is defined: the protocol(s) defined by TD1 and TD2 will be used.

For 2.94% of the ATRs TD3 = 0x1F. The high nibble is 0001b so TA4 is present and T=15 protocol is defined. One such ATR is 3B 94 18 81 B1 80 7D 1F 03 19 C8 00 50 DC.

For 0.10% of the ATRs TD3 = 0x3F. The high nibble is 0011b so TA4 and TB4 are present and T=15 protocol is defined. One such ATR is 3B DE 18 FF 81 F1 FE 43 00 3F 07 83 44 45 53 46 69 72 65 38 20 53 41 4D 2D 58 17.

ATR statistics: TC3

Article from the series "ATR statistics".

TC3

The ISO 7816-3 specification is not public. So I can't copy/paste part of the text. I will use Wikipedia instead.

For T = 1: type of error detection code used

Bit 1 of the first TC for T=1 indicates the error detection code to be used:
  • CRC if bit 1 is set to 1;
  • LRC (default value) if bit 1 is set to 0.
Bits 8 to 2 of the first TC for T=1 are reserved for future use and shall be set to 0.

TC3       #     %
(absent)  2017  97.35 %
0x00      55    2.65 %

In my list of ATR the only redundancy code used if LRC. I found no card using CRC.

LRC is the default algorithm. But 55 cards explicitly set it. I have no explanation for that.
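The TA4 class, TD3 and TC3 articles above all rest on the same walk over the interface bytes: the high nibble of each TDi says which of TA, TB, TC, TD of the next group are present and the low nibble names a protocol. The following Python parser is an added example written for this page (it is not code from the blog nor from pcsc-tools); the function names parse_atr, voltage_classes and t1_error_detection and the layout of the returned dict are its own choices. It checks the ATR length and TCK before trusting any byte, then derives the voltage classes from the first TA for T=15 and the T=1 error detection code from the first TC for T=1, and runs on the two ATRs quoted in the TD3 article.

```python
# Added example (not code from the blog or from pcsc-tools): a small ISO 7816-3
# ATR parser that walks the interface bytes the way the TDi articles describe
# (high nibble of TDi = Y(i+1), low nibble = T), verifies TCK, and derives the
# two indicators discussed in the TA4 and TC3 articles. Function names and the
# returned dict layout are this example's own choices.

def parse_atr(hexstr):
    """Parse an ATR given as a hex string ('3B 94 18 ...') into its parts.

    Raises ValueError on a truncated or oversized ATR instead of reading
    past the buffer: K (historical byte count) and every Yi come from the
    card and must be checked against the received length before use.
    """
    data = bytes.fromhex(hexstr)
    if len(data) < 2:
        raise ValueError("ATR needs at least TS and T0")
    if data[0] not in (0x3B, 0x3F):          # TS: direct or inverse convention
        raise ValueError("unexpected TS byte 0x%02X" % data[0])
    k = data[1] & 0x0F                        # T0 low nibble: historical bytes
    y = data[1] >> 4                          # T0 high nibble: Y1
    pos, i = 2, 1
    iface = {}                                # {'TA1': 0x18, 'TD1': 0x81, ...}
    protocols = []                            # T values taken from each TDi
    t_of_group = {}                           # i -> T announced by TD(i-1)
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(data):
                    raise ValueError("ATR truncated inside interface bytes")
                iface["%s%d" % (name, i)] = data[pos]
                pos += 1
        td = iface.get("TD%d" % i)
        if td is None:
            break                             # no TDi: no further group
        protocols.append(td & 0x0F)
        y = td >> 4
        i += 1
        t_of_group[i] = td & 0x0F
    hist = data[pos:pos + k]
    if len(hist) != k:
        raise ValueError("ATR truncated inside historical bytes")
    pos += k
    # TCK is present unless T=0 is the only protocol offered; T=15 counts as
    # "not only T=0", so both sample ATRs below carry a TCK.
    tck_ok = None
    if any(t != 0 for t in protocols):
        if pos >= len(data):
            raise ValueError("TCK missing")
        x = 0
        for b in data[1:pos + 1]:             # XOR of T0 .. TCK must be 0
            x ^= b
        tck_ok = (x == 0)
        pos += 1
    if pos != len(data):
        raise ValueError("%d trailing byte(s) after ATR" % (len(data) - pos))
    return {"interface": iface, "protocols": protocols, "historical": hist,
            "tck_ok": tck_ok, "t_of_group": t_of_group}


def voltage_classes(parsed):
    """Classes A/B/C from the first TA for T=15 (TA4 in the article).

    Bits 1-3 of that byte flag classes A, B and C. When the byte is absent
    the default applies: only class A (5 V) is supported.
    """
    for i, t in sorted(parsed["t_of_group"].items()):
        ta = parsed["interface"].get("TA%d" % i)
        if i >= 3 and t == 15 and ta is not None:
            return tuple(n for bit, n in ((1, "A"), (2, "B"), (4, "C")) if ta & bit)
    return ("A",)


def t1_error_detection(parsed):
    """'CRC' or 'LRC' from bit 1 of the first TC in a group announced with T=1
    (TC3 in the article). LRC is the default when the byte is absent, which
    is why an explicit TC3 of 0x00 changes nothing.
    """
    for i, t in sorted(parsed["t_of_group"].items()):
        tc = parsed["interface"].get("TC%d" % i)
        if i >= 3 and t == 1 and tc is not None:
            return "CRC" if tc & 0x01 else "LRC"
    return "LRC"


if __name__ == "__main__":
    # The two ATRs quoted in the TD3 article.
    for atr in ("3B 94 18 81 B1 80 7D 1F 03 19 C8 00 50 DC",
                "3B DE 18 FF 81 F1 FE 43 00 3F 07 83 44 45 53 46 69 72 65 38 20 53 41 4D 2D 58 17"):
        p = parse_atr(atr)
        print(atr)
        print("  TD3=0x%02X classes=%s T=1 EDC=%s TCK ok=%s" % (
            p["interface"].get("TD3", 0), "".join(voltage_classes(p)),
            t1_error_detection(p), p["tck_ok"]))
```

On the first ATR the parser finds TD3 = 0x1F, a TA4 of 0x03 (classes A and B) and no TC3, so LRC applies by default; on the second it finds TD3 = 0x3F, TA4 = 0x07 (classes A, B and C), TB4 = 0x83 and an explicit TC3 = 0x00, again LRC. Both TCK bytes verify, and the historical bytes of the second ATR spell "DESFire8 SAM-X".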

Tuesday, January 29, 2019

My blog source code license

The blog articles license is Attribution-NonCommercial-ShareAlike 3.0 as documented in My blog messages license.


Source code samples

I got a question about the license of the source code samples. The Creative Commons license is not really adapted to source code. To allow the reuse of my source samples in other Free Software project I decided to use the GNU GPLv3 license for source code on my blog.


Need something else?

If you need a different license or want to reuse part of my work please contact me.

Tuesday, January 1, 2019

MUSCLE mailing list statistics for 2018

As I did in 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016 and 2017 I propose some statistics of the MUSCLE mailing list usage.

Evolution

Year   Total number of messages   Progression
2009   603
2010   718                        +19 %
2011   999                        +39 %
2012   207                        -79 %
2013   198                        -4 %
2014   194                        -2 %
2015   120                        -38 %
2016   125                        +4 %
2017   128                        +2 %
2018   66                         -51 %

Comments

Again a decrease in the number of messages.
I note that I receive many messages directly by email instead of via the mailing list.

My interpretation is that the development of pcsc-lite and related software is now complete. Only rare bugs are reported.
Now users are asking for support or help, and the easiest way to contact me is using one of my emails.


Statistics from 8.1.2018 to 2.11.2018
for pcsclite-muscle@lists.infradead.org



People who have written most messages:

      Author                          Msg  Percent
  1   ludovic.rousseau@gmail.com       25  39.06 %
  2   dennis.rieks@agido.com            3   4.69 %
  3   umberto.rustichelli@gt50.org      3   4.69 %
  4   fhoerni@free.fr                   3   4.69 %
  5   martin@martinpaljak.net           3   4.69 %
  6   trenta.sis@gmail.com              2   3.12 %
  7   ludovic.rousseau@free.fr          2   3.12 %
  8   rimarko@libero.it                 2   3.12 %
  9   fguzmayon@gmail.com               2   3.12 %
  10  yusufgurkan.bor@gmail.com         2   3.12 %
  11  wrosenauer@gmail.com              2   3.12 %
  12  mamikhajjlov@ipmce.ru             2   3.12 %
  13  te.mlists@googlemail.com          2   3.12 %
  14  frankmorgner@gmail.com            2   3.12 %
  15  jras@dia.uned.es                  1   1.56 %
  16  corcordt@me.com                   1   1.56 %
  17  tomaz.solc@tablix.org             1   1.56 %
  18  emaxx@google.com                  1   1.56 %
  19  scolby33@gmail.com                1   1.56 %
  20  Maximilian.Stein@secunet.com      1   1.56 %
  21  smalder73@gmail.com               1   1.56 %
  22  frantisek.rezac@calavera.info     1   1.56 %
  23  andrea@gravityblast.com           1   1.56 %
      other                             0   0.00 %

Best authors, by total size of their messages (w/o quoting):

      Author                          KBytes
  1   ludovic.rousseau@gmail.com       330.8
  2   yusufgurkan.bor@gmail.com         72.6
  3   dennis.rieks@agido.com            31.3
  4   frankmorgner@gmail.com            22.5
  5   ludovic.rousseau@free.fr          21.8
  6   fguzmayon@gmail.com               19.5
  7   trenta.sis@gmail.com              17.9
  8   corcordt@me.com                   15.5
  9   fhoerni@free.fr                   14.4
  10  frantisek.rezac@calavera.info     12.4
  11  jras@dia.uned.es                  11.7
  12  wrosenauer@gmail.com              10.0
  13  tomaz.solc@tablix.org              9.9
  14  rimarko@libero.it                  9.8
  15  martin@martinpaljak.net            8.7
  16  mamikhajjlov@ipmce.ru              4.8
  17  umberto.rustichelli@gt50.org       4.1
  18  te.mlists@googlemail.com           3.2
  19  smalder73@gmail.com                1.8
  20  scolby33@gmail.com                 1.5
  21  Maximilian.Stein@secunet.com       1.5
  22  emaxx@google.com                   1.5
  23  andrea@gravityblast.com            1.1

Best authors, by average size of their message (w/o quoting):

      Author                          bytes
  1   yusufgurkan.bor@gmail.com       37179
  2   corcordt@me.com                 15865
  3   ludovic.rousseau@gmail.com      13549
  4   frantisek.rezac@calavera.info   12714
  5   jras@dia.uned.es                12006
  6   frankmorgner@gmail.com          11521
  7   ludovic.rousseau@free.fr        11184
  8   dennis.rieks@agido.com          10687
  9   tomaz.solc@tablix.org           10091
  10  fguzmayon@gmail.com              9986
  11  trenta.sis@gmail.com             9155
  12  wrosenauer@gmail.com             5131
  13  rimarko@libero.it                5012
  14  fhoerni@free.fr                  4925
  15  martin@martinpaljak.net          2952
  16  mamikhajjlov@ipmce.ru            2482
  17  smalder73@gmail.com              1796
  18  te.mlists@googlemail.com         1635
  19  scolby33@gmail.com               1583
  20  Maximilian.Stein@secunet.com     1574
  21  emaxx@google.com                 1504
  22  umberto.rustichelli@gt50.org     1396
  23  andrea@gravityblast.com          1126

Table showing the most successful subjects:

      Subject                                                              Msg  Percent
  1   [Pcsclite-muscle] DUAli DE-620 Smart Card Reader Connection            5   7.81 %
  2   [Pcsclite-muscle] Dual Interface Reader                                3   4.69 %
  3   [Pcsclite-muscle] Rare race condition in SCardGetStatusChange()        3   4.69 %
  4   [Pcsclite-muscle] issues with OmniKey 3121 and InCard cards            3   4.69 %
  5   [Pcsclite-muscle] closing client cancels ongoing transaction           3   4.69 %
  6   [Pcsclite-muscle] nfc on android                                       3   4.69 %
  7   [Pcsclite-muscle] Baudrate change                                      3   4.69 %
  8   [Pcsclite-muscle] Free software SIM card software simulator?           3   4.69 %
  9   [Pcsclite-muscle] smartcard                                            2   3.12 %
  10  [Pcsclite-muscle] 20th Anniversary of MUSCLE                           2   3.12 %
  11  [Pcsclite-muscle] Possible regression with Schlumberger egate          2   3.12 %
  12  [Pcsclite-muscle] Help required with Microchip SEC1210 over Serial     2   3.12 %
  13  [Pcsclite-muscle] Firefox does not trigger pcsc start                  2   3.12 %
  14  [Pcsclite-muscle] MUSCLE web sites moved to .apdu.fr                   2   3.12 %
  15  [Pcsclite-muscle] Problem with EZ100PU reader                          2   3.12 %
  16  [Pcsclite-muscle] PCSCD partially detecting smart card readers         2   3.12 %
  17  [Pcsclite-muscle] New version of libccid: 1.4.30                       2   3.12 %
  18  [Pcsclite-muscle] NXP NFC Cube on macOS Mojave                         2   3.12 %
  19  [Pcsclite-muscle] pcsc-lite 1.8.23                                     1   1.56 %
  20  [Pcsclite-muscle] C3PO LTC31-v2 does not have a pinpad as              1   1.56 %
  21  [Pcsclite-muscle] SAM ISO7816 connection                               1   1.56 %
  22  [Pcsclite-muscle] socket activation                                    1   1.56 %
  23  MUSCLE web sites moved to .apdu.fr                                     1   1.56 %
  24  New version of pcsc-tools: 1.5.3                                       1   1.56 %
  25  [Pcsclite-muscle] IDBridge K3000 is not found by pcsc_scan             1   1.56 %
  26  [Pcsclite-muscle] CCID has undefined symbol 'yylex' when loaded by     1   1.56 %
  27  [Pcsclite-muscle] CCID has undefined symbol 'yylex' when loaded        1   1.56 %
  28  [Pcsclite-muscle] Strange gnome/gdm behavior w/ pcsc,                  1   1.56 %
  29  [Pcsclite-muscle] SCardCancel broken                                   1   1.56 %
  30  [Pcsclite-muscle] Czech official identity card                         1   1.56 %
      other                                                                  6   9.38 %

Most used email clients:

      Mailer                              Msg  Percent
  1   (unknown)                            44  68.75 %
  2   Mozilla/5.x                          11  17.19 %
  3   Apple Mail (2.3445.100.39)            3   4.69 %
  4   Apple Mail (2.3445.5.20)              2   3.12 %
  5   Open-Xchange Mailer v7.8.3-Rev48      2   3.12 %
  6   Apple Mail (2.3445.9.1)               1   1.56 %
  7   Apple Mail (2.3445.101.1)             1   1.56 %
      other                                 0   0.00 %

Table of maximal quoting:

      Author                          Percent
  1   umberto.rustichelli@gt50.org    53.36 %
  2   scolby33@gmail.com              49.14 %
  3   emaxx@google.com                38.58 %
  4   te.mlists@googlemail.com        38.45 %
  5   mamikhajjlov@ipmce.ru           30.34 %
  6   Maximilian.Stein@secunet.com    25.43 %
  7   fhoerni@free.fr                 18.63 %
  8   andrea@gravityblast.com         17.62 %
  9   martin@martinpaljak.net         15.78 %
  10  rimarko@libero.it                9.38 %
  11  trenta.sis@gmail.com             4.61 %
  12  fguzmayon@gmail.com              4.32 %
  13  ludovic.rousseau@gmail.com       3.17 %
  14  wrosenauer@gmail.com             3.03 %
  15  dennis.rieks@agido.com           0.00 %
  16  ludovic.rousseau@free.fr         0.00 %
  17  yusufgurkan.bor@gmail.com        0.00 %
  18  frankmorgner@gmail.com           0.00 %
  19  jras@dia.uned.es                 0.00 %
  20  corcordt@me.com                  0.00 %
  21  tomaz.solc@tablix.org            0.00 %
  22  smalder73@gmail.com              0.00 %
  23  frantisek.rezac@calavera.info    0.00 %
      average                          4.68 %

Number of messages written during hours of day (bar chart rendered as a table):

  hour   0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
  msgs   1  0  0  0  0  0  1  1  1  2  4  4  4  7  6  4  5  7  3  3  2  6  2  1

Number of messages written during days of month (bar chart rendered as a table):

  day    1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
  msgs   2  4  2  3  3  1  2  3  4  0  1  3  0  0  1  0  2  4  3  1  2  5  3  0  1  3  0  3  3  2  3

Number of messages written during days of week (bar chart rendered as a table):

  day    Mon  Tue  Wed  Thu  Fri  Sat  Sun
  msgs     9    7   14   13   15    3    3

Maximal quoting:

Author : ludovic.rousseau@gmail.com
Subject : [Pcsclite-muscle] SCardCancel broken
Date : Thu, 26 Jul 2018 11:09:43 +0200
Quote ratio: 61.36% / 3204 bytes

Longest message:

Author : ludovic.rousseau@gmail.com
Subject : [Pcsclite-muscle] DUAli DE-620 Smart Card Reader Connection
Date : Fri, 31 Aug 2018 17:28:28 +0200
Size : 79832 bytes

Most successful subject:

Subject : [Pcsclite-muscle] DUAli DE-620 Smart Card Reader Connection
No. of msgs: 5
Total size : 172375 bytes

Final summary:

Total number of messages: 64
Total number of different authors: 23
Total number of different subjects: 36
Total size of messages (w/o headers): 675021 bytes
Average size of a message: 10547 bytes