
Friday, July 31, 2020

New PyKCS11 1.5.9 available

I just released a new version of PyKCS11, a Python wrapper above the PKCS#11 API.
See "PyKCS11 introduction" or "PyKCS11’s documentation".

The project is registered at Pypi: https://pypi.org/project/PyKCS11/

Changes

1.5.9 - July 2020, Ludovic Rousseau
  • call C_GetSlotList() with a NULL parameter to correctly initialize some PKCS#11 lib conforming to PKCS#11 version 2.40.

Thursday, July 30, 2020

Smart card and blockchain?

I received my first ATR description containing the word "blockchain". It is for ATR 3B 89 80 01 66 49 46 58 42 53 32 47 6F 32.

The card description is "Blockchain Security 2Go (JavaCard)" and refers to https://github.com/Infineon/Blockchain "Infineon's Blockchain Security 2Go Starter Kit".

The license of the GitHub project is MIT License but the project does not contain any source code. So I am not sure what this GitHub project is about.

Note: I do not have such a smart card. So I can't write much more about this card and project.
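
Added example, not part of the original post: a minimal ISO/IEC 7816-3 ATR decoder in Python, run on the ATR quoted above. It walks the interface bytes, extracts the historical bytes (here the ASCII string "fIFXBS2Go", which lines up with the "Blockchain Security 2Go" card description) and verifies the TCK checksum. The function name and the returned dictionary layout are choices made for this example.

```python
# Added example (not from the original post): minimal ISO/IEC 7816-3 ATR decoder.
ATR_HEX = "3B 89 80 01 66 49 46 58 42 53 32 47 6F 32"  # ATR quoted in the post


def parse_atr(atr_hex):
    """Split an ATR into interface bytes, protocols, historical bytes and TCK."""
    atr = bytes.fromhex(atr_hex)
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("TS must be 3B (direct) or 3F (inverse convention)")
    hist_len = atr[1] & 0x0F          # K: number of historical bytes
    y = atr[1] >> 4                   # Y1: which of TA1..TD1 follow
    pos, level = 2, 1
    interface, protocols = {}, []
    while True:
        for bit, name in enumerate("ABCD"):
            if y & (1 << bit):
                if pos >= len(atr):
                    raise ValueError("ATR truncated in interface bytes")
                interface[f"T{name}{level}"] = atr[pos]
                pos += 1
        td = interface.get(f"TD{level}")
        if td is None:
            break
        protocols.append(td & 0x0F)   # low nibble of TDi: protocol T
        y = td >> 4                   # high nibble: presence of TA..TD(i+1)
        level += 1
    historical = atr[pos:pos + hist_len]
    if len(historical) != hist_len:
        raise ValueError("ATR truncated in historical bytes")
    pos += hist_len
    tck_ok = None                     # stays None when no TCK is expected
    if any(t != 0 for t in protocols):  # TCK is mandatory unless only T=0 is offered
        if pos >= len(atr):
            raise ValueError("TCK missing")
        xor = 0
        for b in atr[1:pos + 1]:      # XOR of T0..TCK must be 0
            xor ^= b
        tck_ok = (xor == 0)
        pos += 1
    if pos != len(atr):
        raise ValueError("trailing bytes after ATR")
    return {"interface": interface, "protocols": protocols,
            "historical": historical, "tck_ok": tck_ok}


if __name__ == "__main__":
    info = parse_atr(ATR_HEX)
    print(info["protocols"], info["historical"].decode("ascii"), info["tck_ok"])
```

For this ATR the card offers both T=0 and T=1, so the final byte 32 is the TCK and not part of the historical bytes.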

Tuesday, July 7, 2020

Smart card Usage in Debian: applications


The last layer, above the smart card reader driver, the PC/SC resource manager and the middleware, is the user applications.

I updated the list when writing this blog article. New Debian packages have been added, and others have been removed.

ausweisapp2: Official authentication app for German ID cards and residence permits


cardpeek: Tool to read the contents of ISO7816 smartcards


connman-gtk: fully-featured GUI for ConnMan with systray support


entropybroker: infrastructure for distributing random numbers (entropy data)


gnokii-cli: Datasuite for mobile phone management (console interface)


gnokii-smsd: SMS Daemon for mobile phones


gnome-boxes: Simple GNOME app to access remote or virtual systems


gnome-phone-manager: control aspects of your mobile phone from your GNOME 2 desktop


gnupg: GNU privacy guard - a free PGP replacement


golang-pault-go-ykpiv-dev: high level cgo wrapper around libykpiv.so.1


network-manager-openconnect: network management framework (OpenConnect plugin core)


network-manager-openconnect-gnome: network management framework (OpenConnect plugin GNOME GUI)


nitrokey-app: Application to manage the Nitrokey


openconnect: open client for Cisco AnyConnect, Pulse, GlobalProtect VPN


opensc: Smart card utilities with support for PKCS#15 compatible cards


pcsc-tools: Some tools to use with smart cards and PC/SC


plasma-nm: Plasma5 networkmanager library.


python3-yubikey-manager: Python 3 library for configuring a YubiKey


qemu-system-arm: QEMU full system emulation binaries (arm)


qemu-system-mips: QEMU full system emulation binaries (mips)


qemu-system-misc: QEMU full system emulation binaries (miscellaneous)


qemu-system-ppc: QEMU full system emulation binaries (ppc)


qemu-system-sparc: QEMU full system emulation binaries (sparc)


qemu-system-x86: QEMU full system emulation binaries (x86)


rdesktop: RDP client for Windows NT/2000 Terminal Server and Windows Servers


spice-client-gtk: Simple clients for interacting with SPICE servers


srsue: User Equipment implementation for LTE


virt-viewer: Displaying the graphical console of a virtual machine


vinagre: remote desktop client for the GNOME Desktop


wpasupplicant: client support for WPA and WPA2 (IEEE 802.11i)


x2gothinclient-chroot: Install X2Go Thin Client chroot (metapackage)


xgnokii: Datasuite for mobile phone management (X interface)


ykcs11: PKCS#11 module for the YubiKey PIV applet


yubico-piv-tool: Command line tool for the YubiKey PIV applet


yubikey-manager: Python library and command line tool for configuring a YubiKey


yubioath-desktop: Graphical interface for displaying OATH codes with a Yubikey


Installations

Package                              # of installations   % of Debian systems
gnupg                                189853               96,29 %
wpasupplicant                        100666               51,06 %
vinagre                              49424                25,07 %
opensc                               24336                12,34 %
qemu-system-x86                      18292                9,28 %
plasma-nm                            17497                8,87 %
rdesktop                             10575                5,36 %
virt-viewer                          9638                 4,89 %
qemu-system-arm                      4708                 2,39 %
qemu-system-ppc                      4099                 2,08 %
qemu-system-mips                     4096                 2,08 %
qemu-system-misc                     4070                 2,06 %
qemu-system-sparc                    4007                 2,03 %
openconnect                          3679                 1,87 %
network-manager-openconnect          2457                 1,25 %
network-manager-openconnect-gnome    1832                 0,93 %
pcsc-tools                           1743                 0,88 %
gnome-boxes                          1446                 0,73 %
spice-client-gtk                     791                  0,40 %
python3-yubikey-manager              338                  0,17 %
xgnokii                              319                  0,16 %
yubikey-manager                      298                  0,15 %
gnokii-cli                           288                  0,15 %
cardpeek                             176                  0,09 %
yubico-piv-tool                      165                  0,08 %
gnome-phone-manager                  155                  0,08 %
yubioath-desktop                     115                  0,06 %
nitrokey-app                         103                  0,05 %
connman-gtk                          73                   0,04 %
ausweisapp2                          69                   0,03 %
gnokii-smsd                          47                   0,02 %
ykcs11                               36                   0,02 %
entropybroker                        19                   0,01 %
srsue                                2                    0,00 %
golang-pault-go-ykpiv-dev            1                    0,00 %
x2gothinclient-chroot                0                    0,00 %

Conclusion

The first real smart card application with the most installations is OpenSC with 12% of Debian systems. Hello and well done to my OpenSC developer colleagues.

The use of smart cards is not developed. Maybe it is more deployed in enterprises since "many" business laptops have an integrated smart card reader. So there must be market and customer demand for these configurations. But maybe these enterprise systems also do not have the popularity-contest package installed, and so are not visible in the statistics here.

Smart card Usage in Debian: middleware

See "Smart card Usage in Debian: pcscd and drivers" for the previous article.

The next layer above the smart card reader driver and PC/SC resource manager is the middleware. This software sits between PC/SC and the user application.

I updated the list when writing this blog article. New Debian packages have been added, and others have been removed.

cackey: CAC and PIV Smartcard PKCS #11 cryptographic module



coolkey: Smart Card PKCS #11 cryptographic module



libckyapplet1: Smart Card Coolkey applet


libckyapplet1 is a dependency of coolkey. So they are both installed at the same time.

libckyapplet1-dev: Smart Card Coolkey applet development files



libcacard0: Virtual Common Access Card (CAC) Emulator (runtime library)


libcacard0 is a dependency of all the qemu-system-* packages. That can explain why this package is installed on so many systems.

libcacard-dev: Virtual Common Access Card (CAC) Emulator (development files)


libchipcard6: library for accessing smartcards



libchipcard-data: configuration files for libchipcard



libchipcard-dev: API for smartcard readers



libchipcard-tools: tools for accessing chipcards



libengine-pkcs11-openssl: OpenSSL engine for PKCS#11 modules



libgnokii7: Gnokii mobile phone interface library



libopenconnect5: open client for Cisco AnyConnect, Pulse, GlobalProtect VPN - shared library


libopenconnect5 is a dependency of plasma-nm (Plasma5 networkmanager library). Plasma is the KDE graphical workspaces environment.

libosmosim0: Osmo SIM library


Part of libosmocore: Open Source MObile COMmunications CORE library (metapackage)

libpam-p11: PAM module for using PKCS#11 smart cards


Part of pam-p11: PAM module for using PKCS#11 smart cards

libpam-pkcs11: Fully featured PAM module for using PKCS#11 smart cards



libpam-poldi: PAM module allowing authentication using a OpenPGP smartcard



libpcscada0.7.5: Ada bindings to PC/SC middleware



libspice-client-glib-2.0-8: GObject for communicating with Spice servers (runtime library)

libspice-client-glib-2.0-8 is a dependency of vinagre: remote desktop client for the GNOME Desktop

libspice-client-gtk-3.0-5: GTK3 widget for SPICE clients (runtime library)

libspice-client-gtk-3.0-5 is also a dependency of vinagre: remote desktop client for the GNOME Desktop

libykpiv1: Library for communication with the YubiKey PIV smartcard



openjdk-8-jre-headless: OpenJDK Java runtime, using Hotspot JIT (headless)



openjdk-11-jre-headless: OpenJDK Java runtime, using Hotspot JIT (headless)


We can see that openjdk-8-jre-headless has been replaced by openjdk-11-jre-headless.

openjdk-13-jre-headless: OpenJDK Java runtime, using Hotspot JIT (headless)


openjdk-13-jre-headless is not yet in Debian stable. So the number of installations is low. This version has also been replaced by openjdk-14-jre-headless since 2020.

openjdk-14-jre-headless: OpenJDK Java runtime, using Hotspot JIT (headless)



openjdk-15-jre-headless: OpenJDK Java runtime, using Hotspot JIT (headless)


openjdk-15-jre-headless is very new. It is in Debian unstable but has not yet migrated to Debian testing. So the number of installations is very low.

opensc-pkcs11: Smart card utilities with support for PKCS#15 compatible cards



python3-pykcs11: PKCS#11 wrapper for Python



python3-pyscard: Python3 wrapper above PC/SC API


python3-pyscard is a dependency of python3-yubikey-manager. Users are installing this package not because they love this software (I am the upstream maintainer) but because they use a YubiKey.

Installations

Package                       # of installations   % of Debian systems
libcacard0                    54878                27,83 %
libspice-client-glib-2.0-8    53935                27,35 %
openjdk-11-jre-headless       51455                26,10 %
libspice-client-gtk-3.0-5     49029                24,87 %
openjdk-8-jre-headless        42921                21,77 %
opensc-pkcs11                 24375                12,36 %
libopenconnect5               19034                9,65 %
python3-pyscard               369                  0,19 %
openjdk-14-jre-headless       340                  0,17 %
libengine-pkcs11-openssl      312                  0,16 %
openjdk-13-jre-headless       300                  0,15 %
libchipcard-data              199                  0,10 %
libckyapplet1                 193                  0,10 %
coolkey                       190                  0,10 %
libchipcard6                  182                  0,09 %
libykpiv1                     178                  0,09 %
libcacard-dev                 135                  0,07 %
libchipcard-tools             131                  0,07 %
libpam-pkcs11                 90                   0,05 %
openjdk-15-jre-headless       78                   0,04 %
libpam-poldi                  39                   0,02 %
libpam-p11                    33                   0,02 %
libosmosim0                   29                   0,01 %
python3-pykcs11               19                   0,01 %
libchipcard-dev               18                   0,01 %
cackey                        12                   0,01 %
libckyapplet1-dev             3                    0,00 %
libpcscada0.7.5               3                    0,00 %
libgnokii7                    2                    0,00 %

Conclusion

Many (all?) smartcard middleware packages with a large installation base are not installed for themselves but because they are a dependency of another package.

So users are installing packages with smart card features or services but without any need or use of the smart card features.
It is not a problem. It is how dependencies work.