I now have 42 answers. I think 42 is a good number.
My survey had 4 open questions. Some of you entered very specific
and personal information. I will try not to include personal
information in the results. But I am very thankful for your confidence
and the details you shared with me.
Since how long do you use smart cards?
                      #
  < 1 year            4
  1 to 5 years        7
  6 to 10 years      10
  11 to 15 years      4
  16 to 20 years      5
  > 20 years         11
I am surprised to have so many users of smart cards for such a long time.
Maybe I should have been more explicit in my question. I have been using
smart cards myself since around 1990, with French public phone cards and
bank cards, as a normal user. My question was rather: since when have you
been using smart cards as a professional?
It is interesting to see very experienced smart card users and also all
the possible levels of experience.
Since how long do you read my blog?
                      #
  < 1 year           10
  1 to 5 years        8
  6 to 10 years      10
  11 to 15 years     10
  > 16 years          3
This question has a trap. My blog started in 2000, so the oldest article
is 15 years old. It is not possible to have read it for more than 16 years.
The distribution of results is fairly even.
What is your activity?
                        #       %
  developer            32  78,0 %
  Other                10  24,4 %
  project manager       5  12,2 %
  sales                 1   2,4 %
  CEO                   1   2,4 %
With no real surprise, the vast majority of my readers are developers.
This is expected since the majority of the blog content is about
programs and programming interfaces.
In the "other" category, we have:
sysadmin
manufacturer
functional and technical expert
driver packager
How do you read/find my blog?
                                    #       %
  Redirected by a search engine    17  41,5 %
  Redirected by an email           13  31,7 %
  RSS feed                          9  22,0 %
  Redirected from a web page        9  22,0 %
  Other                             5  12,2 %
Many readers find the articles using a search engine. I guess it's the
normal way to find a solution to a problem or some documentation.
I will continue to include references to my blog articles in the emails I
send. I find that writing a blog article is a good way to avoid writing
the same thing again and again.
Firefox Update Scanner (maybe the RSS feed could be used instead?)
What content do you like?
                                            #       %
  technical explanation of a new feature   39  95,1 %
  new software release announcement        25  61,0 %
  how to use a function                    21  51,2 %
  sample codes                             20  48,8 %
  macOS issues                             17  41,5 %
  Windows issues                           13  31,7 %
  pictures of my holidays                   4   9,8 %
No surprise: with a large proportion of developers, the main interest is in
technical explanations and new software announcements.
I am happy to see that few people are looking for content about Windows
issues.
Some people are looking for news about my holidays. That is nice, but I
do not plan to share many photos here. Great game contest: where was
the picture below taken?
Free form
Thanks for your answers in the free forms.
What content would you like to find on my blog?
In no specific order:
news about pcsc-lite
more details about PC/SC and Smartcard
sample code and technical explanations
Yes, of course.
more card specific stuff like reading passport information or
discussing a bit about EMV processing
My expertise lies more in PKI cards. I agree that it's interesting to have
more details on common cards like EMV, passport or ID cards.
chart of specifics/features/bugs between smartcard readers, cards and
OS/driver versions
I started in the smart card industry in 1997. At first, it was
difficult to use a smart card on a GNU/Linux system. I started by
writing a driver for a serial smart card reader, then submitted
patches to pcsc-lite and continued developing different smart card
related software.
Conclusion
Do not expect posts about my holidays or my life.
I will continue to publish technical articles. If you know about a subject
and want to share your knowledge, I am open to co-author articles. If you
wrote a Free Software program or library that uses a smart card, I can
take a look and write about it.
In any case you can contact me. My e-mail address is available from
About me.
RSS (RDF Site Summary or Really Simple Syndication) is a web feed
that allows users and applications to access updates to websites in
a standardized, computer-readable format. Subscribing to RSS feeds
can allow a user to keep track of many different websites in a
single news aggregator, which constantly monitors sites for new
content, removing the need for the user to manually check them. News
aggregators (or "RSS readers") can be built into a browser,
installed on a desktop computer, or installed on a mobile device.
If you don't want to miss any article from my blog then RSS is a very
good solution for that.
For example, I use NewsBlur to read my
different RSS feeds, either in my desktop browsers or on my smartphone.
NewsBlur tracks the status of all the articles so I do not see again an
article I have already read.
You can also use RSS Parrot (Turn Mastodon
into your feed reader) if you want to be notified on your Fediverse account (Mastodon for
example) of new publications.
I prepared a short survey for blog.apdu.fr readers (thanks to
Framasoft for the
survey/Framaforms service). Please take a
few minutes to answer the survey so I can improve the blog.
I plan to keep the survey open for about one month. After that I will
publish a summary here. If you want me to keep your answers private,
please indicate it.
Since May 2023 I host the blog myself (on my own server, using my own
domain name) and no longer on Google Blogger servers. I am very happy
with this change.
Statistics
For 2024 the blog served 225977 pages (~25 pages per hour) for a total of 26.41 GB.
More and more applications are using smart cards. So they all need to
behave cooperatively to share access to the card.
PC/SC provides a way to connect to a smart card and get exclusive
access to it: the dwShareMode parameter of SCardConnect(). It
can take 3 values:
SCARD_SHARE_SHARED - This application will allow others to share the reader.
SCARD_SHARE_EXCLUSIVE - This application will NOT allow others to
share the reader.
SCARD_SHARE_DIRECT - Direct control of the reader, even without a
card. SCARD_SHARE_DIRECT can be used before using SCardControl()
to send control commands to the reader even if a card is not present
in the reader. Contrary to Windows winscard behavior, the reader is
accessed in shared mode and not exclusive mode.
If you use SCARD_SHARE_EXCLUSIVE then no other application can use the
reader, and the card inserted in the reader, until the application calls
SCardDisconnect().
If you try to use SCARD_SHARE_EXCLUSIVE while another application already
has a connection to the reader then your own call fails with
SCARD_E_SHARING_VIOLATION. Only one application can connect to the
reader when SCARD_SHARE_EXCLUSIVE is used.
$ gpg2 --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
I tried to reproduce the problem and log the GnuPG PC/SC calls as
described in PCSC API spy using LIBPCSCLITE_DELEGATE.
Unfortunately the environment variable LIBPCSCLITE_DELEGATE is
ignored by scdaemon (GnuPG program used to access the smart card). I
guess that is because scdaemon sanitizes its environment to limit
attacks.
I had to slightly modify pcsc-lite to force the use of the spying
library:
SCardEstablishContext i dwScope: SCARD_SCOPE_SYSTEM (0x00000002) o hContext: 0x43293756
=> SCARD_S_SUCCESS [0x00000000] [0.010792]
SCardListReaders i hContext: 0x43293756 i mszGroups: (null) o pcchReaders: 0x0000001A o mszReaders: NULL
=> SCARD_S_SUCCESS [0x00000000] [0.000161]
SCardListReaders i hContext: 0x43293756 i mszGroups: (null) o pcchReaders: 0x0000001A o mszReaders: Alcor Micro AU9540 00 00 o mszReaders:
=> SCARD_S_SUCCESS [0x00000000] [0.000287]
SCardConnect i hContext: 0x43293756 i szReader Alcor Micro AU9540 00 00 i dwShareMode: SCARD_SHARE_EXCLUSIVE (0x00000001) i dwPreferredProtocols: 0x00000003 (T=0, T=1) i phCard 0x00000000 (0) i pdwActiveProtocol 0x00000000 (0) o phCard 0x00000000 (0) o dwActiveProtocol: T=1 (0x00000002) => SCARD_E_SHARING_VIOLATION [0x8010000B] [0.007124]
SCardReleaseContext i hContext: 0x43293756
=> SCARD_S_SUCCESS [0x00000000] [0.000101]
The call to SCardConnect() fails with SCARD_E_SHARING_VIOLATION.
I then modified my ~/.gnupg/scdaemon.conf file to contain:
disable-ccid
pcsc-shared
And it now works better:
SCardEstablishContext i dwScope: SCARD_SCOPE_SYSTEM (0x00000002) o hContext: 0x4EFB8700
=> SCARD_S_SUCCESS [0x00000000] [0.011911]
SCardListReaders i hContext: 0x4EFB8700 i mszGroups: (null) o pcchReaders: 0x0000001A o mszReaders: NULL
=> SCARD_S_SUCCESS [0x00000000] [0.000177]
SCardListReaders i hContext: 0x4EFB8700 i mszGroups: (null) o pcchReaders: 0x0000001A o mszReaders: Alcor Micro AU9540 00 00 o mszReaders:
=> SCARD_S_SUCCESS [0x00000000] [0.000162]
SCardConnect i hContext: 0x4EFB8700 i szReader Alcor Micro AU9540 00 00 i dwShareMode: SCARD_SHARE_SHARED (0x00000002) i dwPreferredProtocols: 0x00000003 (T=0, T=1) i phCard 0x00000000 (0) i pdwActiveProtocol 0x00000000 (0) o phCard 0x1EF6C421 (519488545) o dwActiveProtocol: T=1 (0x00000002)
=> SCARD_S_SUCCESS [0x00000000] [0.009658]
SCarControl i hCard: 0x1EF6C421 i dwControlCode: CM_IOCTL_GET_FEATURE_REQUEST (0x42000D48) i bSendLength 0x00000000 (0) i bSendBuffer i NULL o bRecvLength 0x00000006 (6) o bRecvBuffer o 0000 12 04 42 33 00 12 ..B3..
=> SCARD_S_SUCCESS [0x00000000] [0.000267]
parsing CM_IOCTL_GET_FEATURE_REQUEST results:
Tag FEATURE_GET_TLV_PROPERTIES is 0x42330012
[...]
The call to SCardConnect() now works and GnuPG continues with
SCardControl(), etc.
Author: Werner Koch <wk@gnupg.org>
Date: Fri Mar 12 09:21:57 2021 +0100
scd: New option --pcsc-shared.
* scd/scdaemon.h (opt): Add field opcsc_shared.
* scd/scdaemon.c (opcscShared): New.
(opts): Add "--pcsc-shared".
(main): Set flag.
* scd/apdu.c (connect_pcsc_card): Use it.
(pcsc_get_status): Take flag in account.
* scd/app-openpgp.c (cache_pin): Bypass in shared mode.
(verify_chv2): Do not auto verify chv1 in shared mode.
* scd/app-piv.c (cache_pin): Bypass cache in shared mode.
--
This option should in general not be used. The patch tries to limit
bad effects but using shared mode is somewhat dangerous depending on
the other PC/SC users.
err = pcsc_connect (pcsc.context,
reader_table[slot].rdrname,
- PCSC_SHARE_EXCLUSIVE,
+ opt.pcsc_shared? PCSC_SHARE_SHARED:PCSC_SHARE_EXCLUSIVE,
PCSC_PROTOCOL_T0|PCSC_PROTOCOL_T1,
&reader_table[slot].pcsc.card,
&reader_table[slot].pcsc.protocol);
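Review bot: the ChangeLog entry above says the new field in scd/scdaemon.h is `opcsc_shared`, but this hunk reads `opt.pcsc_shared`; one of the two should be corrected so the entry matches the code. On style, `opt.pcsc_shared? PCSC_SHARE_SHARED:PCSC_SHARE_EXCLUSIVE` would read better with spaces around `?` and `:`. More importantly, the commit message itself warns that shared mode is "somewhat dangerous depending on the other PC/SC users": once the connection is shared, nothing in this hunk prevents another client from sending a command between the PIN verification and the signature. Consider wrapping that sequence in the SCardBeginTransaction()/SCardEndTransaction() pair (PC/SC transactions, described in the next section), which gives temporary exclusive access without requiring PCSC_SHARE_EXCLUSIVE at connect time.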
Temporary exclusive access
It is possible to get an exclusive access to a card but still share the
reader with other applications.
The idea is to request an exclusive access for a short time, only when
needed, using PC/SC transactions.
SCardBeginTransaction()
Establishes a temporary exclusive access mode for doing a series
of commands in a transaction.
You might want to use this when you are selecting a few files
and then writing a large file so you can make sure that another
application will not change the current file. If another
application has a lock on this reader or this application is in
SCARD_SHARE_EXCLUSIVE the function will block until it can
continue.
SCardEndTransaction()
Ends a previously begun transaction.
The calling application must be the owner of the previously
begun transaction or an error will occur.
The application connects to the reader using SCARD_SHARE_SHARED, and
then uses SCardBeginTransaction()/SCardEndTransaction()
to send a list of APDUs without any interruption. Typically the
application does something like:
1. start a transaction
2. submit the user PIN code
3. perform a protected operation like signing
4. invalidate the user PIN code
5. end the transaction
With this algorithm another application cannot inject a command between
steps 1 and 5 and benefit from the verified user PIN.
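As an added illustration of both the dwShareMode rules of SCardConnect() above and the five-step transaction sequence just listed (this is not code from the page, from pcsc-lite or from GnuPG), here is a small C model of how the resource manager arbitrates one reader. The numeric values of the SCARD_* constants are the real ones; everything else is an assumption of the model: the reader_t structure, the model_* functions standing in for the SCard* calls, the CMD_* commands and the status words the modelled card answers with, and the hypothetical protected_sign() helper. SCardBeginTransaction()'s blocking is replaced by an immediate SCARD_E_SHARING_VIOLATION so the example runs offline without a reader or libpcsclite.

```c
#include <stdint.h>
#include <stdio.h>

/* PC/SC values, numerically identical to those of winscard/pcsc-lite;
 * the two status words below are the ISO 7816 ones the modelled card answers. */
#define SCARD_S_SUCCESS            0x00000000u
#define SCARD_E_SHARING_VIOLATION  0x8010000Bu
#define SCARD_SHARE_EXCLUSIVE      0x00000001u
#define SCARD_SHARE_SHARED         0x00000002u
#define SW_OK                      0x9000
#define SW_SECURITY_NOT_SATISFIED  0x6982

/* Commands understood by the modelled card (hypothetical, not real APDUs). */
enum cmd { CMD_VERIFY_PIN, CMD_SIGN, CMD_RESET_SECURITY_STATUS };

/* One reader as tracked by the simplified resource-manager model (assumed). */
typedef struct {
    int exclusive_owner;   /* handle connected with SCARD_SHARE_EXCLUSIVE, 0 if none */
    int shared_count;      /* connections in SHARED (or, on pcsc-lite, DIRECT) mode */
    int transaction_owner; /* handle currently inside a transaction, 0 if none */
    int next_handle;       /* handle allocator */
    int pin_verified;      /* card security status: PIN currently verified */
} reader_t;

/* SCardConnect(): the dwShareMode arbitration rules. */
uint32_t model_connect(reader_t *r, uint32_t share_mode, int *handle)
{
    if (r->exclusive_owner != 0 ||
        (share_mode == SCARD_SHARE_EXCLUSIVE && r->shared_count > 0))
        return SCARD_E_SHARING_VIOLATION;   /* reader already taken */
    *handle = ++r->next_handle;
    if (share_mode == SCARD_SHARE_EXCLUSIVE)
        r->exclusive_owner = *handle;
    else
        r->shared_count++;
    return SCARD_S_SUCCESS;
}
/* SCardDisconnect(): releases the exclusive lock and any pending transaction. */
uint32_t model_disconnect(reader_t *r, int handle)
{
    if (r->exclusive_owner == handle)
        r->exclusive_owner = 0;
    else
        r->shared_count--;
    if (r->transaction_owner == handle)
        r->transaction_owner = 0;
    return SCARD_S_SUCCESS;
}
/* SCardBeginTransaction(): real pcscd blocks until the lock is free; the model reports it. */
uint32_t model_begin_transaction(reader_t *r, int handle)
{
    if (r->transaction_owner != 0 && r->transaction_owner != handle)
        return SCARD_E_SHARING_VIOLATION;
    r->transaction_owner = handle;
    return SCARD_S_SUCCESS;
}
/* SCardEndTransaction(): only the owner of the transaction may end it. */
uint32_t model_end_transaction(reader_t *r, int handle)
{
    if (r->transaction_owner != handle)
        return SCARD_E_SHARING_VIOLATION;
    r->transaction_owner = 0;
    return SCARD_S_SUCCESS;
}
/* SCardTransmit(): refused while another handle owns the transaction. */
uint32_t model_transmit(reader_t *r, int handle, enum cmd c, int *sw)
{
    if (r->transaction_owner != 0 && r->transaction_owner != handle)
        return SCARD_E_SHARING_VIOLATION;
    switch (c) {
    case CMD_VERIFY_PIN:            r->pin_verified = 1; *sw = SW_OK; break;
    case CMD_RESET_SECURITY_STATUS: r->pin_verified = 0; *sw = SW_OK; break;
    case CMD_SIGN: *sw = r->pin_verified ? SW_OK : SW_SECURITY_NOT_SATISFIED; break;
    }
    return SCARD_S_SUCCESS;
}
/* The five-step sequence from the text: verify the PIN, sign and invalidate
 * the PIN again, all inside one transaction. *sw is the SIGN status word. */
uint32_t protected_sign(reader_t *r, int handle, int *sw)
{
    int ignored;
    uint32_t rv = model_begin_transaction(r, handle);
    if (rv != SCARD_S_SUCCESS)
        return rv;
    model_transmit(r, handle, CMD_VERIFY_PIN, &ignored);
    model_transmit(r, handle, CMD_SIGN, sw);
    model_transmit(r, handle, CMD_RESET_SECURITY_STATUS, &ignored);
    return model_end_transaction(r, handle);
}

int main(void)
{
    reader_t r = {0};
    int other = 0, gpg = 0, sw = 0;
    model_connect(&r, SCARD_SHARE_SHARED, &other);  /* another PC/SC client is connected */
    printf("exclusive connect: 0x%08X\n",
           (unsigned)model_connect(&r, SCARD_SHARE_EXCLUSIVE, &gpg));
    model_connect(&r, SCARD_SHARE_SHARED, &gpg);    /* what the pcsc-shared option does */
    protected_sign(&r, gpg, &sw);
    model_transmit(&r, other, CMD_SIGN, &sw);
    printf("SIGN by the other client afterwards: SW %04X\n", sw);
    return 0;
}
```

The scenario in main() is the GnuPG case from the log above: with another client already connected in shared mode, the exclusive connect fails with 0x8010000B; after switching to shared mode, the protected sequence leaves the other client with SW 6982 when it tries to sign. Dropping step 4 (or ending the transaction before it) lets the other client sign with the PIN still verified, which is exactly the exposure the text describes.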
GnuPG and transactions
I had a look at the GnuPG source code and no PC/SC transaction is ever used.
Conclusion
Using exclusive access at SCardConnect() is problematic in a
multi-application system.
Using the static library libpcsclite.a instead of the dynamic one
libpcsclite.so.1 has pros and cons.
Pros
The application binary does not depend on an external library. It is
then easier to use on a minimal system that works on "any" x86_64
GNU/Linux distribution.
Cons
If the library libpcsclite.a uses a protocol version that is
different from the protocol version used by the installed pcscd
server then client/server communication will fail. It will not "run
everywhere". (See Accessing smart cards from inside a flatpak sandbox.)
Conclusion
The Debian package does NOT provide the static version of the library
because of the cons listed above.
But it may make sense for Alpine Linux or another specialized
distribution to provide a static version of the library.