New version of pcsc-lite: 1.8.6

I just released a new version of pcsc-lite 1.8.6.

Changes:
pcsc-lite-1.8.6: Ludovic Rousseau
30 August 2012

  • Fix a problem when only serial drivers are used (no hotplug/USB driver)
  • Increase log buffer size from 160 to 2048. Some "long" log lines were truncated.
  • Fix redirection of stdin, stdout and stderr to /dev/null when pcscd is started as a daemon (default)
  • Some other minor improvements and bug corrections

Comments on my blog and bug reports

I sometimes get comments on articles of my blog. I can classify them in 3 different categories:

  • spam
  • comments about the article
  • comments about something else

Spam

Spam is (manually) rejected.
I do not get much spam.

Comments about the article

I like comments about the article. I accept questions about the article or about a specific point. In general I add an answer immediately (if I know the answer).

Comments about something else

Sometimes I have to moderate comments about something not related to the article.
The blogger.com application does not allow me to reject a comment and explain to its author why I rejected it. So I reject the comment and the comment author has no idea of what happened.

Example

For example I got, for the second time, a comment on the Mac OS X Mountain Lion and smart card status article. The comment is:
" Anyone having issues with reading encrypted messages via a CAC within Mountain Lion and Outlook?

I can sign and encrypt, and people can read them, but I cannot decrypt. It is not the card or reader, it works fine on the PC.

It is very strange because if an encrypted email comes in, I briefly can read it in the window pane, but if I revisit the message or double click to open, I get an error and the message is lost forever. Everything worked fine under Lion, only appeared after ML upgrade. "
This comment is not about the article itself and is not a spam.

Problems with Mountain Lion or any other Apple component should be reported to Apple using https://bugreport.apple.com/, or maybe the Apple CDSA mailing list in this case.

Since I cannot contact the comment author (Mike) and explain why his comment is misplaced I wrote this blog entry.

Documentation

Just above the comment text area I added a note:
Please, do only post comments related to the article above.

For general questions, subscribe to and use the muscle mailing list.

Your comment may be moderated and will not appear until then. No need to repost the same comment.

Maybe the documentation is not visible enough, or not clear enough. Please add your comments :-)

Conclusion

My blog is not a forum.

I do not work at Apple and do not plan to provide Apple support for free.

libPCSCv2part10

The PC/SC v2 part 10 standard, "Part 10 IFDs with Secure PIN Entry Capabilities", offers a way to get some information about a reader (for example its USB vendor and product identifiers, or its PIN pad capabilities) from the smart card driver.

I already blogged about this service in


Using SCardControl(FEATURE_GET_TLV_PROPERTIES, ...) requires some code to parse the resulting TLV buffer.

Library API

The idea of libPCSCv2part10 is to allow application programmers to use a function as simple as give_me_the_value_of_tag_x().

The library provides two functions:
  • PCSCv2Part10_find_TLV_property_by_tag_from_buffer() "low" level
  • PCSCv2Part10_find_TLV_property_by_tag_from_hcard() "high" level

The difference between the two functions is that PCSCv2Part10_find_TLV_property_by_tag_from_hcard() takes a SCARDHANDLE hCard and does the SCardControl() calls itself, while PCSCv2Part10_find_TLV_property_by_tag_from_buffer() takes a buffer already retrieved using SCardControl(FEATURE_GET_TLV_PROPERTIES, ...).
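To make concrete what the "low" level function has to do with that buffer, here is an added example in C. It is my own code, not the library's. It assumes the two buffer layouts given by PC/SC v2 part 10 and pcsc-lite's reader.h: the answer to SCardControl(hCard, CM_IOCTL_GET_FEATURE_REQUEST, ...) is a list of 6-byte entries (tag, length 4, big-endian control code) where tag 0x12 is FEATURE_GET_TLV_PROPERTIES, and the answer to SCardControl() with that control code is a list of (tag, length, value) entries with little-endian integer values, where tag 11 is wIdVendor and tag 12 is wIdProduct. The function names find_feature_control_code() and find_tlv_property() are hypothetical, and both buffers (sample_features, sample_props) are constructed by hand so the code runs without a reader or pcscd. Both parsers reject a length that runs past the buffer, which is the check you want since the buffer comes from a driver you may not trust.

```c
/* Added example, not part of libPCSCv2part10: parse the two answers used
 * by the PC/SC v2 part 10 GET_TLV_PROPERTIES mechanism, with the bounds
 * checks a parser of driver-supplied data needs.
 *
 * Step 1: SCardControl(hCard, CM_IOCTL_GET_FEATURE_REQUEST, ...) answers
 *         with 6-byte entries {tag, length = 4, control code}; the control
 *         code is big-endian. Tag 0x12 is FEATURE_GET_TLV_PROPERTIES.
 * Step 2: SCardControl(hCard, <that control code>, ...) answers with
 *         {tag, length, value} entries; integer values are little-endian.
 *
 * The SCardControl() calls are not made here: sample_features and
 * sample_props are constructed by hand so this runs without a reader. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FEATURE_GET_TLV_PROPERTIES 0x12        /* value from pcsc-lite reader.h */
#define PCSCv2_PART10_PROPERTY_bMinPINSize 6   /* value from pcsc-lite reader.h */
#define PCSCv2_PART10_PROPERTY_sFirmwareID 8   /* string value, not an integer */
#define PCSCv2_PART10_PROPERTY_wIdVendor 11
#define PCSCv2_PART10_PROPERTY_wIdProduct 12

/* Constructed answer to CM_IOCTL_GET_FEATURE_REQUEST: two features,
 * FEATURE_VERIFY_PIN_DIRECT (0x06) and FEATURE_GET_TLV_PROPERTIES (0x12).
 * The control code values are sample values. */
static const unsigned char sample_features[] = {
	0x06, 0x04, 0x42, 0x33, 0x00, 0x06,
	0x12, 0x04, 0x42, 0x33, 0x00, 0x12,
};

/* Constructed GET_TLV_PROPERTIES answer: bMinPINSize = 4, bMaxPINSize = 8,
 * sFirmwareID = "v1.00", wIdVendor = 0x08E6, wIdProduct = 0x3437 */
static const unsigned char sample_props[] = {
	0x06, 0x01, 0x04,
	0x07, 0x01, 0x08,
	0x08, 0x05, 'v', '1', '.', '0', '0',
	0x0B, 0x02, 0xE6, 0x08,
	0x0C, 0x02, 0x37, 0x34,
};

/* Find the control code of `feature` in a feature list.
 * Returns 0 and sets *ctl when found, -1 when absent, -2 when malformed. */
int find_feature_control_code(const unsigned char *buf, size_t len,
	unsigned char feature, uint32_t *ctl)
{
	size_t i = 0;
	while (i + 2 <= len)
	{
		unsigned char tag = buf[i], vlen = buf[i + 1];
		/* each entry is exactly tag, 4, DWORD; refuse anything else */
		if (vlen != 4 || i + 2 + vlen > len)
			return -2;
		if (tag == feature)
		{
			*ctl = ((uint32_t)buf[i + 2] << 24) | ((uint32_t)buf[i + 3] << 16)
				| ((uint32_t)buf[i + 4] << 8) | (uint32_t)buf[i + 5];
			return 0;
		}
		i += 2 + vlen;
	}
	return (i == len) ? -1 : -2;   /* a trailing odd byte is malformed */
}

/* Find the integer property `tag` in a GET_TLV_PROPERTIES answer.
 * Returns 0 and sets *value when found, -1 when absent, -2 when a length
 * runs past the buffer or the value is not a 1, 2 or 4 byte integer
 * (a 4-byte string is indistinguishable from a DWORD: the caller must
 * know which tags are strings). */
int find_tlv_property(const unsigned char *buf, size_t len,
	unsigned char tag, uint32_t *value)
{
	size_t i = 0;
	while (i + 2 <= len)
	{
		unsigned char t = buf[i], l = buf[i + 1];
		/* never trust a length coming from a driver: check it first */
		if (i + 2 + l > len)
			return -2;
		if (t == tag)
		{
			uint32_t v = 0;
			size_t k;
			if (l != 1 && l != 2 && l != 4)
				return -2;
			for (k = 0; k < l; k++)
				v |= (uint32_t)buf[i + 2 + k] << (8 * k);   /* little-endian */
			*value = v;
			return 0;
		}
		i += 2 + l;
	}
	return (i == len) ? -1 : -2;
}

int main(void)
{
	uint32_t ctl, vendor;
	if (find_feature_control_code(sample_features, sizeof sample_features,
		FEATURE_GET_TLV_PROPERTIES, &ctl))
		return 1;
	printf("control code for FEATURE_GET_TLV_PROPERTIES: 0x%08X\n", (unsigned)ctl);
	/* with a reader: SCardControl(hCard, ctl, NULL, 0, props, sizeof props, &n) */
	if (find_tlv_property(sample_props, sizeof sample_props,
		PCSCv2_PART10_PROPERTY_wIdVendor, &vendor))
		return 1;
	printf("wIdVendor: 0x%04X\n", (unsigned)vendor);
	return 0;
}
```

With a real reader the two SCardControl() calls replace the two constructed buffers; the two lookups stay the same. The -2 path is the one worth keeping: a driver that answers with a bad length should produce an error, not a read past the end of your buffer.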

The API is documented at libPCSCv2part10.

The project is hosted in the contrib/libPCSCv2part10/ directory of the pcsc-lite project.

Sample code


/*
    sample.c: example of use of libPCSCv2part10 helper functions
    Copyright (C) 2012   Ludovic Rousseau

    This library is free software; you can redistribute it and/or
    modify it under the terms of the GNU Lesser General Public
    License as published by the Free Software Foundation; either
    version 2.1 of the License, or (at your option) any later version.

    This library is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
    Lesser General Public License for more details.

    You should have received a copy of the GNU Lesser General Public
    License along with this library; if not, write to the Free Software
    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
*/

/*
 * $Id: sample.c 6416 2012-08-08 09:49:00Z rousseau $
 */

#include <stdio.h>

#ifdef __APPLE__
#include <PCSC/winscard.h>
#include <PCSC/wintypes.h>
#else
#include <winscard.h>
#endif
#include <reader.h>

#include "PCSCv2part10.h"

/* PCSC error: print the failing line and jump to the cleanup label */
#define PCSC_ERROR_EXIT(rv) \
if (rv != SCARD_S_SUCCESS) \
{ \
 printf("Failed at line %d with %s (0x%lX)\n", __LINE__, pcsc_stringify_error(rv), rv); \
 goto end; \
}

int main(void)
{
 LONG rv;
 SCARDCONTEXT hContext;
 SCARDHANDLE hCard;
 int value, ret = -1;
 DWORD dwReaders, dwPref;
 char *mszReaders;

 rv = SCardEstablishContext(SCARD_SCOPE_SYSTEM, NULL, NULL, &hContext);
 PCSC_ERROR_EXIT(rv)

 /* let pcsc-lite allocate the multi-string of reader names */
 dwReaders = SCARD_AUTOALLOCATE;
 rv = SCardListReaders(hContext, NULL, (LPSTR)&mszReaders, &dwReaders);
 PCSC_ERROR_EXIT(rv)

 /* use first reader */
 printf("Using reader: %s\n", mszReaders);

 rv = SCardConnect(hContext, mszReaders,
  SCARD_SHARE_SHARED, SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1,
  &hCard, &dwPref);
 PCSC_ERROR_EXIT(rv)

 /* the interesting part is here: the library does the SCardControl()
  * calls and the TLV parsing; ret is 0 when the tag was found */
 ret = PCSCv2Part10_find_TLV_property_by_tag_from_hcard(hCard,
  PCSCv2_PART10_PROPERTY_wIdVendor, &value);
 printf("ret: %d\n", ret);
 if (0 == ret)
  printf("value for PCSCv2_PART10_PROPERTY_wIdVendor: 0x%04X\n", value);

 rv = SCardDisconnect(hCard, SCARD_LEAVE_CARD);
 PCSC_ERROR_EXIT(rv)

 rv = SCardFreeMemory(hContext, mszReaders);
 PCSC_ERROR_EXIT(rv)

 rv = SCardReleaseContext(hContext);
 PCSC_ERROR_EXIT(rv)

end:
 return ret;
}

How to use it

The code is very short. I don't think it is a good idea to make a library with just two functions. My idea is that a project FooBar using the functions will just integrate the two files (PCSCv2part10.c and PCSCv2part10.h) into the project FooBar.

License

The license is GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version.

Conclusion

Feel free to use the code, make comments or improvements.

New version of pcsc-lite: 1.8.5

I just released a new version of pcsc-lite 1.8.5.

Changes:
pcsc-lite-1.8.5: Ludovic Rousseau
4 August 2012

  • Fix crash when a reader is unplugged while pcscd is in the middle of a PC/SC function
  • SCardBeginTransaction(): fix a bug introduced in version 1.8.4 related to sharing
  • Some other minor improvements and bug corrections

Mac OS X Mountain Lion and smart card status

The new version of Mac OS X, 10.8, called Mountain Lion, has been available since July 25th, 2012.

Mac OS X Mountain Lion

As I did with the previous major version, OS X Lion, I will list the changes in Mountain Lion regarding the smart card world.

pcsc-lite

Same as in Lion.

CCID driver

Same as in Lion.
CCID driver version 1.3.11.

Source code

The source code is provided by Apple from the web site Mac OS X 10.8 Source. The two components are available in:
The source code is not yet available in the subversion repository of the SmartCard Services project.

Changes

In Lion 10.7 the versions were 55000 for both SmartCardServices and SmartcardCCID.

In Mountain Lion the SmartcardCCID version is unchanged, so the CCID driver has not changed.

The SmartCardServices component (mainly pcsc-lite) has marginally changed. The source code is the same and only build files have been updated:
$ diff -ru SmartCardServices-55000 SmartCardServices-55105|diffstat 
 Info-PCSC.plist                             |    2 
 Makefile-exec.installPhase                  |only
 Makefile.installPhase                       |    3 
 SmartCardServices.xcodeproj/project.pbxproj |  939 +++++-----------------------
 config                                      |only
 5 files changed, 194 insertions(+), 750 deletions(-)

Conclusion

Apple has not updated the smart card components in Mountain Lion. No bug or limitation has been fixed. And no new bug has been introduced.

The CCID driver provided (version 1.3.11) was released in July 2009, 3 years ago. Since this version 97 readers have been added (72% more).

New version of pcsc-lite: 1.8.4

I just released a new version of pcsc-lite 1.8.4.

Changes:
pcsc-lite-1.8.4: Ludovic Rousseau
26 June 2012

  • Add [ and ] in the list of accepted characters for a reader name
  • Truncate the reader name if it is too long instead of rejecting the
    reader
  • The restriction to have to call SCardEstablishContext() in each thread
    has been removed. Threads can now share a PC/SC context.
  • Fix compiler failure for static driver
  • Update IFDHandler API Doxygen regarding the "libusb-1.0" naming scheme
  • Some other minor improvements and bug corrections

New version of libccid: 1.4.7

I just released a version 1.4.7 of libccid.

1.4.7 - 22 June 2012, Ludovic Rousseau

  • Add support of
    • ACS ACR101 ICC Reader
    • ACS CryptoMate64
    • Alcor Micro AU9522
    • Bit4id CKey4
    • Bit4id cryptokey
    • Bit4id iAM
    • Bit4id miniLector
    • Bit4id miniLector-s
    • CCB eSafeLD
    • Gemalto Ezio Shield Branch
    • KOBIL Systems IDToken
    • NXP PR533
  • KOBIL Systems IDToken special cases:
    • Give more time (3 seconds instead of 2) to the reader to answer
    • Hack for the Kobil IDToken and German eID card. The German eID card is bogus and needs to be powered off before a power on
    • Add Reader-Info-Commands special APDU/command
      • Manufacturer command
      • Product name command
      • Firmware version command
      • Driver version command
  • Use auto suspend for CCID devices only (Closes Alioth bug [#313445] "Do not activate USB suspend for composite devices: keyboard")
  • Fix some error management in the T=1 TPDU state machine
  • some minor bugs removed
  • some minor improvements added

More EMV tools

I discovered 2 other tools for interacting with EMV smart cards

javaemvreader

It is an application written in Java. The project is hosted at http://code.google.com/p/javaemvreader/ and uses the Apache License 2.0.

I have not yet tried to use the software. According to the web site the application is able to perform:
EMV function name                  Command
Initialize card                    SELECT FILE "1PAY.SYS.DDF01"
                                   READ RECORD (to read all records in the specified SFI)
Application Selection              SELECT
Initiate Application Processing    GET PROCESSING OPTIONS
Read Application Data              READ RECORD (all records listed in the AFL)
(Read other application data)      GET DATA (ATC, Last online ATC, PIN Try Counter, Log Format)
Dynamic Data Authentication        INTERNAL AUTHENTICATE
Offline verification               VERIFY (only plaintext PIN verification is supported)
Read Transaction Log               GET DATA/READ RECORD
N/A                                READ RECORD (brute force all valid SFI values and record numbers)

The application uses the javax.smartcardio API to talk to PC/SC.


emvlab.org

It is not an application but a set of web services to parse EMV data.

  • EMV tag search: Look up EMV tags in this handy database. Search by keyword e.g. for all tags that contain the word "currency" or "cryptogram" in the description, or look up a hex tag e.g. "9F20".
  • TLV decoder: Decode EMV TLV (Tag, Length, Value) byte strings into their constituent tags and sub-tags. Useful for analysing APDU traces, responses and so on.
  • CAP calculator: Generate CAP codes using an emulated banking card and CAP calculator, to test against real gadgets or for testing authentication servers.
  • Cryptogram calculator: Generate and verify EMV ARQC, ARPC and TC cryptograms, calculated using the vital parameters of the card, UDKs, ATC etc.
  • DES calculator: Encrypt and decrypt hex strings using DES and 3DES, using the basic modes of operation, ECB, CBC.
  • ASN1 decoder: Decode a binary file into an ASN1 dump using an online interface to Peter Gutmann's dumpasn1 tool.
  • PIN translation tools: Encrypt, decrypt and translate ISO PIN blocks between different encryption keys. PINs, PANs, padding... all sorts of fun!
  • Keyshare generation tools: Automatically generate test keys of various lengths, and split into components. KCVs are automatically provided for each component and the whole key.
  • Truecolour hex dump tool: This hex dump tool will create a multicoloured, annotated hex dump of the provided file, making it easy to spot strings, markers, and high and low entropy areas of the file. Very useful for when you don't have your favourite hex dump tool to hand.
  • Character set encoding conversion: Convert strings of text and hex between ASCII, EBCDIC and hex representations. Surprising how often you need one of these!
  • ePassport MRZ calculator: Generate passport Machine Readable Zones (MRZs) from biographical details including name, date of birth, and passport numbers, expiry dates etc. Randomly created identities can also be used.
  • Contact us: Let us know what you think of the site, and if you have any problem reports or suggestions.

I have not yet tried this service.

new version of pcsc-tools: 1.4.20

I just released a (two in fact) new version of pcsc-tools. The major change is the move of the personal list of ATRs used by ATR_analysis from ~ to ~/.cache/.

If you do not know what pcsc-tools is, it contains 4 tools:

  • pcsc_scan(1) regularly scans every PC/SC reader connected to the host; when a card is inserted or removed a "line" is printed.
  • ATR_analysis(1) is a Perl script used to parse the smart card ATR. This script is called (by default) by pcsc_scan.
  • scriptor(1) is a Perl script to send commands to a smart card using a batch file or stdin.
  • gscriptor(1) the same idea as scriptor.pl(1) but with a Perl-Gtk2 GUI.

An equivalent of ATR_analysis is available online http://smartcard-atr.appspot.com/

Changes:
1.4.20 - 16 June 2012, Ludovic ROUSSEAU
  • Makefile: Add arguments to CFLAGS instead of overwriting them
  • 3 new ATRs

1.4.19 - 13 June 2012, Ludovic ROUSSEAU
  • ATR_analysis: use XDG_CACHE_HOME env variable
    The smartcard_list.txt file is now searched in ~/.cache/ by default
  • 115 new ATRs

Debian multi-arch and pcsc-lite

64-bit Intel and AMD CPUs are able to run 32-bit and 64-bit programs at the same time. Different operating systems use different strategies to expose this feature.

Apple Mac OS X

Mac OS X uses what Apple calls a Universal Binary (a "fat" binary). This format was designed during the transition from 680x0 to PowerPC two decades ago. The idea is to have the code for both 680x0 and PowerPC in the same executable file, so the user does not have to select anything: the system uses the correct version transparently.

This Universal Binary concept has also been used for the PowerPC to Intel migration and now for the support of 32 and 64 bits Intel CPU.

The idea is very nice and easy to use. It works for both libraries and binaries. You can use the file command line tool to check what is inside a binary.

$ file /bin/ls
/bin/ls: Mach-O universal binary with 2 architectures
/bin/ls (for architecture x86_64): Mach-O 64-bit executable x86_64
/bin/ls (for architecture i386): Mach-O executable i386
The ls command is available in both 32-bit and 64-bit versions.

$ cd /System/Library/Frameworks/PCSC.framework
$ file PCSC 
PCSC: Mach-O universal binary with 2 architectures
PCSC (for architecture x86_64): Mach-O 64-bit dynamically linked shared library x86_64
PCSC (for architecture i386): Mach-O dynamically linked shared library i386
The PCSC framework is available for both 32-bit applications (i386) and 64-bit applications (x86_64).

Microsoft Windows

Microsoft has a System32 directory to store system files. The surprise is that on a 64-bit machine System32 is used to store the 64-bit system files, and the 32-bit system files are stored in a SysWOW64 directory. I am not a Windows expert (or even user). I got the information from friends and it is confirmed here.

It was too simple for Microsoft to use System32 for 32-bits files and System64 for 64-bits files. Never underestimate Microsoft on its ability to find a complex solution to a given problem.

Another example of Microsoft complexity is the use of UTF-16 instead of UTF-8 for Unicode strings, and then the duplication of every API into A and W variants like SCardListReadersA() and SCardListReadersW().

Red Hat

Red Hat, and other GNU/Linux distributions, use /usr/lib64/ to store 64-bit libraries and /usr/lib/ (or /usr/lib32/, depending on the distribution) to store 32-bit libraries. This scheme is known as multilib or biarch.

This scheme is simple (more logical than the one from Microsoft :-) but it is also limited: it only handles two architectures at a time, typically 32-bit and 64-bit Intel/AMD.

Debian

Debian has been working on the problem since 2004 (see History in Debian multi arch support). The solution avoids the limitation to only 2 architectures and generalizes to any CPU architecture.

The libraries are then stored in /usr/lib/<triplet>/. The <triplet> being something like i386-linux-gnu or x86_64-linux-gnu or mipsel-linux-gnu.

pcsc-lite

Since version 1.8.3-1 of the Debian pcsc-lite package the multiarch system is supported.

The package libpcsclite1_1.8.3-3_i386.deb provides the files:
/usr/lib/i386-linux-gnu/libpcsclite.so.1
/usr/lib/i386-linux-gnu/libpcsclite.so.1.0.0
/usr/share/doc/libpcsclite1/changelog.Debian.gz
/usr/share/doc/libpcsclite1/changelog.gz
/usr/share/doc/libpcsclite1/copyright


The package libpcsclite1_1.8.3-3_amd64.deb provides the files:
/usr/lib/x86_64-linux-gnu/libpcsclite.so.1
/usr/lib/x86_64-linux-gnu/libpcsclite.so.1.0.0
/usr/share/doc/libpcsclite1/changelog.Debian.gz
/usr/share/doc/libpcsclite1/changelog.gz
/usr/share/doc/libpcsclite1/copyright


And it is possible to install the two packages at the same time (after configuring the system for multiarch).

pcscd

One complexity is that pcsc-lite has a client/server architecture. The client is libpcsclite.so.1 and the server is pcscd.

For at least four years pcsc-lite has supported this:
pcsc-lite-1.4.99: Ludovic Rousseau
9 January 2008
- add support of mix 32/64 bits platforms.  Thanks to Jacob Berkman for
  the big patch

So a 32-bit library can talk to a 64-bit pcscd. That is nice since, even with multi-arch, it is not possible to install two pcscd (for i386 and x86_64) at the same time. You only need to install one pcscd and one (or more) libpcsclite.so.1.

Example

I have an amd64 Debian system.

I have installed the Debian package pcsc-tools to have the pcsc_scan command.

$ file /usr/bin/pcsc_scan
/usr/bin/pcsc_scan: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=0x50bda59b9b9a86b312e59fd3022cd4da87b87265, stripped
The file is a 64-bit binary.

$ ldd /usr/bin/pcsc_scan 
 linux-vdso.so.1 =>  (0x00007fff7c75f000)
 libpcsclite.so.1 => /usr/lib/x86_64-linux-gnu/libpcsclite.so.1 (0x00007f022ca9d000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f022c716000)
 librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f022c50d000)
 libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f022c2f1000)
 /lib64/ld-linux-x86-64.so.2 (0x00007f022ccb1000)
And it is linked with the 64-bit library at /usr/lib/x86_64-linux-gnu/libpcsclite.so.1.

And the execution works:
$ pcsc_scan 
PC/SC device scanner
V 1.4.18 (c) 2001-2011, Ludovic Rousseau 
Compiled with PC/SC lite version: 1.7.4
Using reader plug'n play mechanism
Scanning present readers...
Waiting for the first reader...^C

I also fetched the i386 version of the pcsc-tools package. I cannot install it since it would conflict with the amd64 version of the package (same filename /usr/bin/pcsc_scan but different content). So I unpack the Debian package in a temporary directory.

$ mkdir foobar
$ cd foobar
$ dpkg -x ../pcsc-tools_1.4.18-1_i386.deb .
$ file usr/bin/pcsc_scan 
usr/bin/pcsc_scan: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=0xcbf386965c3541f0557c913c5aead05512d4b75c, stripped

The binary is a 32-bit executable.

$ usr/bin/pcsc_scan
PC/SC device scanner
V 1.4.18 (c) 2001-2011, Ludovic Rousseau 
Compiled with PC/SC lite version: 1.8.1
Using reader plug'n play mechanism
Scanning present readers...
Waiting for the first reader...^C

And the execution also works. The 32-bit binary is talking to the 64-bit pcscd server.

Conclusion

With multiarch it will/should be easy to install and execute on the same system programs for different architectures.

Maybe the new Linux x86 architecture (taking the best parts from the i386 and x86_64 worlds) will also be available as a new architecture in the multiarch world.