PySCard: unofficial version 1.6.16 available

I already presented PySCard in "PCSC sample in Python" (April 2010). PySCard is a Python wrapper for PC/SC.

History

Unfortunately since that time the PySCard software has never seen a new official release, even after I committed many changes upstream.
  • The latest official version is 1.6.12 from August 2010.
  • The version 1.6.14 was planned but not released.
  • The 1.6.16 version is planned but not yet released.

New version

To be able to build PySCard on Mac OS X 10.9 you need to use a version more recent than 1.6.12. That is why I now provide a snapshot of version 1.6.16 at "Beta versions".

I provide 2 files:

Mac OS X installation

The binary "installer" is provided so that you do not have to rebuild the source code yourself. To install it just do:
$ cd /
$ sudo tar xzvf [...]/pyscard-1.6.16.macosx-10.9-intel.tar.gz

Conclusion

I hope Jean-Daniel Aussel (upstream maintainer of PySCard) will have some time and motivation to publish an official new version of PySCard.

New PyKCS11 1.3.0 available

I just released a new version of PyKCS11, a Python wrapper above the PKCS#11 API.

See PyKCS11 introduction for more details about PyKCS11.

The changelog is short:
1.3.0 - July 2014, Ludovic Rousseau

  • add Python3 support
After some efforts I also uploaded the package python3-pykcs11 to Debian. It is my first Python3 package.

OS X Yosemite BETA and smart cards status

As I did with the previous major versions of Mac OS X (Mavericks, Mountain Lion and Lion), I will list the changes in Yosemite BETA regarding the smart card world.


For now only a "public" beta version is available. According to the beta program FAQ:

Is the pre-release software I am installing confidential?
Yes, the pre-release software is Apple confidential information. For example, don’t install the pre-release Apple software on any systems you don't directly control or that you share with others, don’t blog, post screen shots, tweet or publicly post information about the pre-release Apple software, and don't discuss the pre-release Apple software with or demonstrate it to others who are not in the OS X Beta Program. For clarity, if Apple has publicly disclosed technical information about the pre-release software then it is no longer considered confidential.

So I can't tell you much. I will only refer to public documentation from Apple.

New frameworks

From What's New in OS X: OS X Yosemite v10.10

New Frameworks

The following frameworks are new in OS X v10.10:
  • Crypto Token Kit (CryptoTokenKit.framework). The Crypto Token Kit framework provides native support for smart cards, including:
    • Enumerating connected smart card readers and monitoring them for card insertion and removal
    • Transmitting commands and responses to and from smart cards in the reader
    • Supporting new smart card reader hardware

API Differences

From OS X v10.9 to OS X v10.10 API Differences

CryptoTokenKit (Added)

CryptoTokenKit.h (Added)
TKError.h (Added)
Added TKErrorAuthenticationFailed
Added TKErrorCode
Added TKErrorCodeCanceledByUser
Added TKErrorCodeCommunicationError
Added TKErrorCodeCorruptedData
Added TKErrorCodeNotImplemented
Added TKErrorDomain
Added TKErrorObjectNotFound
Added TKErrorTokenNotFound
TKSmartCard.h (Added)
Added TKSmartCard
Added TKSmartCard.allowedProtocols
Added -[TKSmartCard beginSessionWithReply:]
Added TKSmartCard.cla
Added TKSmartCard.context
Added TKSmartCard.currentProtocol
Added -[TKSmartCard endSession]
Added -[TKSmartCard sendIns:p1:p2:data:le:reply:]
Added TKSmartCard.sensitive
Added TKSmartCard.slot
Added -[TKSmartCard transmitRequest:reply:]
Added TKSmartCard.useExtendedLength
Added TKSmartCard.valid
Added TKSmartCardSlot
Added TKSmartCardSlot.ATR
Added -[TKSmartCardSlot makeSmartCard]
Added TKSmartCardSlot.maxInputLength
Added TKSmartCardSlot.maxOutputLength
Added TKSmartCardSlot.name
Added TKSmartCardSlot.state
Added TKSmartCardSlotManager
Added +[TKSmartCardSlotManager defaultManager]
Added -[TKSmartCardSlotManager getSlotWithName:reply:]
Added TKSmartCardSlotManager.slotNames
Added TKSmartCard(APDULevelTransmit)
Added TKSmartCardNoSlot
Added TKSmartCardSlotEmpty
Added TKSmartCardSlotMuteCard
Added TKSmartCardSlotProbing
Added TKSmartCardSlotState
Added TKSmartCardSlotStateEmpty
Added TKSmartCardSlotStateMissing
Added TKSmartCardSlotStateMuteCard
Added TKSmartCardSlotStateProbing
Added TKSmartCardSlotStateValidCard
Added TKSmartCardSlotValidCard
TKSmartCardATR.h (Added)
Added TKSmartCardATR
Added TKSmartCardATR.bytes
Added TKSmartCardATR.historicalBytes
Added -[TKSmartCardATR initWithBytes:]
Added -[TKSmartCardATR initWithSource:]
Added -[TKSmartCardATR interfaceGroupAtIndex:]
Added -[TKSmartCardATR interfaceGroupForProtocol:]
Added TKSmartCardATR.protocols
Added TKSmartCardATRInterfaceGroup
Added TKSmartCardATRInterfaceGroup.TA
Added TKSmartCardATRInterfaceGroup.TB
Added TKSmartCardATRInterfaceGroup.TC
Added TKSmartCardATRInterfaceGroup.protocol
Added TKSmartCardProtocol
Added TKSmartCardProtocolAny
Added TKSmartCardProtocolNone
Added TKSmartCardProtocolT0
Added TKSmartCardProtocolT1
Added TKSmartCardProtocolT15

PCSC

No changes

Crypto Token

So it looks like Apple changed the way to use a smart card (or Crypto Token). I would not be surprised if the CDSA and tokend infrastructures are now removed. CDSA has been deprecated since Lion (3 major releases and 3 years ago); see Mac OS X Lion and tokend.

The removal of CDSA and tokend may be effective in Yosemite (or not).

PC/SC

The PC/SC API is still present and has not been modified.

Conclusion

Apple will surprise the smart card world with its new OS Yosemite.

I would say more but I can't because of the NDA. I will post a complete smart card status when Yosemite is released this autumn.

CCID descriptor statistics: dwMaxIFSD

Article from the series "CCID descriptor statistics"

The dwMaxIFSD field is a number value from the USB CCID descriptor:

Indicates the maximum IFSD supported by CCID for protocol T=1.

dwMaxIFSD # %
254 176 69.29 %
252 34 13.39 %
247 16 6.30 %
0 12 4.72 %
1024 4 1.57 %
256 3 1.18 %
1400 2 0.79 %
1041 1 0.39 %
123 1 0.39 %
2048 1 0.39 %
240 1 0.39 %
248 1 0.39 %
49 1 0.39 %
64 1 0.39 %


Some values may look strange or bogus:
  • 0 is used by 5% of readers. It is not a bug for an ICCD device with a T=0 card inside because dwMaxIFSD is only used with a T=1 card.
    Readers with dwMaxIFSD = 0 are:
    • ATMEL AT91SC192192CT-USB ICCD reader
    • ATMEL AT98SC032CT-USB
    • ATMEL VaultIC420 Smart Object
    • ATMEL VaultIC440
    • ATMEL VaultIC460
    • Gemalto Hybrid Smartcard Reader
    • IID AT90S064 CCID READER
    • INSIDE Secure VaultIC 405 Smart Object
    • INSIDE Secure VaultIC 441 Smart Object
    • Inside Secure VaultIC 420 Smart Object
    • Inside Secure VaultIC 440 Smart Object
    • Inside Secure VaultIC 460 Smart Object
    • MYSMART MySMART PAD V2.0
    • SchlumbergerSema SchlumbergerSema Cyberflex Access
    • SecuTech SecuTech Token
    • TianYu CCID Key TianYu CCID SmartKey
    Among them only the MYSMART MySMART PAD V2.0 is bogus with dwMaxIFSD = 0 and dwProtocols = 0x0000 0x0300 (should be 0x0000 0x0003 for T=0 and T=1).
  • The maximum value for dwMaxIFSD is dwMaxCCIDMessageLength - 10.
    Readers with dwMaxIFSD > dwMaxCCIDMessageLength - 10 (so bogus readers) are:
    • Aktiv Co., ProgramPark Rutoken Magistra
    • CCB eSafeLD
    • Feitian bR301
    • Free Software Initiative of Japan Gnuk
    • Gemalto PDT
    • Giesecke & Devrient GmbH Star Sign Card Token 550 (ICCD)
    • OCS ID-One Cosmo Card USB Smart Chip Device
    • Philips Semiconductors JCOP41V221
    • Philips Semiconductors SmartMX Sample
    • Planeta RC700-NFC CCID
    • Yubico Yubikey NEO CCID
    • Yubico Yubikey NEO OTP+CCID
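
The two checks above, applied to a raw CCID class descriptor. This is an added example, not code from libccid or from the original article; the sample descriptors are constructed, and build_sample, audit and parse_ccid_descriptor are hypothetical names. The field layout is the 54-byte class descriptor of the CCID specification.

```python
import struct

# CCID class descriptor (bDescriptorType 0x21): 54 bytes, little-endian, packed.
FMT = "<BBHBB III B II B IIIII BBHBB"
FIELDS = (
    "bLength bDescriptorType bcdCCID bMaxSlotIndex bVoltageSupport "
    "dwProtocols dwDefaultClock dwMaximumClock bNumClockSupported "
    "dwDataRate dwMaxDataRate bNumDataRatesSupported dwMaxIFSD "
    "dwSynchProtocols dwMechanical dwFeatures dwMaxCCIDMessageLength "
    "bClassGetResponse bClassEnvelope wLcdLayout bPINSupport bMaxCCIDBusySlots"
).split()
KNOWN_PROTOCOLS = 0x0001 | 0x0002  # T=0 and T=1


def parse_ccid_descriptor(raw):
    """Decode the 54-byte class descriptor into a field-name -> value dict."""
    if len(raw) != struct.calcsize(FMT) or raw[0] != len(raw) or raw[1] != 0x21:
        raise ValueError("not a 54-byte CCID class descriptor")
    return dict(zip(FIELDS, struct.unpack(FMT, raw)))


def audit(desc):
    """Return one finding per check from the article that the descriptor fails."""
    findings = []
    if desc["dwProtocols"] & ~KNOWN_PROTOCOLS:
        findings.append("dwProtocols=0x%08X sets bits other than T=0/T=1"
                        % desc["dwProtocols"])
    limit = desc["dwMaxCCIDMessageLength"] - 10
    if desc["dwMaxIFSD"] > limit:
        findings.append("dwMaxIFSD=%d exceeds dwMaxCCIDMessageLength - 10 = %d"
                        % (desc["dwMaxIFSD"], limit))
    return findings


def build_sample(**overrides):
    """Constructed descriptor for the demo; every default value is made up."""
    values = dict(zip(FIELDS, (54, 0x21, 0x0110, 0, 0x07, 0x0003, 4000, 4000, 0,
                               9600, 412903, 0, 254, 0, 0, 0x00010230, 271,
                               0xFF, 0xFF, 0, 0, 1)))
    values.update(overrides)
    return struct.pack(FMT, *(values[name] for name in FIELDS))


if __name__ == "__main__":
    samples = {
        "plausible": build_sample(),
        "IFSD too large": build_sample(dwMaxIFSD=254, dwMaxCCIDMessageLength=64),
        "swapped dwProtocols": build_sample(dwProtocols=0x0300, dwMaxIFSD=0),
    }
    for label, raw in samples.items():
        print(label, "->", audit(parse_ccid_descriptor(raw)) or "ok")
```

A dwMaxIFSD of 0 is deliberately not flagged on its own, since the article treats it as acceptable when only T=0 is used.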

CCID descriptor statistics: dwMaxDataRate

Article from the series "CCID descriptor statistics"

The dwMaxDataRate field is a number value from the USB CCID descriptor:

Maximum supported ICC I/O data rate in bps
Example: 115.2Kbps is encoded as the integer value 115200. (0001C200h)

dwMaxDataRate # %
412903 bps 38 14.96 %
9600 bps 33 12.99 %
344086 bps 30 11.81 %
344105 bps 17 6.69 %
250000 bps 13 5.12 %
115200 bps 11 4.33 %
500000 bps 11 4.33 %
318280 bps 10 3.94 %
230400 bps 8 3.15 %
344100 bps 8 3.15 %
12643980 bps 7 2.76 %
129032 bps 7 2.76 %
307200 bps 7 2.76 %
10752 bps 5 1.97 %
397024 bps 5 1.97 %
200080 bps 3 1.18 %
312500 bps 3 1.18 %
344068 bps 3 1.18 %
46875 bps 3 1.18 %
847000 bps 3 1.18 %
241936 bps 2 0.79 %
2688 bps 2 0.79 %
333333 bps 2 0.79 %
344064 bps 2 0.79 %
600000 bps 2 0.79 %
825807 bps 2 0.79 %
116129 bps 1 0.39 %
119096 bps 1 0.39 %
125000 bps 1 0.39 %
21504 bps 1 0.39 %
223200 bps 1 0.39 %
23437 bps 1 0.39 %
317591 bps 1 0.39 %
32258 bps 1 0.39 %
412896 bps 1 0.39 %
421052 bps 1 0.39 %
430107 bps 1 0.39 %
589250 bps 1 0.39 %
825806 bps 1 0.39 %
847500 bps 1 0.39 %
848000 bps 1 0.39 %
96774 bps 1 0.39 %
9910 bps 1 0.39 %




We find again the "magic" value of 9600 bps (used by 13% of readers) as with dwDataRate, dwDefaultClock and dwMaximumClock.

The highest value 12643980 is used by 7 readers (3%) and is not a bogus value. This speed of 12.6 Mbps is used by contactless readers, all manufactured by SpringCard. I guess not so many smart cards can communicate with a speed as high as 12.6 Mbps.

CCID descriptor statistics: dwMaximumClock

Article from the series "CCID descriptor statistics"

The dwMaximumClock field is a number value from the USB CCID descriptor:

Maximum supported ICC clock frequency in KHz. This is an integer value.
Example: 14.32 MHz is encoded as the integer value 14320. (000037F0h)

dwMaximumClock # %
4.000 MHz 94 37.01 %
8.000 MHz 43 16.93 %
3.580 MHz 33 12.99 %
12.000 MHz 17 6.69 %
3.700 MHz 10 3.94 %
4.800 MHz 10 3.94 %
13.560 MHz 8 3.15 %
7.500 MHz 6 2.36 %
4.615 MHz 5 1.97 %
1.500 MHz 4 1.57 %
20.000 MHz 3 1.18 %
3.570 MHz 3 1.18 %
3.600 MHz 3 1.18 %
1.000 MHz 2 0.79 %
3.571 MHz 2 0.79 %
3.692 MHz 2 0.79 %
1024.000 MHz 1 0.39 %
16.000 MHz 1 0.39 %
2.000 MHz 1 0.39 %
3.000 MHz 1 0.39 %
3.685 MHz 1 0.39 %
3.686 MHz 1 0.39 %
3.850 MHz 1 0.39 %
4.714 MHz 1 0.39 %
5.000 MHz 1 0.39 %

We find nearly the same values as for dwDefaultClock (See CCID descriptor statistics: dwDefaultClock):
  • 4.0 MHz: (37% of readers), 48% of readers have a default clock of 4.0 MHz
  • 8.0 MHz: (17%) this is just the double of a default clock of 4.0 MHz
  • 3.58 MHz: (13%) same as default clock for 34 readers
  • 12 MHz: (7%) 3 times the default clock of 4.0 MHz

The maximum clock speeds are more diverse than the default clock speeds.

If we draw the number of readers per clock frequency we have:

The value 1024 MHz (1.024 GHz) is, here again, clearly from a bogus reader.

CCID descriptor statistics: dwDefaultClock

Article from the series "CCID descriptor statistics"

The dwDefaultClock field is a number value from the USB CCID descriptor:

Default ICC clock frequency in KHz. This is an integer value.
Example: 3.58 MHz is encoded as the integer value 3580. (00000DFCh)
This is used in ETU and waiting time calculations. It is the clock frequency used when reading the ATR data.

dwDefaultClock # %
4.000 MHz 123 48.43 %
4.800 MHz 43 16.93 %
3.580 MHz 34 13.39 %
3.700 MHz 10 3.94 %
3.686 MHz 8 3.15 %
4.615 MHz 5 1.97 %
1.500 MHz 4 1.57 %
3.600 MHz 4 1.57 %
2.000 MHz 3 1.18 %
3.570 MHz 3 1.18 %
3.750 MHz 3 1.18 %
1.000 MHz 2 0.79 %
3.000 MHz 2 0.79 %
3.571 MHz 2 0.79 %
3.685 MHz 2 0.79 %
3.692 MHz 2 0.79 %
1024.000 MHz 1 0.39 %
3.850 MHz 1 0.39 %
4.714 MHz 1 0.39 %
5.000 MHz 1 0.39 %


The most common default clock frequencies are:
  • 4.0 MHz (48% of readers)
  • 4.8 MHz (17%)
  • 3.58 MHz (13%)

Note that 3.57 MHz (used by 3 readers) was the default speed when the reader-host communication was at 9600 baud using a serial communication port (9600 * 372 = 3,571,200).

Now that the readers are using the USB protocol the 4 MHz clock speed may be easier to use at the hardware level and not too far from the classic 3.57 MHz supported by old smart cards.

If we draw the number of readers per clock frequency we have:

The value 1024 MHz (1.024 GHz) is clearly from a bogus reader.

MUSCLE website migration

After the migration of the MUSCLE mailing list (see MUSCLE list migration) I had to move the MUSCLE web site.

The MUSCLE (Movement for the Use of Smart Card in a Linux Environment) web site used to be at http://www.musclecard.com. Because of issues with the hosting service the web site has been moved to another place at http://pcsclite.alioth.debian.org/musclecard.com/.

The web site at http://pcsclite.alioth.debian.org/musclecard.com/ is just a copy of the old web site, kept for the history. I do not plan to update this web site.

History

David Corcoran sent me a backup of the web site. But the backup was incomplete and all the source code archives were missing. That was a problem because, for example, the driver skeleton was missing. In the meantime the hosting service had shut down the web site. So it was not possible to fetch the archive files anymore.

Thanks to the Wayback Machine I could find a not so old version (May 2014) of the MUSCLE web site. The source code archive files are available on the Wayback Machine. So I could copy them to the new http://pcsclite.alioth.debian.org/musclecard.com/ web site.

New version of libccid: 1.4.17

I just released version 1.4.17 of libccid, the free software CCID class smart card reader driver.

Changes:
1.4.17 - 11 June 2014, Ludovic Rousseau

  • Add support of
    • Feitian R502
    • Free Software Initiative of Japan Gnuk Token
    • German Privacy Foundation Crypto Stick v2.0
    • HID Global veriCLASS Reader
    • HID OMNIKEY 5025-CL
    • Identive Technologies Multi-ISO HF Reader - USB
    • OMNIKEY 5421
    • OMNIKEY AG 3121 USB
    • udea MILKO V1.
  • Fix support of O2 Micro Oz776. The reader is limited to 9600 bps
  • some minor bugs removed

MUSCLE list migration: some emails were invalid

The old MUSCLE list contained:

  • A total of 1043 subscribers
  • 417 of them were already disabled or suspended
  • So only 626 emails (60%) were really used
I migrated the 626 enabled emails to the new MUSCLE list (see MUSCLE list migration).

After a few days of use of the new MUSCLE list 95 emails (15%) have been suspended by the list manager software because the email is not valid (mailbox full, no such user, quota exceeded, etc.).

If you do not receive MUSCLE emails but want to receive them then maybe your email has been rejected because it is invalid. You need to subscribe to the list again using a valid email.