PCSC framework will stay in Mac OS X 10.11 El Capitan



In a previous article "PCSC framework removed in Mac OS X 10.11 El Capitan?" I was afraid that the PCSC framework would be removed in the next version of Mac OS X: El Capitan.

I learned that this will not be the case. It was a misinterpretation on my side.

PCSC framework

On the page "OS X v.10.11 API Diffs" PCSC is removed in the 'Modules' section but is not removed in the 'Framework' section. The PCSC framework is still provided and supported in El Capitan.

This means that the PCSC.framework public API will not change at all and remains perfectly usable from C/C++/ObjC applications.

Swift

For developing smart card applications with Swift, CryptoTokenKit framework/module is recommended by Apple.

The effect of the removal of the PCSC module is that it will not be possible to import PCSC in a Swift application on El Capitan.

On Yosemite you can import PCSC, but no SCard functions or declarations are actually visible and nothing can be used: the import is in fact broken. So moving to El Capitan should not break existing Swift applications.

Maybe someone will write a PC/SC wrapper for Swift so I can add it to my list "PC/SC sample in different languages".

Conclusion

PCSC framework will be available in Mac OS X 10.11 El Capitan. No need to stress and rewrite/port all existing PC/SC applications to CryptoTokenKit.

I "guess" Apple will bring other surprises on the PC/SC front in El Capitan (but I can't tell now). If you have tried the beta version you may already know :-).

OS X Yosemite bug: SCardGetStatusChange blocks forever

This is part of the series: "OS X Yosemite and smart cards: known bugs".

SCardGetStatusChange() blocks forever after some time

SCardGetStatusChange() does not work correctly on Mac OS X 10.10 Yosemite. Sometimes the function blocks and does not return.

The execution does not always block at the same iteration. It looks like an internal deadlock in some circumstances.

See also

The problem was reported to me by Paolo S. Thanks to him.

Apple bug report #21437286 "PC/SC SCardGetStatusChange() blocks forever after some time".
Closed by Apple on 27th June 2015 as a duplicate of #20517200.

Sample code

Code from Paolo S.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef __APPLE__
#include <PCSC/winscard.h>
#include <PCSC/wintypes.h>
#else
#include <winscard.h>
#endif

/* Print the PC/SC error text and leave main() if rv is not a success */
#define CHECK(f, rv) \
 if (SCARD_S_SUCCESS != rv) \
 { \
  printf(f ": %s\n", pcsc_stringify_error(rv)); \
  return -1; \
 }

int main(void) {
    LONG rv;

    SCARDCONTEXT hContext;
    LPTSTR mszReaders = NULL;
    DWORD dwReaders;
    SCARD_READERSTATE sReaderState;

    unsigned int i;

    rv = SCardEstablishContext(SCARD_SCOPE_SYSTEM, NULL, NULL, &hContext);
    CHECK("SCardEstablishContext", rv)

    /* First call: get the size of the multi-string of reader names */
    rv = SCardListReaders(hContext, NULL, NULL, &dwReaders);
    CHECK("SCardListReaders", rv)

    mszReaders = calloc(dwReaders, sizeof(char));
    rv = SCardListReaders(hContext, NULL, mszReaders, &dwReaders);
    CHECK("SCardListReaders", rv)

    if (dwReaders <= 1) {
        puts("No reader found");
        goto end;
    }

    /* Only the first reader of the multi-string is used */
    printf("reader name: %s\n", mszReaders);

    memset(&sReaderState, 0, sizeof sReaderState);
    sReaderState.szReader = mszReaders;
    sReaderState.dwCurrentState = SCARD_STATE_UNAWARE;

    i = 0;
    while (1) {
        i++;
        printf("Loop #%u: calling SCardGetStatusChange\n", i);
        /* 1 ms timeout. This hangs after a random number of calls */
        rv = SCardGetStatusChange(hContext, 1, &sReaderState, 1);
        puts("returned");
        CHECK("SCardGetStatusChange", rv)
    }

end:
    free(mszReaders);
    rv = SCardReleaseContext(hContext);
    CHECK("SCardReleaseContext", rv)

    return 0;
}

Result (on Yosemite)

$ ./main
reader name: Gemalto PC Twin Reader
Loop #1: calling SCardGetStatusChange
returned
Loop #2: calling SCardGetStatusChange
[...]
Loop #11145: calling SCardGetStatusChange
returned
Loop #11146: calling SCardGetStatusChange
^C

I have to use Control-C to stop the execution.

Known workaround

Paolo S. has a workaround:
  1. Detect the card presence by calling the SCardConnect() function (shared mode, default protocols): no error = card inserted.
  2. Detect the card extraction by calling the SCardReconnect() function (same parameters, no card reset or eject): no error = card still inserted.
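
The workaround above as working code, added here as an example and not part of Paolo S.'s or the post's code. The PC/SC calls sit behind function pointers so the presence-detection logic can be driven by a constructed list of return codes without a reader; the real SCardConnect/SCardReconnect binding is compiled in with -DUSE_PCSC, and disconnecting the handle once a reconnect fails is this example's own choice.

```c
#include <stdio.h>
#include <stddef.h>

#ifdef USE_PCSC
/* Real backend: -DUSE_PCSC, link with -framework PCSC (pcsc-lite: <winscard.h>, -lpcsclite) */
#include <PCSC/winscard.h>
#else
/* PC/SC return codes, repeated here so the scripted backend compiles without PC/SC */
#define SCARD_S_SUCCESS       0x00000000L
#define SCARD_E_NO_SMARTCARD  0x8010000CL
#define SCARD_W_REMOVED_CARD  0x80100069L
#endif

/* The calls the workaround needs, behind function pointers so the logic runs without a reader */
typedef struct {
    long (*connect)(void *ctx);     /* SCardConnect: success = card present */
    long (*reconnect)(void *ctx);   /* SCardReconnect: success = still present */
    void (*disconnect)(void *ctx);  /* SCardDisconnect once the card is gone */
} CardOps;

typedef enum { CARD_ABSENT, CARD_PRESENT } CardState;
typedef enum { EV_NONE, EV_INSERTED, EV_REMOVED } CardEvent;

/* One polling step: with no card known, try to connect (shared mode, default
 * protocols); with a card known, reconnect with the same parameters and no reset.
 * A failed reconnect is treated as a removal. Returns the transition seen, if any. */
CardEvent poll_card(const CardOps *ops, void *ctx, CardState *state)
{
    if (*state == CARD_ABSENT) {
        if (ops->connect(ctx) == SCARD_S_SUCCESS) {
            *state = CARD_PRESENT;
            return EV_INSERTED;
        }
        return EV_NONE;
    }
    if (ops->reconnect(ctx) != SCARD_S_SUCCESS) {
        ops->disconnect(ctx);
        *state = CARD_ABSENT;
        return EV_REMOVED;
    }
    return EV_NONE;
}

#ifdef USE_PCSC
typedef struct { SCARDCONTEXT ctx; const char *reader; SCARDHANDLE card; DWORD proto; } Pcsc;
static long pcsc_connect(void *c) {
    Pcsc *p = c;
    return SCardConnect(p->ctx, p->reader, SCARD_SHARE_SHARED,
        SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1, &p->card, &p->proto);
}
static long pcsc_reconnect(void *c) {
    Pcsc *p = c;
    return SCardReconnect(p->card, SCARD_SHARE_SHARED,
        SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1, SCARD_LEAVE_CARD, &p->proto);
}
static void pcsc_disconnect(void *c) { SCardDisconnect(((Pcsc *)c)->card, SCARD_LEAVE_CARD); }
const CardOps pcsc_ops = { pcsc_connect, pcsc_reconnect, pcsc_disconnect };
#endif

/* Scripted backend (constructed for this example): replays PC/SC return codes offline */
typedef struct { const long *codes; size_t n, pos; } Script;
static long script_next(Script *s) {
    return s->pos < s->n ? s->codes[s->pos++] : SCARD_E_NO_SMARTCARD;
}
static long script_connect(void *c)    { return script_next((Script *)c); }
static long script_reconnect(void *c)  { return script_next((Script *)c); }
static void script_disconnect(void *c) { (void)c; }
const CardOps script_ops = { script_connect, script_reconnect, script_disconnect };

/* Constructed sequence: no card, insertion, still there, pulled out, no card, inserted again */
const long kSampleCodes[] = { SCARD_E_NO_SMARTCARD, SCARD_S_SUCCESS, SCARD_S_SUCCESS,
    SCARD_W_REMOVED_CARD, SCARD_E_NO_SMARTCARD, SCARD_S_SUCCESS };
const size_t kSampleCount = sizeof kSampleCodes / sizeof kSampleCodes[0];

/* Runs one poll per scripted code and counts how often `which` was reported */
int count_events(const long *codes, size_t n, CardEvent which)
{
    Script s = { codes, n, 0 };
    CardState state = CARD_ABSENT;
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (poll_card(&script_ops, &s, &state) == which)
            hits++;
    return hits;
}

int main(void)
{
    printf("inserted %d, removed %d\n",
        count_events(kSampleCodes, kSampleCount, EV_INSERTED),
        count_events(kSampleCodes, kSampleCount, EV_REMOVED));
    return 0;
}
```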

Update

This bug is now fixed in Mac OS X El Capitan 10.11.0.

PCSC framework removed in Mac OS X 10.11 El Capitan?

OS X El Capitan

You may know that Apple announced the new major version of OS X this week at WWDC 2015 (Worldwide Developers Conference). The next major version of OS X is 10.11, is planned for this Fall and is called El Capitan. See OS X El Capitan for some more details.

For even more details you have to go to the (public) web page "OS X v.10.11 API Diffs".

PCSC framework

According to the (public) web page "OS X v.10.11 API Diffs" we have:

It looks like Apple decided to remove the PCSC framework and replace it with CryptoTokenKit, already introduced in OS X 10.10 Yosemite (see "OS X Yosemite BETA and smart cards status" and "OS X Yosemite and smart cards status" for the beginning of the replacement story).

CryptoTokenKit

There are also some changes (to make it work for real?) on the CryptoTokenKit side (both framework and modules).

CryptoTokenKit framework

Full page at https://developer.apple.com/library/prerelease/mac/releasenotes/General/APIDiffsMacOSX10_11/frameworks/CryptoTokenKit.html

TKError.h

Added TKErrorCodeBadParameter

TKSmartCard.h

Removed TKSmartCardNoSlot
Removed TKSmartCardSlotEmpty
Removed TKSmartCardSlotMuteCard
Removed TKSmartCardSlotProbing
Removed TKSmartCardSlotValidCard
Added -[TKSmartCard userInteractionForSecurePINChangeWithPINFormat:APDU:currentPINByteOffset:newPINByteOffset:]
Added -[TKSmartCard userInteractionForSecurePINVerificationWithPINFormat:APDU:PINByteOffset:]
Added TKSmartCardPINFormat
Added TKSmartCardPINFormat.charset
Added TKSmartCardPINFormat.encoding
Added TKSmartCardPINFormat.maxPINLength
Added TKSmartCardPINFormat.minPINLength
Added TKSmartCardPINFormat.PINBitOffset
Added TKSmartCardPINFormat.PINBlockByteLength
Added TKSmartCardPINFormat.PINJustification
Added TKSmartCardPINFormat.PINLengthBitOffset
Added TKSmartCardPINFormat.PINLengthBitSize
Added TKSmartCardSlot.screen
Added -[TKSmartCardSlot userInteractionForConfirmation]
Added -[TKSmartCardSlot userInteractionForStringEntry]
Added TKSmartCardSlotScreen
Added -[TKSmartCardSlotScreen displayMessage:x:y:duration:clearScreen:]
Added TKSmartCardSlotScreen.physicalColumnCount
Added TKSmartCardSlotScreen.physicalRowCount
Added TKSmartCardSlotScreen.virtualColumnCount
Added TKSmartCardSlotScreen.virtualRowCount
Added TKSmartCardUserInteraction
Added -[TKSmartCardUserInteraction cancel]
Added TKSmartCardUserInteraction.delegate
Added TKSmartCardUserInteraction.initialTimeout
Added TKSmartCardUserInteraction.interactionTimeout
Added -[TKSmartCardUserInteraction runWithReply:]
Added TKSmartCardUserInteractionDelegate
Added -[TKSmartCardUserInteractionDelegate characterEnteredInUserInteraction:]
Added -[TKSmartCardUserInteractionDelegate correctionKeyPressedInUserInteraction:]
Added -[TKSmartCardUserInteractionDelegate invalidCharacterEnteredInUserInteraction:]
Added -[TKSmartCardUserInteractionDelegate newPINConfirmationRequestedInUserInteraction:]
Added -[TKSmartCardUserInteractionDelegate newPINRequestedInUserInteraction:]
Added -[TKSmartCardUserInteractionDelegate oldPINRequestedInUserInteraction:]
Added -[TKSmartCardUserInteractionDelegate validationKeyPressedInUserInteraction:]
Added TKSmartCardUserInteractionForConfirmation
Added TKSmartCardUserInteractionForConfirmation.result
Added TKSmartCardUserInteractionForPINOperation
Added TKSmartCardUserInteractionForPINOperation.locale
Added TKSmartCardUserInteractionForPINOperation.PINCompletion
Added TKSmartCardUserInteractionForPINOperation.PINMessageIndices
Added TKSmartCardUserInteractionForPINOperation.resultData
Added TKSmartCardUserInteractionForPINOperation.resultSW
Added TKSmartCardUserInteractionForSecurePINChange
Added TKSmartCardUserInteractionForSecurePINChange.PINConfirmation
Added TKSmartCardUserInteractionForSecurePINVerification
Added TKSmartCardUserInteractionForStringEntry
Added TKSmartCardUserInteractionForStringEntry.result
Added TKSmartCardPINCharset
Added TKSmartCardPINCharsetAlphanumeric
Added TKSmartCardPINCharsetNumeric
Added TKSmartCardPINCharsetUpperAlphanumeric
Added TKSmartCardPINCompletion
Added TKSmartCardPINCompletionKey
Added TKSmartCardPINCompletionMaxLength
Added TKSmartCardPINCompletionTimeout
Added TKSmartCardPINConfirmation
Added TKSmartCardPINConfirmationCurrent
Added TKSmartCardPINConfirmationNew
Added TKSmartCardPINConfirmationNone
Added TKSmartCardPINEncoding
Added TKSmartCardPINEncodingASCII
Added TKSmartCardPINEncodingBCD
Added TKSmartCardPINEncodingBinary
Added TKSmartCardPINJustification
Added TKSmartCardPINJustificationLeft
Added TKSmartCardPINJustificationRight

and many functions modified.

CryptoTokenKit modules

Full page at https://developer.apple.com/library/prerelease/mac/releasenotes/General/APIDiffsMacOSX10_11/modules/CryptoTokenKit.html

Removed TKSmartCardProtocol.init(_: UInt)
Added TKErrorCode.CodeBadParameter
Added TKSmartCard.userInteractionForSecurePINChangeWithPINFormat(_: TKSmartCardPINFormat, APDU: NSData, currentPINByteOffset: Int, newPINByteOffset: Int) -> TKSmartCardUserInteractionForSecurePINChange?
Added TKSmartCard.userInteractionForSecurePINVerificationWithPINFormat(_: TKSmartCardPINFormat, APDU: NSData, PINByteOffset: Int) -> TKSmartCardUserInteractionForSecurePINVerification?
Added TKSmartCardPINCharset [enum]
Added TKSmartCardPINCharset.Alphanumeric
Added TKSmartCardPINCharset.Numeric
Added TKSmartCardPINCharset.UpperAlphanumeric
Added TKSmartCardPINCompletion [struct]
Added TKSmartCardPINCompletion.init(rawValue: UInt)
Added TKSmartCardPINCompletion.Key
Added TKSmartCardPINCompletion.MaxLength
Added TKSmartCardPINCompletion.Timeout
Added TKSmartCardPINConfirmation [struct]
Added TKSmartCardPINConfirmation.Current
Added TKSmartCardPINConfirmation.init(rawValue: UInt)
Added TKSmartCardPINConfirmation.New
Added TKSmartCardPINConfirmation.None
Added TKSmartCardPINEncoding [enum]
Added TKSmartCardPINEncoding.ASCII
Added TKSmartCardPINEncoding.BCD
Added TKSmartCardPINEncoding.Binary
Added TKSmartCardPINFormat
Added TKSmartCardPINFormat.charset
Added TKSmartCardPINFormat.encoding
Added TKSmartCardPINFormat.maxPINLength
Added TKSmartCardPINFormat.minPINLength
Added TKSmartCardPINFormat.PINBitOffset
Added TKSmartCardPINFormat.PINBlockByteLength
Added TKSmartCardPINFormat.PINJustification
Added TKSmartCardPINFormat.PINLengthBitOffset
Added TKSmartCardPINFormat.PINLengthBitSize
Added TKSmartCardPINJustification [enum]
Added TKSmartCardPINJustification.Left
Added TKSmartCardPINJustification.Right
Added TKSmartCardSlot.screen
Added TKSmartCardSlot.userInteractionForConfirmation() -> TKSmartCardUserInteractionForConfirmation?
Added TKSmartCardSlot.userInteractionForStringEntry() -> TKSmartCardUserInteractionForStringEntry?
Added TKSmartCardSlotScreen
Added TKSmartCardSlotScreen.displayMessage(_: String, x: Int, y: Int, duration: NSTimeInterval, clearScreen: Bool) -> Bool
Added TKSmartCardSlotScreen.physicalColumnCount
Added TKSmartCardSlotScreen.physicalRowCount
Added TKSmartCardSlotScreen.virtualColumnCount
Added TKSmartCardSlotScreen.virtualRowCount
Added TKSmartCardUserInteraction
Added TKSmartCardUserInteraction.cancel() -> Bool
Added TKSmartCardUserInteraction.delegate
Added TKSmartCardUserInteraction.initialTimeout
Added TKSmartCardUserInteraction.interactionTimeout
Added TKSmartCardUserInteraction.runWithReply(_: (Bool, NSError?) -> Void)
Added TKSmartCardUserInteractionDelegate
Added TKSmartCardUserInteractionDelegate.characterEnteredInUserInteraction(_: TKSmartCardUserInteraction)
Added TKSmartCardUserInteractionDelegate.correctionKeyPressedInUserInteraction(_: TKSmartCardUserInteraction)
Added TKSmartCardUserInteractionDelegate.invalidCharacterEnteredInUserInteraction(_: TKSmartCardUserInteraction)
Added TKSmartCardUserInteractionDelegate.newPINConfirmationRequestedInUserInteraction(_: TKSmartCardUserInteraction)
Added TKSmartCardUserInteractionDelegate.newPINRequestedInUserInteraction(_: TKSmartCardUserInteraction)
Added TKSmartCardUserInteractionDelegate.oldPINRequestedInUserInteraction(_: TKSmartCardUserInteraction)
Added TKSmartCardUserInteractionDelegate.validationKeyPressedInUserInteraction(_: TKSmartCardUserInteraction)
Added TKSmartCardUserInteractionForConfirmation
Added TKSmartCardUserInteractionForConfirmation.result
Added TKSmartCardUserInteractionForPINOperation
Added TKSmartCardUserInteractionForPINOperation.locale
Added TKSmartCardUserInteractionForPINOperation.PINCompletion
Added TKSmartCardUserInteractionForPINOperation.PINMessageIndices
Added TKSmartCardUserInteractionForPINOperation.resultData
Added TKSmartCardUserInteractionForPINOperation.resultSW
Added TKSmartCardUserInteractionForSecurePINChange
Added TKSmartCardUserInteractionForSecurePINChange.PINConfirmation
Added TKSmartCardUserInteractionForSecurePINVerification
Added TKSmartCardUserInteractionForStringEntry
Added TKSmartCardUserInteractionForStringEntry.result

and many functions modified.

WWDC sessions

Apple provides 2 security related sessions at the WWDC according to the schedule.

Security and Your Apps
System Frameworks
Your reputation depends on protecting your users' data. Do this by taking advantage of the Security frameworks built into iOS, OS X and watchOS. Find out about new developments in Security and learn the best practices to develop secure apps and protect your users' data.

Security and Privacy Lab
System Frameworks
Get together with the Apple security and privacy teams for expert advice on protecting your apps, safeguarding your users' data, and honoring your users' privacy. Bring your code and your questions.

It may be interesting to watch the videos of the sessions once they are available. Or maybe they are not related to smart cards at all.

Conclusion

PC/SC application developers, maintainers and vendors will have some work to port/rewrite their PC/SC code to CryptoTokenKit. And the time to be ready for the release of OS X El Capitan is very short (3 months?).

Thanks to Karl T. for the notice.

Update

PCSC framework will be present in El Capitan. See "PCSC framework will stay in Mac OS X 10.11 El Capitan".

PCSC sample in C for UEFI

To continue the list of PC/SC wrappers initiated more than four years ago with "PC/SC sample in different languages" I now present a PC/SC sample written in C but for UEFI.

UEFI

UEFI stands for Unified Extensible Firmware Interface. UEFI is an evolution of EFI. EFI should replace the BIOS on "modern" "Intel PC" computers.

Any 64-bit Intel (or compatible) PC should have UEFI (and maybe also a BIOS for compatibility).

See my previous article "UEFI Smart Card Reader Protocol" for some more details.

Sample source code

#include <Uefi.h>
#include <Library/UefiLib.h>
#include <Library/ShellCEntryLib.h>
#include <Library/UefiBootServicesTableLib.h>

#include <Protocol/SmartCardReader.h>

/*
 * Connect to the card in one reader, SELECT an applet by AID, send it one
 * command and print the answer. Returns 0 on success, -1 on error.
 */
int HelloWorld(EFI_SMART_CARD_READER_PROTOCOL *SmartCardReader)
{
    EFI_STATUS  Status;
    UINT32 ActiveProtocol;
    UINTN i;
    int rc = -1;
    /* SELECT by AID: CLA 00, INS A4, P1 04, P2 00, Lc 0A, then the 10-byte AID */
    UINT8 CAPDU_select[] = {0x00, 0xA4, 0x04, 0x00, 0x0A, 0xA0, 0x00, 0x00, 0x00, 0x62, 0x03, 0x01, 0x0C, 0x06, 0x01};
    /* Command understood by the selected test applet */
    UINT8 CAPDU_command[] = {0x00, 0x00, 0x00, 0x00};
    UINTN CAPDULength, RAPDULength;
    UINT8 RAPDU[256+2];    /* up to 256 data bytes plus SW1 SW2 */

    /*
     * SCardConnect: cold reset, T=0 or T=1 as negotiated by the reader
     */
    Status = SmartCardReader->SCardConnect(SmartCardReader,
        SCARD_AM_CARD,
        SCARD_CA_COLDRESET,
        SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1,
        &ActiveProtocol);
    if (EFI_ERROR(Status))
    {
        Print(L"ERROR: SCardConnect: %r\n", Status);
        return -1;
    }

    /*
     * SCardTransmit Select
     */
    CAPDULength = sizeof CAPDU_select;
    RAPDULength = sizeof RAPDU;    /* in: buffer size, out: bytes received */
    Status = SmartCardReader->SCardTransmit(SmartCardReader,
        CAPDU_select, CAPDULength,
        RAPDU, &RAPDULength);
    if (EFI_ERROR(Status))
    {
        Print(L"ERROR: SCardTransmit: %r\n", Status);
        goto disconnect;
    }
    Print(L"RAPDU: ");
    for (i = 0; i < RAPDULength; i++)
        Print(L"%02X ", RAPDU[i]);
    Print(L"\n");

    /*
     * SCardTransmit Command
     */
    CAPDULength = sizeof CAPDU_command;
    RAPDULength = sizeof RAPDU;
    Status = SmartCardReader->SCardTransmit(SmartCardReader,
        CAPDU_command, CAPDULength,
        RAPDU, &RAPDULength);
    if (EFI_ERROR(Status))
    {
        Print(L"ERROR: SCardTransmit: %r\n", Status);
        goto disconnect;
    }
    Print(L"RAPDU: ");
    for (i = 0; i < RAPDULength; i++)
        Print(L"%02X ", RAPDU[i]);
    Print(L"\n");
    /* Print the data bytes as text; the last two bytes are the status word SW1 SW2 */
    for (i = 0; i + 2 < RAPDULength; i++)
        Print(L"%c", RAPDU[i]);
    Print(L"\n");
    rc = 0;

disconnect:
    /*
     * SCardDisconnect
     */
    Status = SmartCardReader->SCardDisconnect(SmartCardReader,
        SCARD_CA_NORESET);
    if (EFI_ERROR(Status))
    {
        Print(L"ERROR: SCardDisconnect: %r\n", Status);
        return -1;
    }

    return rc;
}

INTN
EFIAPI
ShellAppMain (
  IN UINTN Argc,
  IN CHAR16 **Argv
  )
{
    EFI_STATUS  Status;
    UINTN       HandleIndex, HandleCount;
    EFI_HANDLE  *DevicePathHandleBuffer = NULL;
    EFI_SMART_CARD_READER_PROTOCOL *SmartCardReader;

    /* One handle per reader publishing EFI_SMART_CARD_READER_PROTOCOL */
    Status = gBS->LocateHandleBuffer(
            ByProtocol,
            &gEfiSmartCardReaderProtocolGuid,
            NULL,
            &HandleCount,
            &DevicePathHandleBuffer);

    if (EFI_ERROR(Status))
    {
        Print(L"ERROR: Get EFI_SMART_CARD_READER_PROTOCOL count fail: %r\n", Status);
        return 0;
    }

    Print(L"Found %d reader(s)\n", HandleCount);
    for (HandleIndex = 0; HandleIndex < HandleCount; HandleIndex++)
    {
        SmartCardReader = NULL;

        Status = gBS->HandleProtocol(
                DevicePathHandleBuffer[HandleIndex],
                &gEfiSmartCardReaderProtocolGuid,
                (VOID**)&SmartCardReader);

        if (EFI_ERROR(Status))
        {
            Print(L"ERROR: Open Protocol fail: %r\n", Status);
            gBS->FreePool(DevicePathHandleBuffer);
            return 0;
        }

        HelloWorld(SmartCardReader);
    }
    gBS->FreePool(DevicePathHandleBuffer);

    return(0);
}

Output

Found 1 reader(s)
RAPDU: 90 00 
RAPDU: 48 65 6C 6C 6F 20 77 6F 72 6C 64 21 90 00 
Hello world!
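
As an added example (not code from the post), the two things the sample hard-codes or skips: building the SELECT APDU from the AID, and separating the response data from the status word SW1 SW2 so that "Hello world!" is printed without the trailing 90 00 bytes. It needs no UEFI headers, so it can be checked on a normal host; the sample values are the AID and the responses shown above.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Builds a SELECT-by-AID command APDU (CLA 00, INS A4, P1 04, P2 00, Lc,
 * AID) into out. Returns the APDU length, or 0 when the AID length is not
 * the 5..16 bytes allowed by ISO 7816-4 or out is too small. */
size_t build_select_apdu(const uint8_t *aid, size_t aid_len, uint8_t *out, size_t out_len)
{
    if (aid_len < 5 || aid_len > 16 || out_len < 5 + aid_len)
        return 0;
    out[0] = 0x00; out[1] = 0xA4; out[2] = 0x04; out[3] = 0x00;
    out[4] = (uint8_t)aid_len;
    memcpy(out + 5, aid, aid_len);
    return 5 + aid_len;
}

/* Splits a response APDU into its data part and the status word SW1 SW2.
 * Returns the data length, or -1 when the response is shorter than the
 * 2-byte status word (such a reply must not be interpreted as data). */
int split_rapdu(const uint8_t *rapdu, size_t len, const uint8_t **data, uint16_t *sw)
{
    if (len < 2)
        return -1;
    *data = rapdu;
    *sw = (uint16_t)((rapdu[len - 2] << 8) | rapdu[len - 1]);
    return (int)(len - 2);
}

/* Copies the data bytes of a response into text as printable ASCII
 * (other bytes become '.'), NUL-terminated, and returns the status word,
 * or 0 when the response is malformed or text is too small. */
uint16_t rapdu_text(const uint8_t *rapdu, size_t len, char *text, size_t text_len)
{
    const uint8_t *data;
    uint16_t sw;
    int n = split_rapdu(rapdu, len, &data, &sw);
    if (n < 0 || (size_t)n + 1 > text_len)
        return 0;
    for (int i = 0; i < n; i++)
        text[i] = (data[i] >= 0x20 && data[i] < 0x7F) ? (char)data[i] : '.';
    text[n] = '\0';
    return sw;
}

/* Values taken from the post: the AID the sample selects, the CAPDU it
 * hard-codes, and the two responses it prints. */
const uint8_t kAid[] = {0xA0, 0x00, 0x00, 0x00, 0x62, 0x03, 0x01, 0x0C, 0x06, 0x01};
const uint8_t kSelectCapdu[] = {0x00, 0xA4, 0x04, 0x00, 0x0A, 0xA0, 0x00, 0x00, 0x00,
                                0x62, 0x03, 0x01, 0x0C, 0x06, 0x01};
const uint8_t kSelectRapdu[] = {0x90, 0x00};
const uint8_t kHelloRapdu[] = {0x48, 0x65, 0x6C, 0x6C, 0x6F, 0x20, 0x77, 0x6F,
                               0x72, 0x6C, 0x64, 0x21, 0x90, 0x00};

/* Returns 1 when the builder reproduces the sample's hard-coded SELECT */
int select_matches_sample(void)
{
    uint8_t buf[5 + 16];
    size_t n = build_select_apdu(kAid, sizeof kAid, buf, sizeof buf);
    return n == sizeof kSelectCapdu && memcmp(buf, kSelectCapdu, n) == 0;
}

int main(void)
{
    char text[32];
    uint16_t sw = rapdu_text(kHelloRapdu, sizeof kHelloRapdu, text, sizeof text);
    printf("SELECT ok: %d, data: \"%s\", SW: %04X\n", select_matches_sample(), text, sw);
    return 0;
}
```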

Test platform

I used a Dell laptop model E6420 (shipped in August 2013) with an integrated Broadcom smart card reader. This reader was already in the "should work" list of my CCID driver. Of course the SmartCardReader API was not included in the UEFI firmware: I had to write the driver myself.

I made tests with older Dell laptops and had problems with the USB UEFI layer. It looks like UEFI is still a work in progress and bugs/limitations are common.

I started by using a software simulator (qemu + UEFI) but I could not use a USB device with the simulator, so I rapidly had to use real hardware. Developing a UEFI driver involves a lot of reboots to try each new version of the driver.

Remarks

I added error checks and logging feature in the source code.

The API is not high level but mostly the direct equivalent of WinSCard (the classic C API for smart cards).

Conclusion

It was fun to work on UEFI and learn a new technology.

UEFI is very powerful. Time will tell if the SmartCardReader API will be deployed and used.

UEFI Smart Card Reader Protocol

The release 2.5, April 2015, of the Unified Extensible Firmware Interface Specification (UEFI) contains 2 new protocols:

  • Smart Card Reader Protocol
  • Smart Card Edge Protocol

The specification is available at http://www.uefi.org/sites/default/files/resources/UEFI%202_5.pdf from the UEFI web site.

Smart Card Reader Protocol

The Smart Card Reader Protocol is described in chapter 35.6.1 page 2241 (yes, the specification is one huge document of 14 MB and 2588 pages).

The functions provided are:
typedef struct _EFI_SMART_CARD_READER_PROTOCOL {
 EFI_SMART_CARD_READER_CONNECT    SCardConnect;
 EFI_SMART_CARD_READER_DISCONNECT SCardDisconnect;
 EFI_SMART_CARD_READER_STATUS     SCardStatus;
 EFI_SMART_CARD_READER_TRANSMIT   SCardTransmit;
 EFI_SMART_CARD_READER_CONTROL    SCardControl;
 EFI_SMART_CARD_READER_GET_ATTRIB SCardGetAttrib;
} EFI_SMART_CARD_READER_PROTOCOL;

You may be surprised that there is no function to list the available readers. This is because UEFI has its own way to enumerate resources: each smart card reader has its own EFI_SMART_CARD_READER_PROTOCOL instance, and the program just has to iterate over all the handles carrying the protocol identified by EFI_SMART_CARD_READER_PROTOCOL_GUID.

Usage

The Smart Card Reader Protocol is planned to be used from a UEFI application, so before the operating system (Windows, GNU/Linux, Mac OS X, etc.) is started.
This can be used to access a smart card and get a secret key from it after a PIN has been verified. The secret key could then be used to decipher the hard disk.

Smart Card Edge Protocol

The Smart Card Edge Protocol is described in chapter 35.6.2 page 2253.

The functions provided are:
typedef struct _EFI_SMART_CARD_EDGE_PROTOCOL {
 EFI_SMART_CARD_EDGE_GET_CONTEXT        GetContext;
 EFI_SMART_CARD_EDGE_CONNECT            Connect;
 EFI_SMART_CARD_EDGE_DISCONNECT         Disconnect;
 EFI_SMART_CARD_EDGE_GET_CSN            GetCsn;
 EFI_SMART_CARD_EDGE_GET_READER_NAME    GetReaderName;
 EFI_SMART_CARD_EDGE_VERIFY_PIN         VerifyPin;
 EFI_SMART_CARD_EDGE_GET_PIN_REMAINING  GetPinRemaining;
 EFI_SMART_CARD_EDGE_GET_DATA           GetData;
 EFI_SMART_CARD_EDGE_GET_CREDENTIAL     GetCredential;
 EFI_SMART_CARD_EDGE_SIGN_DATA          SignData;
 EFI_SMART_CARD_EDGE_DECRYPT_DATA       DecryptData;
 EFI_SMART_CARD_EDGE_BUILD_DH_AGREEMENT BuildDHAgreement;
} EFI_SMART_CARD_EDGE_PROTOCOL;

Usage

This API makes it easy to use a PKI card. It is the same idea as a PKCS#11 or MiniDriver library: abstract the smart card specificities so that a UEFI application can use different PKI smart cards without card-specific source code.

Can I use it now?

The specification is now public. You can implement it yourself and play with it. Or you can wait for someone else to implement it and provide it in the UEFI of your next computer.

I have already implemented the Smart Card Reader Protocol. I will propose it for inclusion in TianoCore.

Conclusion

Stay tuned. Do not expect to have it included in the UEFI of your next computer for some time.

But if you are a developer you can play with it now.

New version of libccid: 1.4.19

I just released version 1.4.19 of libccid, the free software CCID class smart card reader driver.

Direct download here.

Changes:
1.4.19 - 13 May 2014, Ludovic Rousseau

  • Add support of
    • AK910 CKey (idProduct 0x0001)
    • AK910 CKey (idProduct 0x0011)
    • AK910 IDONE
    • Broadcom Corp 5880 (idProduct: 0x5804)
    • CASTLES EZCCID Smart Card Reader
    • Cherry KC 1000 SC
    • Cherry KC 1000 SC Z
    • Cherry KC 1000 SC/DI
    • Cherry KC 1000 SC/DI Z
    • Cherry TC 1300
    • Chicony USB Smart Card Keyboard
    • Elatec TWN4 SmartCard NFC
    • Feitian 502-CL
    • Feitian eJAVA Token
    • FujitsuTechnologySolutions GmbH Keyboard KB100 SCR
    • FujitsuTechnologySolutions GmbH Keyboard KB100 SCR eSIG
    • Hewlett-Packard HP lt4112 Gobi 4G Module
    • Identive SCT3522CC token
    • OMNIKEY AG 6121 USB mobile
    • PIVKey T800
    • REINER SCT tanJack Bluetooth
    • Watchdata USB Key
  • Add syslog(3) debug for Mac OS X Yosemite.
    Use: sudo syslog -c "com.apple.ifdreader PID" -d to change the logging level.
    See also "Change syslog logging level on Yosemite" /posts/2015/03/change-syslog-logging-level-on-yosemite/
  • Remove ZLP patch for Gemalto IDBridge CT30 and K30. The patch was causing problems with the K50. A new reader firmware (version F) solved the problem so the patch is no more needed.
  • Fix a memory leak in an error path
  • some minor bugs removed

pcsc-lite and CCID driver source code moved from SVN to GIT

The major projects hosted at https://alioth.debian.org/projects/pcsclite/ have moved from SVN (subversion) to GIT as the Version Control System (VCS).

Alioth.debian.org

The new URLs for the source code are:

The source code at the SVN server is still available at https://anonscm.debian.org/viewvc/pcsclite/trunk/ but will not be updated any more.

Github

I also provide a github version of the source codes at:

You can either use the alioth or the github server to clone the repositories.

Master repository is alioth

But be careful that they are different repositories. One repo is NOT the mirror of the other repo. They are both handled by hand.

The "official" repository should be the one at alioth.debian.org.

Conclusion

Maybe this change will bring new blood to the development :-)

The real reason for the move is that alioth only provides an ssh access to push code. So it is not possible to work from places where connecting to an Internet server using ssh is not allowed. I should be able to push code to github from anywhere (since github can use https) and then merge it and push it to alioth from more net-friendly places.

Smart card reader p0rn pictures

Federal Communications Commission

Devices emitting radio frequency signals must be declared at the FCC to be sold in the USA (or something like that). Smart card readers are such devices since they use electricity.

I'll let you read the Wikipedia page to learn more about the FCC.

Search engine

The Office of Engineering and Technology (part of the FCC) provides a search engine at Equipment Authorization Search.

Example: Gemalto MESPROXDUB

I searched for all the Gemalto devices. The list contains 381 results.

I found the MESPROXDUB also known as IDBridge CL300 (previously known as Prox-DU) smart card reader. I have it in my own list at Gemalto Prox Dual USB PC Link Reader.

The result of the search is a list:

9 Matches found for FCC ID MESPROXDUB

View Attachment         | Exhibit Type            | Date Submitted to FCC | Display Type | Date Available
Confidentiality Request | Cover Letter(s)         | 01/17/2011            | pdf          | 01/17/2011
External Photos         | External Photos         | 01/17/2011            | pdf          | 01/17/2011
Label ID                | Label/Location Info     | 01/17/2011            | pdf          | 01/17/2011
Internal Photos         | Internal Photos         | 01/17/2011            | pdf          | 01/17/2011
Operational Description | Operational Description | 01/17/2011            | pdf          | 01/17/2011
Test Report             | Test Report             | 01/17/2011            | pdf          | 01/17/2011
Test Setup Photos       | Test Setup Photos       | 01/17/2011            | pdf          | 01/17/2011
User Manual - Prox-DU   | Users Manual            | 01/17/2011            | pdf          | 01/17/2011
User Manual - Prox-SU   | Users Manual            | 01/17/2011            | pdf          | 01/17/2011

For some strange reason it is not possible to directly access the referenced PDF documents. You will get a "You are not authorized to access this page." error if you click on the links in the table above. You need to get them from the real result page itself.

Pictures

What is interesting for a hardware hacker is the "Internal Photos" exhibit. This is called "hardware p0rn".

You can search "hardware p0rn" in Google. Maybe some pictures from Google are NSFW. There is also a tumblr dedicated to hardware porn with nice (and safe) pictures.

Pictures of the Gemalto MESPROXDUB

I will not include all the pictures here, just a "best of" selection.

Conclusion

You can also search for "Apple" in the search engine. You will find photos of the inside of the iPhone. But the pictures from iFixit are of much better quality. I do not know of an equivalent of iFixit for smart card readers.

Gemalto smart card readers

Now that Gemalto has bought SafeNet it has become a big company with a lot of different brands.

Some of the brands in the Gemalto group are used by CCID readers listed in the big matrix. I will only talk about CCID compliant readers, so readers produced before the CCID specification was available (around 2001) are not listed here.

Short history of Gemalto fusions and acquisitions

  • 1926: creation of Schlumberger
  • 1988: creation of Gemplus
  • 2001: Schlumberger buys Sema Group plc and becomes SchlumbergerSema
  • 2004: Axalto is a spin-off of SchlumbergerSema
  • 2006: Axalto and Gemalto merge to become Gemalto
  • 2009: Gemalto buys XIRING’s banking activity
  • 2010: SafeNet buys Aladdin
  • 2010: Gemalto buys Todos AB in Sweden
  • 2015: Gemalto buys SafeNet

I only list the fusions and acquisitions related to smart card reader manufacturers.

VendorID

Vendor           | VendorID | # of readers
Total            |          | 31
Aladdin          | 0x0529   | 1
Axalto           | ?        | 1
Gemalto          | 0x08E6   | 17
Gemplus          | 0x08E6   | 8
SafeNet          | ?        | 1
SchlumbergerSema | 0x0973   | 1
Todos            | 0x0B0C   | 2
Xiring           | 0x0F14   | 0

Each USB device is identified by a VendorID.
It looks like Axalto and SafeNet do not have their own VendorID.

Xiring

All the Xiring readers I have in my list are now sold by ingenico Healthcare e-ID (ex Xiring healthcare).
They are available on the ingenico technical support page.

So Gemalto bought XIRING’s banking activity but it looks like this division of Xiring had no CCID reader.

Reader list

Aladdin

  1. eToken PRO USB 72K Java (Aladdin_eToken_PRO_USB_72K_Java.txt)

Axalto

  1. Reflex USB v3 (AxaltoV3.txt)

Note that the VendorID used by this reader is 0x04E6, the VendorID used by SCM (now Identive) for its readers. I guess the reader is an SCM one rebranded as Axalto.

Gemalto

  1. SA .NET Dual (Gemalto_SA_dotNet_Dual.txt)
  2. Ezio Shield Branch Reader (Gemalto_Ezio_Branch.txt)
  3. Ezio Shield (Gemalto_Ezio_Shield_PinPad.txt)
  4. Ezio Shield (Gemalto_Ezio_Shield.txt)
  5. EZIO CB+ (Gemalto_Ezio_CB+.txt)
  6. ING Shield Pro SC (Gemalto_Ezio_Shield_Secure_Channel.txt)
  7. Ezio Shield Pro SC (Gemalto_Ezio_Shield_Pro_SC.txt)
  8. IDBridge CT30 (Gemalto_IDBridge_CT30.txt)
  9. PDT (Gemalto_PDT.txt)
  10. Hybrid Smartcard Reader (Gemalto_HybridSmartcardReader.txt)
  11. IDBridge K30 (Gemalto_IDBridge_K30.txt)
  12. Smart Enterprise Guardian Secure USB Device (GemaltoSmartEnterpriseGuardian.txt)
  13. USB GemPCPinpad SmartCard Reader (GemPCPinpadv2.txt)
  14. IDBridge K3000 (Gemalto_IDBridge_K3000.txt)
  15. Smart Enterprise Guardian Secure USB Device (Gemalto_SG.txt)
  16. Prox Dual USB PC Link Reader (GemProxDU.txt)
  17. Prox SU USB PC LinkReader (GemProxSU.txt)

Gemplus

  1. Gemplus USB SmartCard Reader 433-Swap (GemPC433_SL.txt)
  2. USB GemPCPinpad SmartCard Reader (GemPCPinpad.txt)
  3. GemCore SIM Pro Smart Card Reader (GemCoreSIMPro.txt)
  4. GemCore POS Pro Smart Card Reader (GemCorePOSPro.txt)
  5. USB Shell Token V2 (GemPCKey.txt)
  6. PC Twin Reader (GemPCTwin.txt)
  7. GemPC Express (GemPC_Express.txt)
  8. Gem e-Seal Pro USB Token (Gem_e-SealPro.txt)

SafeNet

  1. SmartMX Sample (Philips_SmartMX.txt)

Similar remark as for Axalto. Here the iManufacturer is "Philips Semiconductors" and the VendorID is 0x04B9, which should be Rainbow Technologies.

SchlumbergerSema

  1. SchlumbergerSema Cyberflex Access (e-gate.txt)

Todos

  1. CX00 (Todos_Cx00.txt)
  2. Argos Mini II (Todos_AGM2_CCID.txt)

Conclusion

After so many fusions and acquisitions in the smart card industry it may be difficult to know where to get manufacturer support for a given reader.

Gemalto provides a drivers support page where you can find most of the "Gemalto" readers.