New version of pcsc-lite: 1.8.22

I just released a new version of pcsc-lite 1.8.22.
pcsc-lite is a Free Software implementation of the PC/SC (or WinSCard) API for Unix systems.

1.8.22: Ludovic Rousseau
17 June 2017

  • SCardCancel() was broken in 1.8.21. The call was blocking.
  • Enable use of info level logging for pcscd using -i/--info

pcsc_scan on Windows

Since version 1.5.0 of pcsc-tools (see "New version of pcsc-tools: 1.5.0, 1.5.1, 1.5.2") it is possible to build and run pcsc_scan on Windows.


From the project webpage:

MSYS2 is a software distro and building platform for Windows

At its core is an independent rewrite of MSYS, based on modern Cygwin (POSIX compatibility layer) and MinGW-w64 with the aim of better interoperability with native Windows software. It provides a bash shell, Autotools, revision control systems and the like for building native Windows applications using MinGW-w64 toolchains.

It features a package management system to provide easy installation of packages, Pacman. It brings many powerful features such as dependency resolution and simple complete system upgrades, as well as straight-forward package building.

Using MSYS2 it is easy to build/port a Unix program on Windows.


To build the program use the classic sequence:
  1. ./configure
  2. make

$ ./configure
configure: loading site script /etc/
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking whether make supports nested variables... (cached) yes
checking build system type... x86_64-pc-msys
checking host system type... x86_64-pc-msys
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.exe
checking for suffix of executables... .exe
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
configure: WARNING: libpcsclite not found by pkg-config
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking winscard.h usability... yes
checking winscard.h presence... yes
checking for winscard.h... yes
checking for SCardEstablishContext... yes
checking for ANSI C header files... (cached) yes
checking for unistd.h... (cached) yes
checking time.h usability... yes
checking time.h presence... yes
checking for time.h... yes
checking for string.h... (cached) yes
checking stdio.h usability... yes
checking stdio.h presence... yes
checking for stdio.h... yes
checking for stdlib.h... (cached) yes
checking sys/time.h usability... yes
checking sys/time.h presence... yes
checking for sys/time.h... yes
checking whether sys/types.h defines makedev... yes
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating config.h
config.status: executing depfiles commands

Windows does not use pcsc-lite but its own natice WinSCard implementation. So it is not surprising that libpcsclite is not found by the configure script. What is important is that the header file winscard.h is found and that the function SCardEstablishContext() can be used.

$ make
make  all-am
make[1] : on entre dans le répertoire « /home/Ludovic/pcsc-tools »
  CC       pcsc_scan-pcsc_scan.o
  CCLD     pcsc_scan.exe
make[1] : on quitte le répertoire « /home/Ludovic/pcsc-tools »


$ ./pcsc_scan.exe
PC/SC device scanner
V 1.5.2 (c) 2001-2017, Ludovic Rousseau 
Using reader plug'n play mechanism
Scanning present readers...
0: Broadcom Corp Contacted SmartCard 0
1: Broadcom Corp Contactless SmartCard 0
Tue May 30 18:04:07 2017
 Reader 0: Broadcom Corp Contacted SmartCard 0
  Card state: Card removed, 
 Reader 1: Broadcom Corp Contactless SmartCard 0
  Card state: Card removed, 
 Reader 2: \\?PnP?\Notification
  Card state: 


The program has some limitations:
  • the special reader name \\?PnP?\Notification, used for reader hotplug events, has its name listed.
    This is not the case on GNU/Linux or macOS.
  • the program does not exit when the key sequence Ctrl-C is used. On Unix the Control-C sequence is used to send a SIGINT signal to the process. On Windows I do not know an equivalent.
    To quit pcsc_scan you have to terminate the process using the task manager. Not really a good User eXperience.


I do not plan to put a lot of effort into the Windows version of pcsc_scan. It was just an experiment.

If you want a change you can submit a Pull Request at the pcsc-tools github project.

New version of pcsc-tools: 1.5.0, 1.5.1, 1.5.2

I just released a new version of pcsc-tools, a suite of tools for PC/SC.

The main changes are for the pcsc_scan command.

1.5.2 - 28 May 2017, Ludovic ROUSSEAU

  • include gscriptor.desktop and test.script in the archive

1.5.1 - 28 May 2017, Ludovic ROUSSEAU
  • rename the archive pcsc-tools

1.5.0 - 28 May 2017, Ludovic ROUSSEAU
  • 221 new ATRs
  • pcsc_scan:
    • add APDU stress mode (-s) (send "Select MF" APDU in a loop)
    • display an animation while waiting for a card or reader event
  • use autoconf/automake

New PyKCS11 1.4.2 available

I just released a new version of PyKCS11, a Python wrapper above the PKCS#11 API.

See PyKCS11 introduction for more details about PyKCS11.

1.4.2 - May 2017, Ludovic Rousseau

  • Moved the project from to
  • Makefile: use a better default value for PREFIX
  • Fix PyKCS11.__del__(): test that every module is accessible
  • getSlotList(): add optional tokenPresent parameter
    By default the method returns all the slots (like before the change).
  • Always call C_Initialize() in ::Load() to work with some bogus PKCS#11 library (like libCryptoki2 from Safenet Luna SA HSM)
  • LowLevel samples: use PYKCS11LIB environment variable
  • some minor improvements

Available on:

New version of libccid: 1.4.27

I just released a version 1.4.27 of libccid the Free Software CCID class smart card reader driver.

1.4.27 - 21 May 2017, Ludovic Rousseau

  • Add support of
    • ACS ACR1255U-J1
    • ACS CryptoMate (T2)
    • ANCUD CCID USB Reader & RNG
    • DUALi DE-620 Combi
    • FT CCID
    • FT CCID KB
    • FT U2F CCID KB
    • HID Global OMNIKEY 5422 Smartcard Reader
    • InfoThink IT-102MU Reader
    • Kapsch TrafficCom USB SAM reader
    • MK Technology KeyPass S1
    • Mulann PVT
    • Regula RFID Reader
    • Spyrus Inc PocketVault P-3X
    • Unicept GmbH AirID USB
  • Add Microchip SEC1210 UART support (when connected on a serial port)
  • Add Zero Length Packet (ZLP) support for Gemalto IDBridge CT30 and K30
    enable the patch using ./configure --enable-zlp
  • Add support of HID Omnikey 5422 as multi slot reader (for macOS)
  • Escape command: signals buffer overflow instead of silently truncating the buffer
  • Fix a bug with multi readers and pcscd uses hotplug_libusb (not the recommended configuration)
  • Some minor improvements

New version of pcsc-lite: 1.8.21

I just released a new version of pcsc-lite 1.8.21.
pcsc-lite is a Free Software implementation of the PC/SC (or WinSCard) API for Unix systems.

1.8.21: Ludovic Rousseau
20 May 2017

  • SCardCancel():
    • fix a race condition bug
    • fix a possible use after free
    • improve Doxygen documentation
  • SCardGetStatusChange(): fix a race condition when a reader is removed
  • SCardDisconnect(): fix status update for SCARD_UNPOWER_CARD
  • pcsc_stringify_error(): use Thread-local storage
  • pcsc_stringify_error() now returns a const char *
  • SCardControl() may return SCARD_E_INSUFFICIENT_BUFFER when pbRecvBuffer is not big enough to receive the card response.
  • Fix compilation error with GCC 4.9
  • UnitaryTests: add support of Python 3
  • pcsc-spy: add support of Python 3
  • Some other minor improvements

Google Open Source Peer Bonus winner

I am pleased to announce that I am one of the 2017 "Google Open Source Peer Bonus winners" for my work on pcsc-lite and the CCID driver.

The latest round of Google Open Source Peer Bonus winners

Monday, March 27, 2017
Google relies on open source software throughout our systems, much of it written by non-Googlers. We’re always looking for ways to say “thank you!” so 5 years ago we started asking Googlers to nominate open source contributors outside of the company who have made significant contributions to codebases we use or think are important. We’ve recognized more than 500 developers from 30+ countries who have contributed their time and talent to over 400 open source projects since the program’s inception in 2011. Today we are pleased to announce the latest round of awardees, 52 individuals we’d like to recognize for their dedication to open source communities. The following is a list of everyone who gave us permission to thank them publicly:
Name Project Name Project
Philipp Hancke Adapter.js Fernando Perez Jupyter & IPython
Geoff Greer Ag Michelle Noorali Kubernetes & Helm
Dzmitry Shylovich Angular Prosper Otemuyiwa Laravel Hackathon Starter
David Kalnischkies Apt Keith Busch Linux kernel
Peter Mounce Bazel Thomas Caswell matplotlib
Yuki Yugui Sonoda Bazel Tatsuhiro Tsujikawa nghttp2
Eric Fiselier benchmark Anna Henningsen Node.js
Rob Stradling Certificate Transparency Charles Harris NumPy
Ke He Chromium Jeff Reback pandas
Daniel Micay CopperheadOS Ludovic Rousseau PCSC-Lite, CCID
Nico Huber coreboot Matti Picus PyPy
Kyösti Mälkki coreboot Salvatore Sanfilippo Redis
Jana Moudrá Dart Ralf Gommers SciPy
John Wiegley Emacs Kevin O'Connor SeaBIOS
Alex Saveau FirebaseUI-Android Sam Aaron Sonic Pi
Toke Hoiland-Jorgensen Flent Michael Tyson The Amazing Audio Engine
Hanno Böck Fuzzing Project Rob Landley Toybox
Luca Milanesio Gerrit Bin Meng U-Boot
Daniel Theophanes Go programming language Ben Noordhuis V8
Josh Snyder Go programming language Fatih Arslan vim-go
Brendan Tracey Go programming language Adam Treat WebKit
Elias Naur Go on Mobile Chris Dumez WebKit
Anthonios Partheniou Google Cloud Datalab Sean Larkin Webpack
Marcus Meissner gPhoto2 Tobias Koppers Webpack
Matt Butcher Helm Alexis La Goutte Wireshark dissector for QUIC
Congratulations to all of the awardees, past and present! Thank you for your contributions.
By Helen Hu, Open Source Programs Office

The bonus (I should receive) is a credit card with 250$.

That is not much compared to Google annual profit. Google operating profit for 2016 was 30 419 M$.
My bonus part is 250 / 30 419 000 000 = 0.000 000 008 218 548.

That is not much for Google, but this is twice the amount I received in bitcoin for now ("How to help my projects? Send me bitcoins!").

"PC/SC" sample in Objective-C (synchronous)

To continue the list of PC/SC wrappers initiated in 2010 with "PC/SC sample in different languages" I now present a new sample in Objective-C using the Apple Crypto Token Kit API.

I already proposed a sample code in Objective-C in "PCSC sample in Objective-C". This code used the asynchronous version of sendIns. The API is:

- (void)sendIns:(UInt8)ins 
           data:(NSData *)requestData 
             le:(NSNumber *)le 
          reply:(void (^)(NSData *replyData, UInt16 sw, NSError *error))reply;

The method returns immediately and a callback reply block is executed when the card response is received.

We will now use the synchronous version of sendIns. The API is:
- (NSData *)sendIns:(UInt8)ins 
               data:(NSData *)requestData 
                 le:(NSNumber *)le 
                 sw:(UInt16 *)sw 
              error:(NSError * _Nullable *)error;

Crypto Token Kit API

In Yosemite (Mac OS X 10.10) Apple introduced a new API to access smart cards. See OS X Yosemite and smart cards status.
This API is not a wrapper above PC/SC. It is the native API to be used on macOS. You do not need to install it, it comes with the OS.

Since PC/SC is not used here the blog title may be misleading. So I used " " around PC/SC this time.

Source code

Create a new Cocoa application in Xcode. You need to enable the App Sandbox and add/set the entitlement to yes.

My sample HellloWorld application does not use Cocoa. It is a text only application.

#import <CryptoTokenKit/CryptoTokenKit.h>

int main(int argc, const char * argv[])
    TKSmartCardSlotManager * mngr;
    mngr = [TKSmartCardSlotManager defaultManager];

    // Use the first reader/slot found
    NSString *slotName = (NSString *)mngr.slotNames[0];
    NSLog(@"slotName: %@", slotName);

    dispatch_semaphore_t sem = dispatch_semaphore_create(0);

    // connect to the slot
    [mngr getSlotWithName:slotName reply:^(TKSmartCardSlot *slot)
         // connect to the card
         TKSmartCard *card = [slot makeSmartCard];
         if (nil == card)
             NSLog(@"No card found");

             // signals end of getSlotWithName block


         // begin a session
         [card beginSessionWithReply:^(BOOL success, NSError *error)
              if (success)
                  NSData *response;
                  UInt16 sw;
                  NSString *newString;

                  // explicitly set the CLA byte even if 0 is already the default value
                  card.cla = 0x00;

                  // send 1st APDU
                  uint8_t aid[] = {0xA0, 0x00, 0x00, 0x00, 0x62, 0x03, 0x01, 0x0C, 0x06, 0x01};
                  NSData *data = [NSData dataWithBytes:aid length:sizeof aid];

                  response = [card sendIns:0xA4 p1:0x04 p2:0x00 data:data le:nil sw:&sw error:&error];

                  if (nil == response)
                      NSLog(@"sendIns error: %@", error);
                      goto out;

                  NSLog(@"Response: %@ 0x%04X", response, sw);

                  // send 2nd APDU
                  response = [card sendIns:0x00 p1:0x00 p2:0x00 data:nil le:@0 sw:&sw error:&error];

                  if (nil == response)
                      NSLog(@"sendIns error: %@", error);
                      goto out;

                  NSLog(@"Response: %@ 0x%04X", response, sw);

                  newString = [[NSString alloc] initWithData:response encoding:NSASCIIStringEncoding];
                  NSLog(@"%@", newString);

                  // end the session
                  [card endSession];
                  NSLog(@"Session error: %@", error);

              // signals end of beginSessionWithReply block

    // wait for the asynchronous blocks to finish
    dispatch_semaphore_wait(sem, DISPATCH_TIME_FOREVER);

    return 0;


2017-03-31 10:54:24.990581+0200 HelloWorld[19931:85555] slotName: Gemalto PC Twin Reader
2017-03-31 10:54:25.103855+0200 HelloWorld[19931:85584] Response: <> 0x9000
2017-03-31 10:54:25.115946+0200 HelloWorld[19931:85584] Response: <48656c6c 6f20776f="" 726c6421=""> 0x9000
2017-03-31 10:54:25.115993+0200 HelloWorld[19931:85584] Hello world!


Compared to the previous Objective-C sample in "PCSC sample in Objective-C" this code has some improvements/bugs fixes:
  • [card endSession]; is called.
    This is needed to close the session started by [card beginSessionWithReply:...].
  • The main thread is waiting for the callbacks from [mngr getSlotWithName:...] and [card beginSessionWithReply:...] to finish using a semaphore (instead of a sleep()).

The CryptoTokenKit API provides a in​Session​With​Error:​execute​Block: to synchronously begin a session instead of using begin​Session​With​Reply:​ and end​Session. But this method has some limitations/bugs and is not (yet) easy to use. I may use it in a next sample code when it will be fixed (in macOS 10.13?).


In general, I prefer to use synchronous calls. So the possibility to use a synchronous sendIns: method is nice.
Depending on your needs, the CryptoTokenKit TKSmart​Card API offers you the choice between a synchronous or asynchronous version.

Gemalto IDBridge K30, K50, CT30 and Zero Length Packet issue

Some Gemalto smart card readers with a specific firmware version have a problem and send bogus USB frames.

Possibly affected devices

Some firmware versions of the following devices are affected
  • K30
  • CT30


If you generate a pcscd log as described in "How to get support" and see:
00000023 commands.c:2251:SetParameters() length: 7 bytes
00000037 -> 000000 61 07 00 00 00 00 0E 01 00 00 18 10 02 58 00 FE 00
00001776 <- 000000
00000025 commands.c:2271:SetParameters() Not enough data received: 0 bytes

Then your reader may suffer from the Zero Length Packet issue. The reader, sometimes, sends a USB packet with no data (so a size of 0 bytes).


The problem is that it is not possible to specifically and uniquely identify the problematic devices.

In the CCID driver version 1.4.11 (12 June 2013) I added two patches ("ReadUSB: Zero Length Packet (ZLP) support", "Add Zero Length Packet (ZLP) support for Gemalto IDBridge CT30 and K30") to circumvent the problem.

But this code caused problem with some smart card reader that had not the problem and failed to work with the "fix" ("[#314691] Gemalto ID Bridge K50 Smart card Reader does not work on USB2 with ZLP fix").

So in CCID driver version 1.4.19 (13 May 2014) I removed the patch in "Remove ZLP patch for Gemalto IDBridge CT30 and K30.".


I added the patch again in the CCID driver ("Add Zero Length Packet (ZLP) support for Gemalto IDBridge CT30 and K30", "ZLP: enable the patch only if --enable-zlp is used") but this time the patch is disabled by default. So no bad side effect can happen.

You have to build the driver using the configure option --enable-zlp to explicitly enable the modification.

The new code will be provided in the next CCID driver release: 1.4.27 (not yet released).


I am sorry to not be able to correctly circumvent the problem in the CCID driver itself.

If your reader has the problem then you will have to (re)build the CCID driver yourself at each new CCID driver upgrade.

[Update] 21 May 2017

The CCID driver version 1.4.27 is now available.

PC/SC sample in Rust

To continue the list of PC/SC wrappers initiated in 2010 with "PC/SC sample in different languages" I now present a sample in Rust.


pcsc-rust is written by Ran Benita since January 2017 and uses the MIT license.

Project web site:


pcsc-rust is easy to use. Installation is automatic using cargo (the Rust package manager).

Source code

You only need 2 files: one file Cargo.toml indicating the dependency on pcsc-rust, and the source code itself in the default file src/

File Cargo.toml:

name = "hello_world"
version = "0.1.0"
authors = ["Your Name <>"]

pcsc = "0.1"

File src/

extern crate pcsc;

use pcsc::*;
use std::str;

fn main() {
    // Establish a PC/SC context.
    let ctx = Context::establish(Scope::User)
        .expect("failed to establish context");

    // List available readers.
    let mut readers_buf = [0; 2048];
    let mut readers = ctx.list_readers(&mut readers_buf)
        .expect("failed to list readers");

    // Use the first reader.
    let reader =
        .expect("no readers are connected");
    println!("Using reader: {:?}", reader);

    // Connect to the card.
    let card = ctx.connect(reader, ShareMode::Shared, PROTOCOL_ANY)
        .expect("failed to connect to card");

    // Send an SELECT APDU command.
    let apdu = b"\x00\xA4\x04\x00\x0A\xA0\x00\x00\x00\x62\x03\x01\x0C\x06\x01";
    let mut rapdu_buf = [0; MAX_BUFFER_SIZE];
    let rapdu = card.transmit(apdu, &mut rapdu_buf)
        .expect("failed to transmit APDU to card");
    println!("{:?}", rapdu);

    // Send an COMMAND APDU command.
    let apdu = b"\x00\x00\x00\x00";
    let mut rapdu_buf = [0; MAX_BUFFER_SIZE];
    let rapdu = card.transmit(apdu, &mut rapdu_buf)
        .expect("failed to transmit APDU to card");
    println!("{:?}", rapdu);

    // remove the extra 2 SW bytes at the end
    let text = &rapdu[0 .. rapdu.len()-2];

    // convert to UTF-8 (ASCII in fact)
    println!("{}", str::from_utf8(&text).unwrap());

The source code is an adaptation of the already existing pcsc-rust project example:


$ cargo build
   Compiling pkg-config v0.3.9
   Compiling bitflags v0.7.0
   Compiling pcsc-sys v0.1.0
   Compiling pcsc v0.1.0
   Compiling hello_world v0.1.0 (file:///Users/rousseau/Documents/sc/HelloWorld%20Rust)
    Finished debug [unoptimized + debuginfo] target(s) in 3.4 secs


$ ./target/debug/hello_world
Using reader: "Gemalto PC Twin Reader"
[144, 0]
[72, 101, 108, 108, 111, 32, 119, 111, 114, 108, 100, 33, 144, 0]
Hello world!


pcsc-rust API seems complete, is easy to use and is well documented.

If you know a PC/SC wrapper that is not yet in my list then please contact me.