AlcorMicro AU9560 reader and fast smart cards: help from crowd needed

The AlcorMicro AU9560 smart card reader has problems with high speed smart cards.

The reported problem

The same problem is already reported in different places:

Example of cards in reported problems

The reader is always the same but used with different cards.

The card must have a TA1 > 0x95. To know the TA1 of your smart card you need to get and parse the card's ATR, for example using the pcsc_scan program from pcsc-tools.

The problem

The reader declares it can support card/reader communication speed up to 688 172 bps.
See dwMaxDataRate field in AlcorMicro_AU9560.txt.

It is fast but I have 4.5 % of readers in my list that declare to be faster (not including contactless readers).

But speeds above ~200 000 bps are problematic with the AlcorMicro AU9560. It works fine, until an APDU exchange fails with a "Hardware error" (for example) message from the reader:

00000009 APDU: 00 A4 00 00 02 3F 00 00
00000007 ifdhandler.c:1333:IFDHTransmitToICC() usb:058f/9540:libudev:0:/dev/bus/usb/001/002 (lun: 0)
00000006 commands.c:1670:CmdXfrBlockAPDU_extended() T=0 (extended): 8 bytes
00000017 -> 000000 6F 08 00 00 00 00 0E 00 00 00 00 A4 00 00 02 3F 00 00
02734396 <- 000000 80 00 00 00 00 00 0E 41 FB 00
00000025 commands.c:1563:CCID_Receive Hardware error
00000009 APDU: 00 A4 00 00 02 3F 00 00

Where are the bogus readers?

The AlcorMicro AU9560 is not a standalone USB reader. It must be integrated in a laptop. For example it is present in these laptop models:

  • Lenovo Thinkpad P17
  • Lenovo Thinkpad L15
  • Lenovo X1 Extreme Gen 2
  • HP Zbook
  • HP EliteBook.

I guess the same AlcorMicro AU9560 reader is present in a lot of other Lenovo or HP laptops and also laptops from other brands. 

Patch

I worked on a patch to remove the highest speeds so that the CCID driver will negotiate a lower speed that is still supported by the reader. 

Problem with the patch

My patch works fine with one card I have (NXP JCOP 4). But it generates problems with another card (Acos-ID).

The error occurs when the driver sets the communication speed. The Set Parameters command fails and the driver gets a "Card absent or mute" error.

00000004 [140396399142464] commands.c:2324:SetParameters() length: 7 bytes
00000006 [140396399142464] -> 000000 61 07 00 00 00 00 07 01 00 00 95 10 FF 46 00 FE 00
01646726 [140396415927872] ccid_usb.c:1532:InterruptRead() after (0) (2)
00621370 [140396399142464] <- 000000 82 00 00 00 00 00 07 41 FE 00
00000025 [140396399142464] commands.c:2351:SetParameters Card absent or mute
00000005 [140396399142464] prothandler.c:141:PHSetProtocol() Set PTS failed (612)

I suspect the problem to be specific to this card. But I am not sure. That is why I need your help to test with as many combinations as possible.
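The two failing exchanges in the traces above can be read directly from the 10-byte CCID message header. The decoder below is an added example, not code from the CCID driver; the lookup tables cover only the message types and error codes relevant to these traces, and the function names are illustrative.

```python
import re

# CCID bulk message types and slot error codes (subset, from the CCID spec)
MSG_TYPES = {0x61: "PC_to_RDR_SetParameters", 0x6F: "PC_to_RDR_XfrBlock",
             0x80: "RDR_to_PC_DataBlock", 0x81: "RDR_to_PC_SlotStatus",
             0x82: "RDR_to_PC_Parameters"}
ICC_STATUS = {0: "present, active", 1: "present, inactive", 2: "absent"}
CMD_STATUS = {0: "ok", 1: "failed", 2: "time extension"}
ERRORS = {0xFF: "CMD_ABORTED", 0xFE: "ICC_MUTE", 0xFD: "XFR_PARITY_ERROR",
          0xFC: "XFR_OVERRUN", 0xFB: "HW_ERROR"}

# Lines copied from the two pcscd traces in this post
SAMPLE_LOG = """\
00000017 -> 000000 6F 08 00 00 00 00 0E 00 00 00 00 A4 00 00 02 3F 00 00
02734396 <- 000000 80 00 00 00 00 00 0E 41 FB 00
00000025 commands.c:1563:CCID_Receive Hardware error
00000006 [140396399142464] -> 000000 61 07 00 00 00 00 07 01 00 00 95 10 FF 46 00 FE 00
00621370 [140396399142464] <- 000000 82 00 00 00 00 00 07 41 FE 00
"""

# Direction arrow, the hex dump offset, then the message bytes
FRAME = re.compile(r"(->|<-) 000000 ((?:[0-9A-F]{2} ?)+)$")


def decode_frame(direction, raw):
    """Decode the 10-byte CCID header of one bulk message."""
    if len(raw) < 10:
        raise ValueError("CCID header is 10 bytes")
    out = {"type": MSG_TYPES.get(raw[0], f"0x{raw[0]:02X}"),
           "length": int.from_bytes(raw[1:5], "little"),
           "slot": raw[5], "seq": raw[6]}
    if direction == "<-":                      # reader to host
        status = raw[7]
        out["icc"] = ICC_STATUS.get(status & 0x03, "RFU")
        out["cmd"] = CMD_STATUS.get(status >> 6, "RFU")
        if status >> 6 == 1:                   # bError is valid only on failure
            out["error"] = ERRORS.get(raw[8], f"0x{raw[8]:02X}")
    elif raw[0] == 0x61 and len(raw) > 10:
        out["protocol"] = raw[7]               # bProtocolNum: 0 is T=0, 1 is T=1
        out["fi_di"] = raw[10]                 # bmFindexDindex, same coding as TA1
    return out


def decode_log(text):
    """Return the decoded frames found in a pcscd trace, in order."""
    frames = []
    for line in text.splitlines():
        m = FRAME.search(line.rstrip())
        if m:
            frames.append(decode_frame(m.group(1), bytes.fromhex(m.group(2))))
    return frames


if __name__ == "__main__":
    for frame in decode_log(SAMPLE_LOG):
        print(frame)
```

Both responses carry bStatus 0x41 (command failed, card present but inactive); bError is 0xFB for the "Hardware error" case and 0xFE for "Card absent or mute", and the SetParameters request asks for Fi/Di 0x95.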

Your help is welcome

If you have:

  1. a laptop with the AlcorMicro AU9560 smart card reader
  2. a fast enough smart card (i.e. TA1 > 0x95)

then you can help me.

The AlcorMicro AU9560 and the AlcorMicro AU9540 both use the same USB idProduct value of 0x9540 even if the two readers are a bit different. So even if you have an AU9560 the PC/SC name will be "Alcor Micro AU9540 xx yy". If you do not know what reader you have just suppose you have an AU9560.

You can check the 2 conditions above (AlcorMicro and TA1 value) using the pcsc_scan tool:

$ pcsc_scan 
Using reader plug'n play mechanism
Scanning present readers...
0: Alcor Micro AU9540 00 00
 
Sat Dec 17 11:02:51 2022
 Reader 0: Alcor Micro AU9540 00 00
  Event number: 0
  Card state: Card inserted, Shared Mode, 
  ATR: 3B DC 96 FF 81 11 FE 80 31 C8 54 43 56 35 07 73 FF A1 C0 3C

ATR: 3B DC 96 FF 81 11 FE 80 31 C8 54 43 56 35 07 73 FF A1 C0 3C
+ TS = 3B --> Direct Convention
+ T0 = DC, Y(1): 1101, K: 12 (historical bytes)
  TA(1) = 96 --> Fi=512, Di=32, 16 cycles/ETU
    250000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 312500 bits/s
  TC(1) = FF --> Extra guard time: 255 (special value)
  TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1 
-----
  TD(2) = 11 --> Y(i+1) = 0001, Protocol T = 1 
-----
  TA(3) = FE --> IFSC: 254
+ Historical bytes: 80 31 C8 54 43 56 35 07 73 FF A1 C0
[...]
+ TCK = 3C (correct checksum)

Possibly identified card (using /home/rousseau/.cache/smartcard_list.txt):
3B DC 96 FF 81 11 FE 80 31 C8 54 43 56 35 07 73 FF A1 C0 3C
	NXP JCOP 4, J3R200P0X3U/0ZA16CP NXD6.2 (JavaCard)
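The TA1 check can also be done without pcsc_scan. The parser below is an added example, not code from pcsc-tools or the CCID driver: it walks the ATR interface bytes, verifies TCK and converts TA1 to a bit rate. The 4 MHz default clock follows the pcsc_scan output above, and the function names are illustrative.

```python
# Fi / Di tables from ISO/IEC 7816-3 (RFU indexes omitted)
FI = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
      9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}
DI = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}

# ATR of the NXP JCOP 4 card from the pcsc_scan output in this post
JCOP4_ATR = "3B DC 96 FF 81 11 FE 80 31 C8 54 43 56 35 07 73 FF A1 C0 3C"

def parse_atr(atr_hex):
    """Return (interface bytes, historical bytes, TCK ok or None if no TCK)."""
    atr = bytes.fromhex(atr_hex)
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("bad TS or ATR too short")
    y, k = atr[1] >> 4, atr[1] & 0x0F      # T0: Y1 bitmap, K historical bytes
    pos, i = 2, 1
    iface, protocols = {}, set()
    while True:
        # Each Y bitmap announces which of TAi, TBi, TCi, TDi follow
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError("truncated ATR")
                iface[f"{name}{i}"] = atr[pos]
                pos += 1
        td = iface.get(f"TD{i}")
        if td is None:
            break
        protocols.add(td & 0x0F)           # low nibble: protocol T
        y, i = td >> 4, i + 1              # high nibble: next Y bitmap
    hist = atr[pos:pos + k]
    if len(hist) != k:
        raise ValueError("truncated ATR")
    pos += k
    tck_ok = None
    if protocols - {0}:                    # TCK exists unless only T=0 is offered
        if pos >= len(atr):
            raise ValueError("truncated ATR")
        xor = 0
        for b in atr[1:pos + 1]:           # XOR of T0..TCK must be zero
            xor ^= b
        tck_ok = xor == 0
    return iface, hist, tck_ok

def max_bitrate(ta1, clock_hz=4_000_000):
    """Bit rate announced by TA1 at the given clock (4 MHz is an assumption)."""
    fi, di = FI.get(ta1 >> 4), DI.get(ta1 & 0x0F)
    if fi is None or di is None:
        raise ValueError(f"TA1 {ta1:02X} uses an RFU Fi or Di index")
    return clock_hz * di // fi

def is_fast_card(atr_hex):
    """The post's criterion: TA1 > 0x95 (TA1 defaults to 0x11 when absent)."""
    iface, _, _ = parse_atr(atr_hex)
    return iface.get("TA1", 0x11) > 0x95

if __name__ == "__main__":
    iface, hist, tck_ok = parse_atr(JCOP4_ATR)
    print(iface, tck_ok, max_bitrate(iface["TA1"]), is_fast_card(JCOP4_ATR))
```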

Please do:

  1. download, build and install the patched version of the CCID driver from https://ccid.apdu.fr/files/ccid-1.5.1-3ac3a1a.tar.bz2
  2. test it fixes the problems you had with the previous CCID driver
  3. test it does not create new problems that were not present with the previous CCID driver
  4. if a new problem appears I would like you to report it including:
    1. the exact computer model you use
    2. the name and ATR of the smart card you use
    3. a complete pcscd trace as documented in How to get support

You can report your results using different channels:
  1. on the MUSCLE mailing list
  2. by email to me
  3. by creating a new issue on the CCID project

Conclusion

Your help will greatly improve support of this reader commonly found in laptops.

Thank you.

[Update: Jan, 20th 2023]

The patch is now included in the CCID driver and will be present in the CCID release 1.5.2 (to be released later).

[Update: Jan, 31st 2023]

The CCID driver version 1.5.2 is now available.

Support of the AlcorMicro AU9560 should be better now.

PC/SC sample in TypeScript (Deno)

To continue the list of PC/SC wrappers initiated in 2010 with "PC/SC sample in different languages" I now present a new sample code in Deno, a modern runtime for JavaScript and TypeScript.

pcsc-deno

The wrapper is available at https://github.com/cryptographix/pcsc-deno and https://deno.land/x/pcsc

The author is Sean Michael Wykes.

The license is MIT.

I used version 0.4.
This version includes the fixes I proposed for GNU/Linux.

Deno

From Wikipedia Deno article:

Deno is a runtime for JavaScript, TypeScript, and WebAssembly that is based on the V8 JavaScript engine and the Rust programming language. Deno was co-created by Ryan Dahl, who also created Node.js.

Deno explicitly takes on the role of both runtime and package manager within a single executable, rather than requiring a separate package-management program.


Installation

Installation is very easy. First install Deno as documented in https://deno.land/#installation

The PC/SC wrapper will be downloaded and installed automatically at run time.

Source code

import {
  CommandAPDU,
  ContextProvider,
  ISO7816,
  PCSC,
} from 'https://deno.land/x/pcsc/mod.ts';

try {
  // establish a PC/SC context
  const context = ContextProvider.establishContext();

  // get all available readers
  const readers = context.listReaders();

  for (const reader of readers) {
    console.log(`Using reader: ${reader.name}`);
    if (reader.isMute) {
      console.log(`Reader ${reader.name}: MUTE`);
    } else if (reader.isPresent) {
      // connect
      const card = await reader.connect();

      // send Select Applet APDU
      const selectApplet = CommandAPDU
        .from([ISO7816.CLA.ISO, ISO7816.INS.SelectFile, 0x04, 0x00]) // ISO SELECT
        .setData([0xA0, 0x00, 0x00, 0x00, 0x62, 0x03, 0x01, 0x0C, 0x06, 0x01]);

      const resp = await card.transmitAPDU(selectApplet);

      // check for 0x90 0x00
      if (resp.SW == ISO7816.SW.SUCCESS) {
        // success ..
        console.log(`Reader ${reader.name}: applet successfully selected`);

        // send Test APDU
        const command = CommandAPDU
          .from([ISO7816.CLA.ISO, 0, 0, 0]);

        const resp = await card.transmitAPDU(command);
        if (resp.SW == ISO7816.SW.SUCCESS) {
          // success ..
          console.log(`Reader ${reader.name}: Test command successful`);

          // convert from bytes to string and display
          console.log(String.fromCharCode.apply(null, resp.data));
        } else {
          // something went wrong ..
          console.error(
            `Reader ${reader.name}: error SW=${resp.SW.toString(16)}`,
          );
        }
      } else {
        // something went wrong ..
        console.error(
          `Reader ${reader.name}: error SW=${resp.SW.toString(16)}`,
        );
      }

      // unpower and disconnect
      await card.disconnect(PCSC.Disposition.UnpowerCard);
    } else {
      console.log(`Reader ${reader.name}: NO CARD`);
    }
  }
  // release the PC/SC context
  context.shutdown();
} catch (e) {
  // TypeScript only accepts `any` or `unknown` as a catch variable type
  console.log(e, "error");
}


Output

$ deno run --unstable --allow-ffi blog.ts
Using reader: Gemalto PC Twin Reader (F8345B4A) 00 00
Reader Gemalto PC Twin Reader (F8345B4A) 00 00: applet successfully selected
Reader Gemalto PC Twin Reader (F8345B4A) 00 00: command successful
Hello world!


Conclusion

Nothing special to say. Thanks Sean for the wrapper.

If you work on a Free Software PC/SC wrapper that is not yet in my list please let me know.

Share a smart card reader between a host and its guest VM(s)

As I wrote in "One smart card reader accessible from many computers" it is possible to share a smart card reader between 2 or more systems.

 

Problem

I recently received a bug report about a problem between pcsc-lite and VirtualBox. When the smart card reader is connected to the VM guest then the kernel on the host reports errors like:

2022-11-11T14:25:01.186983-08:00 track pcscd[2474]: 00000001 eventhandler.c:336:EHStatusHandlerThread() Error communicating to: SCM Microsystems Inc. SCR 3310 [CCID Interface] (53311514247933) 00 00 
2022-11-11T14:25:01.186993-08:00 track pcscd[2474]: 00000005 ccid_usb.c:1356:InterruptRead() libusb_submit_transfer failed: LIBUSB_ERROR_IO 
2022-11-11T14:25:01.188050-08:00 track kernel: [ 1247.705353][ T2521] usb 1-2: usbfs: process 2521 (pcscd) did not claim interface 0 before use 
2022-11-11T14:25:01.188053-08:00 track kernel: [ 1247.705386][ T2521] usb 1-2: usbfs: process 2521 (pcscd) did not claim interface 0 before use 
2022-11-11T14:25:01.587034-08:00 track pcscd[2474]: 00400173 ccid_usb.c:865:WriteUSB() write failed (1/2): -1 LIBUSB_ERROR_IO 
2022-11-11T14:25:01.587076-08:00 track pcscd[2474]: 00000008 ifdwrapper.c:364:IFDStatusICC() Card not transacted: 612

And after some time (days) the host kernel crashes.

A Linux kernel crash is never a good thing. pcsc-lite may be very powerful but it can't crash the Linux kernel. Only a bug in the kernel itself can generate a crash. Here I suspect the VirtualBox Linux kernel module to do something bad.

Solution

Instead of connecting the USB smart card reader in the guest VM (and disconnecting it from the host) it is possible to share the smart card reader(s) between the host and guest with some help from pcsc-lite.

Setup

My demo setup:

I use 2 very different operating systems, GNU/Linux and NetBSD, on purpose. It is to show it is possible to mix systems. 

Host

In the host, no change to the configuration. But we will redirect (inject) /run/pcscd/pcscd.comm in the virtual machine. 

On the Debian host I run:

$ ssh -N -R/tmp/pcscd.comm:/run/pcscd/pcscd.comm VMNetBSD

Guest

On the NetBSD VM I use:

$ export PCSCLITE_CSOCK_NAME=/tmp/pcscd.comm

Then I can run any application using pcsc-lite and get access to the smart card(s) and reader(s) from the host. For example: 

$ pcsc_scan -c
Wed Nov 16 17:26:55 2022
 Reader 0: Alcor Micro AU9540 00 00
  Event number: 0
  Card state: Card inserted, 
  ATR: 3B A7 00 40 18 80 65 A2 08 01 01 52



Limitations

pcsc-lite to pcsc-lite

As I demonstrated the solution is not limited to GNU/Linux. Any Unix system using pcsc-lite can be used. But you must use the same pcsc-lite protocol on both sides.

For example the current protocol version used by pcsc-lite 1.9.9 (current version) is 4.4. It is the same protocol version since pcsc-lite 1.8.24 released in Oct 2018.

macOS or Windows host

It should be technically possible to use Windows or macOS as the host OS. That would involve a new development. Contact me if you need something like that.

Conclusion

No need to disconnect/reconnect the USB reader in the VM. Just share it with the host.

You will be able to use the same smart card at the same time on the two sides. Isn't it nice?

macOS Ventura and smart cards status

Ventura (macOS 13.0) has been available since October 2022.

I will compare this version to the previous one, Monterey, that I presented in "macOS Monterey and smart cards status".

CCID

$ grep -A 1 CFBundleShortVersionString /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/Info.plist
	<key>CFBundleShortVersionString</key>
	<string>1.5.0</string>

The CCID driver has been upgraded from version 1.4.34 as in Monterey to version 1.5.0.

Apple Open Source

The Open Source components included in macOS are listed at https://opensource.apple.com/releases/
 
In addition to a .tar.gz archive, the source code is also available in a github (acquired by Microsoft in 2018) repository at https://github.com/apple-oss-distributions/SmartcardCCID.
 
It is then easy to see the patches applied by Apple to the CCID driver:
But the patches have no documentation explaining why they are needed.
 
The only obvious patch is ccid-info-plist.patch that changes the value of ifdLogLevel from Info.plist configuration file from 3 (CRITICAL + INFO) to 1 (CRITICAL) in order to generate less logs.
 
It is also easy to compare two versions. For example the differences between the version for Monterey and the version for Ventura are available as a github diff between tags SmartcardCCID-55028 and SmartcardCCID-55031.

Crypto Token Kit

Nothing special to say. The source code of this part is not available.
 
My Objective-C sample from "PC/SC sample in Objective-C (synchronous)" still builds and works fine.
 

Security message on first connection

On the first connection of my USB smart card reader I got this dialogue box:
It is nice to see the security improvements.
 
As expected, I do not get the dialogue box again after I selected "Allow".

Conclusion

No big changes in Ventura for the smart card world.

New version of libccid: 1.5.1

I just released version 1.5.1 of libccid the Free Software CCID class smart card reader driver.

Changes:

1.5.1 - 14 November 2022, Ludovic Rousseau
  • Add support of
    • Access IS ATR220 with idProduct: 0x0184
    • Alcor Link AK9567
    • Alcor Link AK9572
    • BLUTRONICS TAURUS NFC
    • CHERRY SmartTerminal ST-1144
    • CREATOR CRT-603(CZ1) CCR
    • Dexon Tecnologias Digitais LTDA DXToken
    • ESMART Reader ER433x ICC
    • ESMART Reader ER773x Dual & 1S
    • Flight system consulting Incredist
    • Ledger Nano S
    • Ledger Nano S Plus
    • Ledger Nano SP
    • Ledger Nano X
    • SafeNet eToken Fusion
    • Sensyl SSC-NFC Reader
  • Adjust USB drivers path at run-time via environment variable PCSCLITE_HP_DROPDIR
  • configure.ac: add --enable-strict option
  • Fix a problem with AUTO PPS readers and ATR convention inverse cards
  • examples/scardcontrol:
    • add support of 6A xx error codes
    • check WinSCard error early
    • parse wLcdLayout & bEntryValidationCondition
  • macOS: log non sensitive strings as "%{public}s"
  • Some other minor improvements

Updated CCID driver for UEFI

In 2015 (7 years ago) I ported my CCID driver to UEFI (Unified Extensible Firmware Interface). For example read "UEFI Smart Card Reader Protocol implementation" and "PCSC sample in C for UEFI".

New version

I now updated the driver to use:

The driver is no longer a patch for edk2 but an independent UEFI driver in its own repository UEFI-SmartCardReader. It should now be easier to build.

I also updated my sample applications in UEFI-SmartCardReader-Samples.

Conclusion

This driver will not be used by a lot of people. The driver is for applications that are run in the UEFI (i.e. before the main operating system is started) and with a need to access smart cards.

If you use it and want to have new features, or just want to discuss, you can contact me. I am curious to know what people can do with it.

Ubuntu 22.04 and pcscd auto start failure

Problem

Since Ubuntu 22.04 LTS there is a problem with PC/SC daemon automatic start. pcscd is supposed to start when an application makes the first PC/SC call. See "pcscd auto start using systemd". In some cases pcscd will not start and SCardEstablishContext() will receive the error SCARD_E_NO_SERVICE.

A ticket is opened at Ubuntu with bug #1971984: pcscd 1.9.5-3 do not start automatically, only manual

The problem is present on some configurations only. I have no idea why on some systems it works fine and on some others we have the problem.

For an unknown reason pcscd.socket is inactive.

$ systemctl status pcscd.socket
○ pcscd.socket - PC/SC Smart Card Daemon Activation Socket
     Loaded: loaded (/lib/systemd/system/pcscd.socket; disabled; vendor preset: enabled)
     Active: inactive (dead)
   Triggers: ● pcscd.service
     Listen: /run/pcscd/pcscd.comm (Stream)
 

Fix

The fix is easy:

sudo systemctl enable pcscd.socket

And reboot.

 

No problem on Debian

The same pcscd package has no problem on Debian.

I compared the configuration scripts between the Ubuntu and Debian packages and they are the same. I guess the problem comes from systemd or dpkg on Ubuntu and the systemd configuration files are not always installed correctly. Again, no idea why.


Conclusion

The bug has been open since 2022-05-06. I don't know if someone at Ubuntu is working on it.

The pcscd package is in the section Universe (Community-Maintained, Open-Source Software) at Ubuntu. It is not in the section Main (Officially Supported, Open-Source Software) so maybe no engineer from Ubuntu is looking at this issue.

The problem may not be fixed until Ubuntu 24.04, the next LTS version.

PySCard 2.0.5 released

I just released a new version 2.0.5 of pyscard. PySCard is a python module adding smart cards support (PC/SC) to Python.

The PySCard project is available at:

This version is not even a bug fix release. No code has changed.

The problem is that for the previous version, 2.0.4, I uploaded an incorrect source archive to Pypi. I inadvertently included some generated files in the .tar.gz archive. I discovered the problem while creating the Debian package. I removed the incorrect file from Pypi. But then it is not possible to upload a new file with a name that was already present on Pypi.

The source .tar.gz is already present in the pyscard project on sourceforge.net so I thought it was OK.

But then I received bug reports like Missing source release for 2.0.4? or pyscard 2.0.4 not available on linux from pypi so I had to do something.


Changes:

New version of pcsc-lite: 1.9.9

I just released a new version of pcsc-lite 1.9.9.
pcsc-lite is a Free Software implementation of the PC/SC (or WinSCard) API for Unix systems. 

Changes:

1.9.9: Ludovic Rousseau
11 September 2022
  • SCardEstablishContext() may return SCARD_W_SECURITY_VIOLATION if refused by Polkit
  • Fix SCardReleaseContext() failure on orphan handles
  • Fix SCardDisconnect() on orphan handle
  • pcsc-spy: log the pioSendPci & pioRecvPci SCardTransmit() parameters
  • Improve the log from pcscd: log the return code in text instead of hex
  • Some other minor improvements

New PyKCS11 1.5.11 available

I just released a new version of PyKCS11, a Python wrapper above the PKCS#11 API.
See "PyKCS11 introduction" or "PyKCS11’s documentation".

The project is registered at Pypi: https://pypi.org/project/PyKCS11/
 

Changes:

1.5.11 - September 2022, Ludovic Rousseau

  • add deriveKey() with CKM_ECDH1_DERIVE and CK_ECDH1_DERIVE_PARAMS
  • support pSourceData in OAEP params
  • remove use of (deprecated) distutils
  • samples: port to Python 3
  • fix code coverage generation