pcsc-lite and polkit

Red Hat and derivatives (Fedora, etc.) use polkit to restrict access to the smart cards.

You can find documentation at Chapter 7. Controlling access to smart cards using polkit. polkit Authorization Manager is documented at polkit — Authorization Manager.

Test on Fedora 39

Local execution

I log in on the console and run pcsc_scan or scriptor (both from pcsc-tools): no problem.

Remote execution

I log in using ssh and I get:

$ ssh localhost
[...]
[remote ~]$ pcsc_scan
PC/SC device scanner
V 1.6.2 (c) 2001-2022, Ludovic Rousseau <ludovic.rousseau@free.fr>
SCardEstablishContext: Access denied.

Logs

The message from pcscd logs is more explicit than the numerical value SCARD_W_SECURITY_VIOLATION (0x8010006A) returned by SCardEstablishContext().

$ journalctl --unit=pcscd --follow
[...]
nov. 13 18:41:38 fedora39 pcscd[1353]: 40822797 auth.c:143:IsClientAuthorized() Process 6512 (user: 1000) is NOT authorized for action: access_pcsc
nov. 13 18:41:38 fedora39 pcscd[1353]: 00000189 winscard_svc.c:336:ContextThread() Rejected unauthorized PC/SC client

New rule

To get access, when connecting from remote, I need to create a file /usr/share/polkit-1/rules.d/03-polkit-pcscd.rules containing:

polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.user == "rousseau") {
            return polkit.Result.YES;
    }
});

The programming language in the rules file is JavaScript. You can change the code to be whatever you want.

Of course change the test subject.user == ... to use your own login name.

And now I can access PC/SC even when connected from remote.

$ pcsc_scan -r
0: Alcor Micro AU9540 00 00

There is another control, this time at the smart card reader level. Even if I can access PC/SC to list readers I may not be allowed to access the readers. For example if I use scriptor to use the smart card inserted in the reader I get:

$ scriptor
No reader given: using Alcor Micro AU9540 00 00
Can't allocate Chipcard::PCSC::Card object: Access denied.

To access a specific reader I need to add a new rule in /usr/share/polkit-1/rules.d/03-polkit-pcscd.rules.

polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        action.lookup("reader").startsWith('Alcor Micro AU9540') &&
        subject.user == "rousseau") {
            return polkit.Result.YES;
    }
});

Note the test action.lookup("reader").startsWith('Alcor Micro AU9540'). You could use the test for string equality == but the reader name is "Alcor Micro AU9540 00 00" and I don't care about the numbers at the end of the reader name. The numbers indicate the index and slot. See What is in a PC/SC reader name?. I want to be able to access this specific reader even if it is the second reader connected, with index=01 instead of 00.
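To check how the two rules above behave before installing them, here is an added example (not from the article and not polkit's own code) that mimics the small part of the polkit rule API the rules use (polkit.addRule, polkit.Result, action.lookup, subject.user) so the rules can be exercised under node. The user and reader names are the ones used above; "no rule answered" is modelled as null, the case where polkit falls back to the default written in the action's .policy file.

```javascript
"use strict";

// Stand-in for the polkit JavaScript API (assumed minimal subset, not the
// real implementation): rules run in the order they were added and the first
// one that returns a value decides; a rule that returns nothing leaves the
// decision to the next rule and finally to the .policy default.
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: null },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
  evaluate(action, subject) {
    for (const rule of this._rules) {
      const r = rule(action, subject);
      if (r !== undefined && r !== null) return r;
    }
    return polkit.Result.NOT_HANDLED;
  },
};

// Minimal Action object: the action id plus lookup() for details such as
// the "reader" detail that pcscd attaches to access_card checks.
function makeAction(id, details) {
  return { id, lookup: (key) => details[key] };
}

// Rule 1 (first rules file above): let the user talk to pcscd at all.
polkit.addRule(function (action, subject) {
  if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
      subject.user == "rousseau") {
    return polkit.Result.YES;
  }
});

// Rule 2 (second rules file above): allow access to a card in any reader
// whose name starts with the model name, so "Alcor Micro AU9540 00 00" and
// "Alcor Micro AU9540 01 00" (same model, plugged in second) both match.
polkit.addRule(function (action, subject) {
  if (action.id == "org.debian.pcsc-lite.access_card" &&
      action.lookup("reader").startsWith("Alcor Micro AU9540") &&
      subject.user == "rousseau") {
    return polkit.Result.YES;
  }
});

// Ask the rule set for a decision. `reader` only matters for access_card,
// where pcscd supplies the PC/SC reader name as a detail.
function decide(actionId, user, reader) {
  const details = reader === undefined ? {} : { reader };
  return polkit.evaluate(makeAction(actionId, details), { user });
}

// Constructed checks mirroring the situations described in the article.
const cases = [
  ["org.debian.pcsc-lite.access_pcsc", "rousseau"],
  ["org.debian.pcsc-lite.access_pcsc", "someone-else"],
  ["org.debian.pcsc-lite.access_card", "rousseau", "Alcor Micro AU9540 01 00"],
  ["org.debian.pcsc-lite.access_card", "rousseau", "Gemalto PC Twin Reader 00 00"],
];
for (const c of cases) console.log(c.join(" / "), "=>", decide(...c));
```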

With this second polkit rule I can access the reader and I get:

$ scriptor
No reader given: using Alcor Micro AU9540 00 00
Using T=0 protocol
Reading commands from STDIN

See Controlling access to smart cards for more examples.

Disabling polkit

You can disable polkit at build time using ./configure --disable-polkit. But you may not want to rebuild a package provided by your GNU/Linux distribution.

It is also possible to disable polkit at runtime using pcscd --disable-polkit. In general pcscd (the PC/SC daemon) is started by systemd so the solution is to create a file /etc/default/pcscd with the content:

PCSCD_ARGS=--disable-polkit

Issues

This default configuration is causing some problems when you access a remote system (RDP, ssh, etc.). For example see Bug 1478345 - Repeated authentication requests in remote session.

It is the job of the system administrator to define who has access to what in the system. The default is to refuse the smart card accesses from a non local user. I think this is a good choice, but we can discuss it and change the default behaviour.

Non Red Hat systems

Debian now provides a recent enough version of the polkit library polkit-gobject-1. I have enabled polkit support by default in pcsc-lite. So Debian, Ubuntu, their derivatives and other GNU/Linux distributions will also benefit from the polkit security feature.

Conclusion

polkit is a nice security feature.

I have other possible security improvements for pcsc-lite in my list like Use systemd to restrict pcscd rights. If you want to have them implemented please contact me.

New version of pcsc-perl: 1.4.15

I just released a new version 1.4.15 of pcsc-perl, the Perl wrapper for PC/SC.

SCARD_W_SECURITY_VIOLATION error code

I wanted to make a new release to add support of the SCARD_W_SECURITY_VIOLATION PC/SC error code.

This code is returned when the client access is denied because of a polkit security policy.

The error is now:

$ scriptor
Could not create Chipcard::PCSC object: Access denied.

Instead of:

$ scriptor
Could not create Chipcard::PCSC object: Unknown (reader specific ?) error...

Lost archives

The previous version 1.4.14 was released in November 2015, 8 years ago.

Pcsc-perl was using the versioning tool CVS (Concurrent Versions System). The bad news is that I lost my CVS archives. I think I removed the archive directory because I thought I had migrated all my software projects to subversion or git. But that was not the case and the development history of pcsc-perl is mostly lost. Yes, I do have backups, but not as old as 8 years.

The code is now in a git repository at Salsa and github.

Changes:

1.4.15 - 18 November 2023, Ludovic ROUSSEAU

  • add support of SCARD_W_SECURITY_VIOLATION error code

Apple's own CCID driver in Sonoma

OS X has built-in support for USB CCID class-compliant SmartCard readers

From SmartCardServices(7) manpage in macOS Sonoma:

USB SMART CARD READER DRIVERS

OS X has built-in support for USB CCID class-compliant SmartCard readers. For other readers, install the reader driver in /usr/local/libexec/SmartCardServices/drivers. Each driver is a bundle. The bundle contains an XML file Info.plist which contains the device's USB vendor ID and product ID. For detailed description of the plist format and how to write a reader driver, see http://pcsclite.alioth.debian.org/api/group__IFDHandler.html

The built-in SmartCard reader driver is preferred by the System and it is possible to change the preference to the IFD CCID by setting the global preference:

sudo defaults write /Library/Preferences/com.apple.security.smartcard useIFDCCID -bool yes

Check status

It is easy to check which CCID driver is enabled on macOS Sonoma.

Built-in (Apple) driver enabled

% defaults read /Library/Preferences/com.apple.security.smartcard.plist useIFDCCID
2023-09-29 13:38:28.133 defaults[1145:25704]
The domain/default pair of (/Library/Preferences/com.apple.security.smartcard.plist, useIFDCCID) does not exist

IFD CCID (my driver) enabled

% defaults read /Library/Preferences/com.apple.security.smartcard.plist useIFDCCID
1

The result is 1 so the "external" (non-Apple) CCID driver is enabled.

To dump the complete configuration of com.apple.security.smartcard do:

% defaults read /Library/Preferences/com.apple.security.smartcard.plist
{
    CardsNeedsBaseFiDi =     (
        3B6E000080318065B00302015E8300009000,
        3BD518008131FE7D8073C82110F4
    );
    Logging = 0;
    useIFDCCID = 1;
}

Logs

You can use my script log_macOS_ifdbundle.sh to have some logs when you connect a reader:

% ./log_macOS_ifdbundle.sh -d
2023-09-28 14:49:11.678646+0200 0x22aa     Debug       0x0                  858    0    com.apple.ifdreader: [com.apple.CryptoTokenKit:smartcard] deviceRemovalHandler invoked (entryId=4294970735)
2023-09-28 14:49:11.678780+0200 0x22aa     Debug       0x0                  858    0    com.apple.ifdreader: [com.apple.CryptoTokenKit:smartcard] installed device removal notification
2023-09-28 14:49:11.680320+0200 0x22aa     Debug       0x0                  858    0    com.apple.ifdreader: (CoreFoundation) [com.apple.defaults:User Defaults] found no value for key useIFDCCID in CFPrefsPlistSource<0x14a906640> (Domain: com.apple.security.smartcard, User: kCFPreferencesAnyUser, ByHost: Yes, Container: (null), Contents Need Refresh: No)
2023-09-28 14:49:11.681744+0200 0x22aa     Info        0x0                  858    0    com.apple.ifdreader: [com.apple.CryptoTokenKit:smartcard] new device skipped: 0x0529/0x0620 100000 (entryId=4294970735)

The com.apple.ifdreader component is looking for the useIFDCCID key. Here the key is not found so the Apple driver will be used.

Enable my CCID driver

So it is possible to switch from the Apple driver to my CCID driver (also included in macOS Sonoma) using the command:

sudo defaults write /Library/Preferences/com.apple.security.smartcard useIFDCCID -bool yes

Apple driver

Apple's own CCID driver is /System/Library/CryptoTokenKit/usbsmartcardreaderd.slotd.

It contains typical CCID names:

% strings /System/Library/CryptoTokenKit/usbsmartcardreaderd.slotd/Contents/MacOS/usbsmartcardreaderd | grep PC_
PC_to_RDR_IccPowerOn
PC_to_RDR_IccPowerOff
PC_to_RDR_GetSlotStatus
PC_to_RDR_XfrBlock
PC_to_RDR_GetParameters
PC_to_RDR_ResetParameters
PC_to_RDR_SetParameters
PC_to_RDR_Escape
PC_to_RDR_IccClock
PC_to_RDR_T0APDU
PC_to_RDR_Secure
PC_to_RDR_Mechanical
PC_to_RDR_Abort
PC_to_RDR_SetDataRateAndClockFrequency
RDR_to_PC_DataBlock
RDR_to_PC_SlotStatus
RDR_to_PC_Parameters
RDR_to_PC_Escape
RDR_to_PC_DataRateAndClockFrequency
RDR_to_PC_NotifySlotChange
RDR_to_PC_HardwareError

These names are the command names used in the USB CCID specification.

I note that this file was already present in the previous macOS version: Ventura. But this driver was not enabled by default.

I guess Apple now decided its own CCID driver was mature enough to enable it by default.

Source code?

I don't think Apple will publish the source code of its CCID driver. At least I was not able to find it at Open Source at Apple for the version of macOS Sonoma 14.0 or 14.1.

Apple already replaced pcsc-lite with their own version of the resource manager in macOS Yosemite in 2014 (OS X Yosemite and smart cards status). They now replace the Free Software CCID driver with their own version.

History

Since the source code is not public it will be difficult to know what the changes in the Apple CCID driver are.

In Sonoma 14.0 we had:

$ codesign --verbose=3 --verify --display /System/Library/CryptoTokenKit/usbsmartcardreaderd.slotd
Executable=/System/Library/CryptoTokenKit/usbsmartcardreaderd.slotd/Contents/MacOS/usbsmartcardreaderd
Identifier=com.apple.usbsmartcardreaderd
Format=bundle with Mach-O universal (x86_64 arm64e)
CodeDirectory v=20400 size=2102 flags=0x0(none) hashes=55+7 location=embedded
Platform identifier=15
Hash type=sha256 size=32
CandidateCDHash sha256=555a981af8457fcb972e0301c087361e410a52ef
CandidateCDHashFull sha256=555a981af8457fcb972e0301c087361e410a52ef76c7cea851f838ecb7393f62
Hash choices=sha256
CMSDigest=555a981af8457fcb972e0301c087361e410a52ef76c7cea851f838ecb7393f62
CMSDigestType=2
CDHash=555a981af8457fcb972e0301c087361e410a52ef
Signature size=4442
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Signed Time=15 Sep 2023 at 23:49:40
Info.plist entries=20
TeamIdentifier=not set
Sealed Resources version=2 rules=2 files=0
Internal requirements count=1 size=80

In Sonoma 14.1 we now have:

$ codesign --verbose=3 --verify --display /System/Library/CryptoTokenKit/usbsmartcardreaderd.slotd
Executable=/System/Library/CryptoTokenKit/usbsmartcardreaderd.slotd/Contents/MacOS/usbsmartcardreaderd
Identifier=com.apple.usbsmartcardreaderd
Format=bundle with Mach-O universal (x86_64 arm64e)
CodeDirectory v=20400 size=2102 flags=0x0(none) hashes=55+7 location=embedded
Platform identifier=15
Hash type=sha256 size=32
CandidateCDHash sha256=b1723b968b6f316aca6172bea0ee75cc4c9de56a
CandidateCDHashFull sha256=b1723b968b6f316aca6172bea0ee75cc4c9de56a962ab2d8bc00659d000f860d
Hash choices=sha256
CMSDigest=b1723b968b6f316aca6172bea0ee75cc4c9de56a962ab2d8bc00659d000f860d
CMSDigestType=2
CDHash=b1723b968b6f316aca6172bea0ee75cc4c9de56a
Signature size=4442
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Signed Time=6 Oct 2023 at 05:45:18
Info.plist entries=20
TeamIdentifier=not set
Sealed Resources version=2 rules=2 files=0
Internal requirements count=1 size=80

The signature date changed from "15 Sep 2023" to "6 Oct 2023" and the SHA256 hash also changed.

I do not plan to reverse engineer the Apple driver.

My comments

Class driver

The Apple driver is a class driver. Any USB device declared with bInterfaceClass set to 0x0b (Smart Card) should work.

Tweaks

My CCID driver is now old (The first commit was in August 2003. My CCID driver: 20 years anniversary). And I added a lot of special patches to support specific readers.

If you have such a reader the Apple driver may not work for you. In that case you can install a custom driver, or enable my CCID driver 1.5.1 included in macOS Sonoma as seen above in Enable my CCID driver.

Can Apple reuse my tweaks to improve their driver?

The source code of my driver is available so Apple developers can read it.

My driver is protected by the GNU Lesser General Public License version 2.1+ (LGPL). So if Apple wants to reuse some of my code it has to use the same LGPL license for its code. My guess is that Apple worked on its own CCID driver in particular to avoid any use of a GPL or LGPL protected code in macOS.

So Apple will have to design its own tweaks, or not support some readers.

Bugs reported in Sonoma

The bug macOS Sonoma bug: SCardControl() returns SCARD_E_NOT_TRANSACTED is now easy to understand.

The Apple driver does NOT support SCardControl(). And since it was enabled by default in Sonoma 14.0 all the applications that use SCardControl() failed to work.

What happened in Sonoma 14.1?

I started this article using Sonoma 14.0, the initial release of Sonoma. Apple now provides a first update of Sonoma with a version 14.1.

In this version the Apple CCID driver is no longer enabled by default and my CCID driver is enabled instead.

$ defaults read /Library/Preferences/com.apple.security.smartcard.plist
{
    Logging = 0;
    useIFDCCID = 1;
}

I guess Apple received (too) many bug reports and decided to revert the change and keep using my CCID driver for now.

If your smart card application fails to work with Sonoma 14.0 the best thing to do is to upgrade to Sonoma 14.1.

Conclusion

Writing a CCID driver is not an easy task. It is even more complex if you want to support many different models.

Apple tries to do that but is not ready yet.

New version of libccid: 1.5.4

I just released version 1.5.4 of libccid the Free Software CCID class smart card reader driver.

This version is just a bug fix for the previous version released 4 days ago.

I accepted a patch that looked good but was not complete. You can try to read the 2 patches (the bogus one and the fix) by yourself to see if the problem was obvious.

Changes:

1.5.4 - 29 October 2023, Ludovic Rousseau

  • fix a regression introduced in 1.5.3

New parse program in libccid 1.5.3

The parse tool is used to extract the configuration from a CCID smart card reader. I need this information to be able to add a new reader in my list.

Automatic file creation

parse now creates the expected file by itself. No need to redirect the standard output anymore. Some people had problems with that.

You just need to run parse and it will create the file output.bin.

Prebuilt parse

It is now possible to run the parse command without compiling the libccid driver.

I provide prebuilt binaries for these systems:

  • Darwin-arm64 (Apple computers with Apple Silicon CPUs)

  • Darwin-x86_64 (Apple computers with Intel CPUs)

  • Linux-armv7l (Raspberry Pi 3 and compatibles)

  • Linux-x86_64 (major GNU/Linux systems)

To know if your system is in this list run:

echo $(uname)-$(uname -m)

and compare the result to the list above.

If your system is not supported you can contact me.

You can use the prebuilt parse as documented in https://ccid.apdu.fr/#CCID_compliant

curl https://ccid.apdu.fr/files/parse.sh | bash -

Conclusion

I hope it will be simpler to use parse and to send me the result for readers that are not yet in my lists.

New version of libccid: 1.5.3

I just released version 1.5.3 of libccid the Free Software CCID class smart card reader driver.

Changes:

1.5.3 - 25 October 2023, Ludovic Rousseau

  • Add support of

    • ACS ACR1552 1S CL Reader

    • ACS ACR1552 CL Reader

    • ACS ACR1581

    • ACS ACR40T ICC Reader

    • ACS ACR40U ICC Reader

    • ACS WalletMate 1S CL Reader

    • Aktiv Rutoken SCR 3101 NFC Reader

    • CIRIGHT ONE PASS U2F

    • Dexon Tecnologias Digitais LTDA eSmartDX

    • Excelsecu Card reader

    • GHI NC001

    • Identiv uTrust Token Flex

    • SpringCard M519 with idProduct: 0x6212

    • SpringCard M519 with idProduct: 0x621A

    • WCMi SD5931

  • parse: create output.bin file

  • udev: Disable USB-persist for CCID devices

  • configure: fail if flex is not found

  • Some other minor improvements

My CCID driver: 20 years anniversary

The first version of my CCID driver was released on August 13th 2003.

From the README.md file:

0.1.0 - 13 August 2003, Ludovic Rousseau
   - First public release

The first commit was:

commit 631107ca310243cb8c9068c160106a580fd6ed64
Author: Ludovic Rousseau <ludovic.rousseau@free.fr>
Date:   Tue Aug 12 12:40:23 2003 +0000

        Initial revision


        git-svn-id: svn://anonscm.debian.org/svn/pcsclite/trunk/Drivers/ccid@269 0ce88b0d-b2fd-0310-8134-9614164e65ea

 AUTHORS                 |   1 +
 COPYING                 | 340 ++++++++++++++++++++++++++++
 Makefile                |  16 ++
 README                  |  63 ++++++
 readers/CardMan3121.txt |  35 +++
 readers/GemPC433_SL.txt |  35 +++
 readers/GemPCKey.txt    |  36 +++
 readers/GemPCTwin.txt   |  35 +++
 readers/LTC31.txt       |  35 +++
 readers/SCR331.txt      |  35 +++
 readers/SCR335.txt      |  35 +++
 src/.dependencies       |   0
 src/Info.plist          |  71 ++++++
 src/Makefile            |  86 +++++++
 src/capabilities.c      |  30 +++
 src/ccid_ifdhandler.h   | 141 ++++++++++++
 src/ccid_usb.c          | 486 ++++++++++++++++++++++++++++++++++++++++
 src/ccid_usb.h          |  47 ++++
 src/check               | 189 ++++++++++++++++
 src/commands.c          | 254 +++++++++++++++++++++
 src/commands.h          |  34 +++
 src/config.h            |  42 ++++
 src/debug.c             |  72 ++++++
 src/debug.h             | 100 +++++++++
 src/defs.h              |  58 +++++
 src/ifdhandler.c        | 579 ++++++++++++++++++++++++++++++++++++++++++++++++
 src/parse.c             | 238 ++++++++++++++++++++
 src/parser.h            |  22 ++
 src/pcscdefines.h       |  51 +++++
 src/tokenparser.l       | 144 ++++++++++++
 src/utils.c             |  37 ++++
 src/utils.h             |  32 +++
 32 files changed, 3379 insertions(+)

It was not a git commit. git was not yet invented. It was a Subversion (SVN) commit.

Maybe I should sell this first commit as an NFT and become super rich? Ha ha ha! Any offer?

Readers

Readme v0.1.0 extract:

Supported CCID readers:
=======================

- Gemplus GemPCKey
- Gemplus GemPC 433 SL
- GemPC Twin

Unsupported CCID readers:
=========================

- none known

Only 3 readers were supported in the version 0.1.0. And 0 readers were unsupported.

Today the CCID driver lists readers in 4 categories. The current version has:

My reader collection

I physically have 172 different readers in 10 cardboard boxes. Yes, that is many readers.

Statistics

Thanks to nova_git_stats I was able to generate nice statistics. Here are some extracts:

Hour of day of the commits

/images/2023/10/charts_hour_of_day.svg

Not so many commits during the night. Not really surprising :-)

Year of the commits

/images/2023/10/charts_year.svg

The activity is decreasing because the driver is now stable. I am surprised as I was expecting a lower activity in recent years.

Files by date

/images/2023/10/charts_files_by_date.svg

Lines by date

/images/2023/10/charts_lines_by_date.svg

Thanks

From the Authors statistics you can see 24 people contributing.

  • Achmad Yusri Afandi

  • Aitor Pazos

  • Deividas Puplauskas

  • Erki Aring

  • Fabio Araujo

  • Feitian Technologies

  • Godfrey Chung

  • Guido Trentalancia

  • Ingo Fankner

  • Ludovic Rousseau

  • Maksim Ivanov

  • Martin Paljak

  • Nathan Barrett-Morrison

  • Nicolas Schneider

  • Petr Vaněk

  • Ray Veldkamp

  • Rodrigo

  • Santiago Gimeno

  • Stephan Guilloux (home)

But many patches are applied by me and the real author name is in the commit message with a line like "Thanks to John Doe for the patch/bug report/idea".

We have around 110 different names in that case:

$ git log | grep "Thanks" | sed -E "s/for .*//" | sort -u | wc -l
         112

  • Abraham Macías Paredes

  • Adam Laurie

  • Alan Kozlay

  • Alexander Abarzhi

  • Alexander Georg

  • Alon Bar-Lev

  • Anders Storsveen

  • Benoit Gonzalvo

  • Bruce Stephens

  • Byron Johnson

  • Chris Calvesbert

  • Christian Schaubschläger

  • Daniel Kucera

  • David L. Markowitz

  • David Markowitz

  • David Woodhouse

  • Diego Elio Pettenò

  • Diego Elio Pettenò and Dario Leone

  • Dominik Heidler

  • Douglas E. Engert

  • Dr Jean-Pierre Szikora

  • Dr Russel Winder

  • El Tuba

  • Elatec

  • Emmanuel Deloget

  • Fabrizio del Tin

  • Florent VIBERT

  • Frederic Dumas

  • Gerald Richter

  • Godfrey Chung

  • Godfrey Chung

  • Harm Braams

  • Hasso Tepper

  • Hendrik Donner

  • Henryk Plötz

  • Hiroyuki Yamamoto

  • Ivan Vilata i Balaguer

  • Jaidev Bhattacharjee

  • Jakub Jelen

  • Jan Suhr

  • Jean Lusetti

  • Jeffrey Dai

  • Jim Dawson

  • Joachim Breitner

  • Johann Dantant

  • John Billings

  • Jörg Grundmann

  • Jose Ramon Alvarez-Sanchez

  • Josep Monés Teixidor

  • Karl Dahlén

  • Kenjiro Tsuji

  • Kjell M. Myksvoll

  • Loïs Lherbier

  • Luka Logar

  • Maarten

  • Maksim Ivanov

  • Marc Kewitz

  • Martin Elshuber

  • Martin Paljak

  • Martin Preuss

  • Martin Rauch

  • Martin Vogt

  • Matt and Tim Banchi

  • Maximilian Stein

  • Michael Wegner

  • Nicolas Stalder

  • Niki W. Waibel

  • Niki Waibel

  • Peter Koch

  • Rachid HARBI-ASSYSTEM

  • Rafael Dominguez Vega

  • Robert Relyea

  • Roman Pasechnik

  • Stas Sergeev

  • Stef Hoeben

  • Stefan Bühler

  • Stefan Neis

  • Stéphane Durand

  • Takuto Matsuu

  • Thomas Capricelli

  • Thomas Vetter

  • Tilman Linneweh

  • Tilman Linneweh

  • Tomasz Kłoczko

  • Torsten Maykranz

  • Toshimune Konno

  • Ulrich Vogl

  • Ville Skyttä

  • Vladimir K

  • Wolfgang Glas

  • ZF Friedrichshafen AG

  • Zheng Ruoqin

  • Zoltan Kelemen

  • el Tuba

  • ronie19

  • somova

I want to say a great thank you to all the contributors.

Conclusion

Long live libccid.

macOS Sonoma: The reader name should include the USB serial number

This is part of the series: macOS Sonoma and smart cards: known bugs.

If you have two identical smart card readers connected then it is hard to differentiate the readers.

See also

I reported this idea of improvement to Apple as FB13274416 "The reader name should include the USB serial number".

Example

For example I have 2 Gemalto ID Bridge CT 30 readers.

/images/2023/10/readersLow.png

I will use the tool pcsc_scan from pcsc-tools as this application works fine and is available for the 3 major platforms.

On macOS Sonoma, I connect one reader and the PC/SC name is Gemalto USB SmartCard Reader. I connect the second reader and the PC/SC name is Gemalto USB SmartCard Reader 01.

The only difference is the 01 appended to the second reader name.

rousseau@MacBook-Pro-de-Ludovic pcsc-tools-1.7.0 % ./pcsc_scan
PC/SC device scanner
V 1.7.0 (c) 2001-2022, Ludovic Rousseau <ludovic.rousseau@free.fr>
Plug'n play reader name not supported. Using polling every 3600000 ms.
Scanning present readers...
Waiting for the first reader... found one
Scanning present readers...
0: Gemalto USB SmartCard Reader

Fri Oct 13 15:55:38 2023
 Reader 0: Gemalto USB SmartCard Reader
  Event number: 0
  Card state: Card removed,
 Scanning present readers...
0: Gemalto USB SmartCard Reader 01
1: Gemalto USB SmartCard Reader

Fri Oct 13 15:55:44 2023
 Reader 0: Gemalto USB SmartCard Reader 01
  Event number: 0
  Card state: Card removed,
 Reader 1: Gemalto USB SmartCard Reader
  Event number: 0
  Card state: Card removed,

Screenshot (with nice colors):

screenshot of the pcsc_scan command on Sonoma

The reader (re)ordering is also visible if you insert a smart card in the first reader. You have:

rousseau@MacBook-Pro-de-Ludovic pcsc-tools-1.7.0 % ./pcsc_scan
PC/SC device scanner
V 1.7.0 (c) 2001-2022, Ludovic Rousseau <ludovic.rousseau@free.fr>
Plug'n play reader name not supported. Using polling every 3600000 ms.
Scanning present readers...
Waiting for the first reader... found one
Scanning present readers...
0: Gemalto USB SmartCard Reader

Fri Oct 13 15:58:55 2023
 Reader 0: Gemalto USB SmartCard Reader
  Event number: 0
  Card state: Card inserted,
  ATR: 3B 6F 00 00 80 5A 28 13 02 10 12 2B 75 0D D3 82 82 90 00
 Scanning present readers...
0: Gemalto USB SmartCard Reader 01
1: Gemalto USB SmartCard Reader

Fri Oct 13 15:58:58 2023
 Reader 0: Gemalto USB SmartCard Reader 01
  Event number: 0
  Card state: Card removed,
 Reader 1: Gemalto USB SmartCard Reader
  Event number: 0
  Card state: Card inserted,
  ATR: 3B 6F 00 00 80 5A 28 13 02 10 12 2B 75 0D D3 82 82 90 00
rousseau@MacBook-Pro-de-Ludovic pcsc-tools-1.7.0 %

The smart card is inserted in the reader connected first. But after the second reader is connected the reader with the smart card inserted becomes the second reader in the list. This should not be problematic for applications but it is a bit surprising.

Windows

On Windows I get results very similar to macOS.

PS C:\Users\Ludovic\Downloads> .\pcsc_scan.exe
PC/SC device scanner
V 1.7.0 (c) 2001-2022, Ludovic Rousseau <ludovic.rousseau@free.fr>
Press shift key to quit
Using reader plug'n play mechanism
Scanning present readers...
Waiting for the first reader... found one
Scanning present readers...
0: Gemalto USB Smart Card Reader 0

Sat Oct 14 10:59:42 2023
 Reader 0: Gemalto USB Smart Card Reader 0
  Event number: 0
  Card state: Card removed,
 Reader 1: \\?PnP?\Notification
  Event number: 1
  Card state:
 Scanning present readers...
0: Gemalto USB Smart Card Reader 0
1: Gemalto USB Smart Card Reader 1

Sat Oct 14 10:59:44 2023
 Reader 0: Gemalto USB Smart Card Reader 0
  Event number: 0
  Card state: Card removed,
 Reader 1: Gemalto USB Smart Card Reader 1
  Event number: 0
  Card state: Card removed,
 Reader 2: \\?PnP?\Notification
  Event number: 2
  Card state:
PS C:\Users\Ludovic\Downloads>

The first reader name is Gemalto USB Smart Card Reader 0. The second reader name is Gemalto USB Smart Card Reader 1.

Screenshot:

screenshot of the pcsc_scan command on Windows

GNU/Linux

On GNU/Linux I get:

[rousseau:~/Documents/sc/pcsc-tools] master* 2s ± ./pcsc_scan
PC/SC device scanner
V 1.7.0 (c) 2001-2022, Ludovic Rousseau <ludovic.rousseau@free.fr>
Using reader plug'n play mechanism
Scanning present readers...
Waiting for the first reader... found one
Scanning present readers...
0: Gemalto PC Twin Reader (F8345B4A) 00 00

Fri Oct 13 11:46:11 2023
 Reader 0: Gemalto PC Twin Reader (F8345B4A) 00 00
  Event number: 0
  Card state: Card removed,
 Scanning present readers...
0: Gemalto PC Twin Reader (F8345B4A) 00 00
1: Gemalto PC Twin Reader (70D7E2EE) 01 00

Fri Oct 13 11:46:15 2023
 Reader 0: Gemalto PC Twin Reader (F8345B4A) 00 00
  Event number: 0
  Card state: Card removed,
 Reader 1: Gemalto PC Twin Reader (70D7E2EE) 01 00
  Event number: 0
  Card state: Card removed,

Here the PC/SC reader name includes a hexadecimal number (F8345B4A or 70D7E2EE). This number is the USB device serial number.

Screenshot:

screenshot of the pcsc_scan command on GNU/Linux

So even if you change the order to connect the readers you will always have one reader name containing F8345B4A and the other reader name containing 70D7E2EE. You have a link between a physical reader and a PC/SC reader name.

USB serial number

The USB serial number is visible on macOS using the system_profiler command.

rousseau@MacBook-Pro-de-Ludovic ~ % system_profiler SPUSBDataType
USB:

        USB 3.1 Bus:

          Host Controller Driver: AppleT8103USBXHCI

                USB SmartCard Reader:

                  Product ID: 0x3437
                  Vendor ID: 0x08e6  (Gemalto SA)
                  Version: 2.01
                  Serial Number: F8345B4A
                  Speed: Up to 12 Mb/s
                  Manufacturer: Gemalto
                  Location ID: 0x00100000 / 1
                  Current Available (mA): 500
                  Current Required (mA): 50
                  Extra Operating Current (mA): 0

        USB 3.1 Bus:

          Host Controller Driver: AppleT8103USBXHCI

                USB SmartCard Reader:

                  Product ID: 0x3437
                  Vendor ID: 0x08e6  (Gemalto SA)
                  Version: 2.00
                  Serial Number: 70D7E2EE
                  Speed: Up to 12 Mb/s
                  Manufacturer: Gemalto
                  Location ID: 0x01100000 / 1
                  Current Available (mA): 500
                  Current Required (mA): 50
                  Extra Operating Current (mA): 0

Not all USB devices have a serial number.

For example with an older model of the same reader I have:

rousseau@MacBook-Pro-de-Ludovic ~ % system_profiler SPUSBDataType
USB:

        USB 3.1 Bus:

          Host Controller Driver: AppleT8103USBXHCI

                USB SmartCard Reader:

                  Product ID: 0x3437
                  Vendor ID: 0x08e6  (Gemalto SA)
                  Version: 1.00
                  Speed: Up to 12 Mb/s
                  Manufacturer: Gemplus
                  Location ID: 0x00100000 / 1
                  Current Available (mA): 500
                  Current Required (mA): 200
                  Extra Operating Current (mA): 0

No "Serial Number:" field is displayed.

My proposal to add the USB serial number in the PC/SC name will not work with all the smart card readers. But at least it will be usable with the USB devices providing the serial number.

Conclusion

It is not a bug in macOS Sonoma. It is not a regression compared to the previous macOS version, or compared to Windows.

But it would be nice to have a strong link between a physical smart card reader and the corresponding PC/SC reader name.

See also What is in a PC/SC reader name? to know how a PC/SC reader name is generated by pcsc-lite on GNU/Linux.

macOS Sonoma bug: The reader name should include the CCID interface name

This is part of the series: macOS Sonoma and smart cards: known bugs.

If you have a composite smart card reader (one USB device with 2 or more CCID interfaces) it is impossible to identify which interface is which since the reader names are the same (except for a number).

See also

I reported this problem to Apple as FB13259373 "The smart card reader name should include the CCID interface name".

Example

For example with a composite device Gemalto Prox DU with 2 CCID interfaces:

% ./pcsc_scan
PC/SC device scanner
V 1.7.0 (c) 2001-2022, Ludovic Rousseau <ludovic.rousseau@free.fr>
Plug'n play reader name not supported. Using polling every 3600000 ms.
Scanning present readers...
Waiting for the first reader... found one
Scanning present readers...
0: Gemalto Prox Dual USB PC Link Reader
1: Gemalto Prox Dual USB PC Link Reader 01

The problem is that I do not know what interface is the contact reader, and what interface is the contactless reader.

The situation is even worse since the order in which the interfaces are detected/listed is not stable.

To test that I insert a card in the contact reader. I get:

Scanning present readers...
0: Gemalto Prox Dual USB PC Link Reader
1: Gemalto Prox Dual USB PC Link Reader 01

Wed Oct 11 14:02:08 2023
 Reader 0: Gemalto Prox Dual USB PC Link Reader
  Event number: 0
  Card state: Card removed,
 Reader 1: Gemalto Prox Dual USB PC Link Reader 01
  Event number: 0
  Card state: Card inserted,
  ATR: 3B 6F 00 00 80 5A 28 13 02 10 12 2B 75 0D D3 82 82 90 00

The first reader (Reader 0) is the contactless interface, the second reader (Reader 1) is the contact interface since that is where the contact card is reported as inserted.

Then I disconnect the USB device and connect it again. This time I get:

Waiting for the first reader... found one
Scanning present readers...
0: Gemalto Prox Dual USB PC Link Reader
1: Gemalto Prox Dual USB PC Link Reader 01

Wed Oct 11 14:02:20 2023
 Reader 0: Gemalto Prox Dual USB PC Link Reader
  Event number: 0
  Card state: Card inserted,
  ATR: 3B 6F 00 00 80 5A 28 13 02 10 12 2B 75 0D D3 82 82 90 00
 Reader 1: Gemalto Prox Dual USB PC Link Reader 01
  Event number: 0
  Card state: Card removed,

Note that the 2 reader names are the same as before (Gemalto Prox Dual USB PC Link Reader and Gemalto Prox Dual USB PC Link Reader 01) but this second time the contact card is reported in the first reader instead of the second reader.

The contact reader was named Gemalto Prox Dual USB PC Link Reader 01 but is now named Gemalto Prox Dual USB PC Link Reader.

It looks like the ordering between the 2 interfaces is random.

pcsc-lite

On a GNU/Linux system I get:

$ pcsc_scan
PC/SC device scanner
V 1.6.2 (c) 2001-2022, Ludovic Rousseau <ludovic.rousseau@free.fr>
Using reader plug'n play mechanism
Scanning present readers...
0: Gemalto Prox Dual USB PC Link Reader [Prox-DU Contactless_10500231] 00 00
1: Gemalto Prox Dual USB PC Link Reader [Prox-DU Contact_10500231] 01 00

Wed Oct  4 10:08:20 2023
 Reader 0: Gemalto Prox Dual USB PC Link Reader [Prox-DU Contactless_10500231] 00 00
  Event number: 0
  Card state: Card removed,
 Reader 1: Gemalto Prox Dual USB PC Link Reader [Prox-DU Contact_10500231] 01 00
  Event number: 0
  Card state: Card removed,

The CCID interface name (here Prox-DU Contactless_10500231 and Prox-DU Contact_10500231) is included in the reader names.

See What is in a PC/SC reader name? for more details about the reader name construction in pcsc-lite.
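As an added example (not code from pcsc-lite or from the article), here is a small parser for the pcsc-lite reader name layout discussed in this post and in the USB serial number post above: product name, optional [interface name], optional (serial number), then the two-digit index and slot. The relative order of the two optional parts when both are present is an assumption; the sample names are the ones printed by pcsc_scan above, and the macOS-style name without index and slot is included to show that nothing in it identifies the physical device.

```javascript
"use strict";

// Parse a pcsc-lite style reader name such as
//   "Gemalto PC Twin Reader (F8345B4A) 00 00"
//   "Gemalto Prox Dual USB PC Link Reader [Prox-DU Contact_10500231] 01 00"
// into its parts. Returns null for names that do not end in "<index> <slot>"
// (for instance the macOS name "Gemalto USB SmartCard Reader 01").
// Assumed layout: product [interface] (serial) index slot, the two bracketed
// parts being optional and, when both are present, in that order.
const READER_RE = /^(.*?)(?: \[([^\]]*)\])?(?: \(([^()]*)\))? (\d{2}) (\d{2})$/;

function parseReaderName(name) {
  const m = READER_RE.exec(name);
  if (!m) return null;
  return {
    product: m[1],
    iface: m[2] === undefined ? null : m[2],   // CCID interface name, if any
    serial: m[3] === undefined ? null : m[3],  // USB serial number, if any
    index: Number(m[4]),  // position among identical readers; changes with plug order
    slot: Number(m[5]),   // slot number inside the CCID interface
  };
}

// Identifier that survives unplug/replug and reordering: it ignores index
// and slot and relies on the USB serial number. Returns null when the name
// carries no serial, i.e. when nothing in the name ties it to one device.
function stableReaderId(name) {
  const p = parseReaderName(name);
  if (p === null || p.serial === null) return null;
  return `${p.product}|${p.iface === null ? "" : p.iface}|${p.serial}`;
}

// True when two names designate the same physical reader (same serial),
// whatever index pcsc-lite gave them at enumeration time.
function samePhysicalReader(a, b) {
  const ida = stableReaderId(a);
  const idb = stableReaderId(b);
  return ida !== null && ida === idb;
}

// Constructed sample names taken from the pcsc_scan outputs in the article.
const samples = [
  "Gemalto PC Twin Reader (F8345B4A) 00 00",
  "Gemalto PC Twin Reader (70D7E2EE) 01 00",
  "Gemalto Prox Dual USB PC Link Reader [Prox-DU Contactless_10500231] 00 00",
  "Alcor Micro AU9540 00 00",
  "Gemalto USB SmartCard Reader 01",
];
for (const s of samples) {
  console.log(JSON.stringify(parseReaderName(s)), "->", stableReaderId(s));
}
```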

Windows

On a Windows system I get:

PS C:\Users\Ludovic\Downloads> .\pcsc_scan.exe
PC/SC device scanner
V 1.7.0 (c) 2001-2022, Ludovic Rousseau <ludovic.rousseau@free.fr>
Press shift key to quit
Using reader plug'n play mechanism
Scanning present readers...
0: Gemalto Prox-DU Contact_10500231 0
1: Gemalto Prox-DU Contactless_10500231 0

Sun Oct 15 09:35:48 2023
 Reader 0: Gemalto Prox-DU Contact_10500231 0
  Event number: 0
  Card state: Card removed,
 Reader 1: Gemalto Prox-DU Contactless_10500231 0
  Event number: 0
  Card state: Card removed,
 Reader 2: \\?PnP?\Notification
  Event number: 2
  Card state:

This is similar to what I have on GNU/Linux.

Workaround

None known.

New version of pcsc-tools: 1.7.0

I just released a new version of pcsc-tools, a suite of tools for PC/SC.

This version includes the localized gscriptor in French and Russian I talked about in gscriptor now also in French and Russian.

Changes:

1.7.0 - 7 October 2023, Ludovic ROUSSEAU

  • 182 new ATRs

  • pcsc_scan :

    • add debug option -d

    • add PnP option -p

  • gscriptor : i18n and l10n in English (default), French and Russian

  • configure: add --enable-ATRparser=foobar to specify an ATR parser

  • minor fixes and improvements