pcsc-lite now uses meson build tool

With version 2.2.0 of pcsc-lite, which I just released (see New version of pcsc-lite: 2.2.0), the recommended tool to configure and build pcsc-lite is now meson.

Problems with autoconf/automake

The change was motivated by the effects of the xz utils backdoor in March 2024.

Meson

Meson (and ninja used by meson) is used by a lot of software, like GNOME libraries and applications. See the list of adopters in the Wikipedia Meson page.

It is also an opportunity to learn new tools.

Meson for pcsc-lite

A typical use case is:

meson setup builddir
cd builddir
meson compile
meson install

If you need/want to disable some pcsc-lite options then change the first command to use something like:

meson setup builddir -Dlibudev=false -Dipcdir=/var/run/pcscd

The available options are (file meson.options):

embedded

for embedded systems [limit RAM and CPU resources by disabling features (log)] (disabled by default)

filter_names

reader filtering using PCSCLITE_FILTER_IGNORE_READER_NAMES and PCSCLITE_FILTER_EXTEND_READER_NAMES environment variables

ipcdir

Directory for pcsc-lite internal communication socket (/run/pcscd by default)

libsystemd

Use systemd for daemon auto start

libudev

Use libudev (preferred) for USB hotplug

libusb

Use libusb for USB hotplug (disabled by default)

polkit

Use polkit to enforce access control

serial

Support serial readers (disabled by default)

serialconfdir

Path for serial configuration files (/etc/reader.conf.d by default)

systemdunit

Systemd unit directory to use ("user" by default)

usb

Support USB readers

usbdropdir

Path for USB drivers (/usr/lib/pcsc/drivers by default)

Performance

Another reason to use meson is that the configuration + compilation times should be much shorter.

Computer I used for the tests: MacBook Pro from 2009, MacBookPro5,3, 4 GB of RAM, CPU Core 2 Duo at 2.66 GHz. I just replaced the hard drive with an SSD and installed Debian GNU/Linux (to replace macOS).

I use an old (15-year-old) computer on purpose. The goal is to be able to measure times.

autoconf

  • bootstrap: 18 seconds (48 %)

  • configure: 9.5 seconds (25 %)

  • compile: 10 seconds (26 %)

  • total: 37.5 seconds

meson

  • configure: 2 seconds (22 %)

  • compile: 7 seconds (77 %)

  • total: 9 seconds

Speed up: x4.1

Here, a lot of time is used to generate the configure script (in the autoconf case) and run it. If you have a lot more files to compile in your project the speed up may be lower for you. I guess meson should always be faster than autoconf/automake.

Drop unused features

The move to meson is also an occasion to do some cleanup in the code and features supported by pcsc-lite.

Serial readers

I have not removed anything, but the support of serial readers is not enabled by default. I think I have not had a computer with a serial port for at least 10 years.

In case you need it, you can enable it using:

meson setup builddir -Dserial=true

Vintage Unix systems

pcsc-lite has special code for HPUX, OSF, AIX, Solaris and SunOS4. I guess nobody is using these systems anymore.

In the case of regression

If you need a special configuration that is not possible using meson it is still possible to generate and run the configure script and build pcsc-lite as before:

./bootstrap
./configure your_arguments

You can also create a patch and submit it to https://salsa.debian.org/rousseau/PCSC/ or https://github.com/LudovicRousseau/PCSC.

I already fixed Meson issues. So be sure to use the current master branch of the pcsc-lite git repository.

Conclusion

It is funny to note that we now have much faster computers than 20 years ago, when the pcsc-lite project was started. But faster tools are developed now to replace the slower ones. How could we be happy to use slower tools on our slower computers?

The erooM principle is a nice idea. I hope to see more examples.

[UPDATE May 2024]

pcsc-lite version 2.2.1 added the meson option filter_names.

New version of pcsc-lite: 2.2.0

I just released a new version of pcsc-lite 2.2.0.

pcsc-lite is a Free Software implementation of the PC/SC (or WinSCard) API for Unix systems.

Changes:

2.2.0: Ludovic Rousseau

3 May 2024

  • provide files for meson build tool (replaces autoconf/automake)

  • fix a missing symbol in libpcscspy (bug introduced by the previous version)

  • fix shutdown issues with hotplug_libusb

  • update pcsc-spy manpage

  • update copyright date

  • Some other minor improvements

GnuPG and PC/SC conflicts, episode 2

Ubuntu 24.04 provides a new version of GnuPG (GNU Privacy Guard): 2.4.4, instead of version 2.2.27 in Ubuntu 22.04. This new version changed the way it accesses smart card readers.

A new bug has already been opened: Yubikey stopped working after noble upgrade

The problem

GnuPG2 (or in fact its scdaemon component) tries to directly access smart card readers using GnuPG2's own implementation of the USB CCID protocol.

This access conflicts with pcsc-lite also accessing the smart card readers.

The Solution

As already seen in GnuPG and PC/SC conflicts from 2019 the solution is to disable the CCID driver provided by GnuPG.

From scdaemon documentation https://www.gnupg.org/documentation/manuals/gnupg/Scdaemon-Options.html#index-disable_002dccid

--disable-ccid

The integrated CCID driver for CCID compliant devices can be available when libusb was detected at build time, and it is used to access the smartcard reader. If access via PC/SC driver is needed, please configure this option to disable CCID driver support (if any). In GnuPG 2.2, there was a fallback mechanism from CCID driver to PC/SC driver. The fallback mechanism worked, because scdaemon in GnuPG 2.2 only supported a single token/reader. To support of multiple tokens/readers at the same time, fallback mechanism was removed.

Since GnuPG v2.4 removed the fallback mechanism to use PC/SC it is even more important to use the disable-ccid configuration.

To be safe, edit your file ~/.gnupg/scdaemon.conf and add the line:

disable-ccid

Conclusion

If you use GnuPG and also one (or more) PC/SC application then you need this change.

PCSC API spy using LIBPCSCLITE_DELEGATE

As explained in How to use LIBPCSCLITE_DELEGATE? a new mechanism has been introduced for debugging PC/SC calls.

Changes

Compared to the previous version documented in PCSC API spy, update:

  • no need to play with LD_PRELOAD any more

  • no need to install/uninstall a spy library

Demo

Run your program (here pcsc_scan) with LIBPCSCLITE_DELEGATE defined.

$ LIBPCSCLITE_DELEGATE=libpcscspy.so.0 pcsc_scan
PC/SC device scanner
V 1.7.1 (c) 2001-2022, Ludovic Rousseau <ludovic.rousseau@free.fr>
Using reader plug'n play mechanism
Scanning present readers...
Waiting for the first reader...
^C
SCardGetStatusChange: Command cancelled.

I used Control-C to abort the program because pcsc_scan never ends.

Traces

In another window I get:

$ pcsc-spy
SCardEstablishContext
 i dwScope: SCARD_SCOPE_SYSTEM (0x00000002)
 o hContext: 0x72EC0CEF
 => SCARD_S_SUCCESS [0x00000000]  [0.046759]
SCardGetStatusChange
 i hContext: 0x72EC0CEF
 i dwTimeout: 0x00000000 (0)
 i cReaders: 1
 i szReader: \\?PnP?\Notification
 i  dwCurrentState:  (0x00000000)
 i  dwEventState: SCARD_STATE_IGNORE, SCARD_STATE_CHANGED, SCARD_STATE_UNKNOWN, SCARD_STATE_UNAVAILABLE, SCARD_STATE_PRESENT, SCARD_STATE_EXCLUSIVE, SCARD_STATE_INUSE, SCARD_STATE_MUTE (0x55A373FA63AF)
 i  Atr length: 0x55A373FA63BE (94160513819582)
 i  Atr: NULL
 o szReader: \\?PnP?\Notification
 o  dwCurrentState:  (0x00000000)
 o  dwEventState:  (0x00000000)
 o  Atr length: 0x55A373FA63BE (94160513819582)
 o  Atr: NULL
 => SCARD_E_TIMEOUT [0x8010000A]  [0.002514]
SCardListReaders
 i hContext: 0x72EC0CEF
 i mszGroups: (null)
 o pcchReaders: 0x00000001
 o mszReaders: NULL
 => SCARD_E_NO_READERS_AVAILABLE [0x8010002E]  [0.000045]
SCardListReaders
 i hContext: 0x72EC0CEF
 i mszGroups: (null)
 o pcchReaders: 0x00000001
 o mszReaders: NULL
 => SCARD_E_NO_READERS_AVAILABLE [0x8010002E]  [0.000434]
SCardGetStatusChange
 i hContext: 0x72EC0CEF
 i dwTimeout: 0x0036EE80 (3600000)
 i cReaders: 1
 i szReader: \\?PnP?\Notification
 i  dwCurrentState:  (0x00000000)
 i  dwEventState:  (0x00000000)
 i  Atr length: 0x55A373FA63BE (94160513819582)
 i  Atr: NULL
   SCardCancel
    i hCard: 0x72EC0CEF
    => SCARD_S_SUCCESS [0x00000000]  [0.000741]
 o szReader: \\?PnP?\Notification
 o  dwCurrentState:  (0x00000000)
 o  dwEventState:  (0x00000000)
 o  Atr length: 0x55A373FA63BE (94160513819582)
 o  Atr: NULL
 => SCARD_E_CANCELLED [0x80100002]  [1.015056]
SCardReleaseContext
 i hContext: 0x72EC0CEF
 => SCARD_S_SUCCESS [0x00000000]  [0.000632]

Thread 1/2
Results sorted by total execution time
total time: 1.065758 sec
1.017570 sec (  2 calls) 95.48% SCardGetStatusChange
0.046759 sec (  1 calls)  4.39% SCardEstablishContext
0.000632 sec (  1 calls)  0.06% SCardReleaseContext
0.000479 sec (  2 calls)  0.04% SCardListReaders

Thread 2/2
Results sorted by total execution time
total time: 1.065758 sec
0.000741 sec (  1 calls)  0.07% SCardCancel

The (Python) program pcsc-spy is provided by pcsc-lite. It is included in the Debian libpcsclite-dev package.
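To pick the failing calls out of a longer trace, the text output shown above can be post-processed. The following is an added example, not part of pcsc-lite or pcsc-spy; it assumes the layout seen in the trace above, where a result line is indented one column deeper than its call line and calls from a second thread appear indented inside the blocked call.

```python
import re
from collections import defaultdict

# Excerpt of the pcsc-spy trace shown above; most parameter lines trimmed.
SAMPLE = r"""SCardEstablishContext
 i dwScope: SCARD_SCOPE_SYSTEM (0x00000002)
 => SCARD_S_SUCCESS [0x00000000]  [0.046759]
SCardGetStatusChange
 => SCARD_E_TIMEOUT [0x8010000A]  [0.002514]
SCardListReaders
 => SCARD_E_NO_READERS_AVAILABLE [0x8010002E]  [0.000045]
SCardGetStatusChange
 i szReader: \\?PnP?\Notification
   SCardCancel
    i hCard: 0x72EC0CEF
    => SCARD_S_SUCCESS [0x00000000]  [0.000741]
 o szReader: \\?PnP?\Notification
 => SCARD_E_CANCELLED [0x80100002]  [1.015056]
SCardReleaseContext
 => SCARD_S_SUCCESS [0x00000000]  [0.000632]
"""

CALL_RE = re.compile(r"^(\s*)(SCard\w+)\s*$")
RESULT_RE = re.compile(r"^(\s*)=> (\w+) \[0x([0-9A-Fa-f]+)\]\s+\[(\d+\.\d+)\]")

def parse_trace(text):
    """Return (function, status, code, seconds) per call, in completion order."""
    open_calls = {}  # indent width -> function name awaiting its result
    records = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            open_calls[len(m.group(1))] = m.group(2)
            continue
        m = RESULT_RE.match(line)
        if m:
            # Pair the result with the call line one column to its left.
            name = open_calls.pop(len(m.group(1)) - 1, "?")
            records.append((name, m.group(2), int(m.group(3), 16), float(m.group(4))))
    return records

def summarize(records):
    """Per-function [call count, total seconds], plus the non-success calls."""
    totals = defaultdict(lambda: [0, 0.0])
    for name, _status, _code, secs in records:
        totals[name][0] += 1
        totals[name][1] += secs
    failures = [r for r in records if r[1] != "SCARD_S_SUCCESS"]
    return dict(totals), failures
```
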

Absolute filename

If you want to use a specific spy library or if the library is installed in a directory not handled by the GNU/Linux dynamic loader ld.so you can use an absolute filename.

The script setup_spy.sh is provided by pcsc-lite. It is also included in the Debian libpcsclite-dev package.

$ sh /usr/share/doc/libpcsclite-dev/setup_spy.sh
export LIBPCSCLITE_DELEGATE=/lib/x86_64-linux-gnu/libpcscspy.so.0

If you want to have LIBPCSCLITE_DELEGATE defined and used for all the future executions (maybe not recommended) you can execute the export command using:

$ source /usr/share/doc/libpcsclite-dev/setup_spy.sh
export LIBPCSCLITE_DELEGATE=/lib/x86_64-linux-gnu/libpcscspy.so.0

Conclusion

It should now be a bit simpler to generate PC/SC call traces.

How to use LIBPCSCLITE_DELEGATE?

pcsc-lite 2.1.0 introduced a new mechanism that uses the environment variable LIBPCSCLITE_DELEGATE (see New version of pcsc-lite: 2.1.0).

The idea is that all the PC/SC calls of an application can be redirected to another library. This has been designed to be used in 2 use cases:

  • trace PC/SC calls for debug, performance analysis, etc.

  • redirect PC/SC calls to a different resource manager, like a remote one.

Remote session

Redirecting PC/SC calls is needed if you use a remote desktop and you want to use your local smart card reader in an application running on a remote GNU/Linux server.

On the server side the RDP server component will define LIBPCSCLITE_DELEGATE to use its own RDP library instead of the default libpcsclite library. The RDP PC/SC library will be in charge of communicating with the RDP client side.

You can use RDP (Remote Desktop Protocol) defined by Microsoft or another protocol.

The use of LIBPCSCLITE_DELEGATE should allow xrdp (an open-source Remote Desktop Protocol server) to redirect smart card accesses to RDP clients (from GNU/Linux or Windows clients).

This solution has been discussed in Delegate WinSCard calls to another library (for a RDP server for example) #161 and XRDP smartcard passthrough via windows RDP client #2625.

Spy the remote session

LIBPCSCLITE_DELEGATE can also be used to trace all the PC/SC calls (see PCSC API spy using LIBPCSCLITE_DELEGATE).

To do that you define LIBPCSCLITE_DELEGATE to use libpcscspy.so.0 and you define LIBPCSCLITE_SPY_DELEGATE (used by libpcscspy.so.0) to use your xrdp library instead of the default libpcsclite library.

libpcsclite.so.1 will call libpcscspy.so.0 which will call your xrdp library.

Security

Is it a new security issue?

No. It was already easy to intercept libpcsclite.so.1 functions using the dynamic linker LD_PRELOAD mechanism. This was the mechanism documented to spy PC/SC calls. See PCSC API spy, third try or PCSC API spy, update.
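Since both mechanisms are driven by environment variables, an administrator can list which running processes were started with one of them set. The following is an added example, not code from pcsc-lite; it assumes a Linux /proc filesystem, and the function names are illustrative.

```python
import os

# Variables that reroute libpcsclite.so.1 calls, as named in the posts above.
WATCHED = ("LIBPCSCLITE_DELEGATE", "LIBPCSCLITE_SPY_DELEGATE", "LD_PRELOAD")

def redirect_vars(environ_blob):
    """Extract the watched variables from a NUL-separated environ blob."""
    found = {}
    for entry in environ_blob.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        name = key.decode("ascii", "replace")
        if sep and name in WATCHED and value:
            found[name] = value.decode("utf-8", "replace")
    return found

def describe(value):
    """An absolute path names one file; a bare name is looked up by ld.so."""
    return "absolute path" if os.path.isabs(value) else "resolved by ld.so search path"

def scan_proc(root="/proc"):
    """Yield (pid, variables) for each readable process with a watched variable."""
    for pid in filter(str.isdigit, os.listdir(root)):
        try:
            with open(os.path.join(root, pid, "environ"), "rb") as fh:
                found = redirect_vars(fh.read())
        except OSError:  # process exited, or we may not read its environ
            continue
        if found:
            yield int(pid), found

# Constructed sample: an environ blob as the pcsc_scan demo would produce.
SAMPLE_ENVIRON = b"HOME=/home/user\0LIBPCSCLITE_DELEGATE=libpcscspy.so.0\0TERM=xterm\0"

if __name__ == "__main__":
    for pid, found in scan_proc():
        for name, value in found.items():
            print(f"{pid}: {name}={value} ({describe(value)})")
```

Reading the environ file of another user's process requires root, and the file reflects the environment the process was started with.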

Conclusion

If you find new/innovative ways to use LIBPCSCLITE_DELEGATE please tell me.

New version of pcsc-lite: 2.1.0

I just released a new version of pcsc-lite 2.1.0.

pcsc-lite is a Free Software implementation of the PC/SC (or WinSCard) API for Unix systems.

Changes:

2.1.0: Ludovic Rousseau

12 April 2024

  • LIBPCSCLITE_DELEGATE is used to redirect to another libpcsclite library

  • setup_spy.sh displays the LIBPCSCLITE_DELEGATE value to use for spying

  • provides libfake.c as a sample source code

  • Some other minor improvements

PySCard 2.0.9 released

I just released a new version of pyscard. PySCard is a python module adding smart cards support (PC/SC) to Python.

The PySCard project is available at:

Changes:

2.0.9 (April 2024)

  • fix a bug with CardRequestTimeoutException introduced in 2.0.8

  • Minor changes