Changes:

1.7.0 - 2 October 2025, Ludovic Rousseau

• Add support of

  • GIGA-TMS NFC CCID Reader

  • Identiv Identiv SmartOS Reader

  • SEC1210URT, single slot variant of SEC1210 serial

  • TOKEN2 FIDO2 Security Key(0013),PIN+ Mini with OTP + PGP

  • TOKEN2 FIDO2 Security Key(0014),PIN+ Mini with FIDO + PGP

  • TOKEN2 FIDO2 Security Key(0015),PIN+ Mini with PGP

  • TOKEN2 FIDO2 Security Key(0016),PIN+ Mini with OTP + PGP + FIDO

  • TOKEN2 FIDO2 Security Key(0023),PIN+ Series with OTP + PGP

  • TOKEN2 FIDO2 Security Key(0024),PIN+ Series with FIDO + PGP

  • TOKEN2 FIDO2 Security Key(0025),PIN+ Series with PGP

  • TOKEN2 FIDO2 Security Key(0203),Bio3 Dual with OTP + PGP

  • TOKEN2 FIDO2 Security Key(0204),Bio3 Dual with FIDO + PGP

  • TOKEN2 FIDO2 Security Key(0205),Bio3 Dual with PGP

  • TOKEN2 FIDO2 Security Key(0206),Bio3 Dual with OTP + PGP + FIDO

  • TOKEN2 Molto2 (older version)

  • VIX TECHNOLOGY SECURE READER

• Remove support of

  • SIMHUB pcsc reader

• Give pcscd group permission to CCID devices in udev rule

• Avoid a timeout issue with the Thales Fusion NFC reader

• Provide the option to synchronize the 2 interfaces of a SEC1210 (see Card state synchronisation on SEC1210 reader 2 interfaces)

• Some other minor improvements

Conclusion

If you live in France or have access to French magazines I suggest you buy issue 61 of Hackable. It is the July-August 2025 edition.

You can also buy and read the online version at Murmurons à l'oreille de nos cartes SIM.

Changes:

1.5.18 - August 2025, Ludovic Rousseau

• add CKM_EXTRACT_KEY_FROM_KEY mechanism

• add CKM_EDDSA and CK_EDDSA_PARAMS support

• C_Initialize(): allow OS locking

• PyKCS11.load() & .unload(): make the methods tread-safe

• bugfix: store CKM_CONCATENATE_BASE_AND_KEY parameter in mechanism context

• IsNum(): CKA_HW_FEATURE_TYPE is also a numeric value

• improve support for multi-part encryption/decryption

• fix some Python typing issues

• Fix issue with vendor defined (CKM_VENDOR_DEFINED) mechanisms

• fix/ignore all pylint warnings

• use pytest for running tests

• minor improvements

Changes:

2.3.0 (July 2025)

• PCSCCardRequest: fix waitforcardevent() initialization

• PCSCCardConnection: raise exception for .connect() after .release()

• Fix race issue in SCardListReaders() and SCardListReaderGroups()

• Use SCARD_AUTOALLOCATE where defined (everywhere except macOS)

• Use SCardFreeMemory() on Unix (except macOS)

• CardMonitoringThread: Fix a thread safeness issue

• fix/ignore all pylint warnings

• Minor changes

Parse tool

As early as the first version of my CCID driver, I provided a tool called parse to analyze the USB descriptor and see if a connected device is declared as a CCID devide (USB interface class = 11).

The parse tool is written in C and you have to build it from source code. This is not an easy task for non-developers.

Non-developers

For non developers, it wasn't easy. Hence the idea of providing pre-built versions of the parse tool.

I can't provide a binary for all possible systems (Unix, not just GNU/Linux).

I provide a binary version for:

• Linux x86_64 (GNU/Linux on Intel/AMD 64 bits CPU)

• Linux aarch64 (GNU/Linux on ARM 64 bits CPU)

• Linux armv7l (GNU/Linux on for example on a Raspberry)

• Darwin x86_64 (macOS on Intel 64 bits CPU)

• Darwin arm64 (macOS on Apple M1, M2, etc. CPU)

You do not have to know what system or processor you have. Just use, in a terminal:

curl https://ccid.apdu.fr/files/parse.sh | bash -

Statistics

From last month's HTTP server logs, I get:

Unsurprisingly, the majority of users are on a GNU/Linux system with an Intel/AMD 64-bits processor.

I am pleasantly surprised to see GNU/Linux systems on ARM processors.

Security

I understand that some people prefer to build a program from source code rather than run a binary retrieved from the Internet.

I also do not like using:

curl https://random.web.site/install_script.sh | bash -

This is why is is still possible to rebuild the parse binary from the source code.

Conclusion

It should (now) be easy to check if a USB smart card reader complies with hthe CCID standard.

If you are the product owner of a new smart card reader and don't have a GNU/Linux developer available to help you, this tool will allow you to send me the details as documented at Check reader's compliance to CCID specification.

I can then add your reader in the "Should work but untested by me" list. If you want to have your reader listed in the "Supported CCID readers/ICCD tokens" list, contact me.

Enable a good CCID driver

It is very simple. Just do, in a Terminal:

sudo defaults write /Library/Preferences/com.apple.security.smartcard useIFDCCID -bool yes

If the problem is solved then there is no need to report it to me.

You will find more information in Apple's own CCID driver in Sonoma.

Update of my CCID driver

In macOS Sonoma 14.0 Apple provided version 1.5.1 of my CCID driver (macOS Sonoma and smart cards status) whereas the current version was 1.5.2.

In macOS Sequoia 15.0 my CCID driver was still version 1.5.1 whereas the current version was 1.6.1 (macOS Sequoia and smart cards status).

If you want/need a version of my CCID driver newer than 1.5.1, or a custom installer for macOS, you can contact me.

Conclusion

An issue was reported recently (MacOS NFC reader issue for large APDUs) and activating my CCID driver solved the problem.

First step is to use a good CCID driver.

SEC1210 reader

The Microchip SEC1210 smart card reader is a chip that you can integrate in your hardware projects.

A development board is available.

The board has 2 CCID interfaces that are seen as 2 CCID readers at the USB level (it is a composite device). See the USB descriptor:

idVendor: 0x0424
 iManufacturer: SMSC
idProduct: 0x1202
 iProduct: SMSC USX101x Reader
bcdDevice: 2.22 (firmware release?)
bLength: 9
bDescriptorType: 4
bInterfaceNumber: 0
bAlternateSetting: 0
bNumEndpoints: 3
 bulk-IN, bulk-OUT and Interrupt-IN
bInterfaceClass: 0x0B [Chip Card Interface Device Class (CCID)]
[...]

idVendor: 0x0424
 iManufacturer: SMSC
idProduct: 0x1202
 iProduct: SMSC USX101x Reader
bcdDevice: 2.22 (firmware release?)
bLength: 9
bDescriptorType: 4
bInterfaceNumber: 1
bAlternateSetting: 0
bNumEndpoints: 2
 bulk-IN and bulk-OUT
bInterfaceClass: 0x0B [Chip Card Interface Device Class (CCID)]

The 2 interfaces have the same descriptor, except for:

• bInterfaceNumber: 0 or 1

• bNumEndpoints: 2 or 3

One interface provides the Interrupt-IN endpoint while the other interface does not. This means one interface will provide card movements notification on the interrupt pipe while the other interface will not.

In fact the 2nd interface does not support RDR_to_PC_NotifySlotChange but also does not support card presence using the CCID command PC_to_RDR_GetSlotStatus. The reader will always report a card is inserted even if no card is inserted.

This second interface is, in general, used with a SAM (Secure access module) that is rarely removed from the reader.

New use case

A user of this reader asked me to add the option of duplicating the card presence status of the 1st interface on the 2nd interface. The idea is to be able to insert or remove 2 cards from both interfaces at the same time.

The 2nd interface can then be used as a almost normal reader.

Custom code

The patch is visible at https://salsa.debian.org/rousseau/CCID/-/commit/4842c97561794acb7269dfcba21c877d42895a4e

The code is not active by default. You need to uncomment a line and rebuild the driver:

// Uncomment if you want to synchronize the card movements on the 2
// interfaces of the Microchip SEC 1210 reader
// #define SEC1210_SYNC

The code is a bit complex, as each interface is managed by a different pcsc-lite thread. The 2 threads are synchronized with a pthread_cond and share some states.

Conclusion

The 2 interfaces of the Microchip SEC1210 smart card reader can be used mostly as normal interfaces. The (industrial) user is happy.

If you need custom development of the CCID driver and/or pcsc-lite, please don't hesitate to contact me. See About me.