Smart card Usage in Debian: middleware

See "Smart card Usage in Debian: pcscd and drivers" for the previous article.

The next layer above the smart card reader driver and the PC/SC resource manager is the middleware. This software sits between PC/SC and the user application.

I try to maintain a list of smart card middleware available in Debian.
I updated the list when writing this blog article. New Debian packages have been added, and others have been removed.

cackey: CAC and PIV Smartcard PKCS #11 cryptographic module



coolkey: Smart Card PKCS #11 cryptographic module



libckyapplet1: Smart Card Coolkey applet


libckyapplet1 is a dependency of coolkey. So they are both installed at the same time.

libckyapplet1-dev: Smart Card Coolkey applet development files



libcacard0: Virtual Common Access Card (CAC) Emulator (runtime library)


libcacard0 is a dependency of all the qemu-system-* packages. That can explain why this package is installed on so many systems.

libcacard-dev: Virtual Common Access Card (CAC) Emulator (development files)


libchipcard6: library for accessing smartcards



libchipcard-data: configuration files for libchipcard



libchipcard-dev: API for smartcard readers



libchipcard-tools: tools for accessing chipcards



libengine-pkcs11-openssl: OpenSSL engine for PKCS#11 modules



libgnokii7: Gnokii mobile phone interface library



libopenconnect5: open client for Cisco AnyConnect, Pulse, GlobalProtect VPN - shared library


libopenconnect5 is a dependency of plasma-nm (Plasma5 networkmanager library). Plasma is the KDE graphical workspaces environment.

libosmosim0: Osmo SIM library


Part of libosmocore: Open Source MObile COMmunications CORE library (metapackage)

libpam-p11: PAM module for using PKCS#11 smart cards


Part of pam-p11: PAM module for using PKCS#11 smart cards

libpam-pkcs11: Fully featured PAM module for using PKCS#11 smart cards



libpam-poldi: PAM module allowing authentication using a OpenPGP smartcard



libpcscada0.7.5: Ada bindings to PC/SC middleware



libspice-client-glib-2.0-8: GObject for communicating with Spice servers (runtime library)

libspice-client-glib-2.0-8 is a dependency of vinagre: remote desktop client for the GNOME Desktop

libspice-client-gtk-3.0-5: GTK3 widget for SPICE clients (runtime library)

libspice-client-gtk-3.0-5 is also a dependency of vinagre: remote desktop client for the GNOME Desktop

libykpiv1: Library for communication with the YubiKey PIV smartcard



openjdk-8-jre-headless: OpenJDK Java runtime, using Hotspot JIT (headless)



openjdk-11-jre-headless: OpenJDK Java runtime, using Hotspot JIT (headless)


We can see that openjdk-8-jre-headless has been replaced by openjdk-11-jre-headless.

openjdk-13-jre-headless: OpenJDK Java runtime, using Hotspot JIT (headless)


openjdk-13-jre-headless is not yet in Debian stable, so the number of installations is low. This version has also been replaced by openjdk-14-jre-headless since 2020.

openjdk-14-jre-headless: OpenJDK Java runtime, using Hotspot JIT (headless)



openjdk-15-jre-headless: OpenJDK Java runtime, using Hotspot JIT (headless)


openjdk-15-jre-headless is very new. It is in Debian unstable but has not yet migrated to Debian testing, so the number of installations is very low.

opensc-pkcs11: Smart card utilities with support for PKCS#15 compatible cards



python3-pykcs11: PKCS#11 wrapper for Python



python3-pyscard: Python3 wrapper above PC/SC API


python3-pyscard is a dependency of python3-yubikey-manager. Users are installing this package not because they love this software (I am the upstream maintainer) but because they use a YubiKey.

Installations

| Package | # of installations | % of Debian systems |
|---|---|---|
| libcacard0 | 54878 | 27,83 % |
| libspice-client-glib-2.0-8 | 53935 | 27,35 % |
| openjdk-11-jre-headless | 51455 | 26,10 % |
| libspice-client-gtk-3.0-5 | 49029 | 24,87 % |
| openjdk-8-jre-headless | 42921 | 21,77 % |
| opensc-pkcs11 | 24375 | 12,36 % |
| libopenconnect5 | 19034 | 9,65 % |
| python3-pyscard | 369 | 0,19 % |
| openjdk-14-jre-headless | 340 | 0,17 % |
| libengine-pkcs11-openssl | 312 | 0,16 % |
| openjdk-13-jre-headless | 300 | 0,15 % |
| libchipcard-data | 199 | 0,10 % |
| libckyapplet1 | 193 | 0,10 % |
| coolkey | 190 | 0,10 % |
| libchipcard6 | 182 | 0,09 % |
| libykpiv1 | 178 | 0,09 % |
| libcacard-dev | 135 | 0,07 % |
| libchipcard-tools | 131 | 0,07 % |
| libpam-pkcs11 | 90 | 0,05 % |
| openjdk-15-jre-headless | 78 | 0,04 % |
| libpam-poldi | 39 | 0,02 % |
| libpam-p11 | 33 | 0,02 % |
| libosmosim0 | 29 | 0,01 % |
| python3-pykcs11 | 19 | 0,01 % |
| libchipcard-dev | 18 | 0,01 % |
| cackey | 12 | 0,01 % |
| libckyapplet1-dev | 3 | 0,00 % |
| libpcscada0.7.5 | 3 | 0,00 % |
| libgnokii7 | 2 | 0,00 % |

Conclusion

Many (all?) smartcard middleware packages with a large installation base are not installed for themselves but because they are a dependency of another package.

So users are installing packages that carry smart card features or services without any need for, or use of, those features.
It is not a problem. It is how dependencies work.