
Monday, December 13, 2010

Configuring your system for pcscd auto-start

Since pcsc-lite 1.6.5 it is possible to start pcscd on demand and run it with fewer privileges than root.

System configuration


pcscd group

pcscd is run as a user in the pcscd group. So you need to create this group.

$ sudo addgroup --system pcscd

/var/run/pcscd directory

Since pcscd is no longer running as root it cannot create the /var/run/pcscd directory itself. The directory must be created as root and the correct permissions must be set:

  • group = pcscd group
  • access rights = rwx

$ sudo mkdir /var/run/pcscd
$ sudo chgrp pcscd /var/run/pcscd
$ sudo chmod g+w /var/run/pcscd
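The setup above can be verified with a small check. This C program is an added example, not code from pcsc-lite: it reports whether the runtime directory has the group and access rights described here. The function names, the finding flags, and the extra checks for a root owner and for world-writable access are assumptions of this example.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <grp.h>

/* Findings are OR-ed together; 0 means the directory matches the setup above. */
enum {
    DIR_MISSING      = 1 << 0, /* lstat() failed */
    DIR_NOT_A_DIR    = 1 << 1, /* a symlink or a file sits at the path */
    DIR_WRONG_OWNER  = 1 << 2, /* not owned by the expected user (root) */
    DIR_WRONG_GROUP  = 1 << 3, /* group is not the pcscd group */
    DIR_GROUP_NO_RWX = 1 << 4, /* group lacks r, w or x */
    DIR_WORLD_WRITE  = 1 << 5  /* others can write into the directory */
};

/* Pure check on the metadata, so it can be exercised without root. */
int audit_dir_meta(mode_t mode, uid_t uid, gid_t gid,
                   uid_t want_uid, gid_t want_gid)
{
    int findings = 0;

    if (!S_ISDIR(mode))
        return DIR_NOT_A_DIR;
    if (uid != want_uid)
        findings |= DIR_WRONG_OWNER;
    if (gid != want_gid)
        findings |= DIR_WRONG_GROUP;
    if ((mode & S_IRWXG) != S_IRWXG)
        findings |= DIR_GROUP_NO_RWX;
    if (mode & S_IWOTH)
        findings |= DIR_WORLD_WRITE;
    return findings;
}

/* lstat(), not stat(): a symlink at the path is reported, not followed. */
int audit_dir(const char *path, uid_t want_uid, gid_t want_gid)
{
    struct stat st;

    if (lstat(path, &st) != 0)
        return DIR_MISSING;
    return audit_dir_meta(st.st_mode, st.st_uid, st.st_gid,
                          want_uid, want_gid);
}

int main(void)
{
    const char *path = "/var/run/pcscd";
    struct group *gr = getgrnam("pcscd");
    int findings;

    if (gr == NULL) {
        printf("group pcscd does not exist\n");
        return 1;
    }
    findings = audit_dir(path, 0, gr->gr_gid);
    printf("%s: findings mask 0x%02x\n", path, findings);
    return findings != 0;
}
```

A mask of 0 means the directory is a real directory owned by root, in the pcscd group, with rwx for the group and no write access for others.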

udev rule


pcscd is no longer running as root, so the permissions on the reader device need to be changed. For USB readers this is done via a udev rule file.

A previous blog entry described such a udev rule file.
libccid provides a udev rule file. I guess other drivers do not (yet) provide one.

Example:

# If not adding the device, go away
ACTION!="add", GOTO="pcscd_ccid_rules_end"
SUBSYSTEM!="usb", GOTO="pcscd_ccid_rules_end"
ENV{DEVTYPE}!="usb_device", GOTO="pcscd_ccid_rules_end"

# sysfs reports the IDs as 4 lowercase hex digits, without a 0x prefix
ATTRS{idVendor}=="08e6", ATTRS{idProduct}=="0430", GROUP="pcscd"

# All done
LABEL="pcscd_ccid_rules_end"


This example is for the Gemplus GemPC430 reader. It is an old reader and is not CCID. Just replace the idVendor and idProduct with the values of your own USB reader.

Debian


All these steps are already in place for the pcscd and libccid packages in Debian (in experimental for now). The packages for the other drivers should follow.

Conclusion


The auto-start feature needs some configuration before it can be used.
If you do not want to follow all the steps described in this article you can continue to run pcscd as root as before.



Sunday, December 12, 2010

New version of pcsc-lite: 1.6.6

I just released a new version of pcsc-lite: 1.6.6. This version does not bring new features but fixes two bugs.
The version is available here.

Changelog


pcsc-lite-1.6.6: Ludovic Rousseau
12 December 2010
  • SCardGetStatusChange(): fix a bug on 64-bits systems
  • Fix another bug because of a regression in the internal list manager



Friday, December 3, 2010

New version of libccid: 1.4.1

I just released a new version of libccid.

Changelog


1.4.1 - 3 December 2010, Ludovic Rousseau

  • Add support of Gemalto Smart Guardian (SG CCID), ReinerSCT cyberJack RFID basis, Akasa AK-CR-03, BZH uKeyCI800-K18, Free Software Initiative of Japan Gnuk token readers
  • Remove O2 Micro Oz776 and Blutronics Bludrive II CCID since they are no more supported since version 1.4.0
  • SecurePINVerify & SecurePINModify: Accept big and little endian byte orders for multibytes fields. The application should not use HOST_TO_CCID_16() and HOST_TO_CCID_32() any more and just use the normal byte order of the architecture.
  • Need pcsc-lite 1.6.5 for TAG_IFD_POLLING_THREAD_WITH_TIMEOUT
  • Add --enable-embedded (default is no) to build libccid for an embedded system. This will activate the NO_LOG option to disable logging and limit RAM and disk consumption.
  • Remove --enable-udev option since it is not used anymore with libhal. The udev rules file is now used to change the access rights of the device and not send a hotplug signal to pcscd. See http://ludovicrousseau.blogspot.com/2010/09/pcscd-auto-start.html
  • some minor bugs removed


New version of pcsc-lite: 1.6.5

I just released new version of pcsc-lite. Some of the improvements or changes have already been described in previous blog articles.

Changelog


pcsc-lite-1.6.5: Ludovic Rousseau
3 December 2010
  • Power on the card _only_ if an application requests a connection. You can disable the feature using DISABLE_ON_DEMAND_POWER_ON in src/pcscd.h.in. If DISABLE_AUTO_POWER_ON is defined then do not automatically power on the card. The card will be powered on on the first SCardConnect(). See http://ludovicrousseau.blogspot.com/2010/10/card-auto-power-on-and-off.html
  • SCardReconnect(): return SCARD_E_NO_SMARTCARD when card is removed and SCARD_W_UNRESPONSIVE_CARD when card is unresponsive instead of SCARD_E_PROTO_MISMATCH
  • Install pcscd as sgid pcscd instead of suid root. See http://ludovicrousseau.blogspot.com/2010/09/pcscd-auto-start.html
  • SCardSetTimeout() is no more provided. This function is not provided by Microsoft and is deprecated since 2004 in pcsc-lite.
  • SCardCancelTransaction() is no more provided. This function is not provided by Microsoft and is deprecated since 2005 in pcsc-lite.
  • Parsing the CCID Info.plist (159 readers supported) was, on a i386 machine, done in 264306 s and is now done 5547 s => gain x47 or 4600%. See http://ludovicrousseau.blogspot.com/2010/08/ram-and-cpu-improvements-in-pcsc-lite.html
  • It is now possible to configure the local socket name to use using the environment variable PCSCLITE_CSOCK_NAME. See http://ludovicrousseau.blogspot.com/2010/11/pcsc-client-and-server-on-two-different.html
  • Wait until all connected readers have a chance to power up a possibly inserted card before accepting clients.
  • restrict pcscd features when not run by root (so using suid): APDU logging or setting parameters are disabled for example
  • fix compilation problem on kfreebsd-* systems
  • PCSC/reader.h: HOST_TO_CCID_16() and HOST_TO_CCID_32() are now identity functions. Since libccid 1.4.1 (revision 5252) the byte order is no more important.
  • If you want to use IFDHCreateChannel() instead of IFDHCreateChannelByName() then do not use any DEVICENAME line in the configuration file. IFDHCreateChannel() will then be called with the CHANNELID parameter.
  • the CHANNELID parameter can also be a decimal number.
  • Remove the support of IFDHandler v1 API. I don't know any driver using this API. See http://ludovicrousseau.blogspot.com/2010/10/ifdhandler-version-1-support-removed.html
  • avoids a buffer overflow with badly formed ATR
  • some other minor improvements and bug corrections

New PyKCS11 1.2.3 available

I just released a new version of PyKCS11, a Python wrapper above the PKCS#11 API.

Changelog


1.2.3 - December 2010, Ludovic Rousseau

  • Add new classes CK_SLOT_INFO, CK_INFO, CK_SESSION_INFO, CK_MECHANISM_INFO and CK_TOKEN_INFO instead of the low level ones to have a __repr__() method. It is now possible to just print an object of these classes and have a human readable version.
  • Add a new class CK_OBJECT_HANDLE() to replace the low level one and have a __repr__() method for objects returned by findObjects()
  • Move initToken() from class Session to class PyKCS11Lib and add a slot parameter.
  • Add generateKeyPair() and destroyObject() support in high level interface

What next?


This new release should restart the publication of articles on this wrapper. I have not published anything since June.

This new version 1.2.3 is easier and more fun to use in an interactive Python interpreter. You can just display objects using print. More to come...



Friday, November 19, 2010

PCSC sample in C#

Here is the PCSC sample in C# language I promised in PC/SC sample in different languages.

Available wrappers

After searching I found different projects to wrap PC/SC from C#.


So many projects for the same service give different messages:

  • the service is needed by "many" users
  • the C# community is fragmented and does not have a central point of discussion (forum, mailing list, web site, etc.) to settle on just one implementation?
  • the authors suffer from the NIH syndrome?

Installation

Prerequisite

Install the Mono C# compiler:
sudo aptitude install mono-gmcs

I recommend that you use the nice, working development IDE, monodevelop:
sudo aptitude install monodevelop

Build pcsc-sharp

  1. Download pcsc-sharp, current version is 2010-11-10 (update 5 Nov 2015: the project moved to github project pcsc-sharp and the current version is 3.3.0.0 from Oct 2015)
  2. Unpack the source.
  3. Go into the pcsc-sharp/ directory and simply run make.
    It will compile the PC/SC classes within a second. By default, a "Release" version without debug information will be built. You can change the configuration target by editing the Makefile file. If you do not like the command line, you can use 'monodevelop', the graphical IDE, as well. Monodevelop uses Visual Studio's file format for its solution and project files.

Create the HelloWorld application with Monodevelop

  1. Start monodevelop, click on File -> New -> Solution
  2. Select "C#" as programming language, use the "Console Project" template and name it "HelloWorld". You can skip the package feature dialog.
  3. You need to add a reference to the pcsc-sharp.dll file.
    To do this right-click on "References" in the Solution panel and choose "Edit References". Click on ".Net Assembly" and browse to the path where the pcsc-sharp.dll file is located. Double click the dll and it will be added to the project.
  4. Use the HelloWorld.cs code listed below.

Source code

using System;
using System.Text;

using PCSC; 

namespace HelloWorld
{
    class Program
    {
        static void CheckErr(SCardError err)
        {
            if (err != SCardError.Success)
                throw new PCSCException(err,
                    SCardHelper.StringifyError(err));
        }
        static void Main(string[] args)
        {
            try
            {
                // Establish SCard context
                SCardContext hContext = new SCardContext();
                hContext.Establish(SCardScope.System);

                // Retrieve the list of Smartcard readers
                string[] szReaders = hContext.GetReaders();
                if (szReaders.Length <= 0)
                    throw new PCSCException(SCardError.NoReadersAvailable,
                        "Could not find any Smartcard reader.");
                
                Console.WriteLine("reader name: " + szReaders[0]);

                // Create a reader object using the existing context
                SCardReader reader = new SCardReader(hContext);

                // Connect to the card
                SCardError err = reader.Connect(szReaders[0],
                    SCardShareMode.Shared,
                    SCardProtocol.T0 | SCardProtocol.T1);
                CheckErr(err);

                long pioSendPci;
                switch (reader.ActiveProtocol)
                {
                    case SCardProtocol.T0:
                        pioSendPci = SCardPCI.T0;
                        break;
                    case SCardProtocol.T1:
                        pioSendPci = SCardPCI.T1;
                        break;
                    default:
                        throw new PCSCException(SCardError.ProtocolMismatch,
                            "Protocol not supported: "
                            + reader.ActiveProtocol.ToString());
                }

                byte[] pbRecvBuffer = new byte[256];

                // Send SELECT command
                byte[] cmd1 = new byte[] { 0x00, 0xA4, 0x04, 0x00, 0x0A, 0xA0, 
                    0x00, 0x00, 0x00, 0x62, 0x03, 0x01, 0x0C, 0x06, 0x01 };
                err = reader.Transmit(pioSendPci, cmd1, ref pbRecvBuffer);
                CheckErr(err);

                Console.Write("response: ");
                for (int i = 0; i < pbRecvBuffer.Length; i++)
                    Console.Write("{0:X2} ", pbRecvBuffer[i]);
                Console.WriteLine();

                pbRecvBuffer = new byte[256];

                // Send test command
                byte[] cmd2 = new byte[] { 0x00, 0x00, 0x00, 0x00 };
                err = reader.Transmit(pioSendPci, cmd2, ref pbRecvBuffer);
                CheckErr(err);

                Console.Write("response: ");
                for (int i = 0; i < pbRecvBuffer.Length; i++)
                    Console.Write("{0:X2} ", pbRecvBuffer[i]);
                Console.WriteLine();

                hContext.Release();
            }
            catch (PCSCException ex)
            {
                Console.WriteLine("Ouch: "
                    + ex.Message
                    + " (" + ex.SCardError.ToString() + ")");
            }
        }
    }
}

Output

$ ./HelloWorld.exe
reader name: Gemalto GemPC Twin 00 00
response: 90 00
response: 48 65 6C 6C 6F 20 77 6F 72 6C 64 21 90 00


I don't know how to convert a byte array of ASCII characters to a string. I searched a bit for a "%c" equivalent in C# but have not found it. So, exercise for next time: display the "string" returned by the card.

Lessons learned

Monodevelop

Monodevelop is a nice tool.

I got caught by a strange (for me) behavior of monodevelop. The HelloWorld project embarks/copies its own version of pcsc-sharp.dll, the PCSC wrapper, in the bin/Debug/ directory. So if you modify the wrapper you need to rebuild the HelloWorld project, not just rerun it.

Maybe it is possible to install the DLL in a system directory or something like that. So that different applications can share the same file.
The HelloWorld.exe file is 5120 bytes, or 5 kiB.
The pcsc-sharp.dll file is 83456 bytes or 81 kiB.

C#

A C# program can be executed directly from the shell on my GNU/Linux system. It is surprising since it is recognised as a Windows binary:
$ file HelloWorld.exe
HelloWorld.exe: PE32 executable for MS Windows (console) Intel 80386 32-bit Mono/.Net assembly


I also tried to execute on Windows XP the binary generated on GNU/Linux. And it works! No change needed.

Thanks

Thanks to Daniel Mueller, author of pcsc-sharp, for writing the sample code and a large part of the documentation included in this article.

Update 5 Nov 2015

The project moved to github project pcsc-sharp. It has been active in 2015.

I have not checked that my sample code still works with the latest version of the wrapper.

Thursday, November 11, 2010

PSSI: SIM card phone book listing (part 2)

Just a week after my post about a missing SIM card explorer in free software I discovered in the French MISC magazine article "Python Simple Smartcard Interpreter" that such a project exists.


PSSI: Python Simple Smartcard Interpreter


The project is hosted at http://code.google.com/p/pssi/ and uses GNU GPLv3 licence.
" Python script that provides an abstract layer for smartcard reading. Thanks to it, it is possible to read a smartcard by simply adding its structure in the form of a plugin, without taking care of the communication layer. The tool comes with several plugins, namely SIM, EMV, and NAVIGO. "
The project is quite new. The project was created 30 July 2010 on code.google.com and the first commit occurred on 19 Sept 2010. No stable/numbered release is available.

Plugins


The software is not just for SIM cards but is generic and uses plugins.

SIM

This plugin displays a lot of information about the SIM:
  • Telecom provider
  • Phone book
  • SMS

EMV

This plugin also displays a lot of information about the bank card:

Applications on the card



 ATR                         : 3B 65 00 00 66 04 6C 90 00
 Content                    
    Applications List          
       ====   1   ====
          ====   1   ====
             Application information    
                EMV Application information
                   Application ID              : a0 00 00 00 42 10 10 
                   Application name            : CB
                   Application priority        : 1
          ====   2   ====
             Application information    
                EMV Application information
                   Application ID              : a0 00 00 00 03 10 10 
                   Application name            : VISA
                   Application priority        : 2

Card holder name


Application information    
   Track 2 data                : 49 78 38 00 XX XX XX XX YY YY YY YY 
   Cardholder                  : MR ROUSSEAU LUDOVIC       
   Track 1 discretionary data  : 329627000000000673000000

Card validity dates and card number


Application information    
   Validity beginning          : 01 / 09 / 08
   Validity end                : 30 / 09 / 10
   Card number                 : 49 78 38 00 XX XX XX XX 
   PAN sequence number         : 4

The card number has been obscured by me. Even if the card expired a few months ago I think it is safer like this :-)

Transactions


====   1   ====
====   2   ====
   Amount          : 126.63          ()
   CID             : 64              (Cryptogram Information Data)
   Country         : FRANCE          (Country where the terminal is located)
   Currency        : Euro            ()
   Date            : 18 / 09 / 10    ()
   Type            : Payment         ()
====   3   ====
   Amount          : 36.80           ()
   CID             : 64              (Cryptogram Information Data)
   Country         : FRANCE          (Country where the terminal is located)
   Currency        : Euro            ()
   Date            : 31 / 08 / 10    ()
   Type            : Payment         ()
====   4   ====
   Amount          : 202.60          ()
   CID             : 64              (Cryptogram Information Data)
   Country         : FRANCE          (Country where the terminal is located)
   Currency        : Euro            ()
   Date            : 25 / 08 / 10    ()
   Type            : Payment         ()


NAVIGO

Navigo is the smart card used by the RATP in Paris public transport system. I do not have such a card so could not use this plugin.

ccid-utils

Another project to dump an EMV card is ccid-utils but this project did not work with my French bank card so I thought my card was not EMV compliant. But I was wrong since PSSI works great with this card.

Another problem with ccid-utils is that even if the program uses Python the core of the project uses C and directly talks to a CCID reader instead of using the PC/SC API through Pyscard. ccid-utils is also very limited regarding the CCID readers it supports.

Conclusion

PSSI is much more than a SIM card explorer. It also works for EMV and Navigo cards. The display of information is nice. The code is Python only so I had no problem using it on Mac OS X. I think I will continue playing with the software and maybe implement other features.



Monday, November 8, 2010

PC/SC client and server on two different hosts

Estobuntu (a remastered Kubuntu Lucid Live CD that uses Estonian by default) uses LTSP (Linux Terminal Server Project) and a modified version of ssh to redirect the pcsc-lite client-server communication channel.

The feature has been added in revision r5373 and will be available in pcsc-lite version 1.6.5.

Architecture

  • pcscd is running on the remote terminal, where the smart card reader is connected.
  • SSH is used to redirect the pcscd socket /var/run/pcscd/pcscd.comm from the client terminal to a file on the server and then used by the libpcsclite.so client library.
  • On the server each client session must have its own socket to a different pcscd running on different terminals. So the file is located in the user home directory: $HOME/.pcscd.comm

Setup

On the pcscd side the socket /var/run/pcscd/pcscd.comm is redirected by ssh.

On the libpcsclite.so side the redirection is done by configuring the environment variable PCSCLITE_CSOCK_NAME.

$ export PCSCLITE_CSOCK_NAME=$HOME/.pcscd.comm
$ the_program

Issues

This setup cannot use the auto start feature. The auto start feature allows starting the pcscd daemon only when libpcsclite.so is used by an application. Since pcscd and libpcsclite.so are now on two different machines it is a bit more complex than just fork+exec. The libpcsclite.so would have to start pcscd on a different machine. This is possible but is not implemented.

Conclusion

This feature could also be used outside of Estobuntu and LTSP.

SSH does not, natively, redirect a Unix domain socket to a remote Unix domain socket. But maybe a simple tool exists for doing just that. If you know something like that please add a comment. One problem is that Unix domain sockets can do more than Internet sockets (like transfer a file handle with SCM_RIGHTS or Unix credentials with SCM_CREDENTIALS), but pcsc-lite does not use these services.



Wednesday, November 3, 2010

SIM card phone book listing

During the Debian Miniconf Paris 2010 I was asked for a program to use a SIM card.

I do not know any program to correctly manage a SIM card in free software on Unix (but I have not really searched for it).

SIM explorer v3.0

In 2004 I wrote a simple Perl program to dump the phone book of a SIM card using the PC/SC Perl wrapper. The program is available on my web site.

The program is very crude and only displays the phone book. There is no way to edit the phone book.

Conclusion

I am surprised to see so little interest in the area of SIM/USIM cards. The market penetration of GSM was already above 100% in 22 European markets in 2006. So I guess every smart card hacker also has one GSM/3G phone. So we do not lack developers.

Note: I do not have a GSM/3G/smart phone myself :-)



Monday, November 1, 2010

Debian Miniconf Paris/2010

I presented a talk titled "Smart cards in Debian" at the Debian Miniconf Paris, October 2010.

The slides (in English) of my talk are available online. The idea was to stay at a high level and present the different layers used in the smart card world. So no lines of code or screen dumps.

The topics are:
  • ISO 7816-1, 2, 3 and 4
  • Private/proprietary specifications
  • Publicly documented specifications
  • Programmable smart cards
  • CCID
  • PC/SC
  • PKCS#11
  • Python PC/SC wrapper
  • Python PKCS#11 wrapper
  • Electronic ID cards
I did not go into details. I wanted to show a big picture of the different smart card layers. That may be one of the most difficult things in a domain: know what to install and what layer is used by which one.

Comments are welcome.



Thursday, October 28, 2010

GnuPG v2 card and extended APDU

A user reported a problem with a GnuPG v2 card and an OmniKey 4321 ExpressCard smart card reader. The same card works fine with a SCM SCR33x reader.

GnuPG v2 card








The card ATR is: 3B DA 18 FF 81 B1 FE 75 1F 03 00 31 C5 73 C0 01 40 00 90 00 0C and is known as GnuPG card V2.

According to the GnuPG v2 specification:

Reader (informative)
  • A common driver (CCID, PC/SC or CT-API) shall be supported.
  • The driver should be available for several platforms (e.g. Win32, Linux, Macintosh)
  • T=1 and T=0 shall be supported for cards with contacts.
  • High-Speed protocols should be supported.
  • Extended length shall be supported.

The important point is highlighted. Of course you do not read the card user manual before buying a smart card reader for your card. And the notion of "Extended length" can be quite obscure for a user.

Extended length APDU


The difference between the two readers is that:

  • The OMNIKEY CardMan 4321 is a "Short APDU level exchange" reader
  • The SCM Microsystems Inc. SCR33x USB Smart Card Reader is a "TPDU level exchange" reader

I tried to document the problems with extended APDU in a special page Extended APDU support of the CCID driver.

But this is also obscure for a normal smart card user.

PC/SC and extended APDU


One major problem is that an application at the PC/SC level has no way to know if the reader does or does not support extended APDU.

I tried to propose a mechanism so that an application can know if the reader supports extended APDU. The idea is that the application can display a human readable error message. That would save me from receiving bug reports. But the idea was more or less refused by the PC/SC workgroup. Short APDU should be defined before defining extended APDU. And short APDU are not yet defined by the PC/SC workgroup :-(

One day I will blog about the PC/SC workgroup.
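Since PC/SC does not report whether a reader handles extended APDU, an application can at least recognise which of its own commands use the extended encoding before sending them. The following C code is an added example, not code from pcsc-lite or the CCID driver: it classifies a command APDU from its length bytes (ISO 7816-4 encoding) and returns a result the application can turn into a readable message. The function names and the reader_does_extended flag (supplied by the caller, for example from configuration) are assumptions, and every sample APDU except the SELECT from the C# sample is constructed.

```c
#include <stdio.h>
#include <stddef.h>

enum apdu_case {
    APDU_INVALID = 0,
    APDU_CASE_1,  /* CLA INS P1 P2 */
    APDU_CASE_2S, /* header + Le (1 byte) */
    APDU_CASE_3S, /* header + Lc (1 byte) + data */
    APDU_CASE_4S, /* header + Lc (1 byte) + data + Le (1 byte) */
    APDU_CASE_2E, /* header + 00 + Le (2 bytes) */
    APDU_CASE_3E, /* header + 00 + Lc (2 bytes) + data */
    APDU_CASE_4E  /* header + 00 + Lc (2 bytes) + data + Le (2 bytes) */
};

enum preflight { PREFLIGHT_OK, PREFLIGHT_MALFORMED, PREFLIGHT_NEEDS_EXTENDED };

/* Classify a command APDU from its length fields. */
enum apdu_case apdu_classify(const unsigned char *apdu, size_t len)
{
    size_t lc;

    if (apdu == NULL || len < 4)
        return APDU_INVALID;
    if (len == 4)
        return APDU_CASE_1;
    if (len == 5)
        return APDU_CASE_2S;
    if (apdu[4] != 0) {          /* short form: Lc is one byte, 1..255 */
        lc = apdu[4];
        if (len == 5 + lc)
            return APDU_CASE_3S;
        if (len == 6 + lc)
            return APDU_CASE_4S;
        return APDU_INVALID;     /* length does not match Lc */
    }
    /* Byte 4 is 00 and more bytes follow: extended form. */
    if (len < 7)
        return APDU_INVALID;
    if (len == 7)
        return APDU_CASE_2E;
    lc = ((size_t)apdu[5] << 8) | apdu[6];
    if (lc == 0)
        return APDU_INVALID;
    if (len == 7 + lc)
        return APDU_CASE_3E;
    if (len == 9 + lc)
        return APDU_CASE_4E;
    return APDU_INVALID;
}

/* reader_does_extended is the caller's knowledge of the reader (assumption). */
enum preflight apdu_preflight(const unsigned char *apdu, size_t len,
                              int reader_does_extended)
{
    enum apdu_case c = apdu_classify(apdu, len);

    if (c == APDU_INVALID)
        return PREFLIGHT_MALFORMED;
    if (c >= APDU_CASE_2E && !reader_does_extended)
        return PREFLIGHT_NEEDS_EXTENDED;
    return PREFLIGHT_OK;
}

/* SELECT command from the C# sample on this page. */
const unsigned char SELECT_APPLET[] = { 0x00, 0xA4, 0x04, 0x00, 0x0A, 0xA0,
    0x00, 0x00, 0x00, 0x62, 0x03, 0x01, 0x0C, 0x06, 0x01 };
/* Constructed samples. */
const unsigned char CASE_4S[]  = { 0x00, 0xA4, 0x04, 0x00, 0x02, 0x3F, 0x00, 0x00 };
const unsigned char EXT_READ[] = { 0x00, 0xCA, 0x01, 0x00, 0x00, 0x08, 0x00 };
const unsigned char EXT_3E[]   = { 0x00, 0xDA, 0x01, 0x00, 0x00, 0x00, 0x03,
    0xAA, 0xBB, 0xCC };
const unsigned char EXT_4E[]   = { 0x00, 0xDA, 0x01, 0x00, 0x00, 0x00, 0x03,
    0xAA, 0xBB, 0xCC, 0x01, 0x00 };
const unsigned char BAD_LC[]   = { 0x00, 0xDA, 0x01, 0x00, 0x05, 0xAA };

int main(void)
{
    if (apdu_preflight(EXT_READ, sizeof EXT_READ, 0) == PREFLIGHT_NEEDS_EXTENDED)
        printf("This command uses an extended APDU; "
               "the configured reader is marked short APDU only.\n");
    return 0;
}
```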

Conclusion

Extended APDU are more and more common. Maybe I should add a clear indication of the support or not of extended APDU in the reader matrix. If you have an idea of logo or presentation then just tell me.




Tuesday, October 26, 2010

PCSC sample in PHP

In PC/SC sample in different languages I "promised" to give the implementation of the same sample program in many different programming languages. I am now less motivated and some languages have not yet been treated. PHP is one of them.

Wrapper for PHP


SCardSCR is a PC/SC wrapper for PHP4. As indicated on the web page:
SCardSCR is a PHP4 based project, and for many (good) reasons, it primarily targets Microsoft Windows (Win32/i386).

And since I am not an expert or even user of Windows I do not think I will ever work on this wrapper. I am also not a user of PHP.

Comments


The project is dated 17/01/2005 and is for PHP4. PHP5 is available since 2004. So maybe the SCardSCR project is not really active/maintained anymore.

Note that my name is in the Credits :-)
Thanks to Ludovic Rousseau for his pcsc-tools package (C program and Perl scripts) that is the basis of most SCardSCR sample scripts.

Conclusion


I left as an exercise the writing of the sample.php program in PHP. If you write it just tell me so I can add it here.



Sunday, October 24, 2010

Card auto power on and off

pcsc-lite 1.6.5 (not yet released but the code is available in the subversion repository or here) contains a new feature that was described in the TODO file as:
power on the card only if an application requests a connection. See Alioth bug #301965. That could be implemented by polling the reader only if an application requests it.

How to power off a card


In previous versions of pcsc-lite, a card, when inserted, was always powered on. The only way to power off a card is to call SCardDisconnect(SCARD_UNPOWER_CARD), SCardEndTransaction(SCARD_UNPOWER_CARD) or SCardReconnect(SCARD_UNPOWER_CARD).

After the SCardEndTransaction(SCARD_UNPOWER_CARD) or SCardReconnect(SCARD_UNPOWER_CARD) calls the card is still used by the application. The power off action is just to force a cold reset to the card. So the card is powered on right after the power off.

Auto power off


After SCardDisconnect() the card is not used since the connection with the card is closed. It is the only case where the card may stay powered off.

dwDisposition argument of SCardDisconnect() can be:

  • SCARD_LEAVE_CARD - Do nothing.
  • SCARD_RESET_CARD - Reset the card (warm reset).
  • SCARD_UNPOWER_CARD - Unpower the card (cold reset).
  • SCARD_EJECT_CARD - Eject the card.

SCARD_EJECT_CARD is not used. I do not know any smart card reader with mechanical features to eject a card.
If SCARD_UNPOWER_CARD is used the card is and will stay powered off.
If SCARD_LEAVE_CARD or SCARD_RESET_CARD is used the card is still powered but is subject to a power off.

Auto power on


Once the card has been powered off it must be powered on again on the next use.
The only way to "use" a card is to call SCardConnect(). So when SCardConnect() is called and the card is not powered then the card is powered on first.

Smarter auto power off


The described scheme works great. One side effect is that the card may be powered off just before being used.

For example imagine the following scenario:
  1. you insert a card in the reader
  2. the card is powered on to get its ATR
  3. the card is not used by any application so the card is powered off
  4. an application was waiting in SCardGetStatusChange() and is now notified that a card is present
  5. the application calls SCardConnect() to use the card
  6. the card is powered on again

To avoid the double power on action a delay is used before powering off the card in step 3. The card is powered off only if the card is not used during 5 seconds.

For the same reason the card is not powered off just at SCardDisconnect() but after being unused during 5 seconds.
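The effect of the delay can be replayed with a small model. This C program is an added example, not code from pcsc-lite: it replays timestamped events against a simplified card power model and counts the power-on actions with and without the 5 second grace period. The event names, the struct layout, and the simplifications (the card stays inserted, and a card is powered off on SCARD_UNPOWER_CARD only when the last connection closes) are assumptions, and the scenarios are constructed.

```c
#include <stdio.h>
#include <stddef.h>

/* Same value as PCSCLITE_POWER_OFF_GRACE_PERIOD (5 seconds), in milliseconds. */
#define GRACE_MS (5 * 1000)

enum ev_type {
    EV_INSERT,            /* card inserted: powered on once to get its ATR */
    EV_CONNECT,           /* SCardConnect() */
    EV_DISCONNECT_LEAVE,  /* SCardDisconnect(), SCARD_LEAVE_CARD or SCARD_RESET_CARD */
    EV_DISCONNECT_UNPOWER /* SCardDisconnect(), SCARD_UNPOWER_CARD */
};

struct event { long t_ms; enum ev_type type; };

struct card {
    int powered;     /* 1 while the card is powered */
    int users;       /* open connections */
    long idle_since; /* time the powered card became unused, -1 otherwise */
    int power_ons;   /* power-on actions so far */
    int power_offs;  /* power-off actions so far */
};

static void power_off(struct card *c)
{
    c->powered = 0;
    c->idle_since = -1;
    c->power_offs++;
}

/* The timer: a powered card with no user is powered off after grace_ms. */
static void run_timer(struct card *c, long now, long grace_ms)
{
    if (c->powered && c->users == 0 && c->idle_since >= 0
        && now - c->idle_since >= grace_ms)
        power_off(c);
}

/* Replay events (sorted by time) and return the state at end_ms. */
struct card simulate(const struct event *ev, size_t n, long grace_ms, long end_ms)
{
    struct card c = { 0, 0, -1, 0, 0 };
    size_t i;

    for (i = 0; i < n; i++) {
        run_timer(&c, ev[i].t_ms, grace_ms);
        switch (ev[i].type) {
        case EV_INSERT:
            c.powered = 1;
            c.power_ons++;
            c.idle_since = ev[i].t_ms;
            break;
        case EV_CONNECT:
            if (!c.powered) {              /* auto power on */
                c.powered = 1;
                c.power_ons++;
            }
            c.users++;
            c.idle_since = -1;
            break;
        case EV_DISCONNECT_LEAVE:
            if (c.users > 0 && --c.users == 0)
                c.idle_since = ev[i].t_ms; /* grace period starts now */
            break;
        case EV_DISCONNECT_UNPOWER:
            if (c.users > 0 && --c.users == 0 && c.powered)
                power_off(&c);             /* stays off until the next connect */
            break;
        }
    }
    run_timer(&c, end_ms, grace_ms);
    return c;
}

/* Constructed scenarios, times in ms. PAGE_SCENARIO is the list above. */
const struct event PAGE_SCENARIO[] = { { 0, EV_INSERT }, { 200, EV_CONNECT } };
const struct event RECONNECT[] = {
    { 0, EV_INSERT }, { 200, EV_CONNECT }, { 1000, EV_DISCONNECT_LEAVE },
    { 4000, EV_CONNECT }, { 4500, EV_DISCONNECT_LEAVE }
};
const struct event UNPOWER[] = {
    { 0, EV_INSERT }, { 200, EV_CONNECT }, { 1000, EV_DISCONNECT_UNPOWER },
    { 2000, EV_CONNECT }
};

int main(void)
{
    printf("no delay: %d power-ons, 5 s delay: %d power-on\n",
           simulate(PAGE_SCENARIO, 2, 0, 300).power_ons,
           simulate(PAGE_SCENARIO, 2, GRACE_MS, 300).power_ons);
    return 0;
}
```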

Compilation options


The compilation options are in the file src/pcscd.h.in.

/** time to wait before powering down an unused card */
#define PCSCLITE_POWER_OFF_GRACE_PERIOD 5*1000 /* 5 second */

/* Uncomment the next line if you do NOT want to use auto power off */
/* #define DISABLE_ON_DEMAND_POWER_ON */

/* Uncomment the next line if you do not want the card to be powered on when inserted */
/* #define DISABLE_AUTO_POWER_ON */

You can change the 5 seconds delay before the automatic power off: PCSCLITE_POWER_OFF_GRACE_PERIOD. It looks like on Windows the delay is 15 seconds.

If you do not like the new feature then define DISABLE_ON_DEMAND_POWER_ON and you will continue to have the previous behavior.

If you do not want the card to be powered on at insertion then define DISABLE_AUTO_POWER_ON. With this option the card will be powered on only when SCardConnect() is called, not when the card is inserted in the reader. This has side effects and is not an innocent choice. SCardGetStatusChange() will report a card is present but will not report the card ATR. To get the card ATR you have to use SCardStatus() or call SCardGetStatusChange() once again after the card has been powered on using SCardConnect().

Impacts on the reader drivers


In order to respect the 5 seconds of delay I had to replace TAG_IFD_POLLING_THREAD by TAG_IFD_POLLING_THREAD_WITH_TIMEOUT and add a timeout parameter.

I modified my CCID driver to use the new function. I do not know any other driver supporting TAG_IFD_POLLING_THREAD and needing an upgrade.

If your reader driver does not support TAG_IFD_POLLING_THREAD the delay before powering off the card will be 400 milliseconds (PCSCLITE_STATUS_POLL_RATE) instead of 5 seconds.

Conclusion


The power consumption of the smart card reader should be reduced a bit when the card is not powered on.

Some readers have a LED to indicate the state of the reader. For example the Gemalto GemPC Twin reader has a blinking LED when the reader is connected and a still LED when the card is powered on. I generally use the LED to know if the CCID driver and pcsc-lite are working correctly. A still LED indicates the PC/SC layer is working correctly. With the new mechanism the LED is useful only during 5 seconds after inserting the card. A blinking instead of still LED does not always indicate a broken PC/SC layer any more.

Powering off the card is also a new step on the road to suspending the reader at the USB level, and further reduce the power consumption.



Tuesday, October 19, 2010

pcsc-lite upgrade and Ubuntu special configuration

Ubuntu uses a special configuration of pcsc-lite. The libpcsclite.so.1 library is not in /usr/lib but in /lib. See the file list of the libpcsclite1 Ubuntu package for example. This is because libpcsclite.so.1 is used by the wpa_supplicant software and this software should be accessible before /usr is mounted. See Debian bug #531592 "libpcsclite1: move to /lib" and Ubuntu bug #44194 "wpasupplicant doesn't start when the network start"

The problem

By default pcsc-lite installs its files in /usr/local but this path can be changed using the --prefix= argument. The standard way to install software is to use:
./configure --prefix=/usr
make
sudo make install

This will install the daemon pcscd in /usr/sbin/pcscd and the library in /usr/lib.

The daemon provided by the pcscd package is replaced by the new one. But the new library does not replace the old one. So the system will have:

  • /usr/sbin/pcscd: new version
  • /lib/libpcsclite.so.1: old version
  • /lib/libpcsclite.so.1.0.0: old version
  • /usr/lib/libpcsclite.so.1: new version
  • /usr/lib/libpcsclite.so.1.0.0: new version

Of course programs provided by Ubuntu are linked with /lib/libpcsclite.so.1 so they will not use the new version. The old libpcsclite will try to communicate with the new pcscd and since I changed the communication protocol that will fail. A typical example can be found in the support request [#312772] RPC Transport error:

$ pcsc_scan
PC/SC device scanner
V 1.4.16 (c) 2001-2009, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.5.3
SCardEstablishContext: RPC transport error.

The solution

The solution is to install the new version and also replace the old one. It is not possible to remove the /lib/libpcsclite.so.1* files since they are used by Ubuntu compiled programs.

For example pcsc_scan uses /lib/libpcsclite.so.1

$ ldd -r /usr/bin/pcsc_scan 
linux-gate.so.1 =>  (0x00b71000)
libpcsclite.so.1 => /lib/libpcsclite.so.1 (0x003f3000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x00836000)
libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0x00cee000)
libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0x001a1000)
/lib/ld-linux.so.2 (0x009e3000)

So it is not a good idea to remove the libpcsclite1 package since that will also remove other packages (because of dependencies) like libccid libpcsc-perl libpcsclite1 network-manager network-manager-gnome pcsc-tools pcscd ubuntu-desktop wpasupplicant. It is not a good idea to install non-packaged software. But many people do this without knowing what they are doing. So I propose to help them and avoid answering the many bug reports I get because of the special Ubuntu configuration.

Install the new pcsc-lite


$ make install

Fix the old pcsc-lite


$ cd /lib
$ ln -sf /usr/lib/libpcsclite.so.1.0.0

This will replace /lib/libpcsclite.so.1.0.0 with a symbolic link to /usr/lib/libpcsclite.so.1.0.0. /lib/libpcsclite.so.1 is already a symbolic link to /lib/libpcsclite.so.1.0.0.

The Ubuntu wrong solution

wpa_supplicant is linked with /lib/libpcsclite.so.1 so it can be run even if /usr is not yet mounted. But the pcscd daemon is in /usr/sbin so it can't be used yet. So the smart card part of wpa_supplicant can't be used without /usr mounted.

Ubuntu solved the compilation problem. But it does not solve the usability problem.

You can also note that the libpcsclite1 Ubuntu package is in main but the pcscd Ubuntu package is in universe. That is strange since the two packages are generated from the same source archive.

The correct solution

The correct solution would be to load the libpcsclite.so.1 at run time using an explicit dlopen() only if the smart card is used by wpa_supplicant.
The smart card could only be used after /usr is mounted. But I think that is a very reasonable limitation.

Conclusion

Diverting from a standard (library in /usr/lib in the present case) has a cost. The problem is that the cost is not paid by the one diverting from the standard. The cost is paid by other people (me, in the present case) who get support requests.

In economics that is called an externality. In the present case it is a negative externality.

Update, May 2017

Ubuntu (for example version 14.04 and later) installs the libpcsclite.so.1 library in the directory
  • /lib/x86_64-linux-gnu/ on an Intel/AMD 64-bit system
  • /lib/i386-linux-gnu/ on an Intel/AMD 32-bit system

While Debian uses:
  • /usr/lib/x86_64-linux-gnu/
  • /usr/lib/i386-linux-gnu/

So be careful to use the correct ./configure arguments when re-building pcsc-lite.
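
A check for the mixed install described in this post, as an added example that is not part of the original post or of pcsc-lite: it hashes every libpcsclite.so.1 found in the library directories named above and reports MISMATCH when two different builds of the same word size coexist. The function names, the ROOT argument, the grouping by ELF class and the /usr/local/lib entry are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post or from pcsc-lite.
# Detects the mixed install described above: two different builds of
# libpcsclite.so.1 installed in different library directories.

# Directories named in the post, plus /usr/local/lib (the default prefix).
PCSC_LIB_DIRS="lib usr/lib usr/local/lib lib/x86_64-linux-gnu \
usr/lib/x86_64-linux-gnu lib/i386-linux-gnu usr/lib/i386-linux-gnu"

# Print "ELFCLASS SHA256 DIR" for each libpcsclite.so.1 found under ROOT.
# ELFCLASS is byte 4 of the ELF header: 1 = 32-bit, 2 = 64-bit.
list_pcsclite_builds() {
    root=${1%/}
    for d in $PCSC_LIB_DIRS; do
        lib="$root/$d/libpcsclite.so.1"
        [ -e "$lib" ] || continue            # absent or dangling link
        real=$(readlink -f "$lib")           # follow the .so.1 symlink chain
        class=$(od -An -tu1 -j4 -N1 "$real" | tr -d ' ')
        sum=$(sha256sum "$real" | cut -d' ' -f1)
        echo "$class $sum /$d"
    done
}

# Print MISMATCH when two different builds of the same ELF class coexist
# (a 32-bit and a 64-bit build side by side is normal), otherwise OK.
# ROOT defaults to / and may point at an unpacked image or a test tree.
check_pcsclite_copies() {
    dup=$(list_pcsclite_builds "${1:-/}" | cut -d' ' -f1,2 | sort -u |
          cut -d' ' -f1 | uniq -d)
    if [ -n "$dup" ]; then echo MISMATCH; else echo OK; fi
}

list_pcsclite_builds "${1:-/}"
check_pcsclite_copies "${1:-/}"
```

Run before and after the ln -sf step, the verdict should change from MISMATCH to OK.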

Saturday, October 16, 2010

MUSCLE mailing list statistics for 2009

In my previous blog I posted statistics from the MUSCLE mailing list for the complete period 2005-2010. I now publish statistics for the year 2009 only.

I am still the number one for the number of messages posted :-).



Statistics from 1.1.2009 to 30.12.2009



People who have written most messages:

Rank | Author | Msg | Percent
1 | ludovic.rousseau@gmail.com | 114 | 18.91 %
2 | squalyl@gmail.com | 32 | 5.31 %
3 | s.ferey@wanadoo.fr | 30 | 4.98 %
4 | mstjohns@comcast.net | 29 | 4.81 %
5 | countzero@sapo.pt | 27 | 4.48 %
6 | eerbalibera@gmail.com | 21 | 3.48 %
7 | rsc@runtux.com | 19 | 3.15 %
8 | martin@paljak.pri.ee | 15 | 2.49 %
9 | aj@dungeon.inka.de | 13 | 2.16 %
10 | daniel@benoy.name | 11 | 1.82 %
11 | Michael.Bender@sun.com | 11 | 1.82 %
12 | goister@gmail.com | 11 | 1.82 %
13 | gilles.bernabe@gmail.com | 10 | 1.66 %
14 | tedtheologian@gmail.com | 9 | 1.49 %
15 | petcoradipewjepknu@jbohm.dk | 9 | 1.49 %
16 | aquamaniac@gmx.de | 8 | 1.33 %
17 | yjfpb04@163.com | 7 | 1.16 %
18 | puneet.maillist@gmail.com | 7 | 1.16 %
19 | boltateshaev@gmail.com | 7 | 1.16 %
20 | tmiller@mitre.org | 7 | 1.16 %
21 | deengert@anl.gov | 7 | 1.16 %
22 | ruben.lagar@gmail.com | 7 | 1.16 %
23 | cucinotta@sssup.it | 6 | 1.00 %
24 | angella.andrea@gmail.com | 6 | 1.00 %
25 | knife@toaster.net | 6 | 1.00 %
26 | tews@cs.ru.nl | 5 | 0.83 %
27 | linux@tarottoni.com | 5 | 0.83 %
28 | martin.paljak@gmail.com | 5 | 0.83 %
29 | gt-dev@gthomas.homelinux.org | 5 | 0.83 %
30 | alexander.griesser@lkh-vil.or.at | 4 | 0.66 %
other | | 150 | 24.88 %

Best authors, by total size of their messages (w/o quoting):

Rank | Author | KBytes
1 | daniel@benoy.name | 108.7
2 | squalyl@gmail.com | 106.8
3 | ludovic.rousseau@gmail.com | 62.4
4 | puneet.maillist@gmail.com | 59.0
5 | ruben.lagar@gmail.com | 56.3
6 | eerbalibera@gmail.com | 52.6
7 | countzero@sapo.pt | 47.2
8 | gt-dev@gthomas.homelinux.org | 47.1
9 | tmiller@mitre.org | 40.5
10 | mstjohns@comcast.net | 36.1
11 | s.ferey@wanadoo.fr | 36.0
12 | yjfpb04@163.com | 35.0
13 | paulaaa1234@hotmail.com | 31.7
14 | martin@paljak.pri.ee | 25.2
15 | bogusemail98230@yahoo.com | 24.8
16 | rsc@runtux.com | 24.1
17 | tedtheologian@gmail.com | 23.1
18 | Michael.Bender@sun.com | 22.8
19 | boltateshaev@gmail.com | 22.5
20 | lfuente@it.uc3m.es | 18.9
21 | euvieru@gmail.com | 18.7
22 | angella.andrea@gmail.com | 18.3
23 | goister@gmail.com | 16.6
24 | gilles.bernabe@gmail.com | 16.2
25 | glen.gray@lincor.com | 16.0
26 | wolverinex02@gmail.com | 14.4
27 | petcoradipewjepknu@jbohm.dk | 13.9
28 | aj@dungeon.inka.de | 11.6
29 | tim_harvey@yahoo.com | 11.4
30 | raghu@dhatusolutions.com | 11.1

Best authors, by average size of their message (w/o quoting):

Rank | Author | bytes
1 | euvieru@gmail.com | 19127
2 | paulaaa1234@hotmail.com | 10812
3 | daniel@benoy.name | 10117
4 | lfuente@it.uc3m.es | 9675
5 | gt-dev@gthomas.homelinux.org | 9651
6 | puneet.maillist@gmail.com | 8630
7 | ruben.lagar@gmail.com | 8233
8 | jan.suhr@privacyfoundation.de | 6542
9 | bogusemail98230@yahoo.com | 6340
10 | tmiller@mitre.org | 5926
11 | tim_harvey@yahoo.com | 5843
12 | glen.gray@lincor.com | 5475
13 | toomas@eys.ee | 5219
14 | yjfpb04@163.com | 5113
15 | wolverinex02@gmail.com | 4909
16 | sandeep997@gmail.com | 4619
17 | ch.ducros@free.fr | 4611
18 | aakolov@gmail.com | 4513
19 | vhdirk@gmail.com | 4392
20 | mtausig@fsmat.at | 4268
21 | listen@kapune.de | 4161
22 | raghu@dhatusolutions.com | 3775
23 | squalyl@gmail.com | 3418
24 | piontec@gmail.com | 3402
25 | sttn@sttn.de | 3340
26 | boltateshaev@gmail.com | 3291
27 | angella.andrea@gmail.com | 3123
28 | maf@splintered.net | 3096
29 | mrv@c3po.es | 2964
30 | marcandre.moreau@gmail.com | 2711

Table showing the most successful subjects:

Rank | Subject | Msg | Percent
1 | [Muscle] Cyberflex e-gate 32k install error 6A80 | 32 | 5.31 %
2 | [Muscle] Current state of HAL-support? | 20 | 3.32 %
3 | [Muscle] GlobalPlatform keys | 18 | 2.99 %
4 | [Muscle] Protecting a PIN with keyed hashing? | 17 | 2.82 %
5 | [Muscle] Multiple threads and SCardGetStatusChange | 15 | 2.49 %
6 | [Muscle] pkcs11? | 15 | 2.49 %
7 | [Muscle] Export RSA public key out of the card | 14 | 2.32 %
8 | [Muscle] Gemalto Serial Smartcard Reader Chip | 12 | 1.99 %
9 | [Muscle] inexpensive pci express card that works with muscle | 11 | 1.82 %
10 | [Muscle] Can ATR be used for identification? | 11 | 1.82 %
11 | [Muscle] Re: new (beta) version of pcsc-lite 1.5.6-svn-4527 | 11 | 1.82 %
12 | [Muscle] Support of Ricoh smart card reader | 11 | 1.82 %
13 | [Muscle] Encrypted contactless data transmission? | 10 | 1.66 %
14 | [Muscle] help needed rdesktop and etoken | 9 | 1.49 %
15 | [Muscle] Installing pcscd and stuff on a Thinclient | 8 | 1.33 %
16 | [Muscle] Door locks | 8 | 1.33 %
17 | [Muscle] Oberthur Cosmo 5.4 token support | 8 | 1.33 %
18 | [Muscle] How can I know what's the type of a card through it's | 6 | 1.00 %
19 | [Muscle] Fly Clear - Registered Traveler smartcard | 6 | 1.00 %
20 | [Muscle] Re: Oberthur token problem on linux | 6 | 1.00 %
21 | [Muscle] Favorite contactless reader? | 6 | 1.00 %
22 | [Muscle] Mobile Security Card and Muscle Apple | 6 | 1.00 %
23 | [Muscle] How can I know what's the type of a card through | 5 | 0.83 %
24 | [Muscle] contactless reader and card support under linux | 5 | 0.83 %
25 | [Muscle] testpcsc not working when not root | 5 | 0.83 %
26 | [Muscle] muscletools compile error | 5 | 0.83 %
27 | [Muscle] muscletools and sign | 5 | 0.83 %
28 | [Muscle] Gemalto Smart Enterprise Guardian | 5 | 0.83 %
29 | Requestging reader features and card related return codes | 5 | 0.83 %
30 | [Muscle] support for iso 7816-3/4 | 5 | 0.83 %
other | | 303 | 50.25 %

Most used email clients:

Rank | Mailer | Msg | Percent
1 | (unknown) | 278 | 46.10 %
2 | Thunderbird 2.0.0.21 (Windows/20090302) | 33 | 5.47 %
3 | Mutt | 33 | 5.47 %
4 | QUALCOMM Windows Eudora | 29 | 4.81 %
5 | KMail | 28 | 4.64 %
6 | Internet Messaging Program (IMP) H3 (5.0-cvs) | 27 | 4.48 %
7 | Apple Mail (2.930.3) | 14 | 2.32 %
8 | Apple Mail (2.1077) | 14 | 2.32 %
9 | Evolution 2.24.5 | 11 | 1.82 %
10 | Thunderbird 2.0.0.19 (Windows/20081209) | 10 | 1.66 %
11 | Thunderbird 2.0.0.23 (Windows/20090812) | 10 | 1.66 %
12 | Coremail Webmail Server Version XT_Ux_snapshot build | 8 | 1.33 %
13 | Evolution 2.24.5 (2.24.5-1.fc10) | 7 | 1.16 %
14 | VM 8.0.9 under Emacs 22.2.1 (i486-pc-linux-gnu) | 5 | 0.83 %
15 | Mozilla/5.x | 5 | 0.83 %
16 | Thunderbird 2.0.0.23 (X11/20090817) | 5 | 0.83 %
17 | Mozilla-Thunderbird 2.0.0.19 (X11/20090103) | 4 | 0.66 %
18 | Thunderbird 2.0.0.21 (X11/20090409) | 4 | 0.66 %
19 | Thunderbird 2.0.0.22 (X11/20090608) | 4 | 0.66 %
20 | Evolution 2.6.3 | 4 | 0.66 %
21 | Microsoft Outlook Express 6.x | 4 | 0.66 %
22 | Apple Mail (2.1076) | 4 | 0.66 %
23 | Thunderbird 2.0.0.23 (X11/20091010) | 4 | 0.66 %
24 | Postbox 1.1.0 (Macintosh/20091201) | 4 | 0.66 %
25 | YahooMailRC/1155.45 YahooMailWebService/0.7.260.1 | 3 | 0.50 %
26 | Thunderbird 2.0.0.19 (X11/20081209) | 3 | 0.50 %
27 | Thunderbird 2.0.0.21 (X11/20090320) | 3 | 0.50 %
28 | Zimbra 5.0 (ZimbraWebClient - FF3.0 | 3 | 0.50 %
29 | Thunderbird 2.0.0.22 (X11/20090605) | 3 | 0.50 %
30 | Thunderbird 2.0.0.22 (Windows/20090605) | 3 | 0.50 %
other | | 36 | 5.97 %

Table of maximal quoting:

Rank | Author | Percent
1 | widerstand@t-online.de | 88.33 %
2 | pwt@iosis.co.uk | 87.38 %
3 | mdsale@matts-workshop.com | 82.03 %
4 | rera_raja@yahoo.com | 77.27 %
5 | fschiava@libero.it | 74.15 %
6 | christiancatalano@interfree.it | 72.49 %
7 | petcoradipewjepknu@jbohm.dk | 71.99 %
8 | andreas.schwier@cardcontact.de | 68.89 %
9 | alon.barlev@gmail.com | 66.18 %
10 | nick@beastbox.net | 62.00 %
11 | reet@codelabs.ch | 59.23 %
12 | ludovic.rousseau@gmail.com | 58.10 %
13 | deengert@anl.gov | 57.30 %
14 | mstjohns@comcast.net | 56.95 %
15 | home_pw@msn.com | 54.99 %
16 | fabeisageek@googlemail.com | 54.81 %
17 | Todd.Denniston@ssa.crane.navy.mil | 49.93 %
18 | gilles.bernabe@gmail.com | 49.40 %
19 | tommaso.cucinotta@sssup.it | 48.86 %
20 | joao.poupino@gmail.com | 48.42 %
21 | knife@toaster.net | 45.42 %
22 | sujatadoshi@gmail.com | 44.83 %
23 | asaf@lingnu.com | 41.36 %
24 | countzero@sapo.pt | 40.72 %
25 | goister@gmail.com | 40.69 %
26 | linuxprocess@free.fr | 39.13 %
27 | cuibapmy@gmail.com | 38.58 %
28 | jonas.gulle@gmail.com | 37.26 %
29 | s.ferey@wanadoo.fr | 36.98 %
30 | chaljan@gmail.com | 36.77 %
average | | 30.41 %

Graph showing number of messages written during hours of day:

hour | msgs
0 | 13
1 | 4
2 | 5
3 | 8
4 | 5
5 | 1
6 | 3
7 | 8
8 | 30
9 | 65
10 | 43
11 | 39
12 | 28
13 | 28
14 | 51
15 | 38
16 | 41
17 | 39
18 | 26
19 | 18
20 | 19
21 | 27
22 | 25
23 | 39

Graph showing number of messages written during days of month:

day | msgs
1 | 51
2 | 17
3 | 35
4 | 9
5 | 22
6 | 6
7 | 10
8 | 6
9 | 6
10 | 16
11 | 25
12 | 18
13 | 11
14 | 12
15 | 34
16 | 14
17 | 62
18 | 23
19 | 26
20 | 13
21 | 23
22 | 11
23 | 38
24 | 12
25 | 12
26 | 9
27 | 21
28 | 19
29 | 16
30 | 13
31 | 13

Graph showing number of messages written during days of week:

day | msgs
Mon | 66
Tue | 103
Wed | 130
Thu | 123
Fri | 96
Sat | 33
Sun | 50

Warning: 2 message(s) not counted.


Maximal quoting:

Author : ludovic.rousseau@gmail.com
Subject : [Muscle] Re: Oberthur token problem on linux
Date : Tue, 14 Apr 2009 10:43:00 +0200
Quote ratio: 94.06% / 4109 bytes

Longest message:

Author : petcoradipewjepknu@jbohm.dk
Subject : [Muscle] Cyberflex e-gate 32k install error 6A80
Date : Wed, 27 May 2009 22:08:17 +0200
Size : 28689 bytes

Most successful subject:

Subject : [Muscle] Cyberflex e-gate 32k install error 6A80
No. of msgs: 32
Total size : 127085 bytes

Final summary:

Total number of messages: 603
Total number of different authors: 118
Total number of different subjects: 195
Total size of messages (w/o headers): 1865346 bytes
Average size of a message: 3093 bytes


Input file last updated: Sat Oct 16 14:43:02 2010
Generated by MailListStat v1.3

