Smartcards
This page explains how to setup your system in order to use a smart card reader.
Smartcards are, generally speaking, ISO 7810 ID-1 sized plastic cards with a microcontroller and some memory embedded in them, and usually interface with a computer or other equipment through an electrical contact pad on the card. By design, smartcards cannot be reprogrammed after the manufacturer has set their 'fuses' at the end of programming, so the behaviour of a smartcard cannot be altered afterwards. This in turn allows the microcontroller to be programmed so that it never permits external dumping of its internal memory, thereby protecting information such as the private keys stored within the smartcard.
Smartcards can have cryptographic hardware modules embedded in their design, supporting one or more cryptographic algorithms. Combined with their protected memory, this allows these cards to be used as a secure hardware element, and they have been used for payment processing, system or user authentication and related purposes for decades. Examples include, but are not limited to, payment cards (EMV), mobile telephony SIM cards and public-key cryptography.
Please be aware that the term "smartcard" generally does not include EEPROM cards (so-called memory cards) or protected EEPROM cards (so-called logic cards) such as SLE4442 cards. These cards contain either a plain EEPROM or a very basic microcontroller without any cryptographic functionality.
Dual-interface cards provide both a contactless (NFC) and a contact-based communication interface. However, depending on how the card has been programmed by the manufacturer or the user, not all services may be available through the contactless interface.
Installation
Enable and start pcscd.service.
If this fails with Failed to start pcscd.service: Unit pcscd.socket not found., reload the systemd units with a daemon-reload.
OpenSC
OpenSC provides an optional set of libraries and utilities to work with smart cards using pcsclite.
Install opensc. Installing opensc-p11-kit-moduleAUR may be required, such as when using systemd-cryptenroll.
If the card reader does not have a PIN pad, append the line(s) and set enable_pinpad = false in the OpenSC configuration file /etc/opensc.conf.
FIDO2
A Javacard (such as the J3R180) with a FIDO2 applet installed can provide functions similar to a YubiKey.
To use such a card for ecdsa-sk SSH authentication, install libfido2 or libfido2-fullAUR.
Configuration
Mozilla Firefox
The browser needs to be told about the new security device.
Open the Security Devices page (reach it via Preferences > Privacy & Security > Certificates > Security Devices), then click Load and set the Module Name to CAC Module and the module filename to /usr/lib/opensc-pkcs11.so.
Chromium
Chromium uses NSS. Open a shell in your home directory and verify that the CAC Module is not already present:
$ modutil -list -dbdir $HOME/.pki/nssdb/
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
     ....
If not, close any browser and add the module (a user interaction for confirmation is required):
$ modutil -dbdir sql:$HOME/.pki/nssdb/ -add "CAC Module" -libfile /usr/lib/opensc-pkcs11.so
WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Module "CAC Module" added to database.
Check for the correct execution of the command:
$ modutil -list -dbdir $HOME/.pki/nssdb/
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
     ....

  2. CAC Module
     library name: /usr/lib/opensc-pkcs11.so
     uri: pkcs11:library-manufacturer=OpenSC%20Project;library-description=OpenSC%20smartcard%20framework;library-version=0.19
     slots: 1 slot attached
     status: loaded
Tips and tricks
Scan for readers and cards
Install pcsc-tools and start the pcsc_scan(1) utility, then connect the smart card reader and finally insert a card. If you see output like the following, both the smart card reader and the card have been recognized successfully.
$ pcsc_scan
PC/SC device scanner
V 1.5.2 (c) 2001-2017, Ludovic Rousseau <ludovic.rousseau@free.fr>
Using reader plug'n play mechanism
Scanning present readers...
0: Alcor Micro AU9560 00 00

Sat Aug 5 18:49:32 2017
Reader 0: Alcor Micro AU9560 00 00
  Card state: Card removed,

Sat Aug 5 19:00:35 2017
Reader 0: Alcor Micro AU9560 00 00
  Card state: Card inserted,
  ATR: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

ATR: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
+ TS = 3B --> Direct Convention
+ T0 = DF, Y(1): 1101, K: 15 (historical bytes)
  TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU
    129032 bits/s at 4 MHz, fMax for Fi = 5 MHz => 161290 bits/s
  TC(1) = 00 --> Extra guard time: 0
  TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1
-----
  TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1
-----
  TA(3) = FE --> IFSC: 254
  TB(3) = 7D --> Block Waiting Integer: 7 - Character Waiting Integer: 13
+ Historical bytes: 00 6B 02 0C 01 82 01 11 01 43 4E 53 10 31 80
  Category indicator byte: 00 (compact TLV data object)
    Tag: 6, len: B (pre-issuing data)
      Data: FF FF FF FF FF FF FF FF FF FF
    Mandatory status indicator (3 last bytes)
      LCS (life card cycle): 10 (Proprietary)
      SW: 3180 (Error not defined by ISO 7816)
+ TCK = FC (correct checksum)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
        Italian healtcare card (TS) National Service Card (CNS) (HealthCare)
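The ATR decoding that pcsc_scan performs above (TS, T0, the TA/TB/TC/TD interface bytes announced by each Y nibble, the historical bytes and the TCK checksum) can be reproduced in a few lines. The following Python is an added example, not part of the original page or of pcsc-tools; its sample ATR is reconstructed from the decoded fields printed in the output above, because the ATR line itself is masked there.

```python
# Fi / Di lookup tables from ISO/IEC 7816-3 (None marks RFU codes).
FI = [372, 372, 558, 744, 1116, 1488, 1860, None,
      None, 512, 768, 1024, 1536, 2048, None, None]
DI = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20,
      None, None, None, None, None, None]

# Reconstructed from the decoded fields in the pcsc_scan output above
# (TS=3B, T0=DF, TA1=18, TC1=00, TD1=81, TD2=31, TA3=FE, TB3=7D,
# 15 historical bytes, TCK=FC); the ATR line itself is masked there.
CNS_ATR = bytes.fromhex(
    "3B DF 18 00 81 31 FE 7D 00 6B 02 0C 01 82 01 11 01 43 4E 53 10 31 80 FC")


def parse_atr(atr: bytes) -> dict:
    """Split an ATR into interface bytes, historical bytes and checksum."""
    if atr[0] not in (0x3B, 0x3F):
        raise ValueError("bad TS byte 0x%02X" % atr[0])
    convention = "direct" if atr[0] == 0x3B else "inverse"
    k, y = atr[1] & 0x0F, atr[1] >> 4      # T0: K historical bytes, Y1 mask
    pos, i, interface, protocols = 2, 1, {}, set()
    while True:
        # Y(i) bits announce TA(i), TB(i), TC(i), TD(i), in that order.
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                interface[f"{name}{i}"] = atr[pos]
                pos += 1
        td = interface.get(f"TD{i}")
        if td is None:
            break
        protocols.add(td & 0x0F)            # low nibble: offered protocol T
        y, i = td >> 4, i + 1               # high nibble: Y(i+1)
    historical = atr[pos:pos + k]
    pos += k
    protocols = protocols or {0}
    tck_ok = None
    if protocols != {0}:                    # TCK is absent only for pure T=0
        xor = 0
        for b in atr[1:pos]:                # XOR of T0 .. last historical byte
            xor ^= b
        tck_ok = xor == atr[pos]
        pos += 1
    if pos != len(atr):
        raise ValueError("unexpected trailing bytes in ATR")
    ta1 = interface.get("TA1", 0x11)        # default Fi=372, Di=1 when absent
    fi, di = FI[ta1 >> 4], DI[ta1 & 0x0F]
    return {"convention": convention, "interface": interface,
            "protocols": protocols, "historical": historical,
            "tck_ok": tck_ok, "fi": fi, "di": di,
            "cycles_per_etu": fi // di if fi and di else None}
```

A failed TCK check on a card that should be known is a useful first sign of a bad contact or a reader problem before debugging the PKCS#11 layer.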
Smargo/TV Card reader
When interfacing with a TV card for live TV and recording (PVR/DVR), you may need to assign the smartcard reader to the video user group to allow decryption. When using a Smargo Smartreader, consider the following udev rule:
/etc/udev/rules.d/98-smargo.rules
SUBSYSTEM=="tty", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6001", GROUP="video", MODE="0666", SYMLINK+="smargo"
Set /dev/smargo as the reader device when using softcam applications like OSCam.
p11tool
If using packages from the GnuTLS suite which utilize p11-kit, such as p11tool, the OpenSC driver might not load properly. You can tell this is the case if you run p11tool --list-tokens and do not see your hardware token in the list.
Install the opensc-p11-kit-moduleAUR package in order to enable loading of the OpenSC module.
Alternatively, it is possible to manually create a file that allows the OpenSC driver to be properly loaded:
/usr/share/p11-kit/modules/opensc.module
module: opensc-pkcs11.so
SafeNet eToken
A class of tokens and smartcards from Thales Group, used by companies like Certisign.
Install sac-coreAUR to get the PKCS#11 library.
SafeNet eToken on Google Chrome
The module needs to be added to the nssdb:
$ modutil -dbdir sql:$HOME/.pki/nssdb/ -add "eToken" -libfile /usr/lib/libeToken.so
WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Module "eToken" added to database.
To confirm it is installed:
$ modutil -dbdir sql:$HOME/.pki/nssdb/ -list
Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
     uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.98
     slots: 2 slots attached
     status: loaded

     slot: NSS Internal Cryptographic Services
     token: NSS Generic Crypto Services
     uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

     slot: NSS User Private Key and Certificate Services
     token: NSS Certificate DB
     uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. eToken
     library name: /usr/lib/libeToken.so
     uri: pkcs11:library-manufacturer=SafeNet,%20Inc.;library-description=SafeNet%20eToken%20PKCS%2311;library-version=10.8
     slots: 8 slots attached
     status: loaded

     slot: Gemalto PC Twin Reader 00 00
     token: eCPF Certisign
     uri: pkcs11:token=eCPF%20Certisign;manufacturer=Gemalto;serial=AF3E411BD8A8E169;model=ID%20Prime%20MD

     slot:
     token:
     uri: pkcs11:

     slot:
     token:
     uri: pkcs11:

     slot:
     token:
     uri: pkcs11:

     slot:
     token:
     uri: pkcs11:

     slot:
     token:
     uri: pkcs11:

     slot:
     token:
     uri: pkcs11:

     slot:
     token:
     uri: pkcs11:
Troubleshooting
Firefox can't access data
If the browser is not able to use the smart card data, it is probably not aware of the service which provides access to the device. This happens if you plug in the smart card reader after opening Firefox. To solve this issue, simply restart Firefox.
LIBUSB_ERROR_BUSY
PC/SC can conflict with GnuPG for access to smartcards. See Ludovic Rousseau's blog and GnuPG#GnuPG with pcscd (PCSC Lite).