(Not So) Smart Cards.

I recently decided to invest in a smart card + reader to toss my GPG keys on for decrypting my password stores and unlocking my laptop. Of course, when plugging in to Windows, it worked immediately.

On my elementary OS Freya laptop, not so much... my soul turned as dark as the reader's activity LED for a few moments.

After some searching, I found this Zendesk article detailing how to make the smart card itself work with Linux, but of course, the instructions are missing a few steps here and there.

Let's start with the drivers...

First you should install these packages with your favorite package manager:

  • libccid
  • pcsc-tools
  • pcscd

This will give you almost everything you need to make your smart card work. The next step is to add the card and reader to the CCID driver.

The hardware IDs are stored in the driver's Info.plist file: /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist.

Inside the driver's plist, you'll want to find three sections:

  • ifdVendorId
  • ifdProductId
  • ifdFriendlyName

The easiest way to find these sections is by searching for:

<key>ifd...</key>  

At the bottom of the ifdVendorId array, you'll want to add these IDs:

<string>0x096e</string> <!-- (Only if using PIVKey C910) -->  
<string>0x096e</string> <!-- (Only if using PIVKey C910) -->  
<string>0x04e6</string> <!-- (Replace with your reader's ID) -->  

Then, at the bottom of the ifdProductId array, add the following:

<string>0x080f</string> <!-- (Only if using PIVKey C910) -->  
<string>0x0603</string> <!-- (Only if using PIVKey C910) -->  
<string>0x5814</string> <!-- (Replace with your reader's ID) -->  

Finally, at the bottom of ifdFriendlyName add:

<string>PIVKey Token</string> <!-- (Only if using PIVKey C910) -->  
<string>PIVKey Token</string> <!-- (Only if using PIVKey C910) -->  
<string>SCR3500 A Contact Reader</string> <!-- (Replace with your reader's name) -->

Then, restart pcscd! You're about 83.2% there!
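The three arrays in Info.plist are parallel (entry i of each describes one device), so a missed or doubled line shifts every entry after it. The following is an added example, not part of the original post or the CCID project: it checks that the arrays are the same length and appends a device only if its vendor/product pair is not already listed. The embedded plist and its "Constructed Reader" entries are made up for the demonstration.

```python
import plistlib

KEYS = ("ifdVendorId", "ifdProductId", "ifdFriendlyName")

# Constructed, cut-down stand-in for the driver's Info.plist (not real entries).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>ifdVendorId</key>
  <array><string>0x1234</string><string>0x04E6</string></array>
  <key>ifdProductId</key>
  <array><string>0x0001</string><string>0x5116</string></array>
  <key>ifdFriendlyName</key>
  <array><string>Constructed Reader A</string><string>Constructed Reader B</string></array>
</dict></plist>"""

def check_aligned(info):
    """Entry i of each array describes one device, so lengths must match."""
    lengths = {k: len(info[k]) for k in KEYS}
    if len(set(lengths.values())) != 1:
        raise ValueError(f"parallel arrays out of step: {lengths}")
    return lengths[KEYS[0]]

def find_device(info, vid, pid):
    """Index of vid:pid, compared numerically so 0x04E6 equals 0x04e6."""
    check_aligned(info)
    pairs = zip(info["ifdVendorId"], info["ifdProductId"])
    for i, (v, p) in enumerate(pairs):
        if int(v, 16) == vid and int(p, 16) == pid:
            return i
    return None

def ensure_device(info, vid, pid, name):
    """Append to all three arrays together; do nothing if already listed."""
    if find_device(info, vid, pid) is not None:
        return False
    info["ifdVendorId"].append(f"0x{vid:04x}")
    info["ifdProductId"].append(f"0x{pid:04x}")
    info["ifdFriendlyName"].append(name)
    return True

if __name__ == "__main__":
    info = plistlib.loads(SAMPLE_PLIST)
    wanted = [(0x096E, 0x080F, "PIVKey Token"), (0x096E, 0x0603, "PIVKey Token"),
              (0x04E6, 0x5814, "SCR3500 A Contact Reader")]
    for vid, pid, name in wanted:
        state = "added" if ensure_device(info, vid, pid, name) else "present"
        print(f"{vid:04x}:{pid:04x} {state}")
    print(check_aligned(info), "devices listed")
```

To run the same check against the real driver file, read a copy of it with plistlib.load instead of parsing SAMPLE_PLIST.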

Use opensc-tool to get the ATR of your card:

sean@sjohnson-mbp:~$ opensc-tool -a  
Using reader with a card: SCR3500 A Contact Reader [CCID Interface] (54301522601555) 00 00  
3b:fc:18:00:00:81:31:80:45:90:67:46:4a:00:64:16:06:f2:72:7e:00:e0  

Now, take your ATR and put it in the OpenSC config at /etc/opensc/opensc.conf. The section you add should go near the comment "# PIV Cards need an entry similar to this one:" and look like this:

card_atr 3b:fc:18:00:00:81:31:80:45:90:67:46:4a:00:64:16:06:f2:72:7e:00:e0 {  
  name = "PIVKey Card";
  driver = "piv";
}

To test that you've set up the card correctly, run piv-tool -c piv --serial and you should end up with some output that looks like this:

sean@sjohnson-mbp:~$ piv-tool -c piv --serial  
Using reader with a card: SCR3500 A Contact Reader [CCID Interface] (54301522601555) 00 00  
32 FF D5 5B FF 41 0D 4C B5 C3 9C DD 0B 53 42 A4 2..[.A.L.....SB.  

Now you're done!


Finding the Reader ID

If you're trying to find the ID for your card reader, the easiest ways to find it are via lsusb or from your system's syslog.

lsusb

From lsusb, you'll see a bunch of info like this:

--- BUS ------ DEV  -- VEND:PROD FRIENDLY
Bus 002 Device 006: ID 05ac:0252 Apple, Inc. Internal Keyboard/Trackpad (ANSI)  
Bus 002 Device 005: ID 05ac:8242 Apple, Inc. Built-in IR Receiver  
Bus 002 Device 009: ID 05ac:821d Apple, Inc.  
Bus 002 Device 004: ID 0a5c:4500 Broadcom Corp. BCM2046B1 USB 2.0 Hub (part of BCM2046 Bluetooth)  
Bus 002 Device 003: ID 0424:2513 Standard Microsystems Corp. 2.0 Hub  
Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub  
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub  
Bus 001 Device 003: ID 05ac:8509 Apple, Inc. FaceTime HD Camera  
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub  
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub  
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub  
Bus 003 Device 008: ID 04e6:5814 SCM Microsystems, Inc.  
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub  

As you can see, my reader shows up with SCM Microsystems, Inc. as the friendly name. You can see that the hex device IDs (VEND and PROD) are 04e6 and 5814 respectively.

syslog

Some systems will have USB (dis)connection info in /var/log/syslog, others may have it in /var/log/messages or /var/log/dmesg.

If you replug your reader, you should end up with something like this in the logs, if the device is working correctly:

Jul 30 15:54:40 sjohnson-mbp kernel: [ 2174.304606] usb 3-1: new full-speed USB device number 7 using xhci_hcd  
Jul 30 15:54:40 sjohnson-mbp kernel: [ 2174.437126] usb 3-1: New USB device found, idVendor=04e6, idProduct=5814  
Jul 30 15:54:40 sjohnson-mbp kernel: [ 2174.437131] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=5  
Jul 30 15:54:40 sjohnson-mbp kernel: [ 2174.437133] usb 3-1: Product: SCR3500 A Contact Reader  
Jul 30 15:54:40 sjohnson-mbp kernel: [ 2174.437135] usb 3-1: Manufacturer: Identiv  
Jul 30 15:54:40 sjohnson-mbp kernel: [ 2174.437136] usb 3-1: SerialNumber: 54301522601555  
Jul 30 15:54:40 sjohnson-mbp mtp-probe: checking bus 3, device 7: "/sys/devices/pci0000:00/0000:00:14.0/usb3/3-1"  
Jul 30 15:54:40 sjohnson-mbp mtp-probe: bus: 3, device: 7 was not an MTP device  

And you can see the vendor and product IDs here: idVendor=04e6, idProduct=5814.
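As an added example (not from the original post), the script below pulls the same values out of kernel log text, pairing each "New USB device found" line with the later "Product:" line for the same port, and formats them as the three plist entries. The log sample is constructed from the lines above; the product string comes from the device itself, so it is XML-escaped before being placed in a `<string>` element.

```python
import re
from xml.sax.saxutils import escape

# Constructed sample modelled on the kernel lines quoted above.
SAMPLE_LOG = """\
Jul 30 15:54:40 host kernel: [ 2174.437126] usb 3-1: New USB device found, idVendor=04e6, idProduct=5814
Jul 30 15:54:40 host kernel: [ 2174.437133] usb 3-1: Product: SCR3500 A Contact Reader
Jul 30 15:54:40 host kernel: [ 2174.437135] usb 3-1: Manufacturer: Identiv
Jul 30 15:55:02 host kernel: [ 2196.100001] usb 2-4: New USB device found, idVendor=1d6b, idProduct=0002
"""

# Unanchored at the end, so trailing fields some kernels append are ignored.
FOUND = re.compile(
    r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
PRODUCT = re.compile(r"usb (\S+): Product: (.+?)\s*$")

def devices_from_log(text):
    """Map USB port (e.g. '3-1') to the IDs and product string logged for it."""
    devices = {}
    for line in text.splitlines():
        m = FOUND.search(line)
        if m:
            port, vid, pid = m.groups()
            devices[port] = {"vid": vid, "pid": pid, "name": None}
            continue
        m = PRODUCT.search(line)
        if m and m.group(1) in devices:
            devices[m.group(1)]["name"] = m.group(2)
    return devices

def plist_strings(dev):
    """One <string> line per Info.plist array for this device."""
    # Fall back to a generic label when the device logged no product string.
    name = dev["name"] or f"USB device {dev['vid']}:{dev['pid']}"
    return {
        "ifdVendorId": f"<string>0x{dev['vid']}</string>",
        "ifdProductId": f"<string>0x{dev['pid']}</string>",
        "ifdFriendlyName": f"<string>{escape(name)}</string>",
    }

if __name__ == "__main__":
    for port, dev in devices_from_log(SAMPLE_LOG).items():
        print(port, plist_strings(dev))
```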

Enjoy your working smartcard!

Sean Johnson

Software developer, music enthusiast, college student, and cat lover. Currently enthralled by the world of networking, security, and cloud technology.

San Antonio, TX https://blog.maio.me
