I first came across the idea of using a GnuPG (GPG) smartcard on the LUGRadio forums, during a discussion about some changes to UK laws that gave the government the power to demand secret encryption keys and passphrases. The idea of a GPG smartcard appealed to me because typing in my GPG passphrase almost every time I want to send an e-mail is a pain in the arse, and because it seemed like a cool gadget. So I started looking into it a bit more, seeing what I’d need to make it all work.
Years ago I bought a cheap kit for backing up my mobile phone SIM card to my PC. It had a fairly crap Windows application (that required several patches and downloads from the developers to even run) and came with a USB card reader. Because I’ve never found anything that will help me backup my SIM card under Linux (can anyone recommend something?) the card reader has been sat gathering dust for years. When looking at the various smartcard readers available for use with the OpenPGP smartcards, it occured that my SIM card reader might also be useable. After all, a smartcard is basically just a chip that’s programmed to run particular software. There are many different types of smartcard (mobile SIMs, set-top boxes, credit cards, OpenPGP cards, identity cards etc.) all of which are physically compatible with smartcard readers. Googling suggested that my device was actually a general smartcard reader from a company called ACS, the model being the ACR30U-CFC (aka ACR30). According to the websites I found, it supports the PC/SC standard for communication with PCs, which is used on Windows, Mac OS and Linux. Google also showed it seemed to be supported by something called OpenSC.
So I had a reader, but no real idea where to start and no smartcard to test it with. OpenGPG smartcards are issued to members of the Free Software Foundation Europe and members can have the keys on them signed by Werner Koch, a key author on GPG. At 120 euros per year though, membership seemed a bit pricey to me, especially as I didn’t know if I would even be able to make the card reader work at all. Fortunately Darran kindly sent me an old smartcard he had knocking about. This wasn’t an OpenGPG smartcard, but it would be enough to see if I could get my PC talking to the reader.
I did some reading around on smartcards under Linux, including the HOWTO, MUSCLE and OpenSC pages. I had also read the OpenGPG card HOWTO, which only concentrates (rightly) on working with the OpenGPG smartcard, not getting your reader working. Searching through the packages available for installation on my Ubuntu Dapper system suggested that packages like
openct might be needed. Smartcard readers don’t seem to require specific kernel drivers (other than generic USB / serial support), with the drivers being implemented in userspace. (Apparently PCMCIA devices do require some degree of kernel support though.) In general, the documentation on smartcards under Linux seems to suffer from the usual problems with documentation in FLOSS projects; HOWTOs are out-of-date, wikis and websites assume a technical understanding of how the technology works, what seem to be the most relevant mailing list posts are years old. I’m always dubious about relying on old mailing list posts for categorical answers, as a lot of things can change in a piece of software in a few years.
I installed and played around with the
openct package. OpenCT is part of the OpenSC project, and provides the drivers for various smartcard readers. I already knew from my research that my reader was supported and fortunately it was fairly straight-forward to get up and running. Issuing the “ATR” command to a smartcard via a reader is a basic test of communication, like issuing the ATZ command to a modem. The reply to the ATR (issued using the
openct-tool atr command) is a string that identifies the type of card in the reader. (The file
/usr/lib/pcsc/smartcard_list.txt in the
pcsc-tools package includes some card types and their ATR strings. However, this isn’t an indicator of support in OpenSC, but rather support in the PCSCLite project discussed later.) I put some details about these experiments on my wiki. I also found I was suffering from a known bug in
openct, to do with Ubuntu’s use of tmpfs.
The next “layer” in the software is the OpenSC part, the
opensc package in Ubuntu. This package provides support for different types of smartcard. (The list of types of smartcard supported by OpenSC, including OpenGPG, is on the wiki page.) The OpenSC tools can communicate with card readers using three different backends, including devices supported by OpenCT above. So, because my card reader is supported by OpenCT, I was able to query the card using OpenSC. Another backend supported by OpenSC is the PC/SC interface, more about which later.
At this point though, I reached an empasse. The smartcard I had wasn’t supported by OpenSC, so trying to make it respond just returned errors. I didn’t understand how OpenSC, OpenCT and PC/SC related at the time and didn’t feel entirely certain I understood everything. But since the reader was working and OpenGPG was listed as a supported card type in OpenSC, I decided to order a cheap OpenGPG card and see whether I could make that work. Little did I know that I had gone in completely the wrong direction thus far, software-wise.Pin It