Smart card for Linux

Smartcards

This page explains how to set up your system in order to use a smart card reader.

Installation

If the card reader does not have a PIN pad, set enable_pinpad = false in the OpenSC configuration file /etc/opensc.conf, appending the line if it is not already there.

Note: The package ccid provides a generic USB interface driver for smart card readers. If the device at hand is not supported by the generic driver, or needs a specific one, install the driver best suited to it.

Tip: If you get the error "Failed to start pcscd.service: Unit pcscd.socket not found.", just reload systemd units with a daemon-reload.

Scan for card reader

Install pcsc-tools and start the pcsc_scan utility, then connect the smart card reader and finally insert a card. If you see output like this, both the reader and the card have been successfully recognized.

PC/SC device scanner
V 1.5.2 (c) 2001-2017, Ludovic Rousseau
Using reader plug'n play mechanism
Scanning present readers.
0: Alcor Micro AU9560 00 00
Sat Aug 5 18:49:32 2017
Reader 0: Alcor Micro AU9560 00 00
  Card state: Card removed,
Sat Aug 5 19:00:35 2017
Reader 0: Alcor Micro AU9560 00 00
  Card state: Card inserted,
  ATR: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
ATR: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
+ TS = 3B --> Direct Convention
+ T0 = DF, Y(1): 1101, K: 15 (historical bytes)
  TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU
    129032 bits/s at 4 MHz, fMax for Fi = 5 MHz => 161290 bits/s
  TC(1) = 00 --> Extra guard time: 0
  TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1
-----
  TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1
-----
  TA(3) = FE --> IFSC: 254
  TB(3) = 7D --> Block Waiting Integer: 7 - Character Waiting Integer: 13
+ Historical bytes: 00 6B 02 0C 01 82 01 11 01 43 4E 53 10 31 80
  Category indicator byte: 00 (compact TLV data object)
    Tag: 6, len: B (pre-issuing data)
      Data: FF FF FF FF FF FF FF FF FF FF
    Mandatory status indicator (3 last bytes)
      LCS (life card cycle): 10 (Proprietary)
      SW: 3180 (Error not defined by ISO 7816)
+ TCK = FC (correct checksum)
Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
  Italian healtcare card (TS) National Service Card (CNS) (HealthCare)

Note: In this example the smart card reader is an Alcor Micro AU9560 and the inserted card is an Italian CNS card.
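The decoding that pcsc_scan prints above can be reproduced with a short ISO/IEC 7816-3 ATR parser. This is an added example, not part of the original page or of pcsc-tools; the sample ATR is reassembled from the decoded fields in the output (TS, T0, interface bytes, historical bytes, TCK) because the raw ATR line is masked there, and the function name is hypothetical.

```python
from functools import reduce
from operator import xor

# ATR reassembled from the decoded fields printed in the sample output above
# (the raw ATR line is masked there); treat it as constructed sample input.
SAMPLE_ATR = bytes.fromhex(
    "3B DF 18 00 81 31 FE 7D"
    "00 6B 02 0C 01 82 01 11 01 43 4E 53 10 31 80" "FC")

# ISO/IEC 7816-3 tables for TA1: clock rate conversion Fi and baud rate divisor Di
FI = [372, 372, 558, 744, 1116, 1488, 1860, None,
      None, 512, 768, 1024, 1536, 2048, None, None]
DI = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20, None, None, None, None, None, None]

def parse_atr(atr: bytes) -> dict:
    """Split an ATR into interface bytes, offered protocols, historical bytes, TCK."""
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("TS must be 3B (direct) or 3F (inverse convention)")
    y, k = atr[1] >> 4, atr[1] & 0x0F   # T0: presence bitmap Y1, historical count K
    pos, i, iface, protocols = 2, 1, {}, set()
    while y:
        td = None
        for bit, name in enumerate("ABCD"):      # bit 0 -> TAi ... bit 3 -> TDi
            if y & (1 << bit):
                if pos >= len(atr):
                    raise ValueError("ATR truncated inside interface bytes")
                iface[f"T{name}{i}"] = atr[pos]
                td = atr[pos] if name == "D" else td
                pos += 1
        if td is None:
            break
        protocols.add(td & 0x0F)                 # low nibble of TDi: protocol T
        y, i = td >> 4, i + 1
    protocols = protocols or {0}                 # no TD byte means T=0 only
    has_tck = protocols != {0}                   # TCK is absent only for pure T=0
    historical = atr[pos:pos + k]
    end = pos + k + (1 if has_tck else 0)
    if len(atr) != end:
        raise ValueError(f"ATR length {len(atr)} does not match its header ({end})")
    ta1 = iface.get("TA1", 0x11)                 # 0x11 is the default Fi=372, Di=1
    return {
        "interface": iface, "protocols": sorted(protocols),
        "historical": historical, "Fi": FI[ta1 >> 4], "Di": DI[ta1 & 0x0F],
        # XOR of all bytes from T0 through TCK must be zero when TCK is present
        "tck_ok": reduce(xor, atr[1:]) == 0 if has_tck else None,
    }

if __name__ == "__main__":
    print(parse_atr(SAMPLE_ATR))
```

A failed TCK check or a length mismatch usually points at a poor contact or a reader driver problem rather than at the card profile.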


Configuration

This article or section is out of date.

Reason: Chrome, Firefox, Thunderbird and SeaMonkey are automatically processed with pkcs11-register(1) at each login.

Mozilla Firefox

The new security device has to be registered in the browser. Open the Security Devices page (reach it via Preferences > Privacy & Security > Certificates), then click Load and set the Module Name to CAC Module and the module filename to /usr/lib/opensc-pkcs11.so.

Chromium

Chromium uses NSS. Open a shell in your home directory and verify that the CAC Module is not already present:

$ modutil -list -dbdir $HOME/.pki/nssdb/
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
...

If not, close any browser and add the module (user confirmation is required):

$ modutil -dbdir sql:$HOME/.pki/nssdb/ -add "CAC Module" -libfile /usr/lib/opensc-pkcs11.so
WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:
Module "CAC Module" added to database.

Check for the correct execution of the command:

$ modutil -list -dbdir $HOME/.pki/nssdb/
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
...
  2. CAC Module
    library name: /usr/lib/opensc-pkcs11.so
    uri: pkcs11:library-manufacturer=OpenSC%20Project;library-description=OpenSC%20smartcard%20framework;library-version=0.19
    slots: 1 slot attached
    status: loaded
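A PKCS #11 module is a shared library that NSS loads into the browser process, so the verification step above is also a good moment to confirm that every registered module points at a system library directory. The following is an added example, not part of the original page or of NSS; the listing is a constructed sample modelled on the output above with one extra entry, and the function names and the trusted directory list are assumptions.

```python
import re
from pathlib import PurePosixPath

# Constructed sample modelled on the `modutil -list` output shown above,
# with a third module registered from a user-writable location.
SAMPLE_LISTING = """\
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
\tstatus: loaded
  2. CAC Module
\tlibrary name: /usr/lib/opensc-pkcs11.so
\t slots: 1 slot attached
\tstatus: loaded
  3. Helper Module
\tlibrary name: /home/user/.cache/helper.so
\tstatus: loaded
"""

TRUSTED_DIRS = ("/usr/lib", "/usr/lib64")  # assumption: distribution library dirs

def parse_modules(listing):
    """Return one dict per module with its name, library path and status."""
    modules = []
    for line in listing.splitlines():
        header = re.match(r"\s*(\d+)\.\s+(.+?)\s*$", line)
        field = re.match(r"\s*(library name|status):\s*(.*?)\s*$", line)
        if header:
            modules.append({"name": header.group(2),
                            "library name": None, "status": None})
        elif field and modules:
            modules[-1][field.group(1)] = field.group(2)
    return modules

def audit(modules, trusted=TRUSTED_DIRS):
    """Flag modules whose library lies outside the trusted directories."""
    findings = []
    for mod in modules:
        lib = mod["library name"]
        if lib is None:          # the built-in NSS module has no external library
            continue
        path = PurePosixPath(lib)
        if not path.is_absolute() or ".." in path.parts:
            findings.append((mod["name"], lib, "relative or non-canonical path"))
        elif not any(PurePosixPath(d) in path.parents for d in trusted):
            findings.append((mod["name"], lib, "outside trusted directories"))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_modules(SAMPLE_LISTING)):
        print(finding)
```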

Tips and tricks

Smargo/TV Card reader

When interfacing with a TV-card for live TV and recording (PVR/DVR), you may need to assign the smartcard reader to the video user group allowing decryption. When using a Smargo Smartreader consider the following udev rule:

/etc/udev/rules.d/98-smargo.rules
SUBSYSTEM=="tty", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6001", GROUP="video", MODE="0666", SYMLINK+="smargo"

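Set /dev/smargo as the reader device when using softcam applications like OSCam. Note that MODE="0666" makes the device node readable and writable by every local user, so the GROUP="video" assignment does not restrict access; MODE="0660" limits it to the owner and members of the video group.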


p11tool

If using packages from the GnuTLS suite which utilize p11-kit, such as p11tool, the OpenSC driver might not load properly. To check, run p11tool --list-tokens; if your hardware token is missing from the list, the driver was not loaded.

Install the opensc-p11-kit-module AUR package in order to enable loading of the OpenSC module.

Alternatively, it is possible to manually create a file that allows the OpenSC driver to be properly loaded:

/usr/share/p11-kit/modules/opensc.module

Troubleshooting

Firefox can’t access data

If the browser is not able to use the smart card data, it is probably not aware of the service which provides access to the device. This happens if you plug in the smart card reader after you open Firefox. To solve this issue, simply restart Firefox.

LIBUSB_ERROR_BUSY

PC/SC can conflict with GnuPG for access to smartcards. See Ludovic Rousseau’s blog and GnuPG#GnuPG with pcscd (PCSC Lite).
