smart card under linux

Peter Lebbing peter at digitalbrains.com
Wed Oct 22 11:19:30 CEST 2014


On 21/10/14 00:36, Philip Jackson wrote:
> I've followed, I believe, all the instructions in the gnupg.com smartcard howto.
>  In para 2.3.1 CCID : I've tried both the instructions under 'with udev
> (preferred installation)' and further down 'with hotplug (deprecated in modern
> systems)'

These steps were superfluous for me for Debian jessie/testing because the
necessary udev rules are included in the gnupg package already. However, I use
an SPR532 here. The SCM3512 is not mentioned in the rules file, so you might
need to add an entry.

Here's how it looks for me:

----------------------8<------------------->8----------------------
$ lsusb
[...]
Bus 005 Device 005: ID 04e6:e003 SCM Microsystems, Inc. SPR532 PinPad SmartCard Reader
[...]

$ cd /dev/bus/usb/005
$ ls -l
total 0
crw-rw-r--  1 root root 189, 512 Oct 22  2014 001
crw-rw-r--  1 root root 189, 513 Oct 22  2014 002
crw-rw-r--  1 root root 189, 514 Oct 22  2014 003
crw-rw-r--  1 root root 189, 515 Oct 22  2014 004
crw-rw-r--+ 1 root root 189, 516 Oct 22 10:53 005
----------------------8<------------------->8----------------------

Notice the +. There's an ACL active here.

----------------------8<------------------->8----------------------
$ getfacl 005
# file: 005
# owner: root
# group: root
user::rw-
user:peter:rw-
group::rw-
mask::rw-
other::r--
----------------------8<------------------->8----------------------

Ah, I have write access! You will definitely need write access, although maybe
not for this specific character device. A USB device might create several
"nodes" in /dev, I'm not sure which one you need write access to.

And here is the file that gives me the access:

----------------------8<------------------->8----------------------
$ cat /lib/udev/rules.d/60-gnupg.rules
# do not edit this file, it will be overwritten on update

SUBSYSTEM!="usb", GOTO="gnupg_rules_end"
ACTION!="add", GOTO="gnupg_rules_end"

# USB SmartCard Readers
[...]
## SCM Microsystems, Inc (SCR331-DI, SCR335, SCR3320, SCR331, SCR3310 and SPR532)
[...]
ATTR{idVendor}=="04e6", ATTR{idProduct}=="e003", ENV{ID_SMARTCARD_READER}="1",
ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
[...]
----------------------8<------------------->8----------------------

The ID_SMARTCARD_READER environment variable is used in
/lib/udev/rules.d/70-uaccess.rules and /lib/udev/rules.d/99-systemd.rules.
Somewhere there the write access is actually set up. These files are from the
systemd package. Note that I actually use sysvinit as init system, not systemd,
but this is still where it is set up for Debian. It allows access to smartcard
readers for people who are logged in to a "head" of the system (I presume).

So let's suppose your device is not 04e6:e003 but 04e6:1234. If I were to have
that device, I would need to add the following file:

----------------------8<------------------->8----------------------
$ cat >/etc/udev/rules.d/60-gnupg-extra.rules <<EOF
SUBSYSTEM!="usb", GOTO="gnupg_extra_rules_end"
ACTION!="add", GOTO="gnupg_extra_rules_end"

# The venerable SCM 1234 reader (it can count!)
ATTR{idVendor}=="04e6", ATTR{idProduct}=="1234", ENV{ID_SMARTCARD_READER}="1",
ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"

LABEL="gnupg_extra_rules_end"
EOF
----------------------8<------------------->8----------------------

That last line is not part of the file, it signals end-of-file to the cat
command. Also, there's a long line that's split but shouldn't be.

And that would be all I need to add to udev! And it would work for anyone
logging into X on your monitor and keyboard (the "head").

TL;DR: Make sure your user has write access to the USB device. Also, differences
in Linux distributions mean the HOWTO might not be the optimal way to do it, or
even that you might not need to do anything at all.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>



More information about the Gnupg-users mailing list
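The checks and the rule file described in the message above, put into one script. This is an added example written for this page; it is not code from the post, from GnuPG or from Debian. It assumes the hypothetical 04e6:1234 reader the post uses for illustration, the ID_SMARTCARD_READER / ID_SMARTCARD_READER_DRIVER variable names shown in the quoted 60-gnupg.rules, and a constructed sample of lsusb output so the parsing can be exercised without a reader plugged in. The function names and the 60-gnupg-extra.rules filename are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the post, gnupg or Debian): map a USB smartcard
# reader to its /dev/bus/usb node(s), check that the calling user can write
# to them, and emit a udev rule in the style of Debian's 60-gnupg.rules.
# 04e6:1234 is the hypothetical reader from the post; the lsusb sample below
# is constructed for offline testing.

# Constructed sample of `lsusb` output: one SPR532 line as in the post, one
# unrelated hub, and the hypothetical 04e6:1234 reader.
SAMPLE_LSUSB='Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 005 Device 005: ID 04e6:e003 SCM Microsystems, Inc. SPR532 PinPad SmartCard Reader
Bus 005 Device 006: ID 04e6:1234 SCM Microsystems, Inc. Hypothetical reader'

# udev compares ATTR{idVendor}/ATTR{idProduct} against sysfs, where the
# values are lowercase hex, so "04E6" would silently never match. Explicit
# character lists avoid locale-dependent [a-f] range semantics in `case`.
valid_usb_id() {
    case $1 in
        [0123456789abcdef][0123456789abcdef][0123456789abcdef][0123456789abcdef]) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `lsusb` output on stdin ("Bus 005 Device 005: ID 04e6:e003 ...") and
# print the /dev/bus/usb/BBB/DDD node of every device matching VID:PID.
usb_nodes_for() {
    awk -v id="$1" '$1 == "Bus" && $3 == "Device" && $5 == "ID" && $6 == id {
        dev = $4; sub(":", "", dev)
        printf "/dev/bus/usb/%s/%s\n", $2, dev
    }'
}

# 0 if the calling user can write to the node, 1 if not, 2 if it is missing.
# `test -w` asks the kernel, so a POSIX ACL (the "+" in `ls -l`) is honoured
# exactly as it is for the open() that scdaemon will perform.
check_write_access() {
    node=$1
    if [ ! -e "$node" ]; then
        echo "missing: $node"
        return 2
    fi
    if [ -w "$node" ]; then
        echo "writable: $node"
        return 0
    fi
    echo "not writable: $node (inspect with: getfacl $node; udevadm info -q env -n $node)"
    return 1
}

# Print a rules file for one reader. Setting ID_SMARTCARD_READER is what
# lets the systemd-supplied 70-uaccess.rules hand the active seat user an
# ACL. Redirect the output to /etc/udev/rules.d/60-gnupg-extra.rules, run
# `udevadm control --reload-rules`, and replug the reader.
gnupg_udev_rule() {
    vid=$1
    pid=$2
    label=${3:-gnupg_extra_rules_end}
    valid_usb_id "$vid" && valid_usb_id "$pid" || {
        echo "bad USB id: $vid:$pid (need 4 lowercase hex digits each)" >&2
        return 1
    }
    printf 'SUBSYSTEM!="usb", GOTO="%s"\n' "$label"
    printf 'ACTION!="add", GOTO="%s"\n\n' "$label"
    # Keep the whole rule on one line: udev parses each line as its own rule,
    # so a mail-wrapped copy of the post's rule would not work.
    printf 'ATTR{idVendor}=="%s", ATTR{idProduct}=="%s", ' "$vid" "$pid"
    printf 'ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"\n\n'
    printf 'LABEL="%s"\n' "$label"
}

# Live check: `sh this.sh 04e6:1234` lists the reader's node(s) and whether
# the current user can write to them; exit status is 1 if any is not writable.
main() {
    id=$1
    case $id in ????:????) ;; *) echo "usage: $0 vvvv:pppp" >&2; return 1 ;; esac
    valid_usb_id "${id%:*}" && valid_usb_id "${id#*:}" || {
        echo "usage: $0 vvvv:pppp (lowercase hex)" >&2
        return 1
    }
    rc=0
    for node in $(lsusb | usb_nodes_for "$id"); do
        check_write_access "$node" || rc=1
    done
    return $rc
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

After installing the generated file and replugging, `udevadm info -q env -n /dev/bus/usb/BBB/DDD` should list ID_SMARTCARD_READER=1 and `getfacl` should show a `user:<you>:rw-` entry, mirroring what the post shows for the SPR532; if the variable is there but the ACL is not, the problem is in the uaccess/seat handling rather than in the rule you added.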