Home Up


Definition of abbreviations

AC - Access Condition

AID - Application IDentifier

To identify a card in open networks (e.g. key servers) and for the purpose of Log-In in local or open networks or to a single computer, it is necessary to have unique application numbers. For that reason every card manufacturer or personalizer who makes the card/application ready to run has a unique address. This manufacturer identification is controlled by FSF Europe e.V. and given to every interested manufacturer for free. Only registered manufactures are allowed to produce applications compatible with an OpenPGP application. The system works similar to MAC addresses on network cards. The 2 bytes are coded binary and the values 0000 and FFFF are reserved for test purposes.

ATR - Answer To Reset
AUT - AUThentication
BCD - Binary Coded Decimal
CHV - Card Holder Verification
CLA - CLAss byte
DEC - DECipher
dec. - Decimal
DF - Dedicated File
DO - Data Object
DSA - Digital Signature Algorithm
ECC - Elliptic Curve Cryptography
FCP - File Control Parameter
INS - INStruction byte
MF - Master File
OS - Operating System
PK - Public Key
RFU - Reserved for Future Use
RSA - Rivest-Shamir-Adleman
SE - Security Environment
SIG - SIGnature
SK - Secret Key
URL - Uniform Resource Locator
UTF-8 - UCS Transformation Format 8 (compatible with 7-bit US-ASCII for all characters < 80)


This command either initiates the generation and storing of an asymmetric key pair, i.e., a public key and a private key in the card, or returns the public key of an asymmetric key pair previously generated in the card. In case of key pair generation the command does not set the values of the corresponding fingerprint.

After receiving the public key the terminal has to calculate the fingerprint and store it in the relevant DO. The generation of a key pair for digital signature resets the digital signature counter to zero (000000). The command can only be used after correct presentation of CHV3 for the generation of a key pair. Reading of a public key is always possible.

No (G)UI => Signature key can't be used
Only the Authentication key can be used for now. The reason is that the Signature key requires a PIN login every time the key is used (called UserConsent). But PKCS11 doesn't support userconsent key, so the common solution is to use a (G)UI in the PKCS11 lib that asks the PIN every time the Signature has to be used.

btw: this is not only the case for pins with a userConsent attribute, it's the case for _all_ local pins

Differences with 'official' sources + implications
The following #defines are not set in OpenSC:

* BELPIC_SET_LANG: export a function that allows the application to specify the language for the dialogs
* GET_LANG_FROM_CARD: read the language from the prefs file on the card; takes a while and is hardly or not at all used
* HAVE_ALLOW_SSO: single sign-on support, but works only on top of a proprietory service 
* BELPIC_PIN_PAD: pinpad support but with a propriatory API
* HAVE_GUI: pin and notification dialogs

Windows System Information Registry Key Functions

pcsc-lite, opensc, and openct RPMs for Fedora Core 3 are now available in Fedora Extras

Q: I'm currently working with a Sun Ray system 2.0 on Solaris 8 and wish to use a smart card reader installed into Thin Clients for digital signatures?

A: Make sure that you have the latest patches for SRSS 2.0, and the latest SUNWsrcbp package. That package provides a PC/SC-lite API for the internal Sun Ray reader. That will get you going at the APDU level. Note a couple of things about Sun Ray:

- No T=1 support in SRSS 2.0, you have to load SRSS 3 since T=1 support was added to the Sun Ray firmware and server-side code in SRSS 3.

- Sun Ray internal reader doesn't have an IFD handler yet but it's being worked on.

- pcscd doesn't work with Sun Ray yet since it doesn't provide distinct, protected reader channels based on Sun Ray desktop sessions - modifications to pcscd are being worked on.

The SUNWsrcbp package only provides APDU-level access (the PC/SC-lite API) via the shared library. You don't need a special header file since this is built with the standard winscard.h header file.

People have been building their application on a system that has the MUSCLE dev environment installed.  That can even be a Solaris/Sun Ray system if you install the MUSCLE bits there. Then, just use the library that comes from the SUNWsrcbp package as the PC/SC-lite interface. You don't need to use pcscd and all the rest (and you can't use it to talk to the Sun Ray internal reader yet anyway!).

Other than that, all of the standard MUSCLE stuff such as PAM and PKCS#11 modules work OK on Sun Ray.

Q: I get the x509 certificate from my smartcard. How can I extract the name of the owner and the public key?
I need the public key for use on another PC. The other PC has no connection to the smartcard but the certificate.

A: What has worked is:

pkcs15-tool -r 45 | openssl x509 -noout -text
pkcs15-tool -r 45 | openssl x509 -noout -subject

openssl has the x509 utility with a header file "openssl/x509.h" with functions to do that.

Erasing the whole card using the DELETE MF command

starcos spk 2.3 does not support file deletion. Only some cards/tokens support the "DELETE MF" command erasing the whole card ("test cards"). Whether or not your card supports DELETE MF can be determined from the GET CARD DATA response using  opensc-tool.exe -s 80:f6:00:01:00

The last byte should be 0xc0 if DELETE MF etc. is supported.

Q:  I have a problem with openSSH and eToken Pro.  My smartcard has 2 Private Keys and 2 Certificates.

A:  If you're using OpenSC 0.9.4 (or earlier), you may need this patch: 

Applying this patch (and regenerating the keys and certs) solved problems with two keys and two certs on an eToken Pro.

Q:  How do you make a Mozilla plugin which will speak to a smartcard with pkcs11?

A:  This should be possible with client certificates. Have a look at  and

Q: Where's a link for the IE plugin for PKCS11?

A: The MS-signed CSP #11 acts as a gateway between a pkcs #11 library and the Microsoft Crypto API. (download)

Q: At the moment I may access the cards and read their ATR but don't know if I need different "driver" for signing with different smartcard operating systems. Does Musclecard provide a common interface?

A:  Yes - you need an initiator-side driver for the musclecard "cardedge" - the protocolar interface to a set of _mechanisms_ in a cryptomodule, such as the digital signature mechanism.

Muscle defines is own cardedge, so one can remotely access those devices hosting "muscle" cryptomodules. It define a driver model (with associated API), for remoting the access.

The "musclecard type system" behind the cardedge is generic: I know of three implementations of the muscle cardedge: javacard, oberthur, and that of Giuseppe Sacco. Each uses a different set of upper-layer protocols, when implementing the API. The javacard implementation relies on Javacard APIs and Global Platform, while the Oberthur implementation relies on the standardized inter-industry command set(s).

Muscle and various other groups map the cardedge API on the initiator/host to application-oriented programming APIs, such as CryptoAPI and PKCS#11, which may use a factory/provider pattern, for their security design layer.

Application builders use such basic security frameworks to construct secure (distributed) applications, and leverage them in richer frameworks such as NET framework, or in JAVA 2. The semantics of the security framework in which the cardedge is used dictate what class of secure application one can build.

One can also use the cardedge directly - when designing secure applications. The architecture may or may not exploit API mapping to such as PKCS#11, and may or may not exploit rich frameworks such as .NET framework. In this case, you architect your own communications and system security services, and define your own protection properties.

While the muscle plug-in/provider/driver hierarchy is deep, there are some valid rationales for using this macro architecture: which distinguishes the semantics of the distinct security layers.

(1) Plugging an custom assembly into the .NET framework specializes the interaction of the card, with the wider secure distributed object system.
(2) Providing a custom CryptoAPI module might specialize how the GP functional group and the cardedge functional group shall provide secure messaging support.
(3) A custom musclecard plug-in (aka driver) will protect the signaling of remote operations between smartcard-consumer and smartcard services provider
(4) OCF/PCSC drivers secure the transport/link protocols between cards, and host->cards interactions mediated by card readers.

Hopefully, presenting the wider driver model explains the specific driver issue, when accessing a card's signing function.

Q: How does ActiveCard differ from the Javacard Musclecard?

A: ActiveCard applets have an access control decision function that is not present in the javacard musclecard implementation. It allows the card's  policy to specify "authentication strength" on a per-method basis: e.g. the  host driver must first complete XAUT strong authentication, and only then can one invoke the verify pin method, or access the read bio template method, prior to requesting the match-on-board method, for example.

Q: Explain the difference between smart card readers in a super complex way?

A: Basically you have readers where the 14443-1234 implementation resides completely in firmware (such as Integrated Engineering), readers where some bits are in firmware and others on the host (such as Philips Mifare Pegoda RD-700) and readers where the whole stack resides on the host (such as Omnikey cm5121).

I personally prefer 'stupid' readers since it gives more flexibility to the driver. You can talk to i-code, mifare, 14443-4(T=CL), 15693, etc. - you can activate multiple cards, you can do whatever you want.

Readers with firmware protocol implementations are all limited to some subset of the theoretical functionality that a contactless 13.56MHz reader offers.

Q: Where can I buy smart card related items?


Q: Where can I locate smartcard software?


Q: Where can I find a list of natively supported cardreaders?


Q: Where can I download the latest version of the Apple SmartCardServices source?


Q: Where can I get information for server administrators who wish to Department of Defense DoD PKI enable standard internet protocols on Unix platforms?

A: The U.S. Naval Research Laboratory has an info page at

Q: I've compiled [and am running] pcsc-lite 1.3.1 and the OmniKey 3121 driver on my Fedora [Core 5] box. When I insert and then remove my card, I get data in /var/log/messages. 

I have pulled [and compiled] all the GlobalPlatform code from Sourceforge. I think that I have both GlobalPlatform 3.0.2 and
gpshell 1.3.1 compiled successfully.

So now where do I go/what do I do to see the certificate on my card. How would I, say, change my pin. The OpenManager GUI Screenshot on Sourceforge looks nice, but I don't know how to invoke it.

A: There is a contained README in the OpenManager GUI. But, it does only work for some OpenPlatform 2.0.1' cards, so you must look at your smart card, what it supports. In general you should use gpshell, it is much more stable.

Apart from that, GlobalPlatform and GPShell only install an application on a smart card (A smart card which supports the
OpenPlatform or GlobalPlatform standard), nothing else.  You must install an application on your card, for the MUSCLE project this would be the MuscleCard applet (CardEdge applet). This application on the card can be used with a program on the computer to perform some operations.

Buy a JavaCard, install the CardEdge applet, install the Musclecard components, execute Bundletool for your inserted smart card and run MuscleTool where you must format your card and can later copy objects on the card, e.g. certificates.

Generally this is only meaningful if the application you want to use with the certificate can understand the format and talks to the smart card. The Muscle PKCS#11 module can do this. Use it with Thunderbird, Mozilla, ... and sign your emails. Before
this you must import the certificate from your CA to your card.  There should be a README contained with the PKCS#11 module.

Q: Who is C3P0, apart from the droid on Star Wars?

A: C3PO are a Spanish smart card reader manufacturer, which also sell smart cards. One of the smart cards they distribute is the FNMT Cryptographic smart card, called Criptonita. In order to use it, there is the Opensc-Ceres project.

However, they are not selling nor distributing the Spanish National Digital Identification Card in any way.

Q: What is the difference between e-wallet and e-purse?

A: e-wallet is usually an application software package that runs in a PDA or other portable device (or even on the desktop PC), potentially allowing you to store and use all the things that you would normally keep in your wallet.

e-purse stores only e-money (e.g. Mondex), but by extension the term is also used for tokens usable for a specific purpose (e.g. exchange for a ticket on public transport)

Q: What is the advantage of T=1 protocol compared to T=0 protocol? Which applications use T=1 protocol and which use T=0 protocol?

A: To be blunt T=1 works. T=0, as defined by ISO, doesn't. Never has. Never will.
A major problem with T=0 is the handling of Class 4 APDUs: these have data transmitted in both directions, but TPDUs (as used in T=0) can only handle data in one direction. Some card readers and their drivers handle the 'double TPDU per Class 4 APDU' sequencing, others leave it to the application - this makes offering a universal application impossible.

Q: I've got a smartcard and don't know what to do with it?

A: You must first get the technical information for your smart card. Then decide what application on the card you want to use if you can even install an application on the card. You must know the APDU (If you don't know what APDUs are you should Google or read ISO 7816-4) specification. (The application has nothing to do with the OS on the card, so the OS is not important.)

Download MuscleCard Plugin Writer's DDK from 

You must implement all methods. For an overview of what the functions are look in the MuscleCard API Documentation.

Q: How do I select from a bunch of various certificates rather than just the first one?

A: Try StrongSwan from  which has a regular PKCS#11 smartcard interface and allows to select certificates according to position e.g.


which is the fourth certificate in the enumeration shown by ipsec listcards

Read the details in the strongSwan smartcard configuration howto

Q: I am trying to use openSC java but I get an exception while trying to add OpenSC provider.

A: If you are using opensc-java under Win32 and the JVM process is unable to resolve all dependent DLLs, you might either 
1) add the directory, where additional DLLs referenced by your PKCS#11 module to the PATH env. variable. 

2) Install all additional DLLs referenced by your PKCS#11 module in  %SystemRoot%


3) Set the current working directory the running program to the directory, where additional DLLs referenced by your PKCS#11 module are located.

In order to find dependent DLLs, you might use the 'deoends.exe' tool from MSVC or an equivalent tool. The opensc PKCS#11 module depnds BTW in opensc.dll pkcs15init.dll libeay32.dll libssl32.dll, which are typically installed in your SCB directory.

Q: What is $DISPLAY used for?

A: - $DISPLAY is used for two things - one purpose is as an index into a a port number that uses when it wants to talk to an instance of pcscd (so that if the base port of pscsd is, say, 9000, then $DISPLAY=:7.0 would contact it's pcscd instance on 9007) and the second is as an untrusted key that is used by pcscd to determine if the caller can access the particular instance of pcscd. We use PAM to determine that, and in the Sun Ray case, we know which X display value is associated with which UID, and our Sun Ray PAM module can then take the untrusted $DISPLAY that comes from the caller and the trusted UID that comes from the kernel via the peer credentials that are available on a socket call, and if the two match, then access is granted.

Q: - I have a couple of OLD cryptoflex cards which have been in use for testing about a year ago. Now it seems that these cards are blocked completely. I cannot unblock or erase them. Even knowing the correct PIN and PUK I still get "Authentication method blocked" on unblock. Is there a way to completely erase all keys pins and certificates from a Schlumberger Cryptoflex card (without PUK)?

A: - Try the 32k personalisation tool from Axalto under windows: as the Schlumberger Cryptoflex should be the same like the Axalto Cryptoflex. It works with some Cryptoflex cards, but seems to be for the 32k version only. You will also need the transport key of your card.

Q: Can one Windows workstation can use the smartcard reader of another workstation via the RDC protocoll?

A: On XP PRO the server is enabled by MyComputer->Properties->Remote the click on "Allow users to connect remotely to this computer." On XP PRO the client is under Start->Programs->Accessories->Communication->Remote Desktop Connection. Then run the client and look under Options->Local Resources. The last check box should be "smart cards".

Think of it as ssh to shhd with X windows being tunneled back to the ssh machine. RDC can also share the local printer, local disks, sound and local serial port.

Q: Is the only purpose of passing the $DISPLAY to disambiguate the case where the user is logged into multiple Sun Rays (DTUs, you call them, IIRC) simultaneously?

A: When built with the option, ./configure --enable-inetv4, the default will be for pcscd to use a base port# with xdpy#
added as an offest. will use $DISPLAY to know which port to connect to.

NOTE: ./configure --enable-well-known-port[=port#] would enable a different port numbering scheme.

Server side, pcscd is launched per X session, and is passed it's lifetime unique xdpy# via argv[], to determine which port
to listen on (in default port #'ing scheme). However, that doesn't preclude sending the client's *intended* xdpy# over
the socket (along with the other $DISPLAY components), to provide more info to potentially validate, authenticate
and/or use in making data-routing decisions.

Q: I need to store certificate in a smartcard without storing a privateKEY because certificate is already created and signed by CA. Do I have to use C_Create_Object ? or C_CopyObject ?

A: C_CreateObject() should work. You could have a look at write_object() in pkcs11-tool.c for sample code. If you just want a tool to do this, you could use "pkcs11-tool -w ..." or (preferably) "pkcs15-init -X ..."

Q: Where can I find the PKCS #11 PAM Login Tools?


Q: Where can I find DIKE software from InfoCamere?

A: Here's the link but all the text is in Italian They have versions for Windows, Linux and Mac.

The latest ID Ally Beta 2 software with features including the following:

- Common Access Card Support
- Supports hotplugging of readers
- Import tool for PKCS#12
- Works with OpenSC's PKCS#11 module
- opensc slots must be 1, and P11BaseModule (in registry) must point to OpenSC's P11 module

FREE for personal use

Login to Windows
Email Signing / Encryption using Outlook
Web Authentication using Internet Explorer
Enrollment using Windows 2003 CA
Certificate Auto-Enrollment Options
Mozilla / Firefox Email, Web Authentication
Caching for convenience and speed
Utility for viewing certs and changing pin
Card applet management capability
Optional Screen Lock on Card Removal
Easy to Use Installer and Documentation
Multi-platform - as it is built using the MuscleCard applet ....

It can be downloaded from: as well as full documentation describing the usage, management, and technical specifications of ID Ally.