Frequently Asked Questions
Generic concepts
Q: What is PKCS#11?
A: PKCS#11 is a software API for accessing cryptographic hardware like smart cards or HSMs. PKCS#11 is NOT a hardware standard or hardware interface.
Q: What is PKCS#15?
A: PKCS#15 is a format of on-card structures that defines a "filesystem layout" for smart cards. PKCS#15 does not define how those structures are generated or written to the card.
Q: Can I use PKCS#15 and PKCS#11 simultaneously?
A: Most probably. The two standards do not conflict with each other. However, a PKCS#15 compatible smart card may not have a PKCS#11 module for platform X, or a smart card might come with a PKCS#11 provider for platform X but format data on the card differently from what PKCS#15 defines.
Q: I have a PKCS#11 compatible smart card. Can I use it with OpenSC?
A: Not necessarily. PKCS#11 is a software interface, which means the vendor provides a PKCS#11 module with their hardware. You can use all PKCS#11 compatible software with the vendor PKCS#11 provider, if you want (see ApplicationSupport for a list of applications). If your card is also supported by OpenSC, you can use the OpenSC PKCS#11 provider. However, you may not be able to modify the card content, and even if you can, you may not be able to use keys created by OpenSC with the vendor PKCS#11 provider and vice versa.
Q: I have a blank smart card which claims PKCS#15 support. Can I initialize it with OpenSC?
A: Only if a pkcs15-init driver exists for the card. PKCS#15 defines how to look for objects; it does not define how the objects get written to the card.
Q: My smart card comes with a PKCS#11 module. Do I need OpenSC?
A: No, unless you want your software to be open source or your vendor does not provide a binary PKCS#11 module for your operating system or platform (for example ARM Linux).
Smart card reader issues
Q: Do I need OpenCT to use OpenSC?
A: No, unless you are using Linux and a USB token or an exotic reader that is not CCID compatible, comes without a driver for pcsc-lite and at the same time is supported by OpenCT. The recommended method for accessing smart card readers is PC/SC and thus pcsc-lite.
Q: I have installed OpenSC, OpenCT, pcsc-lite and ccid and I'm having trouble connecting to my CCID compatible reader.
A: The preferred access method for CCID readers is via pcsc-lite. You have installed two CCID drivers which may compete for resources. You should remove OpenCT.
Q: I'm using Ubuntu/Debian and OpenSC does not find any PC/SC readers (but pcsc_scan does)
A: The location of libpcsclite.so.1 is wrong in OpenSC, which has been fixed in OpenSC SVN (Ubuntu bug, Debian bug). The quick fix is to edit opensc.conf:
provider_library = libpcsclite.so.1
Q: I have a smart card reader installed but a Java application does not see it
A: Java looks for smart card readers via /usr/lib/libpcsclite.so which is not present on Debian/Ubuntu. You need to create a symlink, depending on your distribution:
sudo ln -s /lib/libpcsclite.so.1 /usr/lib/libpcsclite.so # For Ubuntu
sudo ln -s /usr/lib/libpcsclite.so.1 /usr/lib/libpcsclite.so # For Debian
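Rather than choosing the command by distribution name, the check can look at where libpcsclite.so.1 actually lives and whether the link Java needs already resolves. The script below is an added example, not part of the OpenSC FAQ or project; the function names and the optional root-prefix argument are hypothetical, and it only prints the command instead of creating the link.

```shell
#!/bin/sh
# Added example: decide whether the /usr/lib/libpcsclite.so link that Java
# looks for must be created, and which libpcsclite.so.1 it should point at.
# The optional root prefix argument is hypothetical, for trying a scratch tree.

# Print the first of the two locations named in the FAQ that exists.
find_pcsclite() {
    root="${1:-}"
    for candidate in /lib/libpcsclite.so.1 /usr/lib/libpcsclite.so.1; do
        # -e follows symlinks, so a dangling libpcsclite.so.1 is skipped
        if [ -e "$root$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Exit status: 0 link fine, 1 link missing, 2 link dangling, 3 no library.
java_link_status() {
    root="${1:-}"
    link=/usr/lib/libpcsclite.so
    if [ -e "$root$link" ]; then
        echo "ok: $link already resolves"
        return 0
    fi
    if [ -L "$root$link" ]; then
        echo "broken: $link is a dangling symlink, remove it first"
        return 2
    fi
    if target=$(find_pcsclite "$root"); then
        # Only print the command; creating the link is left to the admin.
        echo "missing: sudo ln -s $target $link"
        return 1
    fi
    echo "error: libpcsclite.so.1 not found in /lib or /usr/lib"
    return 3
}

# Check the live system only when asked: sh check-pcsclite.sh --live
if [ "${1:-}" = "--live" ]; then
    java_link_status ""
fi
```

A dangling link is reported separately because ln -s refuses to overwrite an existing name, so the stale link has to be removed before the command from the FAQ will succeed.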
Card support / card driver related
Q: What does "Unsupported INS byte in APDU" mean?
A: It is a very technical way of saying "Your card is unsupported".
Q: How can I verify that my card is supported by OpenSC?
A: Check the SupportedHardware list. Verify it with opensc-tool --name to see if some driver knows how to handle your card. The expected result of the command is a line with a card driver name.
Q: What to do if my card is not supported by OpenSC?
A: Somebody needs to write a driver for it. You can start by sending as much information as you can about the card to the opensc-devel mailing list. Be sure to send the card ATR by sending the output of opensc-tool --atr.
Q: Can I use Aladdin eToken with OpenSC?
A: Yes, but you cannot use an initialized token (where objects on the card have been created by the Aladdin middleware) with OpenSC. If there is free space on the token, a parallel structure can be created on the card with pkcs15-init. New keys must be generated, and keys created by the Aladdin middleware cannot be used through OpenSC.
Application support questions
Q: Is it possible to make GDM automatically ask for the PIN when a card is inserted?
A: Currently no. See this post on the MUSCLE mailing list for more information.
Q: Can I store my GnuPG key on a smart card? Can I use GnuPG with OpenSC?
A: GnuPG supports the OpenPGP card directly. That support has nothing to do with OpenSC or PKCS#11. There also exists a PKCS#11 based solution for GnuPG, see gnupg-pkcs11 for more information.
Q: Do I need to install both OpenCT and OpenSC?
A: OpenSC does not depend on OpenCT. Unless you have a USB token that does not support ICCD or CCID, you don't need OpenCT.
Miscellaneous questions
Q: Where can I buy smart cards?
- http://www.cryptoshop.com - ships from Austria
- http://www.gooze.eu - ships from France
- http://www.smartcardfocus.com - ships from UK