Card reader ReinerSCT cyberJack pinpad

Posted by jzarl on 0

Yesterday I got my FSFE smartcard. Since I already had a card reader with pinpad
lying around (from an earlier Austrian state-initiative called “Bürgerkarte” around 2006),
I thought I’d try using my reader with gpg.

First off, there are several revisions of the cyberJack, which can be distinguished by their product id:

Product ProductID
REINER SCT cyberJack pinpad USB 0x100
REINER SCT cyberJack e-com USB 0x100
REINER SCT cyberJack pinpad_a USB 0x300

(From /usr/share/doc/libifd-cyberjack6/README.txt.gz in package libifd-cyberjack6.)

$ dmesg usb 6-2.2: new full-speed USB device number 6 using ehci-pci usb 6-2.2: New USB device found, idVendor=0c4b, idProduct=0300 usb 6-2.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3 usb 6-2.2: Product: cyberJack pinpad(a) usb 6-2.2: Manufacturer: Reiner-SCT usb 6-2.2: SerialNumber: 0780782899

This means mine is a *ReinerSCT cyberJack pinpad(a)*.

Newly installed packages:

  • gnupg-pkcs11-scd (probably not needed)
  • fxcyberjack pcsc-tools (for diagnostics)
  • libifd-cyberjack6 pcscd

The card reader seems to work in principle, as pcsc_scan (in package pcsc-tools) recognises the reader and identifies cards correctly.
One nice thing about the reader: ReinerSCT not only provides drivers for Linux, but the drivers are licensed as GPLv2.

Troubleshooting

Even though I couldn’t get gpg running with the cyberJack, here’s the pitfalls that I did encounter and the solutions as far as I found any:

pcscd not running

  • Symptoms
    $ gpg –card-status –disable-ccid
    gpg: pcscestablishcontext failed: no service (0x8010001d)
    gpg: card reader not available
    gpg: OpenPGP card not available: general error
  • Solution
    Start pcscd. For debugging, you can also run it like this:
    $ pcscd –foreground –apdu –debug
    You should then see events like the card being plugged in or removed,
    as well as any access by any program using the pcsc api.

scdaemon could not be started

  • Symptoms
    This only seems to be an issue for gpg2. Version 1 can communicate with the reader
    when scdademon is not running.
    $ gpg2 –card-status
    gpg: OpenPGP card not available: No SmartCard daemon
  • Solution
    • Try starting scdaemon by hand to see if there are some errors.
      $ gpgconf –list-components |grep scdaemon
      scdaemon:Smartcard Daemon:/usr/lib/x8664-linux-gnu/gnupg2/scdaemon
      $ /usr/lib/x86      64-linux-gnu/gnupg2/scdaemon
      scdaemon[19052]: invalid debug-level `debug’ given
    • Check ~/.gnupg/scdaemon.conf and ~/.gnupg/gpg-agent.conf.
      (in case of the error above, change “debug-level” to advanced)

Card presence recognised, communication not possible

  • Symptoms
    $ gpg –card-status –disable-ccid
    gpg: detected reader `REINER SCT cyberJack ppa (0780782899) 00 00′
    gpg: apdu    sendsimple(0) failed: no card
    Please insert the card and hit return or enter ‘c’ to cancel:
    Upon inserting the card and hitting return:
    gpg: pcsc    connect failed: unresponsive card (0x80100066)
    gpg: pcscconnect failed: unresponsive card (0x80100066)
    gpg: apdu    send_simple(0) failed: general error
    Please insert the card and hit return or enter ‘c’ to cancel: c
  • Solution
    None, yet. It seems that although the presence of the card is correctly recognised,
    communication doesn’t work. (Why?)
    Note: this is only encountered when scdaemon is not running. Otherwise gpg seems
    to use scdaemon to access the card reader and fails in a slightly less verbose way (see below).

Same thing, but with scdaemon

  • Symptoms
    Without card:
    $ gpg –card-status –disable-ccid
    gpg: selecting openpgp failed: ec=6.112
    gpg: OpenPGP card not available: general error
    With card:
    $ gpg –card-status –disable-ccid
    gpg: selecting openpgp failed: ec=6.108
    gpg: OpenPGP card not available: general error
    In gpg2, output is even more terse in this situation:
    $ gpg2 –card-status
    gpg: selecting openpgp failed: Card error
    gpg: OpenPGP card not available: Card error

Conclusion

The ReinerSCT cyberJack supports PC/SC and (supposedly) CT-API, but not CCID.
Therefore the pinpad is definitely not supported:

“There is no support for PINpads when using pcscd. We could add it but I
prefer the internal driver which works very well with my readers.”
, Werner Koch

Presumably, it should work (without the pinpad) via pcscd. Alas, I couldn’t get this to work, either.
Maybe I’ll try again some time, but currently I’ll try to get my hands on another card reader.

Further reading

While fiddling aroung, I stumbled upon some other people’s experiences with the cyberJack (and similar models):