Tags: python, digital-signature, smartcard, smartcard-reader, pcsc

How to write specific data to a smart card using Python


In my project I'm trying to use a smart card to create a digital signature for specific data.

I'm working with the smart card reader ACR38U-I1 and Linux OS (more precisely, Raspbian OS).

I already installed all the needed drivers for this device and additional libraries such as pcsc, pcsc-lite ...

I also have a private/public GPG key pair for making the digital signature. As I understand the concept of making a digital signature using a smart card, I have to write the private key to this card and read it when I need to create a signature.

In this situation I faced a problem: I don't know how to do this.

I opened the pcsc-lite documentation [1] and couldn't find any write methods or examples of how to write data to the card.

[1] https://pcsclite.alioth.debian.org/api/group__API.html

I'll be grateful if somebody could direct me on the right way.


Solution

  • (Wanted to write a comment, but it got quite long...)

    (EDIT: While writing this I did not realize that you are working in a non-x86 environment, so this answer is probably useless unless you have a choice to go for x86 (Intel Edison maybe?))

    This is not a solution, but might be a good direction (I have no experience with this particular card):

    There is a PKCS#11 driver for the card which probably provides some access to its services (pkcs11 is a standardized API to access cryptographic tokens, see here).

    With this driver (assuming it works and provides appropriate mechanisms) you have some choices to continue:

    • use it directly from C code (works for me)

    • use a Python wrapper (have no experience with this way, but your question implies Python is desired)

    • use openssl (see e.g. here or here -- this worked for me some time ago)

    • use it with gpg (never tried and would not recommend at all)


    It might be a good idea to verify first that the pkcs11 driver is working (you can do that using firefox browser, see e.g. here).


    Additional notes:

    • I recommend initializing the card and generating the keys with vendor-provided utilities and using the pkcs11 driver only to actually sign some data (this way avoids many troublesome parts).

    • Do google for pkcs11 and related stuff, this "extended comment" is just another "point of view"

    Good luck!
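
The "Python wrapper" route from the answer, as an added example that is not part of the original question or answer. It assumes the PyKCS11 package, a vendor PKCS#11 module whose path is passed in as `module_path` (hypothetical parameter), an RSA key already generated on the card, and a token that supports `CKM_RSA_PKCS`. The data is hashed on the host, the DigestInfo is sent to the card, and only the signature comes back; the private key is referenced by handle and is never read out.

```python
import hashlib

# DER header of a SHA-256 DigestInfo (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def sha256_digest_info(data: bytes) -> bytes:
    """Hash on the host and wrap the digest the way CKM_RSA_PKCS expects it."""
    return SHA256_DIGESTINFO_PREFIX + hashlib.sha256(data).digest()


def sign_on_card(module_path: str, pin: str, data: bytes, key_label: str = "") -> bytes:
    """Have the token sign `data`; returns the raw RSA PKCS#1 v1.5 signature."""
    import PyKCS11  # assumption: PyKCS11 is installed; imported lazily

    lib = PyKCS11.PyKCS11Lib()
    lib.load(module_path)  # assumption: path to the vendor's PKCS#11 library
    slots = lib.getSlotList(tokenPresent=True)
    if not slots:
        raise RuntimeError("no token present in any reader")

    session = lib.openSession(slots[0], PyKCS11.CKF_SERIAL_SESSION)
    logged_in = False
    try:
        session.login(pin)
        logged_in = True
        # Look up a private key object that is allowed to sign.
        template = [(PyKCS11.CKA_CLASS, PyKCS11.CKO_PRIVATE_KEY),
                    (PyKCS11.CKA_SIGN, PyKCS11.CK_TRUE)]
        if key_label:
            template.append((PyKCS11.CKA_LABEL, key_label))
        keys = session.findObjects(template)
        if not keys:
            raise RuntimeError("no signing key found on the token")
        # keys[0] is only a handle; the key material stays on the card.
        mechanism = PyKCS11.Mechanism(PyKCS11.CKM_RSA_PKCS, None)
        signature = session.sign(keys[0], sha256_digest_info(data), mechanism)
        return bytes(signature)
    finally:
        if logged_in:
            session.logout()
        session.closeSession()
```
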