OpenCT on Debian Jessie

03.06.2015 17:12

I use a Schlumberger Cryptoflex (e-Gate) USB key to store some client-side SSL certificates. This is an obsolete device that has been increasingly painful to keep working with each new Debian release. I was especially worried when upgrading my desktop to Debian Jessie since the openct package was removed in this release cycle.

The old openct binary package from Wheezy is still installable in Jessie. In fact, on my system it was left installed (but marked as obsolete) by the upgrade process. The problem was that the USB key was very unreliable. In most cases, it errored out with some random-looking error:

$ pkcs15-tool -D
Using reader with a card: Axalto/Schlumberger/Gemalo egate token 00 00
Failed to connect to card: Generic reader error
$ pkcs15-tool -D
Using reader with a card: Axalto/Schlumberger/Gemalo egate token 00 00
Failed to connect to card: Unresponsive card (correctly inserted?) 

But on a few occasions it would actually work correctly:

$ pkcs15-tool -D
Using reader with a card: Axalto/Schlumberger/Gemalo egate token 00 00
PKCS#15 Card [OpenSC Card]:
	Version        : 0
	Serial number  : ...

After much digging through the internals of the smart card framework, I found out that the e-Gate is only supported by the pcscd daemon through the openct driver (which is just one of the many drivers you can install in Debian). OpenCT starts its own daemon, called ifdhandler, for each connected USB key. This daemon communicates over a socket with the rest of the framework and must run as long as the USB key is inserted. The main problem on Jessie is that this daemon gets killed at some random time by the new systemd-udevd. Somewhere along the pipeline, something reacts badly to the fact that the ifdhandler disappears, hence the random error messages.

A simple workaround is to start the daemon by hand after inserting the USB key:

$ sudo /usr/sbin/ifdhandler -F -H -dddddd -p egate usb /dev/bus/usb/002/104

A better solution is to fix the udev configuration installed by the openct package, so that the daemon doesn't get killed. Fortunately, the solution to this was already found by Mike Kazantsev, who has a nice write-up on this topic. Of course, I only found his blog post after spending several hours finding the root of the problem.

I've prepared an updated set of openct packages that can be installed on Jessie and have this problem fixed, at least for my specific USB key model. I didn't fix several other packaging problems reported by lintian. The binaries for amd64 can be found here. The updated source is also in a git repository (use git-buildpackage):

$ git clone

Other smart card-related packages work for me as-shipped in Jessie (e.g. opensc 0.14.0-2 and pcscd 1.8.13-1). Also note that my new packages depend on systemd. It is possible that the old Wheezy openct package still works correctly if you prevent the upgrade from migrating your init to systemd.

Other than that, my old instructions on how to set things up on Wheezy still work. One peculiarity I noticed though is that you need to insert the USB key before starting Firefox/Iceweasel. Otherwise the browser will not pick up any client certificate from the key.

Posted by Tomaž | Categories: Code
