Using a smartphone as a reader on your PC/MAC

A legendary guy named Frank Morgner has been working on a virtual smart card and virtual reader concept for many many years, and it’s become quite an efficient solution. Basically you install a virtual PCD smart card driver on your computer, which opens a TCP port and listens for connections from a virtual card reader - in my case, an Android app. That Android app will proxy reader interactions with cards over TCP to the host computer, as if the card was being scanned by a reader attached to the host computer itself.

The project links can be found here;

VPCD - Virtual Smart Card

This package is installed on your computer. It opens port TCP 35963 and listens for connections. On Windows, you will need to manually open that port on your Windows Firewall and allow edge traversal for that inbound rule as well… or you could just disable your firewall, but that’s not recommended.

https://frankmorgner.github.io/vsmartcard/virtualsmartcard/README.html

Release v0.8

Because the release contains an unsigned UMDF driver, the MSI package included in the release will not install on Windows 10 or later as these operating systems require signed drivers by default. You can disable that check and put Windows into test mode, install the VPCD driver, then re-enable checks and bring Windows out of test mode. To do this, check out my issue post

Android Virtual Card Reader

Just install this app on your phone from F-Droid, tap the 3 dot menu, tap settings, put in the IP address of your host computer that is running VPCD. Ensure your phone and computer are on the same network / wifi. It should now “just work”… provided you have installed the VPCD driver properly on your computer.

https://frankmorgner.github.io/vsmartcard/ACardEmulator/README.html

11 Likes

that is a very nice feature, will test this out later :smiley:

1 Like

The vsmartcard tools are a really nice software suite. It also works on Linux using pcsc-lite!

Make sure your WiFi connection is stable though, it does not like long timeouts.

I use the suite to emulate a simulated javacard (via jcardsim) via Android host card emulation. This kind of relay is also very useful for debugging black-box peers.

3 Likes

Well, I will say this is very exciting!
I’ve spent the better part of a day trying to figure out a solution for using the Apex Flex’s OpenPGP applet for Windows logon, which so far has been painful. But I’ve tracked that particular issue down to an unimplemented command in BixVReader. I will see if I can’t get EIDAuthenticate to accept it. Looking promising…

Here’s it showing up in Certutil!
To get this working, I needed to add my own “minidriver” definition in the registry, which is easy enough. Duplicate HKLM\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\OpenPGP card v3.x and adjust the ATR to match. You can grab that by running certutil -scinfo with your chip on your phone’s reader.

1 Like

Sorry for the delay… the trick here is you have to have the card “inserted” before you run the command of course.

I just deployed SmartPGP but did not push any keys in yet. This is the output I got from certutil;

C:\Users\authorized>certutil -scinfo
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
  0: Virtual Smart Card Architecture Virtual PCD 0
--- Reader: Virtual Smart Card Architecture Virtual PCD 0
--- Status: SCARD_STATE_EMPTY
--- Status: No card.
---   Card:

=======================================================
Analyzing card in reader: Virtual Smart Card Architecture Virtual PCD 0

--------------===========================--------------

Done.
CertUtil: -SCInfo command completed successfully.

C:\Users\authorized>certutil -scinfo
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
  0: Virtual Smart Card Architecture Virtual PCD 0
--- Reader: Virtual Smart Card Architecture Virtual PCD 0
--- Status: SCARD_STATE_PRESENT
--- Status: The card is available for use.
---   Card:
---    ATR:
        3b 8a 80 01 00 31 c1 73  c8 40 00 00 90 00 90      ;....1.s.@.....


=======================================================
Analyzing card in reader: Virtual Smart Card Architecture Virtual PCD 0
SCardGetCardTypeProviderName: The system cannot find the file specified. 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)
Cannot retrieve Provider Name for SCardGetCardTypeProviderName: The system cannot find the file specified. 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)
Cannot retrieve Provider Name for
--------------===========================--------------
CertUtil: -SCInfo command FAILED: 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)
CertUtil: The system cannot find the file specified.

Is that this

What did you think of Frank’s response?

It turns out that you need to activate the OpenSC minidriver by registering the ATR in the registry so that OpenSC actually gets loaded for your card.

Are you using EIDAuthenticate for this or another solution?
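The registry step discussed in this thread needs the ATR exactly as certutil -scinfo reports it. The Python below is an added example (not code from any poster, OpenSC or vsmartcard): it extracts the ATR from the output above, checks its ISO/IEC 7816-3 structure and TCK checksum, and formats it as .reg binary values. The all-ff ATRMask, meaning every byte must match, is an assumption.

```python
import re
from functools import reduce

# Constructed sample: the ATR lines of the certutil -scinfo output quoted in this thread.
CERTUTIL_OUTPUT = ("---    ATR:\n"
                   "        3b 8a 80 01 00 31 c1 73  c8 40 00 00 90 00 90      ;....1.s.@.....\n")

def extract_atr(text):
    """Collect hex bytes after 'ATR:'; the ASCII column is set off by 3+ spaces."""
    atr, in_atr = bytearray(), False
    for line in text.splitlines():
        if line.rstrip().endswith("ATR:"):
            in_atr = True
        elif in_atr:
            m = re.match(r"\s+((?:[0-9a-fA-F]{2}(?:\s{1,2}|$))+)", line)
            if not m:
                break
            atr += bytes.fromhex(m.group(1))
    return bytes(atr)

def parse_atr(atr):
    """Walk the ISO/IEC 7816-3 layout: TS, T0, interface bytes, historical bytes, TCK."""
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("bad TS byte or ATR too short")
    k, y, pos, protocols = atr[1] & 0x0F, atr[1] >> 4, 2, set()
    while y:
        pos += bin(y & 0x7).count("1")       # skip TAi/TBi/TCi when flagged
        if not y & 0x8:
            break
        if pos >= len(atr):
            raise ValueError("ATR truncated inside interface bytes")
        protocols.add(atr[pos] & 0x0F)       # TDi low nibble: protocol T
        y, pos = atr[pos] >> 4, pos + 1      # TDi high nibble: next presence map
    has_tck = bool(protocols - {0})          # TCK is absent only when just T=0 is offered
    if len(atr) != pos + k + has_tck:
        raise ValueError("length does not match T0/TDi declarations")
    if has_tck and reduce(lambda a, b: a ^ b, atr[1:]):
        raise ValueError("TCK checksum mismatch")   # XOR of T0..TCK must be zero
    return {"protocols": sorted(protocols or {0}), "historical": atr[pos:pos + k]}

def reg_values(atr):
    """ATR and ATRMask as .reg REG_BINARY lines (assumption: all-ff mask, exact match)."""
    fmt = lambda d: "hex:" + ",".join(f"{b:02x}" for b in d)
    return [f'"ATR"={fmt(atr)}', f'"ATRMask"={fmt(bytes([0xFF]) * len(atr))}']

if __name__ == "__main__":
    atr = extract_atr(CERTUTIL_OUTPUT)
    print(parse_atr(atr), *reg_values(atr), sep="\n")
```

A copy error in the ATR shows up here as a length or checksum failure before the value ever reaches the registry.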

the trick here is you have to have the card “inserted” before you run the command of course

Yes, “inserted” :rofl:
I ended up disabling my phone’s screen timeout and propped it against my right hand. Worked pretty well, just had to use the PC one-handed during … debugging.

What did you think of Frank’s response?

Honestly, I think he’s missing my point… I ensured the “card” was working correctly (as seen in my terminal screenshot) before even attempting to use it for anything practical. I did not, though, include a specific note saying I’d been using it with the OpenSC terminal commands without much trouble. I believe EIDAuthenticate is doing some “reader checks” as part of its setup flow (even the more straightforward “any NFC card” EID login app threw the same internal consistency check failed error).

I’ve not yet had a chance to come back to this and start debugging properly, so for now I can’t say for sure… I do have a nagging feeling that there’s something missing in the Fidesmo-published Smart PGP implementation that OpenSC is expecting to work. I’ll keep this thread updated with my findings!

You can find the source code of Smart PGP we distribute here: GitHub - ANSSI-FR/SmartPGP: SmartPGP is a JavaCard implementation of the OpenPGP card specifications

Just to be clear, have you had a chance to test this with an attached USB reader and have it work fine? If the only variable is vsmartcard / VPCD then I could see that being a valuable bit of evidence that the problem rests with Frank’s code somewhere.

No, unfortunately, I don’t have a USB reader I can use… Got any suggestions for a cheap one you know works?

no ideas for a cheap one but if you want to get a legit one I’d get an ACR1252U from ACS…

1 Like

Okay, I got that reader, but I’m still getting the consistency check failure. (And, fortunately, much faster, too - it’s agony waiting for communication over the network. I’m sure there’s lots to be improved there)

I thought it might have been caused by having multiple applets on my VivoKey, so I tried removing them all. Unfortunately, this didn’t change anything either.

I played around with OpenSC’s config file and made a custom entry - that didn’t change anything. I’ve been playing around with the various PKCS/OpenPGP tools, and while I can verify my pin is correct (and change it), I seem unable to generate keys at all. I get this error: Incorrect parameters in APDU.
So far I’ve not turned up anything promising.

Checking the Windows Event Viewer yields a few new IOCTL TRANSMIT rejections, with command headers: 00 a4 04 00, 00 a4 04 0c, 00 ca 7f 68, 00 a4 00 0c.
I’ve not looked into any of these errors yet, but I suspect they’re key. I need to get set up with verbose debug logs!

Fortunately, I’ve been able to rule out BixVReader here, so I’ll likely close that issue soon :stuck_out_tongue:

1 Like
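The four command headers quoted from the Event Viewer above can be read field by field under ISO/IEC 7816-4. The Python below is an added example, not code from any poster or project in this thread; it decodes only the CLA/INS/P1/P2 bytes that were posted and assumes nothing about the data fields that were not.

```python
# Constructed sample: the four command headers quoted in the post above.
HEADERS = ["00 a4 04 00", "00 a4 04 0c", "00 ca 7f 68", "00 a4 00 0c"]

SELECT_BY = {0x00: "MF, DF or EF by file identifier", 0x01: "child DF by identifier",
             0x02: "EF under current DF", 0x03: "parent DF", 0x04: "DF by name (AID)",
             0x08: "path from MF", 0x09: "path from current DF"}
OCCURRENCE = ("first or only", "last", "next", "previous")
RETURNS = ("FCI template", "FCP template", "FMD template",
           "no response data (proprietary if Le present)")

def decode_cla(cla):
    """First interindustry class byte (b8..b6 = 000) per ISO/IEC 7816-4."""
    if cla & 0xE0:
        return {"class": "not first-interindustry, left undecoded"}
    return {"class": "interindustry", "chaining": bool(cla & 0x10),
            "secure_messaging": (cla >> 2) & 0x3, "channel": cla & 0x3}

def decode_tag(p1, p2):
    """GET DATA P1-P2 ranges: one-byte BER-TLV, SIMPLE-TLV, or two-byte BER-TLV tag."""
    value = (p1 << 8) | p2
    if 0x0040 <= value <= 0x00FF:
        return {"encoding": "BER-TLV, one byte", "tag": f"{p2:02X}"}
    if 0x0200 <= value <= 0x02FF:
        return {"encoding": "SIMPLE-TLV", "tag": f"{p2:02X}"}
    if value >= 0x4000:
        classes = ("universal", "application", "context-specific", "private")
        return {"encoding": "BER-TLV, two bytes", "tag": f"{value:04X}",
                "tag_class": classes[p1 >> 6], "constructed": bool(p1 & 0x20)}
    return {"encoding": "proprietary or reserved", "tag": f"{value:04X}"}

def decode_header(text):
    """Decode one 4-byte command header given as space-separated hex."""
    cla, ins, p1, p2 = bytes.fromhex(text)
    out = decode_cla(cla)
    if ins == 0xA4:
        out.update(command="SELECT", target=SELECT_BY.get(p1, f"P1={p1:02X} (not decoded)"),
                   occurrence=OCCURRENCE[p2 & 0x3], returns=RETURNS[(p2 >> 2) & 0x3])
    elif ins == 0xCA:
        out.update(command="GET DATA", **decode_tag(p1, p2))
    else:
        out.update(command=f"INS={ins:02X} (not decoded)")
    return out

if __name__ == "__main__":
    for h in HEADERS:
        print(h, "->", decode_header(h))
```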