A legendary guy named Frank Morgner has been working on a virtual smart card and virtual reader concept for many many years, and it’s become quite an efficient solution. Basically you install a virtual PCD smart card driver on your computer, which opens a TCP port and listens for connections from a virtual card reader - in my case, an Android app. That Android app will proxy reader interactions with cards over TCP to the host computer, as if the card was being scanned by a reader attached to the host computer itself.
The project links can be found here:
VPCD - Virtual Smart Card
This package is installed on your computer. It opens port TCP 35963 and listens for connections. On Windows, you will need to manually open that port on your Windows Firewall and allow edge traversal for that inbound rule as well… or you could just disable your firewall, but that’s not recommended.
Because the release contains an unsigned UMDF driver, the MSI package included in the release will not install on Windows 10 or later as these operating systems require signed drivers by default. You can disable that check and put Windows into test mode, install the VPCD driver, then re-enable checks and bring Windows out of test mode. To do this, check out my issue post
Android Virtual Card Reader
Just install this app on your phone from F-Droid, tap the 3 dot menu, tap settings, put in the IP address of your host computer that is running VPCD. Ensure your phone and computer are on the same network / wifi. It should now “just work”… provided you have installed the VPCD driver properly on your computer.
Well, I will say this is very exciting!
I’ve spent the better part of a day trying to figure out a solution for using the Apex Flex’s OpenPGP applet for Windows logon, which so far has been painful. But I’ve tracked that particular issue down to an unimplemented command in BixVReader. I will see if I can’t get EIDAuthenticate to accept it. Looking promising…
Here’s it showing up in Certutil!
To get this working, I needed to add my own “minidriver” definition in the registry, which is easy enough. Duplicate HKLM\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\OpenPGP card v3.x and adjust the ATR to match. You can grab that by running certutil -scinfo with your chip on your phone’s reader.
The trick here is you have to have the card “inserted” before you run the command, of course.
I ended up disabling my phone’s screen timeout and propped it against my right hand. Worked pretty well, just had to use the PC one-handed during … debugging.
What did you think of Frank’s response?
Honestly, I think he’s missing my point… I ensured the “card” was working correctly (as seen in my terminal screenshot) before even attempting to use it for anything practical. I did not, though, include a specific note saying I’d been using it with the OpenSC terminal commands without much trouble. I believe EIDAuthenticate is doing some “reader checks” as part of its setup flow (even the more straightforward “any NFC card” EID login app threw the same internal consistency check failed error)
I’ve not yet had a chance to come back to this and start debugging properly, so for now I can’t say for sure… I do have a nagging feeling that there’s something missing in the Fidesmo-published Smart PGP implementation that OpenSC is expecting to work. I’ll keep this thread updated with my findings!
Just to be clear, have you had a chance to test this with an attached USB reader and have it work fine? If the only variable is vsmartcard / VPCD then I could see that being a valuable bit of evidence that the problem rests with Frank’s code somewhere.
Okay, I got that reader, but I’m still getting the consistency check failure. (And, fortunately, much faster, too - it’s agony waiting for communication over the network. I’m sure there’s lots to be improved there)
I thought it might have been caused by having multiple applets on my VivoKey, so I tried removing them all. Unfortunately, this didn’t change anything either.
I played around with OpenSC’s config file and made a custom entry - that didn’t change anything. I’ve been playing around with the various PKCS/OpenPGP tools, and while I can verify my PIN is correct (and change it), I seem unable to generate keys at all. I get this error: Incorrect parameters in APDU.
So far I’ve not turned up anything promising.
Checking the Windows Event Viewer yields a few new IOCTL TRANSMIT rejections, with command headers: 00 a4 04 00, 00 a4 04 0c, 00 ca 7f 68, 00 a4 00 0c.
I’ve not looked into any of these errors yet, but I suspect they’re key. I need to get set up with verbose debug logs!
Fortunately, I’ve been able to rule out BixVReader here, so I’ll likely close that issue soon.
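The four rejected command headers quoted from the Event Viewer above can be read field by field using the ISO/IEC 7816-4 header layout (CLA INS P1 P2). The decoder below is an added example, not code from the thread or from any of the projects mentioned; the function names and the small instruction table are assumptions chosen for illustration.

```python
# Added example (not from the thread): decode ISO/IEC 7816-4 command headers.
INS_NAMES = {0x20: "VERIFY", 0x47: "GENERATE ASYMMETRIC KEY PAIR",
             0xA4: "SELECT", 0xCA: "GET DATA"}
SELECT_BY = {0x00: "MF, DF or EF by file identifier", 0x01: "child DF",
             0x02: "EF under current DF", 0x03: "parent DF",
             0x04: "DF name (AID)", 0x08: "path from MF",
             0x09: "path from current DF"}
OCCURRENCE = ["first or only", "last", "next", "previous"]   # P2 bits 2-1
RESPONSE = ["FCI template", "FCP template", "FMD template",
            "no response data"]                               # P2 bits 4-3

# The four headers quoted from the Event Viewer entries in the post above.
PAGE_HEADERS = ["00 a4 04 00", "00 a4 04 0c", "00 ca 7f 68", "00 a4 00 0c"]


def get_data_tag_kind(tag):
    """Classify the P1-P2 value of GET DATA (INS CA)."""
    if 0x0040 <= tag <= 0x00FF:
        return "one-byte BER-TLV tag in P2"
    if 0x0200 <= tag <= 0x02FF:
        return "SIMPLE-TLV tag in P2"
    if tag >= 0x4000:
        return "two-byte BER-TLV tag in P1-P2"
    return "reserved or proprietary"


def decode_header(hex_header):
    """Decode a 4-byte CLA INS P1 P2 header given as a hex string."""
    cla, ins, p1, p2 = bytes.fromhex(hex_header)  # ValueError unless 4 bytes
    out = {"ins": INS_NAMES.get(ins, f"INS {ins:02X} (not in this table)")}
    if cla & 0xE0 == 0:  # first interindustry class: 000x xxxx
        out["logical_channel"] = cla & 0x03
        out["secure_messaging"] = bool(cla & 0x0C)
        out["command_chaining"] = bool(cla & 0x10)
    if ins == 0xA4:
        out["select_by"] = SELECT_BY.get(p1, f"P1 {p1:02X} (reserved)")
        out["occurrence"] = OCCURRENCE[p2 & 0x03]
        out["response"] = RESPONSE[(p2 >> 2) & 0x03]
    elif ins == 0xCA:
        tag = (p1 << 8) | p2
        out["tag"] = f"{tag:04X}"
        out["tag_kind"] = get_data_tag_kind(tag)
    return out


if __name__ == "__main__":
    for header in PAGE_HEADERS:
        print(header, "->", decode_header(header))
```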