OpenSC and Open-Source Smart Card Tools
Guide to OpenSC and open-source smart card tools for initialization, key management, and PKCS#15 structure management.
OpenSC is the most widely deployed open-source framework for accessing smart cards and cryptographic tokens. It provides a PKCS#11 module, a PC/SC driver stack, and a suite of command-line utilities covering everything from card identification to certificate import and PIN management. Distributed under the LGPL, OpenSC runs on Linux, macOS, and Windows and supports hundreds of card models through a plug-in driver architecture.
Architecture Overview
Application
    │
    ├── PKCS#11 (opensc-pkcs11.so / .dll)
    │       │
    │       └── libopensc ←── card drivers (*.so)
    │               │
    │               └── PC/SC layer (libpcsclite / WinSCard)
    │                       │
    │                       └── Reader driver (USB CCID / NFC)
OpenSC's libopensc implements the ISO 7816 file system, PIN
management, and cryptographic operations. Card-specific quirks are handled by individual
drivers (e.g. card-piv.c, card-openpgp.c, card-cac.c).
pkcs11-tool — PKCS#11 Operations
pkcs11-tool exercises the OpenSC PKCS#11 module directly and is the fastest way to verify
card functionality.
# List available slots and tokens
pkcs11-tool --module opensc-pkcs11.so --list-slots
# List objects on the card (requires PIN login)
pkcs11-tool --module opensc-pkcs11.so --login --list-objects
# Generate an RSA-2048 key pair on the card
pkcs11-tool --module opensc-pkcs11.so --login \
--keypairgen --key-type RSA:2048 --id 01 --label "My Key"
# Sign a file with the on-card private key
pkcs11-tool --module opensc-pkcs11.so --login \
--sign --id 01 --mechanism SHA256-RSA-PKCS \
--input-file data.txt --output-file sig.bin
# Verify with the public key
pkcs11-tool --module opensc-pkcs11.so \
--verify --id 01 --mechanism SHA256-RSA-PKCS \
--input-file data.txt --signature-file sig.bin
Use the APDU Builder to cross-check the APDU
sequences that pkcs11-tool sends when --verbose is set.
pkcs15-tool — PKCS#15 File System
PKCS#15 (ISO 7816-15) defines a standardised on-card file structure for certificates,
keys, and PINs. pkcs15-tool reads and writes this structure directly.
# Dump all PKCS#15 objects
pkcs15-tool --dump
# Read a DER certificate by ID and convert to PEM
pkcs15-tool --read-certificate 01 | openssl x509 -inform DER -text
# Change PIN
pkcs15-tool --change-pin --auth-id 01
# Initialise a blank JavaCard with a PKCS#15 structure
pkcs15-init --create-pkcs15 --profile pkcs15+onepin
# Enroll a certificate
pkcs15-init --store-certificate cert.pem --id 01 --auth-id 01
opensc-tool — Low-Level Card Access
opensc-tool provides raw card access without the PKCS#15 abstraction layer.
# Print ATR (identify the card)
opensc-tool --atr
# Send raw APDU and see response
opensc-tool --send-apdu 00:A4:04:00:07:D2:76:00:00:85:01:01
# List all files in the card's MF (Master File)
opensc-tool --list-files
Parse the ATR output with the ATR Parser to identify the card platform and supported protocols (T=0, T=1).
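As an added example (not part of OpenSC or of the original page), the Python function below decodes an ATR string in the colon-separated form printed by opensc-tool --atr, following the ISO 7816-3 layout. It reports the offered protocols, the historical bytes, and whether the TCK checksum is valid. The name parse_atr and the sample ATR strings are assumptions made for this example.

```python
from functools import reduce

def parse_atr(atr_hex):
    """Parse an ISO 7816-3 ATR given as colon- or space-separated hex."""
    atr = bytes.fromhex(atr_hex.replace(":", " "))
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("TS must be 3B (direct) or 3F (inverse convention)")
    hist_len = atr[1] & 0x0F   # T0 low nibble K: number of historical bytes
    y = atr[1] >> 4            # T0 high nibble Y1: which of TA1..TD1 follow
    pos, td_types = 2, []
    while True:
        pos += bin(y & 0x07).count("1")   # skip TAi/TBi/TCi if flagged
        if not y & 0x08:                  # no TDi: interface bytes end here
            break
        if pos >= len(atr):
            raise ValueError("ATR truncated inside interface bytes")
        td = atr[pos]
        pos += 1
        td_types.append(td & 0x0F)        # low nibble: protocol type T
        y = td >> 4                       # high nibble: next presence flags
    # T=15 only qualifies global interface bytes; no TD at all implies T=0.
    protocols = sorted({t for t in td_types if t != 15}) or [0]
    # TCK is sent unless T=0 is the only type indicated.
    has_tck = any(t != 0 for t in td_types)
    if len(atr) != pos + hist_len + (1 if has_tck else 0):
        raise ValueError("ATR length does not match its T0/TD structure")
    checksum_ok = None
    if has_tck:   # XOR of T0..TCK must be zero
        checksum_ok = reduce(lambda a, b: a ^ b, atr[1:]) == 0
    return {
        "convention": "direct" if atr[0] == 0x3B else "inverse",
        "protocols": [f"T={t}" for t in protocols],
        "historical": atr[pos:pos + hist_len],
        "checksum_ok": checksum_ok,
    }

# Sample ATR strings embedded for the example (not read from a live card).
SAMPLES = [
    "3b:80:80:01:01",
    "3b:f8:13:00:00:81:31:fe:45:4a:43:4f:50:76:32:34:31:b7",
    "3b:02:14:50",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, parse_atr(s))
```

A checksum_ok value of None means the ATR indicates T=0 only, in which case no TCK byte is sent.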
Card-Specific Drivers
| Driver | Cards Supported |
|---|---|
| card-piv | US PIV (FIPS 201), CAC |
| card-openpgp | OpenPGP Card v2/v3 |
| card-cac | US DoD Common Access Card |
| card-npa | German nPA (electronic identity card) |
| card-epass2003 | Feitian ePass2003 series |
| card-coolkey | Red Hat / Fedora CoolKey |
| card-iasecc | IAS-ECC (French national eID) |
OpenSC in the Browser
Browsers access smart cards via the PKCS#11 module loaded into NSS or through OS-level middleware. See Smart Card Web Authentication for integration steps.
Troubleshooting
| Symptom | Likely Cause | Fix |
|---|---|---|
| No card readers found | pcscd not running | sudo systemctl start pcscd |
| Unsupported card | No matching driver | Check opensc-tool --list-drivers |
| C_Login failed | Wrong PIN or PIN locked | Verify with pkcs15-tool --dump (PIN flags) |
| C_Sign: key not found | Mismatched CKA_ID | Use --list-objects to confirm IDs |
For identifying unknown cards, combine opensc-tool --atr with the
Card Identifier tool.
Frequently Asked Questions
Our guides cover a range of experience levels. Getting Started guides introduce smart card fundamentals. Security guides address Common Criteria certification and key management. Programming guides target developers working with APDU commands, JavaCard applets, and GlobalPlatform card management.