Accept a CCID device instead of a ctaphid device

sosthene-nitrokey · sosthene-nitrokey · commit bd2dbdab8c11 · 2025-11-12T17:28:05.000+01:00
diff --git a/poetry.lock b/poetry.lock
@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 2.1.3 and should not be changed by hand.
+# This file is automatically @generated by Poetry 2.2.1 and should not be changed by hand.
 
 [[package]]
 name = "alabaster"
@@ -1069,6 +1069,38 @@ files = [
 [package.extras]
 windows-terminal = ["colorama (>=0.4.6)"]
 
+[[package]]
+name = "pyscard"
+version = "2.3.1"
+description = "Smartcard module for Python."
+optional = false
+python-versions = ">=3.9"
+groups = ["main"]
+files = [
+    {file = "pyscard-2.3.1-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:5bd277142644441cba8fe71bc991fe83108147f3ba22c01e8b9a5a3f41a31f69"},
+    {file = "pyscard-2.3.1-cp310-cp310-win32.whl", hash = "sha256:717ea958ee77d7d4514ff0a6eb238082f9437e7882479ee6f742bb9db54419d4"},
+    {file = "pyscard-2.3.1-cp310-cp310-win_amd64.whl", hash = "sha256:91b27548eddcd6c21f115d5e6151ced9b348aae989b0e4fcc1ad4c479e61610c"},
+    {file = "pyscard-2.3.1-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:341eca9151318093d5543fa812736546de19020d214e01aff9bbc231d1429949"},
+    {file = "pyscard-2.3.1-cp311-cp311-win32.whl", hash = "sha256:be78734964621b59f8b63c90b822169dc804571df57f574733ccf585a31769af"},
+    {file = "pyscard-2.3.1-cp311-cp311-win_amd64.whl", hash = "sha256:52da45a3becfb6807dcd9427d763aeb154c9c9e9ad324a13a2bf322fa31baca5"},
+    {file = "pyscard-2.3.1-cp311-cp311-win_arm64.whl", hash = "sha256:e228c78e028b74e5411a604c765852bdc8fd04321f03e62d25cad8e90de27597"},
+    {file = "pyscard-2.3.1-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:acb9f4842cb08110d916e7e37ef225c755a1da627017364c55df547b6f187dcf"},
+    {file = "pyscard-2.3.1-cp312-cp312-macosx_15_0_x86_64.whl", hash = "sha256:abf5091d5067ac4945eb2a283b60bddce7530595e585868449da12d3b9e885ee"},
+    {file = "pyscard-2.3.1-cp312-cp312-win32.whl", hash = "sha256:c5d9fde122ffd41a74af72364166e8b23760230163e20c4c130aa0616bf4a786"},
+    {file = "pyscard-2.3.1-cp312-cp312-win_amd64.whl", hash = "sha256:561889413866141b3a44099f043d10344ee64b0604d2fecb275975b54aa584c6"},
+    {file = "pyscard-2.3.1-cp312-cp312-win_arm64.whl", hash = "sha256:06ae5e5421a5dd380e8c80046b4242e7b98ed381247117f4cf2c1c8328f74bce"},
+    {file = "pyscard-2.3.1-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:c11a596407e18cdcf16a4ccd8cdeaa55846d4f7ec2eefc529483e201f6906658"},
+    {file = "pyscard-2.3.1-cp313-cp313-macosx_15_0_x86_64.whl", hash = "sha256:72b1ab922fad5e050144ec72762e36741271b09d2389cda9b976b61ee0564e71"},
+    {file = "pyscard-2.3.1-cp313-cp313-win32.whl", hash = "sha256:a0b59d1961ff9fb15d980ad64edae13e4512b7e641ea8959e86133f34091aa5c"},
+    {file = "pyscard-2.3.1-cp313-cp313-win_amd64.whl", hash = "sha256:df2b256bc719b701807114bdd179f7b303f309a954d5689188b088adfc33ead2"},
+    {file = "pyscard-2.3.1-cp313-cp313-win_arm64.whl", hash = "sha256:f58b46cd78455a29a0abceabff21b37da81a385a737b29e6dd5e25acb7e3f3da"},
+    {file = "pyscard-2.3.1-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:a36bab071c6f4b1d74a8778a784ccf3cc04bf35a6c677bce15e70fdbeac5b932"},
+    {file = "pyscard-2.3.1.tar.gz", hash = "sha256:a24356f57a0a950740b6e54f51f819edd5296ee8892a6625b0da04724e9e6c13"},
+]
+
+[package.extras]
+gui = ["wxPython"]
+
 [[package]]
 name = "pyserial"
 version = "3.5"
@@ -1605,4 +1637,4 @@ files = [
 [metadata]
 lock-version = "2.1"
 python-versions = ">=3.10, <4"
-content-hash = "50d9098be4b28ec32e2a90380e814e870de37ea7947ca366e7c8a7eb864865ad"
+content-hash = "49fe33bc1e81966a26952b14664aacdbd9855b07be2f8c5f998102406ce9c30f"
diff --git a/pyproject.toml b/pyproject.toml
@@ -31,6 +31,7 @@ dependencies = [
     # nrf52
     "protobuf >=5.26, <7",
     "pyserial >=3.5, <4",
+    "pyscard >=2, <3"
 ]
 
 [project.urls]
diff --git a/src/nitrokey/nk3/_device.py b/src/nitrokey/nk3/_device.py
@@ -5,9 +5,10 @@
 # http://opensource.org/licenses/MIT>, at your option. This file may not be
 # copied, modified, or distributed except according to those terms.
 
-from typing import List
+from typing import List, Optional
 
 from fido2.hid import CtapHidDevice
+from smartcard.CardConnection import CardConnection
 
 from nitrokey import _VID_NITROKEY
 from nitrokey.trussed import Fido2Certs, Model, TrussedDevice, Version
@@ -33,8 +34,12 @@
 class NK3(TrussedDevice):
     """A Nitrokey 3 device running the firmware."""
 
-    def __init__(self, device: CtapHidDevice) -> None:
-        super().__init__(device, FIDO2_CERTS)
+    def __init__(
+        self,
+        device: Optional[CtapHidDevice],
+        device_ccid: Optional[CardConnection] = None,
+    ) -> None:
+        super().__init__(device, FIDO2_CERTS, device_ccid)
 
     @property
     def model(self) -> Model:
@@ -51,8 +56,12 @@ def name(self) -> str:
         return "Nitrokey 3"
 
     @classmethod
-    def from_device(cls, device: CtapHidDevice) -> "NK3":
-        return cls(device)
+    def from_device(
+        cls,
+        device: Optional[CtapHidDevice],
+        device_ccid: Optional[CardConnection] = None,
+    ) -> "NK3":
+        return cls(device, device_ccid)
 
     @classmethod
     def list(cls) -> List["NK3"]:
diff --git a/src/nitrokey/nkpk.py b/src/nitrokey/nkpk.py
@@ -8,6 +8,7 @@
 from typing import List, Optional, Sequence, Union
 
 from fido2.hid import CtapHidDevice
+from smartcard.CardConnection import CardConnection
 
 from nitrokey import _VID_NITROKEY
 from nitrokey.trussed import Fido2Certs, TrussedDevice, Version
@@ -46,8 +47,16 @@
 
 
 class NKPK(TrussedDevice):
-    def __init__(self, device: CtapHidDevice) -> None:
-        super().__init__(device, _FIDO2_CERTS)
+    def __init__(
+        self,
+        device: Optional[CtapHidDevice],
+        device_ccid: Optional[CardConnection] = None,
+    ) -> None:
+        super().__init__(
+            device,
+            _FIDO2_CERTS,
+            device_ccid,
+        )
 
     @property
     def model(self) -> Model:
@@ -62,8 +71,12 @@ def name(self) -> str:
         return "Nitrokey Passkey"
 
     @classmethod
-    def from_device(cls, device: CtapHidDevice) -> "NKPK":
-        return cls(device)
+    def from_device(
+        cls,
+        device: Optional[CtapHidDevice],
+        device_ccid: Optional[CardConnection] = None,
+    ) -> "NKPK":
+        return cls(device, device_ccid)
 
     @classmethod
     def list(cls) -> List["NKPK"]:
diff --git a/src/nitrokey/trussed/_device.py b/src/nitrokey/trussed/_device.py
@@ -14,6 +14,9 @@
 from typing import List, Optional, Sequence, TypeVar, Union
 
 from fido2.hid import CtapHidDevice, list_descriptors, open_device
+from smartcard.CardConnection import CardConnection
+from smartcard.Exceptions import NoCardException
+from smartcard.System import readers
 
 from ._base import TrussedBase
 from ._utils import Fido2Certs, Uuid
@@ -34,14 +37,19 @@ class App(Enum):
 
 class TrussedDevice(TrussedBase):
     def __init__(
-        self, device: CtapHidDevice, fido2_certs: Sequence[Fido2Certs]
+        self,
+        device: Optional[CtapHidDevice],
+        fido2_certs: Sequence[Fido2Certs],
+        device_ccid: Optional[CardConnection] = None,
     ) -> None:
-        self._validate_vid_pid(device.descriptor.vid, device.descriptor.pid)
+        if device is not None:
+            self._validate_vid_pid(device.descriptor.vid, device.descriptor.pid)
+            self._path = _device_path_to_str(device.descriptor.path)
+            self._logger = logger.getChild(self._path)
 
         self.device = device
+        self.device_ccid = device_ccid
         self.fido2_certs = fido2_certs
-        self._path = _device_path_to_str(device.descriptor.path)
-        self._logger = logger.getChild(self._path)
 
         from .admin_app import AdminApp
 
@@ -53,7 +61,11 @@ def path(self) -> str:
         return self._path
 
     def close(self) -> None:
-        self.device.close()
+        if self.device is not None:
+            self.device.close()
+        if self.device_ccid is not None:
+            self.device_ccid.disconnect()
+            self.device_ccid.release()
 
     def reboot(self) -> bool:
         from .admin_app import BootMode
@@ -64,7 +76,8 @@ def uuid(self) -> Optional[Uuid]:
         return self.admin.uuid()
 
     def wink(self) -> None:
-        self.device.wink()
+        if self.device is not None:
+            self.device.wink()
 
     def _call(
         self,
@@ -73,7 +86,14 @@ def _call(
         response_len: Optional[int] = None,
         data: bytes = b"",
     ) -> bytes:
-        response = self.device.call(command, data=data)
+        if self.device_ccid is not None:
+            response = _call_ccid(self.device_ccid, command, data)
+        elif self.device is not None:
+            response = self.device.call(command, data=data)
+        else:
+            raise RuntimeError(
+                "Nitrokey device needs either a valid CCID device or a valid CTAPHID device"
+            )
         if response_len is not None and response_len != len(response):
             raise ValueError(
                 f"The response for the CTAPHID {command_name} command has an unexpected length "
@@ -91,7 +111,11 @@ def _call_app(
 
     @classmethod
     @abstractmethod
-    def from_device(cls: type[T], device: CtapHidDevice) -> T: ...
+    def from_device(
+        cls: type[T],
+        device: Optional[CtapHidDevice],
+        device_ccid: Optional[CardConnection] = None,
+    ) -> T: ...
 
     @classmethod
     def open(cls: type[T], path: str) -> Optional[T]:
@@ -104,7 +128,7 @@ def open(cls: type[T], path: str) -> Optional[T]:
             logger.warn(f"No CTAPHID device at path {path}", exc_info=sys.exc_info())
             return None
         try:
-            return cls.from_device(device)
+            return cls.from_device(device, device_ccid=None)
         except ValueError:
             logger.warn(f"No Nitrokey device at path {path}", exc_info=sys.exc_info())
             return None
@@ -120,7 +144,36 @@ def _list_vid_pid(cls: type[T], vid: int, pid: int) -> List[T]:
             for desc in list_descriptors()  # type: ignore
             if desc.vid == vid and desc.pid == pid
         ]
-        return [cls.from_device(open_device(desc.path)) for desc in descriptors]
+        return [
+            cls.from_device(open_device(desc.path), device_ccid=None)
+            for desc in descriptors
+        ]
+
+    @classmethod
+    def _list_pcsc_atr(cls: type[T], atr: List[int]) -> List[T]:
+        devices = []
+        for r in readers():
+            connection = r.createConnection()
+            try:
+                connection.connect()
+            except NoCardException:
+                continue
+            if atr == connection.getATR():
+                connection.disconnect()
+                connection.release()
+                continue
+            devices.append(cls.from_device(None, device_ccid=connection))
+
+        return devices
+
+
+def _call_ccid(
+    device: CardConnection,
+    command: int,
+    data: bytes = b"",
+    response_len: Optional[int] = None,
+) -> bytes:
+    raise NotImplementedError("TODO")
 
 
 def _device_path_to_str(path: Union[bytes, str]) -> str:

Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,7 @@ dependencies = [`
`31`	`31`	`# nrf52`
`32`	`32`	`"protobuf >=5.26, <7",`
`33`	`33`	`"pyserial >=3.5, <4",`
	`34`	`+ "pyscard >=2, <3"`
`34`	`35`	`]`
`35`	`36`
`36`	`37`	`[project.urls]`