SmartCard Shell3 3.18.72 CLI - HSM Card Detection Issue

This document provides a comprehensive technical analysis of the SmartCard Shell3 3.18.72 CLI card detection issue, where the CLI cannot detect the SmartCard HSM card despite the card being present and accessible via PC/SC and GUI interfaces.

Problem Statement

The SmartCard Shell3 3.18.72 CLI cannot detect the SmartCard HSM card, even though the card is present and accessible via PC/SC and GUI.

This issue prevents the CLI from performing any card operations, including authentication, object inspection, and key management, while the GUI works perfectly with the same card and scripts.

System Environment

Hardware Configuration

  • SmartCard HSM: Identiv uTrust 3512 SAM slot Token
  • Interface: CCID Interface (55512033274236)
  • Status: Card inserted, Shared Mode
  • Manufacturer: CardContact (www.cardcontact.de)
  • Token Label: LABEL-1

Operating System

  • OS: Linux 5.14.0-570.26.1.el9_6.x86_64
  • Distribution: Red Hat Enterprise Linux 9 (RHEL 9)
  • User: [REDACTED]
  • Working Directory: /home/user/tmp/test-05

Key Components

  • PC/SC Daemon: pcscd V 1.6.2 (Running)
  • PC/SC Library: /usr/lib64/libpcsclite.so
  • SmartCard Shell3: Version 3.18.72 at /home/user/CardContact/scsh/scsh-3.18.72/
  • SmartCard HSM PKCS#11 Library: Version 2.12 at /home/user/bin/sc-hsm-embedded-2.12/
  • Java: OpenJDK with SmartCard support

Evidence

1. Card is Present and Accessible

PC/SC can detect the card:

$ pcsc_scan
Reader 0: Identiv uTrust 3512 SAM slot Token [CCID Interface] (55512033274236) 00 00
  Card state: Card inserted, Shared Mode
  ATR: 3B DE 96 FF 81 91 FE 1F C3 80 31 81 54 48 53 4D 31 73 80 21 40 81 07 92

PKCS#11 library can access the card:

$ pkcs11-tool --module /home/user/bin/sc-hsm-embedded-2.12/lib/libsc-hsm-pkcs11.so --list-token-slots
Available slots:
Slot 0 (0x1): Identiv uTrust 3512 SAM slot Token [CCID Interface] (55512033274)
  token label        : LABEL-1
  token manufacturer : CardContact (www.cardcontact.de)
  token model        : SmartCard-HSM

2. GUI Can Access and Edit Card Objects

GUI successfully connects and performs all operations:

$ ./scsh3gui
# GUI successfully connects to card, authenticates, and can:
# - View all stored objects (keys, certificates, data)
# - Generate new keys
# - Import/export certificates
# - Modify card contents
# - Perform all card operations normally

3. CLI Cannot Detect the Card

Error when trying to access card via CLI:

$ echo 'var card = new Card(); print(card.isCardPresent());' | java -Dsun.security.smartcardio.t1GetResponse=false -Dorg.bouncycastle.asn1.allow_unsafe_integer=true -Djava.library.path=./lib -classpath 'lib/*' de.cardcontact.scdp.engine.CommandProcessor

GPError: Card (CARD_CONNECT_FAILED/0) - "No card in reader or mute card."

Root Cause Analysis

1. Different Main Classes

CLI Startup:

java -Dsun.security.smartcardio.t1GetResponse=false -Dorg.bouncycastle.asn1.allow_unsafe_integer=true -Djava.library.path=./lib -classpath 'lib/*' de.cardcontact.scdp.engine.CommandProcessor

GUI Startup:

java -Dsun.security.smartcardio.t1GetResponse=false -Dorg.bouncycastle.asn1.allow_unsafe_integer=true -Djava.library.path=./lib -classpath 'lib/*' de.cardcontact.scdp.scsh3.GUIShell

Key Difference: CommandProcessor vs GUIShell

2. Different Initialization Sequences

GUI Initialization:

  1. Changes working directory: cd $(dirname $0)
  2. Loads opencard.properties configuration
  3. Initializes SmartCardIO factory: de.cardcontact.opencard.terminal.smartcardio.SmartCardIOFactory
  4. Sets up card service factories

CLI Initialization:

  1. No working directory change
  2. May not load opencard.properties
  3. May not initialize card services properly
  4. Different card access method

3. OpenCard Framework Configuration

GUI uses opencard.properties:

OpenCard.terminals = de.cardcontact.opencard.terminal.smartcardio.SmartCardIOFactory
OpenCard.services = de.cardcontact.opencard.factory.SmartCardHSMCardServiceFactory

CLI may not load this configuration properly.
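
One way to test the working-directory hypothesis from a shell, added here as an example (it is not part of SmartCard Shell3 or of the original analysis): the script checks whether a JVM started in a given directory would find an opencard.properties that declares the two factories quoted above. It assumes the file is looked up relative to the working directory; the function names and the sample directory layout are made up for the example.

```shell
#!/bin/sh
# Added example, not part of SmartCard Shell3. Assumption: opencard.properties
# is looked up relative to the JVM's working directory.

# Factory class names exactly as quoted on this page.
WANT_TERMINALS='de.cardcontact.opencard.terminal.smartcardio.SmartCardIOFactory'
WANT_SERVICES='de.cardcontact.opencard.factory.SmartCardHSMCardServiceFactory'

# prop_value FILE KEY: print KEY's value from a Java properties file.
# Accepts "k = v", "k=v" and "k: v", skips # and ! comments, last entry wins.
prop_value() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n -e '/^[[:space:]]*[#!]/d' \
        -e "s/^[[:space:]]*${key_re}[[:space:]]*[=:][[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# check_launch_dir DIR: would a JVM started in DIR see both factories?
# Returns 0 = ok, 1 = no readable file, 2 = terminal factory missing,
# 3 = card service factory missing.
check_launch_dir() {
    props="$1/opencard.properties"
    [ -r "$props" ] || { echo "FAIL: $props not readable"; return 1; }
    case "$(prop_value "$props" OpenCard.terminals)" in
        *"$WANT_TERMINALS"*) ;;
        *) echo "FAIL: OpenCard.terminals lacks SmartCardIOFactory"; return 2 ;;
    esac
    case "$(prop_value "$props" OpenCard.services)" in
        *"$WANT_SERVICES"*) ;;
        *) echo "FAIL: OpenCard.services lacks SmartCardHSMCardServiceFactory"; return 3 ;;
    esac
    echo "OK: $props declares both factories"
}

# Constructed demo: a stand-in install directory and an unrelated directory
# (the situation when the CLI is started without the GUI launcher's cd).
demo=$(mktemp -d)
mkdir "$demo/scsh" "$demo/elsewhere"
cat > "$demo/scsh/opencard.properties" <<'EOF'
# constructed sample using the two keys shown on this page
OpenCard.terminals = de.cardcontact.opencard.terminal.smartcardio.SmartCardIOFactory
OpenCard.services = de.cardcontact.opencard.factory.SmartCardHSMCardServiceFactory
EOF
check_launch_dir "$demo/scsh"
check_launch_dir "$demo/elsewhere" || echo "  -> exit code $? when started elsewhere"
rm -rf "$demo"
```

Against a real installation, call check_launch_dir once with the SmartCard Shell3 directory and once with the directory the CLI is actually started from, then compare the two results.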

Technical Details

Card Access Methods

  1. PC/SC (Working): Direct PC/SC library access
  2. PKCS#11 (Working): SmartCard HSM PKCS#11 library
  3. SmartCard Shell3 GUI (Working): OpenCard Framework with SmartCardIO
  4. SmartCard Shell3 CLI (Broken): OpenCard Framework with different initialization

Error Analysis

Error: "No card in reader or mute card"

Possible Causes:

  1. Card Service Not Initialized: CLI doesn't load the proper card service factory
  2. Terminal Factory Not Configured: CLI doesn't use SmartCardIO factory
  3. Working Directory Issue: CLI doesn't change to proper directory
  4. Class Loading Issue: CLI can't load required card access classes

Attempted Solutions

1. Set PCSC Library Path

java -Dsun.security.smartcardio.library=/usr/lib64/libpcsclite.so ...

Result: ❌ Still fails

2. Set OpenCard Properties

java -DOpenCard.terminals="de.cardcontact.opencard.terminal.smartcardio.SmartCardIOFactory" ...

Result: ❌ Still fails

3. Kill Competing Processes

pkill -f "ssh-pkcs11-help"

Result: ❌ Still fails

4. Use GUI Working Directory

cd $(dirname $0) && java ...

Result: ❌ Class loading fails

Working Solutions

1. Hybrid Approach (Recommended)

Use GUI for card access, CLI for scripting:

# Terminal 1: Start GUI and authenticate
./scsh3gui
# Select token, load keymanager, enter PIN
# Keep GUI running

# Terminal 2: Run CLI script
echo 'load("test_card_script.js")' | java -Dsun.security.smartcardio.t1GetResponse=false -Dorg.bouncycastle.asn1.allow_unsafe_integer=true -Djava.library.path=./lib -classpath 'lib/*' de.cardcontact.scdp.engine.CommandProcessor

2. Pure GUI Approach

Use GUI directly for all operations:

./scsh3gui
# Select token, load keymanager, enter PIN
# Navigate to card objects
# Right-click → Perform card operations

Impact on Card Operations

Since CLI cannot detect the card, it cannot:

  • Create card connections
  • Authenticate to the HSM
  • Perform any card operations
  • Access existing objects on the card

Any card operations via CLI are impossible until the card detection issue is resolved.

Conclusion

The CLI cannot detect the card because:

  1. Different Main Class: CommandProcessor vs GUIShell
  2. Different Initialization: CLI doesn't load proper card services
  3. Different Configuration: CLI may not use opencard.properties
  4. Different Working Directory: CLI doesn't change directory like GUI

The fundamental issue is that the CLI's card access initialization is broken or incomplete compared to the GUI.

Solution: Use the hybrid approach where GUI provides card access context for CLI scripting, or use GUI directly for all operations.

Summary

  • Hardware: Identiv uTrust 3512 SmartCard HSM with CCID interface
  • OS: RHEL 9 with PC/SC infrastructure
  • Tools: SmartCard Shell3 3.18.72 + PKCS#11 library 2.12
  • Status: GUI working, CLI broken for card detection
  • Issue: CLI cannot detect card due to different initialization
  • Solution: Use hybrid approach (GUI + CLI) or GUI only
