Gemalto smarcard USB token not working in browsers

I’m trying to make Gemalto dotnet USB smart card token work.

https://www.creaplus.si/images/Gemalto/USB_Shell_Token__transparent_and_black.jpg

I’ve followed this post
https://forums.opensuse.org/showthread.php/522418-OpenSUSE-Tumbleweed-smartcard-issue
this guide:
https://kamarada.github.io/en/2019/06/28/using-smart-cards-on-opensuse-linux/

I added security_chipcard repo, installed tools and the pcsced.service is started

I can see the card in pcsc_scan

pcsc_scan 
Using reader plug'n play mechanism
Scanning present readers...
0: Gemalto USB Shell Token V2 (AB5751A5) 00 00
 
Mon Aug 24 21:46:37 2020
 Reader 0: Gemalto USB Shell Token V2 (AB5751A5) 00 00
  Event number: 0
  Card state: Card inserted, 
  ATR: 3B 7F 96 00 00 80 31 80 65 B0 85 03 00 EF 12 0F FE 82 90 00

ATR: 3B 7F 96 00 00 80 31 80 65 B0 85 03 00 EF 12 0F FE 82 90 00
+ TS = 3B --> Direct Convention
+ T0 = 7F, Y(1): 0111, K: 15 (historical bytes)
  TA(1) = 96 --> Fi=512, Di=32, 16 cycles/ETU
    250000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 312500 bits/s
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = 00 --> Extra guard time: 0
+ Historical bytes: 80 31 80 65 B0 85 03 00 EF 12 0F FE 82 90 00
  Category indicator byte: 80 (compact TLV data object)
    Tag: 3, len: 1 (card service data byte)
      Card service data byte: 80
        - Application selection: by full DF name
        - EF.DIR and EF.ATR access services: by GET RECORD(s) command
        - Card with MF
    Tag: 6, len: 5 (pre-issuing data)
      Data: B0 85 03 00 EF
    Tag: 1, len: 2 (country code, ISO 3166-1)
      Country code: 0F FE
    Tag: 8, len: 2 (status indicator)
      SW: 9000

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 7F 96 00 00 80 31 80 65 B0 85 03 00 EF 12 0F FE 82 90 00
3B 7F .. 00 00 80 31 80 65 B0 .. .. .. .. 12 0F FE 82 90 00
        IDPrime MD 8840, 3840, 3810, 840 and 830 Cards T=0
3B 7F 96 00 00 80 31 80 65 B0 85 03 00 EF 12 0F FE 82 90 00
        Gemalto IDPrime MD 840 (PKI)
        http://www.gemalto.com/Products/IDPrime_MD/index.html

I added root CAs for the certs I have on device in Firefox and loaded library=/usr/lib64/pkcs11/opensc-pkcs11.so

I also tried adding security device to Chromium
https://kamarada.github.io/en/2019/09/26/setting-up-smart-card-authentication-on-google-chrome-chromium/

But when I try logging in websites (gov or bank) I don’t get pin prompt.

The library you’re loading in Firefox implies the driver for this specific model is provided by the open-source OpenSC project. Since the card is being identified and you didn’t mention a third-party driver installation, that’s probably right, but just to make sure it’s not a false positive, let’s see if OpenSC recognizes the card:


opensc-tool -l
pkcs11-tool -l
pkcs11-tool -O

You shouldn’t need to add additional repos on Leap 15.2.

Next steps:


# this is needed in case certificates are installed
update-ca-certificates

Authorization is done via polkit, this will authorize anyone using the computer:


echo 'org.debian.pcsc-lite.access_pcscyes:yes:yes' | sudo tee -a /etc/polkit-default-privs.local
echo 'org.debian.pcsc-lite.access_cardyes:yes:yes' | sudo tee -a /etc/polkit-default-privs.local
set_polkit_default_privs

Appreciate the answer. Seems pkcs11 does not recognize the card.

zypper info pkcs11-helper
Repository     : Main Repository
Version        : 1.25.1-lp152.2.5

opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Gemalto USB Shell Token V2 (AB5751A5) 00 00

pkcs11-tool -L
Available slots:
Slot 0 (0x0): Gemalto USB Shell Token V2 (AB5751A5) 00 00
  (empty)

pkcs11-tool -O
No slot with a token was found.

There is a card with certs in token. Which driver do I need? The card is gemalto dot net (on Windows it installs from Windows update on Win7 and above)

I’d start looking at the manufacturer and seller websites. You may not find a package for Leap 15.2, but any x86_64 .rpm shall do.

Also, in this case you’ll use the library provided with the driver by the vendor, for instance /usr/lib64/libeTPkcs11.so.

I got it to work with Safenet driver from:
https://support.globalsign.com/ssl/ssl-certificates-installation/safenet-drivers#Linux%20RPM

and Firefox module instructions from here:
https://silo.tips/download/safenet-authentication-client-linux-administrator-s-guide-version-81-revision-a

The security module to load in Firefox is:
/usr/lib64/libeTPkcs11.so

awerlang, thank you for your help.