Kenneth Carrera wrote:

Douglas,
I think I am getting a little closer. Now in my keychain, the lock icon is locked.

On my system, even after a restart, the keychain for PIV_II shows it is unlocked, and I have not entered a PIN.
The help on Keychains says the edit->"Change Setting for Keychain ..."
I am no Mac expert, so I don't know why mine is unlocked and yours is locked. (And I don't want to try locking it.)
So there may be a keychain problem. But bypassing that for now, does pkcs15-tool or pkcs-tool show you anything now? They don't go through the keychain.

Also try
debug = 7;
The /tmp/opensc-debug.log should then show something.
Also uncomment the line for the error_file.
Comment out the
use_caching = true;
Attached is an opensc.conf that works on MacOS 10.4.

That was a little different than before. Attached is my opensc.conf file. Would you mind taking a look at it?
I really appreciate any help you provide.
Ken
--- "Douglas E. Engert" <[EMAIL PROTECTED]> wrote:

Kenneth Carrera wrote:

Douglas,
Thank you very much for the response. I really appreciate it.
I tried using the opensc-tool, piv-tool, and pkcs15-tool. From those, I can bring up the card ATR so I know my card is being recognized, but I cannot successfully run any of the other commands. Did you do anything special to your opensc.conf file?

What it said in the Wiki page:
http://www.opensc-project.org/opensc/wiki/UnitedStatesPIV
Double check the ATR too.
But looking closer, I also commented out the
use_caching = true;
and commented out the builtin_emulators = ... line as it does not list the PIV as it should.
See the attached diff. If this does not help, send a copy of your opensc.conf.

Also, are you able to perform smart card login to your Mac using OpenSC?

No, but on unix we have Heimdal (and MIT development) Kerberos using PKINIT to authenticate to Active Directory using pam_krb5. Apple has said they would fully support PIV, so we expect that when they do we would use whatever they provide.

Thank you again for your help! Ken
----- Original Message ----
From: Douglas E. Engert <[EMAIL PROTECTED]>
To: Kenneth Carrera <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]; opensc-devel@lists.opensc-project.org
Sent: Friday, March 2, 2007 4:27:47 PM
Subject: Re: [opensc-devel] Using PIV Card to Authenticate to MAC ( Problems )
Kenneth Carrera wrote:
> Hello all:
>
> I am trying to configure my Mac to accept a PIV Card.
> I have installed OpenSC (SCA for Mac) and can now read
> my smart card ATR. My keychain can recognize when the
> card is inserted.
>
> However, I cannot seem to access the data or the
> certificates on the card. I made sure to configure my
> Opensc.config file to work with the new PIV card (
> Oberthur ). Is there anything else I can do to try to
> get the card to work with Mac? Thank you in advance
> for any help offered!
How are you trying to access the data on the card?
I am assuming the card has at least a certificate and key, either a test one from Oberthur, or issued by whomever gave you the card.

You can start by using the /Library/OpenSC/opensc-tool -l and -a options in a terminal window.
Then ./pkcs15-tool -c should show that you have a certificate. (It may not really be there.)
./pkcs15-tool -r 1
should read the certificate and show it in PEM format.

If you bring up the Keychain utility and hit the "show Keychains" button in the lower left, it should show all your keychains. The PIV card would be listed as PIV_II, and the main window should show you have an Auth key and a certificate. (You may have other certs and keys as well; there can be 4. In my tests I only write out the auth cert to the card.)

The one other issue is if the certificate is compressed. Code has been sent to the devel list to handle this, but it has not been added to the distribution. I don't have a card with a compressed cert, so can not test it. If you suspect that the cert is compressed, we can talk about that too.

Safari should be able to use this to some web site, if the site trusts the CA that signed your certificate.
>
> Ken
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
--- opensc.conf.orig 2006-09-13 10:56:26.000000000
-0500
+++ opensc.conf 2006-09-13 11:28:51.000000000 -0500
@@ -68,8 +68,8 @@
# Some IFD handlers do not properly handle APDUs
with
# large lc or le bytes.
#
- max_send_size = 252;
- max_recv_size = 252;
+ max_send_size = 256;
+ max_recv_size = 256;
#
# Connect to reader in exclusive mode.
# Default: false
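Review bot: raising max_send_size and max_recv_size from 252 to 256 sits directly under the comment warning that some IFD handlers do not properly handle APDUs with large lc or le bytes, so a one-line comment saying which reader or card needs 256 (and that 252 was seen to fail) would help anyone diffing this against the stock file. If only the PIV reader needs it, say so here rather than leaving the larger value unexplained for every PC/SC reader.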
@@ -222,6 +222,23 @@
# pkcs15emu = "PIV-II";
# }
+ card_atr
3b:db:96:00:81:b1:fe:45:1f:03:80:f9:a0:00:00:03:08:00:00:10:00:18
{
+ # Oberthur complient cards 5/10/2006
+ # only show first cert on card
+ flags = 20;
+ name = "PIV-II";
+ driver = "piv";
+ }
+
+ card_atr
3B:7D:96:00:00:80:31:80:65:B0:83:11:11:AC:83:00:90:00
{
+ # GemSafe 800-73-1 does not protect the cert
with the pin
+ # only show first cert on card
+ flags = 20;
+ name = "PIV-II";
+ driver = "piv";
+ }
+
+
# Estonian ID card and Micardo driver currently
play together with T=0 only.
# In theory only the 'cold' ATR should be
specified, as T=0 will be the preferred
# protocol once you boot it up with T=0, but be
paranoid.
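Review bot: `flags = 20;` in both new card_atr blocks is an unexplained magic number; the file's own card_atr documentation describes flags as hex values OR'd together (optionally named, e.g. "keygen"), so spell out which flag 20 is next to the "only show first cert on card" comment. The commented PIV example just above also sets `pkcs15emu = "PIV-II";` while these blocks omit it, so note whether the `emulate PIV-II` block later in the patch makes that unnecessary. Minor: "complient" should be "compliant".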
@@ -257,7 +274,7 @@
# applications.
# Default: false
#
- use_caching = true;
+ ##use_caching = true;
# Enable pkcs15 emulation.
# Default: yes
# enable_pkcs15_emulation = no;
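Review bot: `##use_caching = true;` uses a double `#` where the rest of the file comments with a single one, and nothing says why caching is being turned off for this setup; a short note (the block's own WARNING about setuid root applications, or the PIV objects not caching correctly) would keep the next reader from simply re-enabling it.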
@@ -269,7 +286,7 @@
# Default: yes
# enable_builtin_emulation = yes;
# list of the builtin pkcs15 emulators to test
- builtin_emulators = esteid, openpgp, tcos,
starcert, infocamere, postecert, actalis,
atrust-acosi, gemsafe, tccardos;
+ #builtin_emulators = esteid, openpgp, tcos,
starcert, infocamere, postecert, actalis,
atrust-acosi, gemsafe, tccardos;
# additional settings per driver
#
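Review bot: commenting out `builtin_emulators` silently falls back to whatever default list the build provides, which is less explicit than the cover note's intent that the PIV emulator be listed; keeping the line active and adding the PIV-II emulator name (the one the `emulate PIV-II` block below relies on) would record the requirement in the file instead of depending on the default.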
@@ -281,6 +298,8 @@
# The location of the driver library
# module =
/usr/lib/opensc/drivers/p15emu_custom.so;
# }
+ emulate PIV-II {
+ }
}
}
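Review bot: the new `emulate PIV-II { }` block is empty; if no `module =` line is needed because PIV-II is a built-in emulator, add a comment saying so, otherwise readers will compare it with the `emulate custom` example directly above and assume the module path was forgotten.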
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
# Configuration file for OpenSC
# Example configuration file
# NOTE: All key-value pairs must be terminated by a semicolon.
# Default values for any application
# These can be overridden by an application
# specific configuration block.
app default {
# Amount of debug info to print
#
# A greater value means more debug info.
# Default: 0
#
debug = 0;
# The file to which debug output will be written
#
# A special value of 'stdout' is recognized.
# Default: stdout
#
# debug_file = /tmp/opensc-debug.log;
# debug_file = "C:\Documents and Settings\All Users\Documents\opensc-debug.log";
# The file to which errors will be written
#
# A special value of 'stderr' is recognized.
# Default: stderr
#
# error_file = /tmp/opensc-errors.log;
# error_file = "C:\Documents and Settings\All Users\Documents\opensc-errors.log";
# PKCS#15 initialization / personalization
# profiles directory for pkcs15-init.
profile_dir = /Library/OpenSC/share/opensc;
# What reader drivers to load at start-up
#
# A special value of 'internal' will load all
# statically linked drivers. If an unknown (ie. not
# internal) driver is supplied, a separate configuration
# configuration block has to be written for the driver.
# Default: internal
# NOTE: if "internal" keyword is used, must be the
# last entry in reader_drivers list
#
# reader_drivers = openct, pcsc, ctapi;
reader_driver ctapi {
# module /usr/local/towitoko/lib/libtowitoko.so {
# CT-API ports:
# 0..3 COM1..4
# 4 Printer
# 5 Modem
# 6..7 LPT1..2
# ports = 0;
# }
}
# Define parameters specific to your readers.
# The following section shows definitions for PC/SC readers,
# but the same set of variables are applicable to ctapi and
# openct readers, simply by using "reader_driver ctapi" and
# "reader_driver openct", respectively.
reader_driver pcsc {
# This sets the maximum send and receive sizes.
# Some IFD handlers do not properly handle APDUs with
# large lc or le bytes.
#
max_send_size = 256;
max_recv_size = 256;
#
# Connect to reader in exclusive mode.
# Default: false
# connect_exclusive = true;
#
# Reset the card after disconnect.
# Default: true
# connect_reset = false;
#
# Reset the card after each transaction.
# Default: false
# transaction_reset = true;
#
# Enable pinpad if detected (PC/SC v2.0.2 Part 10)
# Default: false
# enable_pinpad = true;
}
# options for openct support
reader_driver openct {
# virtual readers to allocate. default:5
readers = 5;
};
# What card drivers to load at start-up
#
# A special value of 'internal' will load all
# statically linked drivers. If an unknown (ie. not
# internal) driver is supplied, a separate configuration
# configuration block has to be written for the driver.
# Default: internal
# NOTE: When "internal" keyword is used, must be last entry
#
# card_drivers = customcos, internal;
# Card driver configuration blocks.
# For card drivers loaded from an external shared library/DLL,
# you need to specify the path name of the module
#
# card_driver customcos {
# The location of the driver library
# module = /usr/lib/opensc/drivers/card_customcos.so;
# }
# Force using specific card driver
#
# If this option is present, OpenSC will use the supplied
# driver with all inserted cards.
#
# Default: autodetect
#
# force_card_driver = customcos;
# In addition to the built-in list of known cards in the
# card driver, you can configure a new card for the driver
# using the card_atr block. The goal is to centralize
# everything related to a certain card to card_atr.
#
# The supported internal card driver names are
# etoken Aladdin eToken and other Siemens CardOS cards
# flex Schlumberger Multiflex/Cryptoflex
# cyberflex Schlumberger Cyberflex
# gpk Gemplus GPK
# miocos MioCOS 1.1
# mcrd MICARDO 2.1
# setcos Setec cards
# starcos STARCOS SPK 2.3
# tcos TCOS 2.0
# openpgp OpenPGP card
# jcop JCOP cards with BlueZ PKCS#15 applet
# oberthur Oberthur AuthentIC.v2/CosmopolIC.v4
# belpic Belpic cards
# emv EMV compatible cards
# Generic format: card_atr <hex encoded ATR (case-sensitive!)>
# New card entry for the flex card driver
# card_atr 3b:f0:0d:ca:fe {
# All parameters for the context are
# optional unless specified otherwise.
# Context: global, card driver
#
# ATR mask value
#
# The mask is logically AND'd with an
# card ATR prior to comparison with the
# ATR reference value above. Using mask
# allows identifying and configuring
# multiple ATRs as the same card model.
# atrmask = "ff:ff:ff:ff:ff";
# Context: card driver
#
# Specify used card driver (REQUIRED).
#
# When enabled, overrides all possible
# settings from the card drivers built-in
# card configuration list.
# driver = "flex";
# Set card name for card drivers that allows it.
# name = "My CryptoFlex card";
# Card type as an integer value.
#
# Depending on card driver, this allows
# tuning the behaviour of the card driver
# for your card.
# type = "2002";
# Card flags as an hex value.
# Multiple values are OR'd together.
#
# Depending on card driver, this allows
# fine-tuning the capabilities in
# the card driver for your card.
#
# Optionally, some known parameters
# can be specified as strings:
#
# keygen - On-board key generation capability
# rng - On-board random number source
#
# flags = "keygen", "rng", "0x80000000";
#
# Context: PKCS#15 emulation layer
#
# When using PKCS#15 emulation, force
# the emulation driver for specific cards.
#
# Required for external drivers, but can
# be used with built-in drivers, too.
# pkcs15emu = "custom";
#
# Context: reader driver
#
# Force protocol selection for specific cards.
# Known parameters: t0, t1, raw
# force_protocol = "t0";
# }
# PIV cards need an entry similar to this one:
# card_atr 3B:7D:96:00:00:80:31:80:65:B0:83:11:00:AC:83:00:90:00 {
# name = "PIV-II";
# driver = "piv";
# pkcs15emu = "PIV-II";
# }
card_atr 3b:db:96:00:81:b1:fe:45:1f:03:80:f9:a0:00:00:03:08:00:00:10:00:18 {
# Oberthur compliant cards 5/10/2006
# only show first cert on card
flags = 20;
name = "PIV-II";
driver = "piv";
}
card_atr 3B:7D:96:00:00:80:31:80:65:B0:83:11:11:AC:83:00:90:00 {
# GemSafe 800-73-1 does not protect the cert with the pin
# only show first cert on card
flags = 20;
name = "PIV-II";
driver = "piv";
}
# Estonian ID card and Micardo driver currently play together with T=0 only.
# In theory only the 'cold' ATR should be specified, as T=0 will be the preferred
# protocol once you boot it up with T=0, but be paranoid.
card_atr 3b:6e:00:ff:45:73:74:45:49:44:20:76:65:72:20:31:2e:30 {
force_protocol = t0;
}
card_atr 3b:fe:94:00:ff:80:b1:fa:45:1f:03:45:73:74:45:49:44:20:76:65:72:20:31:2e:30:43 {
force_protocol = t0;
}
# D-Trust cards are also based on micardo and need T=0 for some reason
card_atr 3b:fe:94:00:ff:80:b1:fa:45:1f:03:45:73:74:45:49:44:20:76:65:72:20:31:2e:30:43 {
force_protocol = t0;
}
card_atr 3b:ff:94:00:ff:80:b1:fe:45:1f:03:00:68:d2:76:00:00:28:ff:05:1e:31:80:00:90:00:23 {
force_protocol = t0;
}
card_atr 3b:ff:11:00:ff:80:b1:fe:45:1f:03:00:68:d2:76:00:00:28:ff:05:1e:31:80:00:90:00:a6 {
force_protocol = t0;
}
# Below are the framework specific configuration blocks.
# PKCS #15
framework pkcs15 {
# Whether to use the cache files in the user's
# home directory.
#
# At the moment you have to 'teach' the card
# to the system by running command: pkcs15-tool -L
#
# WARNING: Caching shouldn't be used in setuid root
# applications.
# Default: false
#
##use_caching = true;
# Enable pkcs15 emulation.
# Default: yes
# enable_pkcs15_emulation = no;
# Prefer pkcs15 emulation code before
# the normal pkcs15 processing.
# Default: no
# try_emulation_first = yes;
# Enable builtin emulators.
# Default: yes
# enable_builtin_emulation = yes;
# list of the builtin pkcs15 emulators to test
#builtin_emulators = esteid, openpgp, tcos, starcert, infocamere, postecert, actalis, atrust-acosi, gemsafe, tccardos;
# additional settings per driver
#
# For pkcs15 emulators loaded from an external shared library/DLL,
# you need to specify the path name of the module and customize
# the card_atr example above correctly.
#
# emulate custom {
# The location of the driver library
# module = /usr/lib/opensc/drivers/p15emu_custom.so;
# }
emulate PIV-II {
}
}
}
# Parameters for the OpenSC PKCS11 module
app opensc-pkcs11 {
pkcs11 {
# Maximum number of slots per smart card.
# If the card has fewer keys than defined here,
# the remaining number of slots will be empty.
#
# Note that there is currently a compile time
# maximum on the overall number of slots
# the pkcs11 module is able to handle.
num_slots = 4;
# Normally, the pkcs11 module will create
# the full number of slots defined above by
# num_slots. If there are fewer pins/keys on
# the card, the remaining keys will be empty
# (and you will be able to create new objects
# within them).
#
# Set this option to true to hide these empty
# slots.
hide_empty_tokens = yes;
# By default, the OpenSC PKCS#11 module will
# try to lock this card once you have authenticated
# to the card via C_Login. This is done so that no
# other user can connect to the card and perform
# crypto operations (which may be possible because
# you have already authenticated with the card).
#
# However, this also means that no other application
# that _you_ run can use the card until your application
# has done a C_Logout or C_Finalize. In the case of
# Netscape or Mozilla, this does not happen until
# you exit the browser.
# Default: false
# lock_login = true;
# Normally, the pkcs11 module will not cache PINs
# presented via C_Login. However, some cards
# may not work properly with OpenSC; for instance
# when you have two keys on your card that get
# stored in two different directories.
#
# In this case, you can turn on PIN caching by setting
# cache_pins = true
#
# Default: false
# cache_pins = true;
# Set this value to false if you want to enforce on-card
# keypair generation
#
# Default: true
# soft_keygen_allowed = false;
}
}
app tokend {
# Score for OpenSC.tokend
framework tokend {
score = 10;
}
}
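An added example for this thread (not code from OpenSC or from either correspondent): a Python checker that applies the card_atr matching rules documented in the config above to an ATR string as printed by `opensc-tool -a`, so the "double check the ATR" step can be done against a conf file without a reader attached. The sample conf and its masked `flex` entry are constructed; the byte-wise atrmask comparison and the hex-case flag follow the comments in the config, not OpenSC's actual parser.

```python
import re

# Constructed sample modelled on the attached opensc.conf (not the real file);
# the masked 'flex' entry is hypothetical and only illustrates atrmask.
SAMPLE_CONF = """
card_atr 3b:db:96:00:81:b1:fe:45:1f:03:80:f9:a0:00:00:03:08:00:00:10:00:18 {
    # Oberthur PIV card, only show first cert on card
    flags = 20;
    name = "PIV-II";
    driver = "piv";
}
card_atr 3B:7D:96:00:00:80:31:80:65:B0:83:11:11:AC:83:00:90:00 {
    name = "PIV-II";
    driver = "piv";
}
card_atr 3b:f0:0d:ca:fe {
    atrmask = "ff:ff:00:ff:ff";
    driver = "flex";
}
"""

BLOCK_RE = re.compile(r"card_atr\s+([0-9A-Fa-f:]+)\s*\{(.*?)\}", re.S)
KV_RE = re.compile(r'^\s*([A-Za-z_]+)\s*=\s*"?([^";]*?)"?\s*;', re.M)

def parse_card_atr_blocks(conf):
    """Return [(atr_text, {key: value})] for every card_atr block."""
    return [(m.group(1), dict(KV_RE.findall(m.group(2))))
            for m in BLOCK_RE.finditer(conf)]

def masked_equal(card_atr, ref_atr, mask=None):
    """Byte-wise compare after AND'ing both ATRs with the mask (all ff if none)."""
    card, ref = (bytes.fromhex(a.replace(":", "")) for a in (card_atr, ref_atr))
    if len(card) != len(ref):
        return False
    m = bytes.fromhex(mask.replace(":", "")) if mask else b"\xff" * len(ref)
    if len(m) != len(ref):
        raise ValueError("atrmask must have the same length as the ATR")
    return all((c & k) == (r & k) for c, r, k in zip(card, ref, m))

def same_hex_case(a, b):
    """True unless the two strings write their hex letters in different cases."""
    def case(s):
        letters = [ch for ch in s if ch.isalpha()]
        return "" if not letters else ("U" if all(ch.isupper() for ch in letters) else "L")
    return case(a) == case(b) or not case(a) or not case(b)

def check_atr(conf, card_atr):
    """First matching block as {driver, name, same_hex_case}, or None."""
    for atr_text, kv in parse_card_atr_blocks(conf):
        if masked_equal(card_atr, atr_text, kv.get("atrmask")):
            # The config says the ATR text is case-sensitive: flag a hit with differing case.
            return {"driver": kv.get("driver"), "name": kv.get("name"),
                    "same_hex_case": same_hex_case(card_atr, atr_text)}
    return None
```

Feed it the real opensc.conf text and the ATR line from `opensc-tool -a`; a result of None means no card_atr block would select a driver, and `same_hex_case: False` points at a block that only matches once letter case is ignored.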