On 21.03.2009, at 2:34, Henry B. Hotz wrote:

>> If it is a PIV card, you probably don't use OpenSC tokend, but the CAC
>> one? I might be wrong. Anyway, you don't need to "unlock" the
>> keychain, you need to provide the PIN when you use a key/certificate
>> on the card.
>
> CAC uses the CAC Tokend. PIV uses the PIV Tokend. (Out of the box
> anyway.) I have a PIV, not a CAC because I work for a NASA
> contractor, not for the DOD. ;-)

CAC and PIV tokend-s come with Mac OS X (ls -l /System/Library/Security/tokend), they have nothing to do with OpenSC or the OpenSC.tokend.

> I'm told the problem with the Apple Tokend is that it doesn't
> support 2048 bit RSA keys. In any case loginWindow on Leopard can't
> identify me based on the card. Substituting the OpenSC Tokend fixes
> that problem, but the PIN still isn't accepted.

OpenSC.tokend is hardcoded to 1024b RSA keys. Whether the Apple OS X Tokend framework itself is capable of using 2048b keys is a question I don't have the answer to right now. You can easily run into problems with card readers as well (extended APDUs etc.).

> I'm willing to do some debugging, if someone will tell me what to
> look at. Maybe where to put syslog calls in a custom build?

You can run the PIV tokend in debug mode but that won't help you, as there is no way you can modify the PIV tokend.

--
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495