On Mar 21, 2009, at 2:26 AM, Martin Paljak wrote:

> On 21.03.2009, at 2:34, Henry B. Hotz wrote:
>>> If it is a PIV card, you probably don't use OpenSC tokend, but the
>>> CAC
>>> one? I might be wrong. Anyway, you don't need to "unlock" the
>>> keychain, you need to provide the PIN when you use a key/certificate
>>> on the card.
>> CAC uses the CAC Tokend.  PIV uses the PIV Tokend.  (Out of the box
>> anyway.)  I have a PIV, not a CAC because I work for a NASA
>> contractor, not for the DOD.  ;-)
> CAC and PIV tokend-s come with Mac OS X (ls -l /System/Library/
> Security/tokend), they have nothing to do with OpenSC or the
> OpenSC.tokend.

We're in "violent agreement".  I was describing Apple's out-of-the-box
support on Leopard.

>> I'm told the problem with the Apple Tokend is that it doesn't
>> support 2048 bit RSA keys.  In any case loginWindow on Leopard can't
>> identify me based on the card.  Substituting the OpenSC Tokend fixes
>> that problem, but the PIN still isn't accepted.
> OpenSC.tokend is hardcoded to 1024b RSA keys. If Apple OSX Tokend
> framework itself is capable of using 2048b keys is a question I don't
> have the answer to right now. You can easily run into problems with
> card readers as well (extended APDUs etc)

I'm using an ActivIdentity reader with firmware upgraded to SCM
version 5.22.  It works fine with the rest of OpenSC, and I've used it
to run the PKINIT exchange with Heimdal many times.

The OpenSC Tokend works fine with the reader and card for just reading
the cert via Keychain Access.  I'm trying to fix the rest of the
functionality, since it seems to *almost* work.

So, you're telling me that the Tokend framework itself is limited to
1024-bit keys?  Where would I look to verify if that's still true?

>> I'm willing to do some debugging, if someone will tell me what to
>> look at.  Maybe where to put syslog calls in a custom build?
> You can run the PIV tokend in debug mode but that won't help you, as
> there is no way you can modify the PIV tokend.

How do I run the OpenSC tokend in "debug mode"?  I just found a log
file in /tmp that seems relevant, but it doesn't seem to contain
anything that looks like a smoking gun.  Should I look more
carefully?  Maybe truncate it before the relevant test?
