1. According to the log and my testing, the cosmetic "show locked  
icon" code is never called on 10.5.6. The lock icon has no practical  
meaning (except for authenticating the first PIN once when clicked).  
So it remains "locked" for now.
2. What happens with login is something I don't know and have never  
tested. I've never made a "tick" somewhere to use my token for OS X  
login, but I know that if my token is inserted when I reboot the  
machine, apparently my password is sent to the card until I remove my  
card. If you know how the apple login thing works, please share your  
knowledge here or on the SCA wiki (which apparently talks about 10.4  
only).

If you want to debug OpenSC, set debug to 9 in /Library/OpenSC/etc/ 
opensc.conf and uncomment log and error file locations and send the  
resulting files to the list. -1303 is "SC_ERROR_BUFFER_TOO_SMALL"  
which is probably because OpenSC.tokend has only knowledge of 1024b  
keys. AFAIK none of the official Tokend implementations (according to  
the latest published source code from Apple) use 2048 keys. I can look  
into this.
On 23.03.2009, at 6:20, Henry B. Hotz wrote:

>
> On Mar 22, 2009, at 11:36 AM, Henry B. Hotz wrote:
>
>>
>> On Mar 21, 2009, at 2:26 AM, Martin Paljak wrote:
>>
>>> On 21.03.2009, at 2:34, Henry B. Hotz wrote:
>>>
>>>
>>>> I'm willing to do some debugging, if someone will tell me what to
>>>> look at.  Maybe where to put syslog calls in a custom build?
>>>
>>> You can run the PIV tokend in debug mode but that won't help you, as
>>> there is no way you can modify the PIV tokend.
>>
>>
>> How do I run the OpenSC tokend in "debug mode"?  I just found a log  
>> file in /tmp that seems relevant, but it doesn't seem to contain  
>> anything that looks like a smoking gun.  Should I look more  
>> carefully?  Maybe truncate it before the relevant test?
>
> Been looking at /tmp/opensc-tokend.log some.
>
> When I just try to unlock the card from the keychain icon in the  
> menu bar it shows this:
>
> In OpenSCToken::getAcl()
> In OpenSCKeyRecord::getOwner()
> In OpenSCKeyRecord::getAcl, tag is: (null)
> DB read for a reference key object is always OK
> auth_id for PIN: 01, pinNum = 1
> retuning 2 ACL entries
> In OpenSCKeyHandle:: OpenSCKeyHandle()
> In OpenSCToken::getAcl()
>
> ...which gives no errors, but doesn't change any of the lock icons.   
> When I try to use it to log in it shows this:
>
> In OpenSCToken::getAcl()
> In OpenSCToken::verifyPIN(1)
> In OpenSCToken::_verifyPIN(), PIN num is: 1
> sc_pkcs15_get_objects(pin_id=01): 2
> In OpenSCToken::verify returned -1304 for pin 1
> In OpenSCToken::getAcl()
> In OpenSCToken::getAcl()
> In OpenSCToken::verifyPIN(1)
> In OpenSCToken::_verifyPIN(), PIN num is: 1
> sc_pkcs15_get_objects(pin_id=01): 2
> In OpenSCToken::verify returned 0 for pin 1
> About to call BEGIN()
> In OpenSCKeyRecord::getOwner()
> In OpenSCKeyRecord::getAcl, tag is: (null)
> DB read for a reference key object is always OK
> auth_id for PIN: 01, pinNum = 1
> retuning 2 ACL entries
> In OpenSCKeyHandle:: OpenSCKeyHandle()
> In OpenSCKeyRecord::getOwner()
> In OpenSCKeyRecord::getAcl, tag is: (null)
> retuning 2 ACL entries
> In OpenSCToken::getAcl()
> In OpenSCKeyHandle::generateSignature()
> type == CSSM_ALGCLASS_SIGNATURE
> algorithm == CSSM_ALGID_RSA
> Using SHA1, length is 20
> PKCS#1 padding
> sc_pkcs15_compute_signature(): rv = -1303
> In OpenSCToken::getAcl()
>
> ...which is different.  Login fails and it shakes the dialog box.   
> The debug security log info is:
>
> Mar 22 20:40:25 laphotz com.apple.SecurityServer[24]: token inserted  
> into reader SCM SCR 331 00 00
> Mar 22 20:40:25 laphotz com.apple.SecurityServer[24]: reader SCM SCR  
> 331 00 00 inserted token  
> "PIV_II" (PIV_IId08210d84144ed90a11315a1685835e67286a2a1808289d7ed)  
> subservice 4 using driver com.apple.tokend.opensc
> Mar 22 20:40:26 laphotz SecurityAgent[62517]: Showing Login Window
> Mar 22 20:40:30 laphotz SecurityAgent[62517]: User info context  
> values set for hotz
> Mar 22 20:40:30 laphotz com.apple.SecurityServer[24]: securityd  
> ignoring SIGPIPE received
> Mar 22 20:40:30 laphotz authorizationhost[62516]: failed to sign  
> data (-2147416054)
> Mar 22 20:40:32 laphotz com.apple.SecurityServer[24]: reader SCM SCR  
> 331 00 00 removed token  
> "PIV_II" (PIV_IId08210d84144ed90a11315a1685835e67286a2a1808289d7ed)  
> subservice 4
>
> ------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> henry.b.h...@jpl.nasa.gov, or hbh...@oxy.edu
>
>
>

-- 
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495




_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
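The diagnosis above (rv = -1303, SC_ERROR_BUFFER_TOO_SMALL, from a tokend that only expects 1024-bit keys) can be modelled in a few lines. This is an added example written for this thread, not code from OpenSC or from OpenSC.tokend: the function names `compute_signature_len_check`, `tokend_sign_fixed128` and `tokend_sign_sized` are hypothetical stand-ins, and the only value taken from the thread is the -1303 error code. It shows why a signature buffer sized for a 1024-bit modulus (128 bytes) works for a 1024-bit key but fails for a 2048-bit key, and how sizing the buffer from the key's modulus length avoids the error.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Error code as quoted in the thread (-1303 = SC_ERROR_BUFFER_TOO_SMALL). */
#define SC_ERROR_BUFFER_TOO_SMALL (-1303)
#define SC_SUCCESS 0

/* Hypothetical stand-in for a PKCS#15 signature call. An RSA PKCS#1 v1.5
 * signature is exactly as long as the key modulus, so the callee must refuse
 * an output buffer shorter than modulus_bits / 8 bytes. */
int compute_signature_len_check(size_t modulus_bits, unsigned char *out,
                                size_t outlen, size_t *siglen)
{
    size_t need = modulus_bits / 8;

    if (out == NULL || siglen == NULL)
        return SC_ERROR_BUFFER_TOO_SMALL;
    if (outlen < need)
        return SC_ERROR_BUFFER_TOO_SMALL;

    /* Constructed placeholder: a real implementation would write the
     * signature bytes here; the pattern only stands in for them. */
    memset(out, 0xAB, need);
    *siglen = need;
    return SC_SUCCESS;
}

/* Models a tokend that hard-codes a 128-byte signature buffer, i.e. the
 * 1024-bit assumption suspected in the thread. */
int tokend_sign_fixed128(size_t modulus_bits)
{
    unsigned char buf[128];
    size_t siglen = 0;

    return compute_signature_len_check(modulus_bits, buf, sizeof buf, &siglen);
}

/* The corrected pattern: size the buffer from the key's modulus length
 * before asking for the signature. Returns the rv of the signature call. */
int tokend_sign_sized(size_t modulus_bits)
{
    size_t need = modulus_bits / 8;
    unsigned char *buf = malloc(need);
    size_t siglen = 0;
    int rv;

    if (buf == NULL)
        return SC_ERROR_BUFFER_TOO_SMALL;
    rv = compute_signature_len_check(modulus_bits, buf, need, &siglen);
    free(buf);
    return rv;
}

int main(void)
{
    printf("fixed 128-byte buffer, 1024-bit key: rv = %d\n", tokend_sign_fixed128(1024));
    printf("fixed 128-byte buffer, 2048-bit key: rv = %d\n", tokend_sign_fixed128(2048));
    printf("buffer sized from modulus, 2048-bit key: rv = %d\n", tokend_sign_sized(2048));
    return 0;
}
```

Running it prints rv = 0 for the 1024-bit key, rv = -1303 for the 2048-bit key through the fixed buffer, and rv = 0 again once the buffer is sized from the modulus, which is the failure pattern seen in the quoted `sc_pkcs15_compute_signature(): rv = -1303` line.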
