Hello,

On Jun 24, 2010, at 16:36 , Jean-Michel Pouré - GOOZE wrote:
> 1) After erasing and initializing a Feitian PKI card, I run Keychain.
> I can see the smartcard, but not unlock it using PIN code. My PIN code
> was "0000" as usual. I cannot unlock the card.
> 
> Is this normal?
Yes. 

The padlock icon (if that is what you mean by unlocking) is not supposed to 
work. Even if for onepin profiles the padlock could be tied to the PIN code, 
there are cards that have several PIN codes. 
The concept of "unlocked keychain" and smart cards don't map well. The final 
say about the "locked" state still resides on the card, not in GUI sugar (what 
the padlock is).

If a key needs to be used, a PIN dialog is brought up. 

Will add it to the FAQ.

> 2) It seems that Tokend is limited to 1024bit key. I could generate a
> 1024bit key on card, not a 2048bit key. OpenSC segfaults:
> 
> pkcs15-init --generate-key rsa/2048 --auth-id 01 --pin 0000
> Using reader with a card: OmniKey CardMan 3121 00 00
> Failed to generate key: Transmit failed
> 
> pkcs15-tool --dump
> Card not present.
What segfaults? The error looks like a reader problem (2048b keys are over the 
short APDU size limit, if not broken into smaller APDUs); providing details 
about your reader and opensc-debug.log would be useful.

OpenSC.tokend supports 2048b keys (or intermediate sizes, even though they 
probably have never been tested and the rest of the ecosystem might not work 
with them).


> 3) Restart
> Is there a way to restart OpenSC and/or Tokend when it segfaults,
> without restarting Mac OS X. I have little knowledge in Mac OS X, so I
> was obliged to reboot.
It is *really* easy to make securityd crash (check your 
/Library/Logs/CrashReports folder) and after this happens, the only way to 
bring your machine back is reboot. Symptoms: can't open new applications (icons 
just bounce for a few seconds but don't open) and plugging in a reader will not 
start pcscd (opensc-tool -l will not report a reader even though one is 
attached).

Don't know a way around it other than restarting, that's the secondary "mac 
price" you have to pay.

For restarting OpenSC.tokend, simply remove the card. Tokend is run freshly 
when a card is inserted.

> 4) More generally what are the limitations of Keychain Access to manage
> smartcards using Tokend+OpenSC. I would like to write a tutorial. Are
> there some docs available at Apple or on the NET.
Limitations? Talking about features, which I know none, Keychain Access is just 
a simple front-end for managing keychains which also happen to be the 
abstraction for exposing smart cards in OS X. Other than possibly changing the 
PIN code and validating a functioning installation by viewing certificates, 
there's not much in it.


> 5) What are your current plans about SCA. I would love to see SCA based
> on OpenSC 0.12 svn out for testing with SSH and OpenSSL.
OpenSC it shall be. With dropping 10.4 support, 10.5 and 10.6 installers named 
OpenSC will remain.

As OpenSSH now includes PKCS#11 support there are other methods for acquiring 
OpenSSH that will work with OpenSC cards. Fink and MacPorts are the first that 
come to mind, even though they have not upgraded to the latest OpenSSH version. 
Pinging them with a request to update their versions might be a good idea.

Alternatively, additional software could be bundled into a "cool PKCS#11 
applications package" style of thing.

-- 
Martin Paljak
http://martin.paljak.pri.ee
+3725156495
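To see why the 1024-bit key in point 2 works while the 2048-bit one trips the short APDU limit, here is an added Python example (not part of this thread, OpenSC, or OpenSC.tokend) that splits a command payload into an ISO 7816-4 command chain; the INS/P1/P2 values are placeholders, not any card's real key-generation command.

```python
"""Split a long command payload into a chain of short APDUs.

Added example, not from the OpenSC project. A short APDU carries at most
255 bytes of data (Lc is one byte), so a 256-byte 2048-bit RSA modulus
cannot be sent in one command, while a 128-byte 1024-bit modulus can.
Command chaining sets CLA bit 0x10 on every APDU except the last so the
card knows more data follows. INS/P1/P2 below are placeholders.
"""

SHORT_APDU_MAX_DATA = 255  # Lc in a short APDU is a single byte, 1..255


def fits_in_short_apdu(data):
    """True if `data` can be sent in one short APDU without chaining."""
    return len(data) <= SHORT_APDU_MAX_DATA


def build_chained_apdus(cla, ins, p1, p2, data, max_chunk=SHORT_APDU_MAX_DATA):
    """Return a list of short APDUs (bytes) carrying `data` in order.

    Every APDU except the last has the chaining bit (0x10) set in CLA.
    Raises ValueError if CLA already uses the chaining bit or the chunk
    size is not valid for a short APDU.
    """
    if not 1 <= max_chunk <= SHORT_APDU_MAX_DATA:
        raise ValueError("chunk size must be 1..255 for a short APDU")
    if cla & 0x10:
        raise ValueError("CLA must not have the chaining bit preset")
    chunks = [data[i:i + max_chunk] for i in range(0, len(data), max_chunk)]
    if not chunks:
        chunks = [b""]  # case-1 APDU: header only, no Lc
    apdus = []
    for idx, chunk in enumerate(chunks):
        last = idx == len(chunks) - 1
        apdu_cla = cla if last else cla | 0x10
        header = bytes([apdu_cla, ins, p1, p2])
        body = bytes([len(chunk)]) + chunk if chunk else b""
        apdus.append(header + body)
    return apdus


if __name__ == "__main__":
    # Constructed sample: 256 bytes, the size of a 2048-bit RSA modulus.
    modulus_2048 = bytes(range(256))
    print("fits in one short APDU:", fits_in_short_apdu(modulus_2048))
    for a in build_chained_apdus(0x00, 0xDB, 0x3F, 0xFF, modulus_2048):
        print(f"CLA={a[0]:02X} Lc={a[4]} total={len(a)} bytes")
```

If the card, reader driver, or middleware does not implement chaining (or extended-length APDUs), the oversized transmit is exactly the kind of failure reported above as "Transmit failed".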

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel