Henrik,

Your email messages are all referencing the support of hardware (NFC readers and the hardware of the smartcard recognition of the electronics of the smart card), but not the Applet on the card. Support for communicating correctly with the Applet loaded onto a card is done by a corresponding TokenD. You do not select the card to use a particular TokenD, but rather you must have installed a TokenD that supports the Applet loaded on the card. There are many Applet specifications out there, so you need to know what your card is using and install the appropriate TokenD. Whether you access the card with a generic CCID USB-based smart card reader or a USB-NFC based reader is not the problem you are facing.

Once your particular smart card type is supported by an installed TokenD, then ALL services access and use the card as a dynamic keychain - via keychain services. No application or service needs to know it is a smart card and simply uses the standard keychain / Sec… APIs available on OS X. So yes, once you have a supporting TokenD, you could use sc_auth to assign a card to an account for login, but realize that is not the normal method for Smart Card Login on OS X. You are much better off using the standard of PKINIT which leverages both PKI and your Microsoft AD’s KDC.

So, before any of us can help you further, we need to know and understand what Card Type (applet loaded on the card) you are using or want to use on your system.


- Shawn
_______________________________________________________________________
Shawn Geddis
Security and Certifications Engineer, Apple           (geddis@apple.com)
SCAP-On-Apple Project/Dev Lead:           (SCAP-On-Apple.MacOSForge.Org)
SmartCardServices Project/Dev Lead:       (SmartCardServices.MacOSForge.Org)
_______________________________________________________________________

On Jan 24, 2015, at 4:53 AM, Henrik Brautaset Aronsen <henrik@synth.no> wrote:

Yoann Gini wrote:
On Jan 20, 2015, at 20:51, Henrik Brautaset Aronsen <henrik@synth.no> wrote:
The stock OSX version of pcsctest finds the reader just fine:

    $ /usr/bin/pcsctest

    Testing SCardEstablishContext    : Command successful.
    Testing SCardGetStatusChange
    Please insert a working reader   : Command successful.
    Testing SCardListReaders         : Command successful.
    Reader 01: ACS ACR122U


If the built-in PC/SC detects the reader, it’s a good start. It means it’s working on the reader side.

Now you need to look at your cards. Which NFC chipset do you use? And with which TokenD module?

The reader says:

    $ /usr/bin/pcsctest
    ...
    Reader 01: ACS ACR122U
    Waiting for card insertion       : Command successful.
    Testing SCardConnect             : Command successful.
    Testing SCardStatus              : Command successful.
    Current Reader Name              : ACS ACR122U
    Current Reader State             : 0x54
    Current Reader Protocol          : 0x0
    Current Reader ATR Size          : 20 (0x14)
    Current Reader ATR Value         : 3B xx xx xx

The chipset is a 13.56MHz ISO14443A & NFC Type 2 compliant NTAG216 RFID chipset. I haven't selected any TokenD module, mostly because I don't know how to. Any feedback on this is greatly appreciated.

Don’t forget that SmartCards aren’t just storage cards, you have a microprocessor and a small system on it to store your keys and handle the secure communication.

I realize this.  But according to http://support.apple.com/kb/TA24244 it seems that I can get away with storing a key on the NFC that is accessible with "sc_auth hash".  Does that sound reasonable?

Cheers,
Henrik
_______________________________________________
SmartcardServices-Users mailing list
SmartcardServices-Users@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/smartcardservices-users
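
Added example, not part of the thread or of the SmartCardServices project: the storage-card versus applet distinction discussed above can often be checked from the ATR alone, because PC/SC Part 3 has contactless readers synthesize a fixed 20-byte ATR layout for memory-only tags. The sketch below parses an ATR and flags that layout; both sample ATRs are constructed for illustration (the ATR in the thread is elided and is not reproduced), and the card-name table is a small subset.

```python
# Added illustration: classify an ATR as the synthetic "contactless storage
# card" ATR of PC/SC Part 3 (no applet on the card) or as something else.
PCSC_RID = bytes.fromhex("A000000306")  # RID registered to the PC/SC Workgroup
CARD_NAMES = {0x0001: "MIFARE Classic 1K", 0x0002: "MIFARE Classic 4K",
              0x0003: "MIFARE Ultralight"}  # subset of the Part 3 name list

# Constructed samples (assumptions, not taken from the thread):
SAMPLE_STORAGE = "3B8F8001804F0CA0000003060300030000000068"
SAMPLE_OTHER = "3B8480010102030401"  # arbitrary historical bytes


def parse_atr(hex_atr):
    """Walk TS/T0/interface bytes, verify TCK, and flag storage-card ATRs."""
    atr = bytes.fromhex(hex_atr)
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("bad TS byte")
    n_hist, y, pos, protocols = atr[1] & 0x0F, atr[1] >> 4, 2, set()
    while y:
        pos += bin(y & 0x07).count("1")   # skip TAi, TBi, TCi when present
        if not y & 0x08:                  # no TDi, so no further groups
            break
        if pos >= len(atr):
            raise ValueError("truncated ATR")
        protocols.add(atr[pos] & 0x0F)    # TDi low nibble: protocol T
        y = atr[pos] >> 4                 # TDi high nibble: next presence map
        pos += 1
    hist = atr[pos:pos + n_hist]
    has_tck = bool(protocols - {0})       # TCK is sent unless only T=0 is used
    if len(atr) != pos + n_hist + (1 if has_tck else 0):
        raise ValueError("ATR length does not match its own header")
    if has_tck:
        check = 0
        for b in atr[1:]:                 # XOR of T0..TCK must be zero
            check ^= b
        if check:
            raise ValueError("bad TCK checksum")
    # Storage-card layout: 80 4F 0C | RID | standard | card name (2) | RFU (4)
    storage = (n_hist == 15 and hist[:3] == b"\x80\x4F\x0C"
               and hist[3:8] == PCSC_RID)
    info = {"protocols": sorted(protocols), "historical": hist.hex(),
            "storage_card": storage}
    if storage:
        name = int.from_bytes(hist[9:11], "big")
        info["card_name"] = CARD_NAMES.get(name, "unlisted (0x%04X)" % name)
    return info


if __name__ == "__main__":
    for sample in (SAMPLE_STORAGE, SAMPLE_OTHER):
        print(sample, parse_atr(sample))
```

A result with storage_card set to True means the reader is describing a memory tag, so there is no card applet for a TokenD to talk to.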