Smartcard support from third party dylib
Hi all, I'm a system admin from Italy, I'm trying to make a smartcard work for login. The vendor provided us with a precompiled dylib. I'm able to use the smartcard with Firefox by adding a new security device and passing the dylib as the provider. Same thing with OpenVPN.

I have searched how to add a custom provider to SmartCardServices to make it use the dylib but I haven't found anything useful. Could you please give me some tips about this problem?

The secure.log shows these messages when the card is inserted:

Sep 28 12:59:12 gollum com.apple.SecurityServer[22]: Token reader SCM SCR 355 00 00 inserted into system
Sep 28 12:59:14 gollum com.apple.SecurityServer[22]: token in reader SCM SCR 355 00 00 cannot be used (error 229)

Thank you in advance,
Lorenzo Dalrio
Lorenzo, A few points to note as to why you would be having problems....

> Hi all, I'm a system admin from Italy, I'm trying to make a smartcard work for login.

Apple's built-in support for Smart Card Login requires a card be supported via Tokend and is not supported using PKCS#11.

> The vendor provided us with a precompiled dylib. I'm able to use the smartcard with Firefox by adding a new security device and passing the dylib as the provider.

If this is working for you, this means that this "dylib" is providing a PKCS#11 library service and is not a Tokend -- see note above.

> Same thing with OpenVPN. I have searched how to add a custom provider to SmartCardServices to make it use the dylib but I haven't found anything useful.

What the vendor has provided you is a single solution that only works with PKCS#11-based applications (Firefox, Acrobat, etc.). If you want to use their Smart Card an software, they would need to develop and release a Tokend version for Mac OS X.

> Could you please give me some tips about this problem? The secure.log shows these messages when the card is inserted:
>
> Sep 28 12:59:12 gollum com.apple.SecurityServer[22]: Token reader SCM SCR 355 00 00 inserted into system
> Sep 28 12:59:14 gollum com.apple.SecurityServer[22]: token in reader SCM SCR 355 00 00 cannot be used (error 229)

The first line shows that you inserted the SCM reader... The second line indicates that one of the Tokend modules thought it could handle the applet on the card you are using and failed during the parsing of the data.

What Smart Card / Applet / Profile are you attempting to use ?

-Shawn
__________________________________________________
Shawn Geddis geddis@mac.com
Security Consulting Engineer geddis@apple.com
MacOSForge Project Lead: Smart Card Services
Web: http://smartcardservices.macosforge.org/
Lists: http://lists.macosforge.org/mailman/listinfo
__________________________________________________
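Two checks fall out of Shawn's reply: whether the vendor's "dylib" is really a PKCS#11 module rather than a Tokend, and what SecurityServer is reporting about the inserted card. The POSIX shell helpers below are an added example written for this archive, not code from the thread or from the SmartCardServices project. They assume the PKCS#11 convention that every conforming library exports `C_GetFunctionList`, and the sample log lines are the two Lorenzo posted; the symbol lists fed to `classify_module` in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): triage helpers for a smart card that
# works in PKCS#11 applications but is rejected by SecurityServer at login.

# Classify a module from its exported symbol list. On macOS feed it the
# output of `nm -g /path/to/vendor.dylib`. Every PKCS#11 library must export
# C_GetFunctionList (the spec's single entry point); a Tokend is a bundle
# that talks to securityd and has no such export.
classify_module() {
    if grep -q 'C_GetFunctionList'; then
        echo "pkcs11"
    else
        echo "not-pkcs11"
    fi
}

# Reduce com.apple.SecurityServer lines from secure.log to "<reader>|<status>",
# where status is "inserted" or "error <code>". Other lines are dropped.
parse_secure_log() {
    sed -n \
        -e 's/.*Token reader \(.*\) inserted into system.*/\1|inserted/p' \
        -e 's/.*token in reader \(.*\) cannot be used (error \([0-9]*\)).*/\1|error \2/p'
}

# Count how many "cannot be used" rejections the log contains.
count_token_failures() {
    parse_secure_log | grep -c '|error '
}

# Constructed sample: the two lines from Lorenzo's original message.
SAMPLE_LOG='Sep 28 12:59:12 gollum com.apple.SecurityServer[22]: Token reader SCM SCR 355 00 00 inserted into system
Sep 28 12:59:14 gollum com.apple.SecurityServer[22]: token in reader SCM SCR 355 00 00 cannot be used (error 229)'

# Demo on the constructed data (on a real system: `nm -g vendor.dylib | classify_module`
# and `parse_secure_log < /var/log/secure.log`).
printf '%s\n' "$SAMPLE_LOG" | parse_secure_log
printf 'C_Initialize\nC_GetFunctionList\n' | classify_module
```

A module that classifies as `pkcs11` explains exactly the situation in the thread: Firefox and OpenVPN load it through the PKCS#11 interface, while the login path only consults Tokend modules, so the `error 229` line comes from a Tokend that claimed the card and failed, not from the vendor library at all. The shim Shawn mentions later, `/usr/libexec/SmartCardServices/pkcs11/tokendPKCS11.so`, goes the other direction (PKCS#11 applications on top of an existing Tokend) and does not help here.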
2010/9/28 Shawn A. Geddis <geddis@mac.com>:

> Lorenzo, A few points to note as to why you would be having problems....
>
>> Hi all, I'm a system admin from Italy, I'm trying to make a smartcard work for login.
>
> Apple's built-in support for Smart Card Login requires a card be supported via Tokend and is not supported using PKCS#11.

You can try the tokend over PKCS#11 available from [1]. See my blog "Free software Tokend above PKCS#11 (for Mac OS X)" [2].

Bye

[1] http://smartcardservices.macosforge.org/trac/browser/trunk/Tokend/PKCS11
[2] http://ludovicrousseau.blogspot.com/2010/04/free-software-tokend-above-pkcs1...

--
Dr. Ludovic Rousseau
2010/9/28 Ludovic Rousseau <ludovic.rousseau@gmail.com>

> You can try the tokend over PKCS#11 available from [1]. See my blog "Free software Tokend above PKCS#11 (for Mac OS X)" [2].

Thank you Ludovic, I will try your code and let you know asap. ;-)

Bye,
Lorenzo
On Sep 28, 2010, at 11:37 PM, Lorenzo Dalrio wrote:

> 2010/9/28 Ludovic Rousseau <ludovic.rousseau@gmail.com>
>
>> You can try the tokend over PKCS#11 available from [1]. See my blog "Free software Tokend above PKCS#11 (for Mac OS X)" [2].
>
> Thank you Ludovic, I will try your code and let you know asap. ;-)
>
> Bye,
> Lorenzo

Lorenzo, The first reference that Ludovic pointed out [1] is a project we created to allow PKCS#11-based applications to access and use a smart card that was already managed through an existing Tokend. We affectionately call that a "P11 Shim". The source located at the reference was the original source for 10.5.6 and higher. The resulting binary was integrated into Mac OS X 10.6 and is located on your system already [2].

Set up a security device within the application (i.e. Firefox) and point it towards the tokendPKCS11.so. Understand that this will not provide a full PKCS#11 library (you can't write data to the card).

Good luck.

[1] http://smartcardservices.macosforge.org/trac/browser/trunk/Tokend/PKCS11
[2] /usr/libexec/SmartCardServices/pkcs11/tokendPKCS11.so

-Shawn
Hello,

2010/9/29 Shawn A. Geddis <geddis@mac.com>:

> On Sep 28, 2010, at 11:37 PM, Lorenzo Dalrio wrote:
>
>> 2010/9/28 Ludovic Rousseau <ludovic.rousseau@gmail.com>
>>
>>> You can try the tokend over PKCS#11 available from [1]. See my blog "Free software Tokend above PKCS#11 (for Mac OS X)" [2].
>>
>> Thank you Ludovic, I will try your code and let you know asap. ;-) Bye, Lorenzo
>
> Lorenzo, The first reference that Ludovic pointed out [1] is a project we created to allow PKCS#11-based applications to access and use a smart card that was already managed through an existing Tokend. We affectionately call that a "P11 Shim".

Shawn, no. Sorry but you are wrong here. I confirm that [1] is the tokend above PKCS#11 written by Gemalto (and not by me. I just archived the code in the repository).

I searched the subversion repository of the SmartCardServices project but could not find the PKCS#11 above tokend from Apple [2]. Shawn, is it archived in the SmartCardServices project?

Bye

[1] http://smartcardservices.macosforge.org/trac/browser/trunk/Tokend/PKCS11
[2] /usr/libexec/SmartCardServices/pkcs11/tokendPKCS11.so

--
Dr. Ludovic Rousseau
On Sep 29, 2010, at 9:41 AM, Ludovic Rousseau wrote:

> Shawn, no. Sorry but you are wrong here. I confirm that [1] is the tokend above PKCS#11 written by Gemalto (and not by me. I just archived the code in the repository).
>
> I searched the subversion repository of the SmartCardServices project but could not find the PKCS#11 above tokend from Apple [2]. Shawn, is it archived in the SmartCardServices project?
>
> Bye
>
> [1] http://smartcardservices.macosforge.org/trac/browser/trunk/Tokend/PKCS11
> [2] /usr/libexec/SmartCardServices/pkcs11/tokendPKCS11.so
>
> --
> Dr. Ludovic Rousseau

Ludovic, You are absolutely correct. I obviously was in too much of a rush and included the wrong path to the source I was referencing. The explanation I provided was correct, just a bad URL reference. What I _should have_ referenced is the source posted here [1]. That source was then integrated into Mac OS X 10.6.0 and the compiled binary can indeed be found here [2].

Thanks for the catch here!

[1] http://smartcardservices.macosforge.org/trac/browser/branches/tokend/pk11-00...
[2] /usr/libexec/SmartCardServices/pkcs11/tokendPKCS11.so

-Shawn
2010/9/29 Shawn A. Geddis <geddis@mac.com>:

> What I _should have_ referenced is the source posted here [1]. That source was then integrated into Mac OS X 10.6.0 and the compiled binary can indeed be found here [2].

Any chance to have the TokendPKCS11 integrated into trunk? Maybe that will happen only with Mac OS X 10.7.0? And Apple will not comment on that :-]

Bye

[1] http://smartcardservices.macosforge.org/trac/browser/branches/tokend/pk11-00...
[2] /usr/libexec/SmartCardServices/pkcs11/tokendPKCS11.so

--
Dr. Ludovic Rousseau
On Sep 29, 2010, at 11:18 AM, Ludovic Rousseau wrote:

> 2010/9/29 Shawn A. Geddis <geddis@mac.com>:
>
>> What I _should have_ referenced is the source posted here [1]. That source was then integrated into Mac OS X 10.6.0 and the compiled binary can indeed be found here [2].
>
> Any chance to have the TokendPKCS11 integrated into trunk? Maybe that will happen only with Mac OS X 10.7.0? And Apple will not comment on that :-]

Ludovic, The source included in [1] is the original project for Mac OS X 10.5.x. This currently still stands as a separate project and does not currently require any integration steps per se. It is the source that is compiled for inclusion in Mac OS X 10.6.x already and unless changes are made, would continue moving forward. No hidden agenda here... I'll make sure I get the source up on the site with trunk and with Apple 10.6 release source code...

To be sure I provide the appropriate disclaimer... This TokendPKCS11 has several known issues that need to be addressed. This was developed and built initially for 10.5 and needs a fair amount of work to provide a usable and stable environment for end users.

[1] http://smartcardservices.macosforge.org/trac/browser/branches/tokend/pk11-00...

-Shawn
2010/9/28 Shawn A. Geddis <geddis@mac.com>

> What Smart Card / Applet / Profile are you attempting to use ?

Shawn, Thank you for the useful info, unfortunately the smartcard world is quite new to me. Unfortunately I'm not able to provide you the information you have requested because I don't know either... :-( I can try to ask the vendor if you tell me that it could help.

Today I will give Ludovic's code a try, I will report the results asap.

Bye,
Lorenzo Dalrio

PS: when I wrote the first mail yesterday I was probably thinking of having some relax, the mistyped party-part in the subject is quite funny. :-)
participants (3)

- Lorenzo Dalrio
- Ludovic Rousseau
- Shawn A. Geddis