Re: [SmartcardServices-Users] Cannot use my Yubikey Neo
Actually, I checked - and must apologize for misleading you. There are FOUR slots for certificates in the PIV applet, and the FIFTH one is for the 3DES management key. On a different system that also runs Mavericks 10.9.5 but doesn't have all the corporate crap installed, OpenSC.tokend seemed to work OK with CAC but did not recognize NEO at all. Whatever scarce logs I managed to get, I will post here later.
--
Regards,
Uri Blumenthal
Cyber Systems and Technology
MIT Lincoln Laboratory
244 Wood Street, Lexington, MA 02420-9185
Voice: (781) 981-1638
Fax: (781) 981-0186
Cell: (339) 223-5363
Web: http://www.ll.mit.edu/CST/
MIT LL Root CA: <https://www.ll.mit.edu/labcertificateauthority.html>
------Original Message------
From: Thomas Westfeld
To: Blumenthal, Uri
Cc: hotz@2ndquadrant.com
Cc: rdisiena@gmail.com
Cc: SmartCardServices-Users
Subject: Re: [SmartcardServices-Users] Cannot use my Yubikey Neo
Sent: Mar 5, 2015 16:41
Well that does not sound too promising. Funny that Yubico is advertising using the Yubikey NEO to store certs on it to be used via the Mac OS X keychain. I also do not understand why the SmartCardServices PIV.tokend does recognize the yubikey, although it claims to be PIV compliant. Thank you for the explanation of the different slots.
On 05.03.2015 at 22:26, Blumenthal, Uri - 0558 - MITLL <uri@ll.mit.edu> wrote:
1. I would not call it "works". What you got is having the card *recognized* - one/first step on a potentially long road.
2. No, there are *three* slots for PK keys. The fourth one is for 3DES authentication/management key.
3. "yubico-piv-tool --help" (I think - maybe it was on NEO PIV web page) tells what these slots are: one for Digital Signature cert, one for Key Management cert (i.e. encryption), one for PIV Authentication (I think it is Identity cert), and one for card management (3DES). I haven't seen any docs, but Yubico web page on NEO PIV lists those.
In summary, OpenSC.tokend is busted, and attempts to recompile it did not produce a usable program. Anybody who understands it cares to pitch in?
------Original Message------
From: Thomas Westfeld
To: Blumenthal, Uri
Cc: Henry B (Hank) Hotz, CISSP
Cc: Ridley DiSiena
Cc: SmartCardServices-Users
Subject: Re: [SmartcardServices-Users] Cannot use my Yubikey Neo
Sent: Mar 5, 2015 16:01
Hello again,
finally I got it to work. It just does not work to install OpenSC via homebrew because the corresponding tokend is missing. When installing from the github repo https://github.com/OpenSC/OpenSC/releases it works. I can now insert the yubikey and it appears in my keychain.
However I also have a similar problem concerning the unlocking of the keychain on the yubikey. It asks me for the keychain password of the yubikey and I enter the PIN, however Mail reports an error in using this certificate on the yubikey.
When checking which tokend takes care of the yubikey it is the OpenSC one, so that sounds reasonable.
I managed to import certificates and keys into the yubikey using the yubico-piv-tool.
BTW is there a documentation or hint, which slot to use for which purpose and what the implications are? Am I right that the yubikey has 4 slots for cert/key pairs?
On 05.03.2015 at 16:28, Blumenthal, Uri - 0558 - MITLL <uri@ll.mit.edu> wrote:
On 3/3/15, 15:31, "Henry B (Hank) Hotz, CISSP" <hotz@2ndquadrant.com> wrote:
Do I need to remove anything in order for it to run correctly?
Shouldn't need to remove anything. There is some sort of dark art to which tokend is used when there are multiple tokend(s) for the same card type.
Need to make sure you use the tools that go with the tokend that’s actually attached and running. Plug the card in and do a ps -ef | fgrep tokend to see.
I’ve tried several things, unfortunately including an attempt to recompile/reinstall pcsc-lite-1.8.13, which messed everything up enormously.
I’ve restored the original Apple /usr/sbin/pcscd and /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle, but despite all that it does not start any tokend.
Prior to this pcsc-lite fiasco, OpenSC.tokend would start/run (if present) when a smart card was inserted, and it would recognize/display the card and the certs that were on it - but it would not unlock it (prompts for a PIN, accepts the PIN, and then nothing changes - and the card stays locked; no error message or such).
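The thread's advice is to plug the card in and look at `ps -ef | fgrep tokend` to see which tokend is actually attached, because the tools you use (yubico-piv-tool / OpenSC vs. the Apple PIV.tokend) must match the running one, and because "no tokend at all" and "two tokends fighting over the card" are different failures. The script below is an added example, not code from the list or from OpenSC: it extracts the distinct `*.tokend` bundle names from `ps -ef` output and classifies the result. The `ps` output it runs on is constructed for illustration (the paths follow the usual macOS tokend locations, but the PIDs and executable names are made up); on a real machine pipe live `ps -ef` into `list_tokends` instead.

```shell
#!/bin/sh
# Added example (not from the thread): find which tokend(s) are attached
# after a card is inserted, so the tools you run match the running tokend.

# Constructed sample of "ps -ef" output, showing the interesting case of
# two tokends (Apple PIV.tokend and OpenSC.tokend) running at once.
SAMPLE_PS='  UID   PID  PPID   C STIME   TTY           TIME CMD
    0     1     0   0  9:00AM ??         0:01.23 /sbin/launchd
    0   312     1   0  9:00AM ??         0:00.41 /usr/sbin/pcscd
    0   845   312   0 10:12AM ??         0:00.07 /System/Library/Security/tokend/PIV.tokend/Contents/MacOS/PIV
    0   846   312   0 10:12AM ??         0:00.09 /Library/Security/tokend/OpenSC.tokend/Contents/MacOS/OpenSC
  501   900   700   0 10:13AM ttys000    0:00.00 fgrep tokend'

# list_tokends: read ps output on stdin and print each distinct
# "<Name>.tokend" bundle once, ignoring the grep/fgrep line itself.
# The sed pattern keeps only the path component that ends in ".tokend",
# so the plain "tokend/" directory name does not match.
list_tokends() {
    grep '\.tokend/' | grep -v 'fgrep' \
        | sed -n 's|.*/\([^/]*\.tokend\)/.*|\1|p' | sort -u
}

# tokend_count: number of distinct tokends attached (0 means none started).
tokend_count() {
    list_tokends | wc -l | tr -d ' '
}

# classify: one word describing the situation for a given count.
classify() {
    case "$1" in
        0) echo "none" ;;      # pcscd/driver problem, not a tokend choice problem
        1) echo "single" ;;    # use the tools belonging to that tokend
        *) echo "multiple" ;;  # which one wins is undefined; remove the extras
    esac
}

# Run against the constructed sample so the example works offline.
# Live use on a Mac:  ps -ef | list_tokends
printf '%s\n' "$SAMPLE_PS" | list_tokends
n=$(printf '%s\n' "$SAMPLE_PS" | tokend_count)
echo "tokends attached: $n ($(classify "$n"))"
```

If the count is zero after inserting a card, the problem is upstream of any tokend (pcscd or the CCID driver, as in the pcsc-lite situation described above); if it is more than one, remove the tokend bundles you do not intend to use before debugging PIN prompts, since the prompt may be coming from a tokend that cannot actually unlock the card.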
participants (1)
-
Blumenthal, Uri - 0558 - MITLL