Hello,
since the tokend binary I'm using on 10.5 doesn't work anymore on 10.6,
also on 32-bit hardware, I'm trying to rebuild tokend.
I have a problem similar to the one reported here [1].
The smart card keychain and all objects can be seen in the Keychain Access
application, but when I try to make a signature an error is returned.
Actually, the most detailed error I got is:
CSSM_SignData returned: 8001082E
Error: 0x8001082E -2147416018 CSSMERR_CSP_INVALID_ACL_ENTRY_TAG
The system never asks me for the PIN.
To make it simpler I've modified the BELPIC tokend to become a
completely software tokend, that is, it accepts any card and then uses keys and
a certificate located in files.
The behavior is the SAME as my tokend.
So I think that it is just a build problem...
I'm using current darwinbuild from trunk, Xcode 3.2 and I'm initializing
darwinbuild on the build id 10B504.
Has anyone been successful in building and using a tokend on 10.6? Can you
help me?
links:
[1]
http://lists.macosforge.org/pipermail/tokend-dev/2009-September/000015.html
--
Giuseppe Amato
http://www.bit4id.com
gam(a)bit4id.com
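An added example (not part of the message above) that decodes a CSSM_RETURN such as 0x8001082E the way cssmerr.h composes it: a module base plus a common error code. The base, extent and the small code table are assumed from Apple's cssmerr.h and are only a partial excerpt.

```python
# Added example, not from the original message: decode a CDSA/CSSM error
# into its module base and common error code as cssmerr.h composes them.
# CSSM_BASE_ERROR, CSSM_ERRORCODE_MODULE_EXTENT and the tables below are
# assumed from Apple's cssmerr.h; the code table is a partial excerpt.

CSSM_BASE_ERROR = 0x80010000           # base of all CSSM error codes
CSSM_ERRORCODE_MODULE_EXTENT = 0x0800  # size of each module's error range

# Module bases: CSSM_<MODULE>_BASE_ERROR = CSSM_BASE_ERROR + EXTENT * n
MODULES = {0: "CSSM", 1: "CSP", 2: "DL", 3: "CL", 4: "TP", 5: "KR", 6: "AC"}

# Common (module-independent) error codes repeated in every module's range.
COMMON_ERRCODES = {
    0x0020: "OPERATION_AUTH_DENIED",
    0x0021: "OBJECT_USE_AUTH_DENIED",
    0x0025: "INVALID_ACCESS_CREDENTIALS",
    0x002E: "INVALID_ACL_ENTRY_TAG",
    0x002F: "ACL_ENTRY_TAG_NOT_FOUND",
}


def to_unsigned32(value):
    """CSSM_RETURN shows up either unsigned (0x8001082E) or as a signed
    32-bit int (-2147416018); normalise to the unsigned form."""
    return value & 0xFFFFFFFF


def decode_cssm_error(value):
    """Split a CSSM_RETURN into (module, common code, symbolic name or None)."""
    code = to_unsigned32(value)
    if code < CSSM_BASE_ERROR:
        raise ValueError("not a CSSM error code: 0x%08X" % code)
    offset = code - CSSM_BASE_ERROR
    module_index, errcode = divmod(offset, CSSM_ERRORCODE_MODULE_EXTENT)
    module = MODULES.get(module_index, "UNKNOWN(%d)" % module_index)
    name = COMMON_ERRCODES.get(errcode)
    symbol = "CSSMERR_%s_%s" % (module, name) if name else None
    return module, errcode, symbol


if __name__ == "__main__":
    # Both spellings of the error from the message decode to the same thing.
    for raw in (0x8001082E, -2147416018):
        print("0x%08X -> %s" % (to_unsigned32(raw), decode_cssm_error(raw)))
```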
Hi!
With our tokend compiled for x86_64 on 10.6, we are unable to use it
for authentication with loginwindow. The loginwindow recognizes the
tokend since it shows the right user and prompts us to enter the PIN
code. However, the loginwindow always shakes after entering it.
Here is the sc_auth output used for linking the user to the
certificate on the smartcard:
$ sc_auth hash
3A941BBD2D9CD73F6D83A5808B8250E318740EEA Test User's Axinoe CA SMIME ID
CB0044788246DA3F09763A0A298325334081274F com.apple.systemdefault
988A5041EA0A9E8C62BE2EA20DB49324D3A8EB56 com.apple.kerberos.kdc
CB0044788246DA3F09763A0A298325334081274F com.apple.systemdefault
988A5041EA0A9E8C62BE2EA20DB49324D3A8EB56 com.apple.kerberos.kdc
$ sc_auth list -u test_user
3A941BBD2D9CD73F6D83A5808B8250E318740EEA
Of course the smartcard has the private key for this certificate.
I traced the security logs to see what happens; maybe the credentials
sent by the smartcard-sniffer to the authenticate mechanism are wrong.
tokendb 0x100305010 authenticate calling validate
preauth using state 1@0x10032aa00
notify 0x100223560 notification created domain 0x1 event 2 seq 4294967296
schedq 0x100227b40 (1259947209.000) scheduled before 0x100215118
notify 0x100223560 notification done domain 0x1 event 2 seq 4294967296
tokendb 0x100305010 updating PIN1 state response
tokendb returning isLocked=0
agentclient got setResult at port 19971; result 0
AuthEvalMech evaluate(builtin:smartcard-sniffer,privileged) with result: 0.
schedq event 0x100227b40 unscheduled
schedq event 0x100227b40 delivered at 1259947209.000
notify Posted notification to clients.
adhoc Callback was called 6 times.
agentclient got setResult at port 21507; result 0
AuthEvalMech evaluate(loginwindow:login) with result: 0.
agentclient got setResult at port 23059; result 0
AuthEvalMech evaluate(builtin:reset-password,privileged) with result: 0.
agentclient got setResult at port 24323; result 0
AuthEvalMech evaluate(builtin:auto-login,privileged) with result: 0.
tokendb 0x100305010 updating PIN1 state response
tokendb returning isLocked=0
tokenacl 0x1002282e8 loading ACLs from tokend
preauth using state 1@0x10032aa00
handleobj create 0x32f9c4 for 0x10032f960
tokenacl 0x10032fa08 loading ACLs from tokend
agentclient got setResult at port 24835; result 1
AuthEvalMech evaluate(builtin:authenticate,privileged) with result: 1.
SSauth Authorization 0x100328b60 returning copy of context (null).
Maybe there are some checks added to verify the purpose of the
certificate. Here is the content of the certificate used:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5 (0x5)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=FR, ST=Rhone, L=Lyon, O=Axinoe, OU=Axinoe Certification, CN=Axinoe CA SMIME/emailAddress=ca(a)axinoe.com
        Validity
            Not Before: Oct 10 08:05:41 2008 GMT
            Not After : Oct 10 08:05:41 2033 GMT
        Subject: C=FR, ST=Rhone, L=Lyon, O=Axinoe, OU=Axinoe Certification, CN=Test User/emailAddress=test(a)axinoe.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE, pathlen:0
            Netscape Cert Type:
                S/MIME
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                E-mail Protection
            Netscape Comment:
                OpenSSL Generated SMIME Certificate
            X509v3 Subject Key Identifier:
                3A:94:1B:BD:2D:9C:D7:3F:6D:83:A5:80:8B:82:50:E3:18:74:0E:EA
            X509v3 Authority Key Identifier:
                keyid:87:88:33:16:B1:E5:22:BC:B1:B1:9D:74:DA:69:1A:45:57:F2:D4:4C
                DirName:/C=FR/ST=Rhone/L=Lyon/O=Axinoe/OU=Axinoe Certification/emailAddress=ca(a)axinoe.com/CN=Axinoe CA Root
                serial:01
            X509v3 Subject Alternative Name:
                email:test@axinoe.com
    Signature Algorithm: sha1WithRSAEncryption
--
Jean-Charles BERTIN
Axinoe - Software Engineer
Tel.: (+33) (0)1.80.82.59.23
Fax : (+33) (0)1.80.82.59.29
Skype: jcbertin
Web: <http://www.axinoe.com/>
Certificate Authority: <https://ca.axinoe.com/axinoe-root.crt>
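An added example (not part of the message above) that parses a securityd authorization trace like the one quoted there and reports which mechanism in the loginwindow chain returned a nonzero result. The sample trace is constructed from the lines in the message; the assumed line format is "AuthEvalMech evaluate(<mechanism>) with result: <n>.".

```python
# Added example, not from the original message: extract per-mechanism
# results from a securityd authorization trace and find the first failure.
# The trace below is constructed from the lines quoted in the message.
import re

SAMPLE_TRACE = """\
tokendb 0x100305010 authenticate calling validate
tokendb returning isLocked=0
AuthEvalMech evaluate(builtin:smartcard-sniffer,privileged) with result: 0.
AuthEvalMech evaluate(loginwindow:login) with result: 0.
AuthEvalMech evaluate(builtin:reset-password,privileged) with result: 0.
AuthEvalMech evaluate(builtin:auto-login,privileged) with result: 0.
tokenacl 0x1002282e8 loading ACLs from tokend
AuthEvalMech evaluate(builtin:authenticate,privileged) with result: 1.
SSauth Authorization 0x100328b60 returning copy of context (null).
"""

# Assumed format: "AuthEvalMech evaluate(<mechanism>) with result: <n>."
MECH_RE = re.compile(r"AuthEvalMech evaluate\(([^)]+)\) with result: (\d+)\.")


def parse_mechanism_results(trace):
    """Return [(mechanism, result)] in evaluation order; 0 means success."""
    return [(m.group(1), int(m.group(2))) for m in MECH_RE.finditer(trace)]


def first_failure(trace):
    """Return (mechanism, result) for the first nonzero result, or None."""
    for mech, result in parse_mechanism_results(trace):
        if result != 0:
            return mech, result
    return None


def summarize(trace):
    """One-line triage verdict: what passed before the chain broke."""
    results = parse_mechanism_results(trace)
    failure = first_failure(trace)
    if failure is None:
        return "all %d mechanisms returned 0" % len(results)
    passed = [mech for mech, result in results if result == 0]
    return "%s returned %d after %d mechanism(s) passed" % (
        failure[0], failure[1], len(passed))


if __name__ == "__main__":
    print(summarize(SAMPLE_TRACE))
```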
SmartCardServices - "CAC-NG" Tokend
The SmartCardServices Project Team is pleased to provide access to the *BETA* for CAC Next Generation (a.k.a. CAC-NG) Tokend support for Mac OS X 10.5 "Leopard". Support for Snow Leopard is forthcoming, but you can proceed to test with your Mac OS X 10.5.6+ machines with this installation.
Background
CAC-NG Smart Cards
The following is an excerpt taken directly from the "DoD Implementation Guide for CAC Next Generation (NG), v2.5, November 2006".
The DoD CAC Environment
The PIV transitional, as defined in SP 800-73, is added to the existing CAC v2 card as an additional data model in conjunction with other evolutions such as the purse and access control. This CAC with PIV is called the CAC Next Generation (NG). The CAC NG is the first and most significant step towards the PIV end point solution.
The PIV solution is implemented on the DoD CAC NG, but is largely separate and distinct from the DoD multi-application CAC. It will evolve at its own pace but in the same environment.
The purpose and function of the CAC NG is much broader than the focused interoperability function of the PIV. In 1999, Congress directed the Secretary of Defense to implement smart card technology within the DoD with the objective of increasing efficiency, security, and readiness. The result has been the creation of the CAC. The baseline functionality of the CAC is to (1) provide for logical access to computer systems, (2) provide personnel identification, (3) enable physical access to buildings, and (4) PKI for signing, encryption, and non-repudiation. The CAC is the standard identification card for active duty military personnel, Selected Reservists, DoD civilian employees, and eligible contractor personnel.
The CAC NG is a multi-application smart card. It serves as a token for PK identity, email, and encryption certificates. Additionally, it contains a linear barcode, two-dimensional barcode, magnetic stripe, color digital photograph, and printed text.
Installer
http://smartcardservices.macosforge.org/trac/wiki/installers
Installation
Smart Card Tokend Installation
CAC-NG
/System/Library/Security/tokend/CACNG.tokend
__________________________________________________
Shawn Geddis geddis(a)mac.com
Security Consulting Engineer
MacOSForge Project Lead: Smart Card Services
Web: http://smartcardservices.macosforge.org/
Lists: http://lists.macosforge.org/mailman/listinfo
__________________________________________________