On Oct 1, 2015, at 11:44 AM, Thomas Harning Jr. <harningt@gmail.com> wrote:

Thanks. Is there any documentation available that shows where the new tokend installations should go?

Does this installation location happen to work for older OSX versions, or is the location only scanned by OSX 10.11? If this location is only for newer versions of OSX, this complicates things for users that install an application on 10.10 or earlier and come to OSX 10.11 to discover their TokenD was obliterated.

Smart card development for OSX seems to be a particularly dark art. By chance are there any samples of TokenD modules written using Apple's new blessed token API - the asynchronous nature of the new API seems to be in conflict with TokenD API specifications.

Thomas,

• The Installer Download Page, the Installer and the man page for SmartCardServices notes the new tokend installation path for OS X El Capitan v10.11.
• The Path [/Library/Security/tokend/ ] is new for OS X El Capitan v10.11 and higher and is not supported on older versions of OS X v10.x.
• Location of Tokend bundles does not affect use by Applications, since this is completely abstracted away.
• There currently is no code samples or reference implementations for CryptoTokenKit Clients from Apple nor yet from the project here.
• TokenD API specifications ? There never was any API specification to Apple’s knowledge.  What reference are you making ?


See man page for SmartCardServices….

$ man SmartCardServices

SMARTCARDSERVICES(7) BSD Miscellaneous Information Manual SMARTCARDSERVICES(7)

NAME
     SmartCardServices -- overview of smart card support

DESCRIPTION
     SmartCardServices is a set of components which add native support for
     smart cards to OS X.

     Supported smart cards appear as separate keychains.  A Tokend module for
     each smart card you wish to use must be installed in
     /Library/Security/tokend

USB SMART CARD READER DRIVERS
     OS X has built-in support for USB CCID class-compliant smart card read-
     ers.  For other readers, install the reader driver in
     /usr/local/libexec/SmartCardServices/drivers.  Each driver is a bundle.
     The bundle contains an XML file Info.plist which contains the device's
     USB vendor ID and product ID.  For detailed description of the plist for-
     mat and how to write a reader driver, see
     http://pcsclite.alioth.debian.org/api/group__IFDHandler.html

SMART CARD APDU LOGGING
     It is possible to turn on logging for smart cards.  Logging is turned on
     by setting the global preference:

     sudo defaults write /Library/Preferences/com.apple.security.smartcard
     Logging -bool yes

     After a smart card reader is connected (or after reboot) all operations
     including contents of sent and received APDU messages are then logged
     into the system log.  Logging uses the facility com.apple.security.smart-
     card.log so it is possible to set up filtering of these logs into custom
     targets (see asl.conf(5))

     To avoid security risks that could occur if logging is turned on indefi-
     nitely, the logging setting is one-shot - it must be turned on by the
     command above to start logging again with a new reader.  This includes
     unplugging and replugging the same reader.

SEE ALSO
     sc_auth(8), defaults(1), asl.conf(5), ssh-keychain(8)

Mac OS X                        August 5, 2014                        Mac OS X



- Shawn
_____________________________________________________________________
Shawn Geddis            geddis@{Mac | Me | iCloud}.com
Security and Certifications Engineer, Apple                geddis@apple.com

Smart Card Services  Project/Dev Lead:                                                                                 
Project Wiki:           [SmartCardServices.MacOSFforge.Org]
Mailing Lists:          [Lists.MacOSForge.Org/mailman/listinfo]
SCS Contact:            [scs-cotact@macosforge.org]
SCS Admin:            [scs-admin@macosforge.org]
_____________________________________________________________________