Re: [Tokend-Dev] Building Tokend on Leopard?
On Mar 16, 2009, at 5:29 PM, Shawn A. Geddis wrote:
On Mar 16, 2009, at 8:23 PM, Henry B. Hotz wrote:
That sounds like standard policy, which is fine.
Am I wrong to believe that the posted source for this project is newer and more Snow-Leopard-like than the 9G55 version of Tokend? If it is, then I'm still interested.
The Source for ALL of the sub-components of this project "SmartCardServices" are all exact copies of the source which was compiled and shipped in Mac OS X 10.5.6. We will make note of this on the wiki pages as we move forward with this project.
So this project's Tokend is identical to Tokend-35209?
The issue you seem to be trying to resolve is related to the 1024/2048 key size issue with the shipped PIV tokend. I am getting that source and binary out here as soon as I can and will post a note then as well.
Well, I'm told that's the problem. I can't say I know that's the issue independently. I just know that the 10.5.6 Tokend can't identify the user for loginwindow. OpenSC Tokend and ActiveIdentity Tokend can do that, but they can't unlock the card with a PIN. If I got past this hump, I'd ask about Apple's support for MIT Kerberos' pre-auth plugin interface and PKINIT, but that would be severely off-topic. ;-)

------------------------------------------------------
The opinions expressed in this message are mine, not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
On Mar 16, 2009, at 9:02 PM, Henry B. Hotz wrote:
The Source for ALL of the sub-components of this project "SmartCardServices" are all exact copies of the source which was compiled and shipped in Mac OS X 10.5.6. We will make note of this on the wiki pages as we move forward with this project.
So this project's Tokend is identical to Tokend-35209?
The issue you seem to be trying to resolve is related to the 1024/2048 key size issue with the shipped PIV tokend. I am getting that source and binary out here as soon as I can and will post a note then as well.
Well, I'm told that's the problem. I can't say I know that's the issue independently. I just know that the 10.5.6 Tokend can't identify the user for loginwindow.
Yes, that is the problem preventing the login...
OpenSC Tokend and ActiveIdentity Tokend can do that, but they can't unlock the card with a PIN.
Why can't they unlock the card?

__________________________________________________
Shawn Geddis geddis@mac.com
Security Consulting Engineer
MacOSForge Project Lead: Smart Card Services
Web: http://smartcardservices.macosforge.org/
Lists: http://lists.macosforge.org/mailman/listinfo
__________________________________________________
On Mar 16, 2009, at 6:22 PM, Shawn A. Geddis wrote:
OpenSC Tokend and ActiveIdentity Tokend can do that, but they can't unlock the card with a PIN.
Why can't they unlock the card?
If I knew that I might try to fix it (in OpenSC anyway). ;-)

That raises the question of how you could find out what the problem is. Can you usefully attach a debugger to a tokend?

------------------------------------------------------
The opinions expressed in this message are mine, not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
On Mar 17, 2009, at 12:10 PM, Henry B. Hotz wrote:
On Mar 16, 2009, at 6:22 PM, Shawn A. Geddis wrote:
OpenSC Tokend and ActiveIdentity Tokend can do that, but they can't unlock the card with a PIN.
Why can't they unlock the card?
If I knew that I might try to fix it (in OpenSC anyway). ;-)
That raises the question of how you could find out what the problem is. Can you usefully attach a debugger to a tokend?
The best method for debugging communication with a card is to set the debugging level in the reader driver. For example, if your reader is being handled by the CCID Class Driver (ifd-ccid.bundle) then you can modify:

File: /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/Info.plist
Key: ifdLogLevel
Original Value: 0x0001
Debug Value: 0x0007

Reader and Token insertions/removal are logged to: /var/log/secure.log
Information between Host & Reader (Card Activity): /var/log/system.log

Possible values for ifdLogLevel:
1: CRITICAL - important error messages
2: INFO - informative messages like what reader was detected
4: COMM - a dump of all the bytes exchanged between the host and the reader
8: PERIODIC - periodic info when pcscd tests if a card is present (every 1/10 of a second)
The final value is an OR of these values.
Default value: 3 (CRITICAL + INFO)

__________________________________________________
Shawn Geddis geddis@mac.com
Security Consulting Engineer
MacOSForge Project Lead: Smart Card Services
Web: http://smartcardservices.macosforge.org/
Lists: http://lists.macosforge.org/mailman/listinfo
__________________________________________________
2009/3/23 Shawn A. Geddis <geddis@apple.com>:
On Mar 17, 2009, at 12:10 PM, Henry B. Hotz wrote:
On Mar 16, 2009, at 6:22 PM, Shawn A. Geddis wrote:
OpenSC Tokend and ActiveIdentity Tokend can do that, but they can't unlock the card with a PIN.
Why can't they unlock the card?
If I knew that I might try to fix it (in OpenSC anyway). ;-)
That raises the question of how you could find out what the problem is. Can you usefully attach a debugger to a tokend?
The best method for debugging communication with a card is to set the debugging level in the reader driver.
I would propose to use the pcscd APDU debug facility instead. First kill pcscd, then start it using "pcscd --foreground --apdu".

Using the CCID driver debug will work but you will also have CCID headers and CCID frames you don't want to see.

Debugging a PC/SC application should be added to a FAQ page on the SmartCardServices wiki.

Bye

--
Dr. Ludovic Rousseau
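Both debugging routes discussed in this thread (the CCID driver's COMM dump and "pcscd --foreground --apdu") leave you reading raw APDU bytes. As an added example, not code from the thread, from pcsc-lite or from SmartCardServices, here is a small Python decoder for such a trace that pairs each command with its status word and explains the status words that matter when a tokend fails to unlock a card with its PIN; the "<usec> APDU:" / "<usec> SW:" line format and the sample lines are assumptions I constructed.

```python
import re

# Constructed sample of "pcscd --foreground --apdu" output; the line format
# ("<usec> APDU: <hex>", "<usec> SW: <hex>") and the PIV-style bytes are assumptions.
SAMPLE_TRACE = """\
00000000 APDU: 00 A4 04 00 0B A0 00 00 03 08 00 00 10 00 01 00
00001532 SW: 61 1A
00000211 APDU: 00 20 00 80 08 31 32 33 34 35 36 FF FF
00002874 SW: 63 C2
00000198 APDU: 00 20 00 80 08 31 32 33 34 35 36 FF FF
00002910 SW: 90 00
00000150 APDU: 00 87 07 9A 04 7C 02 81 00
00000600 SW: 69 82
"""
INS_NAMES = {0x20: "VERIFY", 0xA4: "SELECT", 0x87: "GENERAL AUTHENTICATE"}
LINE_RE = re.compile(r"^\s*\d+\s+(APDU|SW):\s+((?:[0-9A-Fa-f]{2}\s*)+)$")

def describe_sw(sw1, sw2):
    """Explain the ISO 7816 status words that matter for PIN unlock problems."""
    if (sw1, sw2) == (0x90, 0x00):
        return "OK"
    if sw1 == 0x61:
        return f"OK, {sw2} bytes available"
    if sw1 == 0x63 and sw2 & 0xF0 == 0xC0:
        return f"wrong PIN, {sw2 & 0x0F} tries left"
    if (sw1, sw2) == (0x69, 0x82):
        return "security status not satisfied (PIN not verified)"
    return "unknown"

def parse_trace(text):
    """Pair each command APDU with the status word that follows it."""
    exchanges, pending = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other pcscd chatter
        kind, data = m.group(1), bytes.fromhex(m.group(2))
        if kind == "APDU":
            pending = data
        elif kind == "SW" and pending is not None and len(pending) >= 4 and len(data) >= 2:
            ins, p1, p2 = pending[1], pending[2], pending[3]
            # A VERIFY data field is the PIN itself; never copy it into reports.
            body = "<redacted>" if ins == 0x20 else pending[4:].hex()
            exchanges.append({"ins": INS_NAMES.get(ins, f"INS {ins:02X}"),
                              "p1p2": f"{p1:02X}{p2:02X}", "data": body,
                              "sw": f"{data[0]:02X}{data[1]:02X}",
                              "meaning": describe_sw(data[0], data[1])})
            pending = None
    return exchanges
```

Run parse_trace over the captured pcscd output and look at the VERIFY entries: a 63 Cx after VERIFY, or a 69 82 on the later GENERAL AUTHENTICATE with no successful VERIFY before it, tells you whether the tokend ever sent the PIN and whether the card accepted it.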