Certificates from token through Tokend in built-in VPN client on Mavericks
Hello! I'm using Gemalto Tokend to access the certificates on the token. On Mac OS X 10.8 the certificates on the token are accessible via Keychain Access, the Mail utilities and the built-in VPN client, but after updating to 10.9 I've got an issue: the certificates on the token are not listed in the built-in VPN client (when selecting authentication parameters), though they are visible in the Keychain Access utility. Is it a problem with the Tokend used, or has Apple just cut tokend support out of the VPN client? Is there any workaround for the issue? Best regards, Eugene Mironenko
Hello, I am facing the very same issue. But I don't have the solution. I wonder if anyone can help. Thanks, Bernardo Höhl, Rio de Janeiro - Brazil

On 12.03.2014, at 6:29 AM, Мироненко Евгений <mironenko@rutoken.ru> wrote:
_______________________________________________ Tokend-Dev mailing list Tokend-Dev@lists.macosforge.org https://lists.macosforge.org/mailman/listinfo/tokend-dev
Eugene,

Nothing has changed architecturally from the Apple side on Tokend or on the ability of any Apple services (i.e. VPN) to utilize the Keychain APIs, which is how they get access to Smart Cards supported with a Tokend. Have you updated the Tokend for 10.9 using the updated installers posted? There was a security CVE addressed and implemented in the new updates as well.

Please capture logs before and during the transactions and submit them with a ticket, so we can look into it. We may uncover something from there.

-Shawn
_____________________________________________________________________
Shawn Geddis geddis@{Mac | Me | iCloud}.com
Enterprise Security Consulting Engineer, Apple geddis@apple.com
Smart Card Services Project/Dev Lead: Project Wiki: [SmartCardServices.MacOSFforge.Org] Mailing Lists: [Lists.MacOSForge.Org/mailman/listinfo] SCS Contact: [scs-cotact@macosforge.org] SCS Admin: [scs-admin@macosforge.org]
Hello Shawn, Thanks for answering. I suspect that somehow the operating system (security.h) is failing to validate the certificates inside the token. I see a similar behavior when I insert a token that has an expired certificate. I am an Objective-C programmer, but I lack knowledge on this. Can you please guide me on how I can log this? Thanks, Bernardo

On 12.03.2014, at 12:39 PM, Shawn Geddis <geddis@me.com> wrote:
Please capture logs before and during the transactions and submit with a ticket, so we can look into it.
Shawn, It looks like Gemalto Tokend is not distributed with the installers provided. Moreover, there is no sign of activity in the tokend repository since ludovic.rousseau mitigated the CVE-2013-1867 referred to. Are there any actions done by the installer except simply putting tokends into /System/Library/Security/tokend/? Isn't there any registration procedure that the tokend I use may not have performed? I've been building Gemalto Tokend from source (http://smartcardservices.macosforge.org/trac/browser/trunk/Tokend/PKCS11) and the latest version available is used. Best regards, Eugene Mironenko

On 12.03.2014, at 19:39, Shawn Geddis <geddis@me.com> wrote:
Shawn, The point is that none of the applications using the Keychain APIs reject certificates stored on the token or handle them improperly, except for the VPN client. The first thing I'd like to know: does anybody have positive experience with using certificates stored on a token in the built-in VPN client on Mac OS X 10.9? If so, what tokend is used? Has anybody tried using PKCS11.tokend? Moreover, I wonder why PKCS11.tokend is cut out of the tokend installers. By the way, rather long ago I reported the issue with Apple Bug Reporter (ticket 15654874); it is still open and marked as a duplicate. Best regards, Eugene Mironenko

On 12.03.2014, at 19:39, Shawn Geddis <geddis@me.com> wrote:
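The two messages above split the question in the way a practitioner would want to test it: does the Keychain API itself still return the token identity (Eugene's point), or is trust evaluation rejecting it (Bernardo's suspicion)? The script below is an added diagnostic, not code from this thread or from the Smart Card Services project. It uses only the stock macOS `security` tool and compares the identities `find-identity -v` returns under the basic policy with those that survive a stricter policy. The assumption, labelled as such, is that the 10.9 VPN client offers only identities that pass a policy such as `ipsec` (IKE) or `ssl-client`; an identity listed by the first command but dropped by the second would be visible in Keychain Access yet absent from the VPN picker. The sample output embedded for non-macOS hosts is constructed; the hashes and names are made up.

```shell
#!/bin/sh
# Added diagnostic for the tokend/VPN thread; not the project's own code.
# Assumption (not documented anywhere on the list): the VPN client filters
# identities by a trust policy, so identities that `security find-identity -v`
# lists but `security find-identity -v -p ipsec` drops are the candidates
# for "visible in Keychain Access, missing from the VPN picker".

# Constructed sample in the shape `security find-identity -v` prints, used
# when the tool is absent (non-macOS) so the comparison logic still runs.
SAMPLE_ALL='  Valid identities only
  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Eugene Mironenko (token)"
  2) FEDCBA9876543210FEDCBA9876543210FEDCBA98 "Local identity"
     2 valid identities found'

SAMPLE_IPSEC='  Valid identities only
  1) FEDCBA9876543210FEDCBA9876543210FEDCBA98 "Local identity"
     1 valid identities found'

# Reduce find-identity output to sorted "SHA1 name" lines.
identity_list() {
    printf '%s\n' "$1" \
      | sed -n 's/^ *[0-9][0-9]*) \([0-9A-Fa-f]\{40\}\) "\(.*\)"$/\1 \2/p' \
      | sort -u
}

# Identities the Keychain API returns under the basic policy but not under
# the stricter one: rejected by trust evaluation, not missing from the
# keychain search list.
rejected_by_policy() {
    all=$(identity_list "$1")
    ok=$(identity_list "$2")
    printf '%s\n' "$all" | awk -v ok="$ok" '
        BEGIN { n = split(ok, a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        NF && !($0 in seen)'
}

# Live comparison on macOS; sample comparison elsewhere.
vpn_picker_check() {
    policy=${1:-ipsec}
    if command -v security >/dev/null 2>&1; then
        echo "Keychain search list (the tokend-backed keychain should appear here):"
        security list-keychains
        all_out=$(security find-identity -v)
        pol_out=$(security find-identity -v -p "$policy")
    else
        all_out=$SAMPLE_ALL
        pol_out=$SAMPLE_IPSEC
    fi
    echo "Identities visible to the Keychain API but rejected under policy '$policy':"
    rejected_by_policy "$all_out" "$pol_out"
}

vpn_picker_check "${1:-ipsec}"
```

Run it with the token inserted and compare `ipsec` and `ssl-client`. If the token identity is listed under every policy and still absent from the VPN picker, the Keychain side (tokend, search list, trust evaluation) is not the filter, which is the direction the thread eventually takes; if it disappears under a policy, `security find-identity` without `-v` shows the identity in the "Matching identities" section only, and the trust failure is the thing to log.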
Shawn, Finally I've captured logs from PKCS11.tokend: see the file attached. I'd like to note that there is no log activity during the selection of a certificate in the VPN client. The activity logged corresponds to viewing the certificates in the keychain and signing e-mail.

<Gemalto.TokenD.log>

Best regards, Eugene Mironenko

On 12.03.2014, at 19:39, Shawn Geddis <geddis@me.com> wrote:
Eugene, Internal verification: it looks like there was a regression on the VPN side of things. Not a problem with any of the Smart Card Services components or your Tokend / PKCS11 components. I'll create a ticket in our system to reflect the status of the RADAR in Apple's system. -Shawn

On Mar 14, 2014, at 5:14 AM, Мироненко Евгений <mironenko@rutoken.ru> wrote:
participants (3): Bernardo Höhl, Shawn Geddis, Мироненко Евгений