[SmartcardServices-Dev] making Oberthur ID One 128 v5.5 Dual work

Nao Itoi nao.itoi at centrify.com
Fri Sep 2 11:24:24 PDT 2011


Hello,

I am Nao Itoi from Centrify.
Thank you very much for the great work on smart cards.

We at Centrify have found that we can support CACNG profile on Oberthur ID One 128 v5.5 Dual card by doing the following, on Mac OS 10.6 and 10.7.  (You can do it on 10.5, too, but it's more work.)

1. Make PIV.tokend the "preferred" module for Oberthur 128.  Before this fix, the CAC or CACNG module took the card, and failed.  We modified the PIV.tokend source code for this.
2. Compile pcscd from the latest SmartCardServices-55000 from opensource.apple.com (or I think the latest from MacOSForge would be fine, too).  The previous build had this bug (http://smartcardservices.macosforge.org/trac/changeset/28), which caused a problem for this card.
3. Cache the PIN for up to 60 seconds.  Without this change, the screen saver would try to launch a PIN prompt, and would freeze because it cannot pop up a window.

If you would be interested in our diffs for 1 and 3, and consider submitting them to SmartCardServices SVN repository, we will be happy to post the diffs in this list.

Implementation details:

1. Make PIV.tokend the "preferred" module for Oberthur 128.  In probe(), we detect the Oberthur 128 card by examining the Answer To Reset.  If found, probe() returns the score of 350, which makes the PIV module win over CAC or CACNG module.

2. pcscd shipped with Mac 10.6.8 or older has a bug relating to the card communication protocol (see http://smartcardservices.macosforge.org/trac/changeset/28).  pcscd selects the T=1 protocol to communicate with this card.  However, the card seems to work only with the T=0 protocol.  After this fix, T=0 is selected, and it works fine.

3. After the PIN is entered in verifyPIN(), it is cached for a certain period of time.  If PIV.tokend needs to send the PIN again (this happens often because one of the keys on PIV has the "PIN-always" policy), it will use the cached PIN instead of launching a PIN prompt.  The time period is configurable: (1) cache for N seconds (by default, N = 60), (2) cache indefinitely, or (3) do not cache.

Questions:

 *   Configuration
    *   Currently, configuration is done in Centrify configuration file.  This is not desirable for a public tokend.  We can make it configurable somewhere vendor neutral, or can get rid of the configuration.  Could you advise?
 *   Logging
    *   As we were not able to figure out how to get messages from secdebug(), we write logs to syslog.  If you prefer to use secdebug(), we can do that.
 *   Generally speaking, if you have suggestions on improvement, we are eager to hear about them, and we will be happy to incorporate them.

With best regards,

Nao @ Centrify Mac Team
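The PIN-cache policy from item 3 above (cache for N seconds, cache indefinitely, or do not cache), sketched as an added C++ example; this is illustrative code, not Centrify's diff or the PIV.tokend source, and the PinCache class, the policy names and the injectable clock used for expiry checks are all assumptions.

```cpp
// Hypothetical PIN cache for a tokend: cache for N seconds (default 60),
// indefinitely, or not at all. Not the Centrify diff or PIV.tokend code.
#include <algorithm>
#include <chrono>
#include <string>
enum class PinCachePolicy { None, Seconds, Indefinite };
class PinCache {
public:
    using Clock = std::chrono::steady_clock;

    explicit PinCache(PinCachePolicy policy, int ttlSeconds = 60)
        : policy_(policy), ttl_(ttlSeconds) {}

    // Called after a successful verifyPIN(); remembers the PIN per policy.
    void store(const std::string &pin, Clock::time_point now = Clock::now()) {
        if (policy_ == PinCachePolicy::None) return;
        pin_ = pin;
        storedAt_ = now;
        valid_ = true;
    }

    // Returns true and fills `out` when a usable cached PIN exists; otherwise
    // the caller must fall back to a PIN prompt.
    bool lookup(std::string &out, Clock::time_point now = Clock::now()) {
        if (!valid_) return false;
        if (policy_ == PinCachePolicy::Seconds &&
            now - storedAt_ >= std::chrono::seconds(ttl_)) {
            clear();
            return false;
        }
        out = pin_;
        return true;
    }

    // Overwrite the buffered PIN before releasing it (card removal, logout).
    void clear() {
        std::fill(pin_.begin(), pin_.end(), '\0');
        pin_.clear();
        valid_ = false;
    }

private:
    PinCachePolicy policy_;
    int ttl_;
    std::string pin_;
    Clock::time_point storedAt_;
    bool valid_ = false;
};
```

Passing `now` explicitly makes the expiry logic testable without sleeping; in a real tokend the PIN would also be cleared on card removal.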


