[SmartcardServices-Users] ECA Hardware Token - Certs not showing up in Keychain

Bob Colbert colbert at detk.net
Fri Jun 4 09:37:39 PDT 2010


Shawn,

I did see that Support Matrix and I saw “supported” so I thought I was ok, but your post sort of explains it, I think.  But for example, if I were to ask the ECA authority if I can purchase a different USB token to put my certificate on, how would I know that it would be supported such that I can not only access the card, but also see the certs on it?  “Supported” in the matrix doesn’t necessarily imply complete functionality and obviously the key part of seeing the certs on the device.

Does submitting tickets help speed up the fixes?  Apparently it is different login credentials to submit tickets than to join the mailing list?

And I guess the obvious question is what is the timeframe of the fix?  1 month, 3 months, 6 months+?  I would not have any idea where to start to modify the source code.  I do some coding, though not in C and certainly not in this discipline.

Would a cross-post to Fed-Talk help determine if others with ECA certs on a USB token can help steer me in the correct direction to find a suitable substitute if the timeframe for fixing is several months?

Thanks for the quick response.
Bob


On 6/4/10 11:51 AM, "Shawn A. Geddis" <geddis at mac.com> wrote:

On Jun 4, 2010, at 9:28 AM, Bob Colbert wrote:
I just received an ECA Hardware Assurance certificate.  It is an ActivIdentity USB Token as shown here - http://www.actividentity.com/products/authenticationdevices/USBTokens/ .  I have the one without the one-time password display.  Of course, setup of the device and placing the certificates on it was done with ActivClient on Windows at the ECA facility.


Bob,

You will notice on the Smart Card Reader Section (Smart Card CCID) [1] that the Smart Card Reader Matrix [2] notes it is a *supported device* - with respect to the CCID Class Driver.  Keep in mind though, that the device is part of the equation and the profile / applet on the device is another.  The current CAC.Tokend also *incorrectly* picks up some ActivIdentity Tokens because the older probing of the applet/profile and gathering of potential objects within that tokend is not refined enough.  ActivIdentity (formerly ActivCard) was the author of the original CAC.  The CAC.Tokend we make available here/by Apple needs to be updated to properly handle changes in the profiles since the tokend was originally developed.

So you have two options available to you right now.  Either wait for changes we will make to correct / address this issue (which is what I would suggest) or you/others can grab the CAC.Tokend source code and make changes yourself for your systems (not exactly an ideal situation for most unless you want to get your hands dirty).

When I plug the device into the Mac (running Snow Leopard 10.6.3), the device shows up in the Keychain as a CAC-xxx entry.  I double-click the lock and it prompts me for the PIN.  I think it is unlocking because a window pops up titled “Common Access Card” with two tabs for Identification and Benefits, none of which are populated because this isn't a CAC card.  However, no certificates are displayed.  I am selecting the “All Items” category in Keychain (and My Certificates/Certificates category too) and still nothing is showing up.

The uiplugin (CACViewerPlugin) is attempting to display content that is not all there.  It is working under the premise that it thinks it is a CAC and fails to display the PIN protected contents of the card.  This too is on the plate to address with the above noted issue.

As always, we encourage folks to submit tickets on any issues they face with respect to the use of Smart Cards.  We really need to get a fair amount of content up on the wiki here that will help folks like yourself with these kinds of questions/issues.

Hope this helped.

-Shawn

[1] http://smartcardservices.macosforge.org/trac/wiki/smartcardccid
[2] http://pcsclite.alioth.debian.org/section.html
__________________________________________________
Shawn Geddis      geddis at mac.com
Security Consulting Engineer    geddis at apple.com

MacOSForge Project Lead:                           Smart Card Services
Web: http://smartcardservices.macosforge.org/
Lists: http://lists.macosforge.org/mailman/listinfo
__________________________________________________



----
Bob Colbert
DE Technologies
118 Sleepy Hollow Drive
Suite 1
Middletown, DE 19709
302-285-0354
302-285-0357 Fax
colbert at detk.net
