[SmartcardServices-Users] sc_auth "CSSMERR_DL_MISSING_VALUE" error

Shawn A. Geddis geddis at mac.com
Fri Jun 11 19:24:55 PDT 2010

It would appear that there are some key Smart Card Services concepts that you are not familiar with on Mac OS X.  Allow me to first list some key points and then try to reference your issues in the message you sent.

Smart Card Services on Mac OS X:
• 140+ CCID Smart Card Readers are supported by the CCID Class Driver
	- Driver located at:	/usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle
	- Reader Matrix:		http://pcsclite.alioth.debian.org/section.html
• Tokend Module
	- Native SmartCardServices requires corresponding Tokend for each Card Type (applet/profile) in use
	- Tokend also handles publishing the objects from the card to Keychain Access
	- Non-Tokend abstractions do not integrate with Keychain Access or native Security APIs
• A PKCS#11 Library is not provided on Mac OS X -- any installation would potentially conflict with Tokend
	- Mac OS X 10.5.6 and higher provides a "PKCS#11 Shim" on top of Tokend for use of issued cards
	- Location of PKCS#11 Shim:  /usr/libexec/SmartCardServices/pkcs11/tokendPKCS11.so
• CAC-NG Tokend is specifically for the US DoD CAC-NG profile cards (CAC / PIV)
	- Each Tokend will only work with cards of that type (applet/profile)
	- This tokend would not support any Non-CAC-NG card

Now, allow me to respond to your individual points:

> Running OS X 10.6.3, with OpenSC 0.12.0 from here:
> http://www.opensc-project.org/opensc/wiki/MacInstaller

Why ?  This is not necessary, unless you are using card types that only OpenSC provided support for.

> Using a PKCS11 Engine supplied by one of the OpenSC devs.

Then all of these questions should be asked on the OpenSC mailing list.

> Smart Card: Feitian PKI mini-SIM from gooze.eu

What applet/profile has been loaded on the SIM ?

> Smart Card Reader: SCM SCR3320

OK. Supported by the CCID Class Driver included in Mac OS X 10.5.6 and higher.

> Following the instructions here:
> http://www.gooze.eu/howto/smartcard-quickstarter-guide


> I've transferred a 2048-bit RSA private key and associated certificate to my new Smart Card.

The value of smart cards is the ability to generate the Private Keys ON the card and that they are never allowed to be removed.  

> I've modified the /etc/authorization file.

Why would you need to do any modification to the /etc/authorization file ?

> Now I'm trying to run the sc_auth script to associate a user account to my Smart Card, and receiving the following error:
>
> security: SecKeychainSearchCopyNext: CSSMERR_DL_MISSING_VALUE

This indicates an error in retrieving expected information from the card by the Tokend in use.  Since you are using OpenSC, their Tokend would be failing to access the card objects properly.

> I found the following thread at the Apple mailing lists:
> http://lists.apple.com/archives/fed-talk/2010/Feb/msg00058.html
>
> He's having an identical issue, i.e. "the card shows up in the Keychain, but none of the certificates show up and the Keychain for it can't even be unlocked."

If a Dynamic Keychain is added to the list (representing the Smart Card) and there are either no objects displayed or not all objects are displayed with respect to its contents, it means the Tokend is failing.  Either the wrong Tokend is picking up and handling your device or the appropriate Tokend is not properly coded to handle the objects on your device.

> He was advised to install CAC-NG Tokend (BETA v0.95) for Mac OS X 10.6.  Does this advice apply in my case also?

He was properly advised to install the CAC-NG, because the CAC-NG is the Smart Card Type (Applet/Profile) that was on the card he is using.  That would indicate that he was part of US DoD.  Since you could not be personally provisioning / issuing a CAC-NG card yourself (restricted to US DoD), then you do not have a CAC-NG card and would not need this particular Tokend.

If you want to use Native Mac OS X Services, you need to first determine the Applet/Profile on your device and acquire the appropriate Tokend which supports it.

If you want/need to use OpenSC for the use of your Card Type, then you would need to talk with the OpenSC folks.

Shawn Geddis				  			   geddis at mac.com
Security Consulting Engineer				   geddis at apple.com

MacOSForge Project Lead:                           Smart Card Services                                                                 
	Web:	http://smartcardservices.macosforge.org/
	Lists:	http://lists.macosforge.org/mailman/listinfo
