[SmartcardServices-Users] sc_auth "CSSMERR_DL_MISSING_VALUE" error

fakesexnoises fakesexnoises at googlemail.com
Mon Jun 14 05:15:32 PDT 2010


Hi,

I'll respond in kind, point by point.

On 12 Jun 2010, at 03:24, Shawn A. Geddis wrote:

> It would appear that there are some key Smart Card Services concepts that you are not familiar with on Mac OS X.

More than a few, to be honest.  I'm coming at this as a complete layman, albeit one with a strong interest in implementing security on an OS X-based computer.

> Allow me to first list some key points and then try to reference your issues in the message you sent.

<snip>

Useful info here, thank you.

> Now, allow me to respond to our individual points:
> 
>> Running OS X 10.6.3, with OpenSC 0.12.0 from here:
>> http://www.opensc-project.org/opensc/wiki/MacInstaller
> 
> Why ?  This is not necessary, unless you are using card types that only OpenSC provided support for.

My ultimate aim was to source and provide a cost-effective, single-use (I believe that's the term) Smart Card for a family member who has memory problems, is new to OS X and uses a laptop for business outwith the home.  The cheapest OS X-compatible middleware/Smart Card/reader solution I could find was roughly £100 (Charismathic's Plug 'n' Crypt) - hence I elected to go for the OpenSC/Feitian PKI/CCID-compatible mini-SIM reader solution, at only £30.

> 
>> Using a PKCS11 Engine supplied by one of the OpenSC devs.
> 
> Then all of these questions should be asked on the OpenSC mailing list.

As this was an error in sc_auth, a native OS X component, I wasn't sure it was their problem.  As you indicated, I'm not exactly au fait with the subject at hand.

> 
>> Smart Card: Feitian PKI mini-SIM from gooze.eu
> 
> What applet/profile has been loaded on the SIM ?

Feitian do not offer middleware for OS X.  The card was initialized with OpenSC using PKCS#15, and keys generated with PKCS#11.

> 
>> Smart Card Reader: SCM SCR3320
> 
> OK. Supported by the CCID Class Driver included in Mac OS X 10.5.6 and higher.
> 
>> Following the instructions here:
>> 
>> http://www.gooze.eu/howto/smartcard-quickstarter-guide
>> 
>> I've transferred a 2048-bit RSA private key and associated certificate to my new Smart Card.
> 
> The value of smart cards is the ability to generate the Private Keys ON the card and that they are never allowed to be removed.

I tend to agree with the opinion that, whilst that is a strong benefit, it is somewhat flawed in that, should the token be lost/damaged, the Private Key cannot be retrieved - if it was used to encrypt email (which I believe can be a function of a Private Key on a Smart Card) the associated encrypted email would be irretrievable also.  So, I elected to generate the key locally in software and transfer it over using PKCS#15.

> 
>> I've modified the /etc/authorization file.
> 
> Why would you need to do any modification to the /etc/authorization file ?

I was led to believe it was necessary to activate Smart Card login on OS X 10.4+.  Apple provide a comprehensive document on this matter with step-by-step instructions.

> 
> 
>> Now I'm trying to run the sc_auth script to associate a user account to my Smart Card, and receiving the following error:
>> 
>> security: SecKeychainSearchCopyNext: CSSMERR_DL_MISSING_VALUE
> 
> This indicates an error in retrieving expected information from the card by the Tokend in use.  Since you are using OpenSC, their Tokend would be failing to access the card objects properly.

Aha.  Ok.

> 
> 
>> I found the following thread at the Apple mailing lists:
>> 
>> http://lists.apple.com/archives/fed-talk/2010/Feb/msg00058.html
>> 
>> He's having an identical issue, i.e. "the card shows up in the Keychain, but none of the certificates show up and the Keychain for it can't even be unlocked."
> 
> If a Dynamic Keychain is added to the list (representing the Smart Card) and there are either no objects displayed or not all objects are displayed with respect to its contents, it means the Tokend is failing.  Either the wrong Tokend is picking up and handling your device or the appropriate Tokend is not properly coded to handle the objects on your device.

Aha. Ok.  Then, as you say, the problem lies with OpenSC's Tokend.  As it so happens, yesterday I re-attempted the sc_auth procedure, and this time it worked.  Keychain Access also began correctly reporting the Private Key and Certificate.  I can think of no changes I made that would have produced this new result.  I was hands-off while I waited for responses from Mailing Lists that would inform my next step.

> 
>> He was advised to install CAC-NG Tokend (BETA v0.95) for Mac OS X 10.6.  Does this advice apply in my case also?
> 
> He was properly advised to install the CAC-NG, because the CAC-NG is the Smart Card Type (Applet/Profile) that was on the card he is using.  That would indicate that he was part of US DoD.  Since you could not be personally provisioning / issuing a CAC-NG card yourself (restricted to US DoD), then you do not have a CAC-NG card and would not need this particular Tokend.

I've now satisfied myself that the four Tokends provided with OS X are all proprietary, governmental standards unavailable for use by the general public.  When I sent my OP, I knew that CAC was a US Federal standard, but I was unsure whether or not the CAC-NG installer might include additional software that might improve my situation.

> 
> If you want to use Native Mac OS X Services, you need to first determine the Applet/Profile on your device and acquire the appropriate Tokend which supports it.
> 
> If you want/need to use OpenSC for the use of your Card Type, then you would need to talk with the OpenSC

You've helped clarify a few things for me.  I'm beginning to understand that affordable, single-use solutions of the type I'm looking for are few and far-between.  Smart Cards are not, on the whole, expected to be used by domestic consumers such as myself.

Thanks for the comprehensive reply.  You've been a great help.

Kind regards,

S.

PS: I'll take myself off this mailing list now, and concentrate on communicating with the OpenSC folks now. Ta.