[SmartcardServices-Users] Issue with CAC on Snow Leopard

Paul Nelson nelson at thursby.com
Tue Nov 23 08:27:39 PST 2010


On Nov 23, 2010, at 9:15 AM, Charles Victory wrote:

> Hello,
> 
> I have a SCR3310 device and am using a GEMALTO ACCESS 64KV2 CAC. I have downloaded and installed CAC-NG (BETA v0.95)/Snow Leopard from http://smartcardservices.macosforge.org/trac/wiki/installers. I can now see my CAC certificates on the CAC Keychain where I could not before this step. That is great, however the 4 certificates I have are all showing that they have invalid issuers. When I show the certificate after evaluating it, it shows that the DoD Interoperability Root Ca 1 and DoD Root Ca 2 cannot be used due to unrecognized critical extensions. This shows up when I go to use Outlook 2011 for Mac and it will not allow me to digitally sign or encrypt my e-mail. I don’t think it is a CAC issue because when I use the CAC on my old XP PC using Outlook 2003, I am able to digitally sign and encrypt my e-mail there.
> 
> Can someone provide some insight as to what my issue may be?
> 
This is most likely due to a certificate extension being flagged as Critical, but not being understood by the Apple Security framework. It could be that your certificates have a name constraints extension flagged as critical.
I don't think Apple recognizes the name constraints, and must report that the certificate is invalid due to the critical flag.

I have reported the name constraints problem as a bug with the title "Apple PKI trust policy does not handle name constraints (RFC RFC5280)".

Here is the bug report text:

> This problem presents a denial of service security issue.
> 
> Implementations of RFC 5280 "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile" must support name constraints per section 4.2
> 
> This section states:
> 
> "At a minimum, applications conforming to this profile MUST recognize the following extensions: key usage (Section 4.2.1.3), certificate policies (Section 4.2.1.4), subject alternative name (Section 4.2.1.6), basic constraints (Section 4.2.1.9), name constraints (Section 4.2.1.10), policy constraints (Section 4.2.1.11), extended key usage (Section 4.2.1.12), and inhibit anyPolicy (Section 4.2.1.14)."
> 
> Read more: http://www.faqs.org/rfcs/rfc5280.html#ixzz0dMPhg7t9
> 
> Most new CA certificates issued by the U.S. Federal Government contain name constraints. 
> 
> For example NASA PIV cards include such certificates.  The Macintosh cannot validate such certificate chains because the name constraint is marked as critical.
> 
> Refer to http://www.idmanagement.gov/fpkia
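The rule the bug report relies on can be seen end to end with an implementation that does follow RFC 5280 section 4.2. The Go program below is an added example, not code from this thread, from Apple, or from the SmartcardServices project; it uses Go's standard crypto/x509 package, which recognises name constraints and enforces them. It builds a constructed root CA whose Name Constraints extension is marked critical and permits only mailboxes under the constructed domain agency.example, shows a permitted mailbox validating and an excluded one being rejected by the constraint, and then builds a second root carrying a critical extension under a hypothetical private OID (1.3.6.1.4.1.99999.1, assigned to nothing real) to show the other half of the rule: a critical extension the validator cannot interpret makes the whole chain unusable, which is the symptom the DoD roots produce on a validator that does not know name constraints. All names, OIDs and keys here are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Hypothetical private-arc OID standing in for an extension the validator
// does not recognise; constructed for this example, assigned to nothing real.
var oidUnknownExt = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// BuildCA issues a self-signed root whose Name Constraints extension (OID
// 2.5.29.30) is critical and permits only mailboxes under agency.example
// (constructed). With unknownCritical set it also carries a critical
// extension the parser cannot interpret, the condition the thread describes.
func BuildCA(unknownCritical bool) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:                big.NewInt(1),
		Subject:                     pkix.Name{CommonName: "Constructed Agency Root"},
		NotBefore:                   time.Now().Add(-time.Hour),
		NotAfter:                    time.Now().Add(24 * time.Hour),
		KeyUsage:                    x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid:       true,
		IsCA:                        true,
		PermittedEmailAddresses:     []string{"agency.example"},
		PermittedDNSDomainsCritical: true, // marks the whole Name Constraints extension critical
	}
	if unknownCritical {
		// Value is an ASN.1 NULL; the content does not matter, the critical flag does.
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidUnknownExt, Critical: true, Value: []byte{0x05, 0x00}}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildLeaf issues an S/MIME style end-entity certificate for one mailbox.
func BuildLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, email string) (*x509.Certificate, error) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(2),
		Subject:        pkix.Name{CommonName: "Constructed user"},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
		EmailAddresses: []string{email},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CriticalExtensions lists every critical extension OID in cert and, separately,
// the critical ones the parser did not understand. RFC 5280 section 4.2 requires
// a validator to reject a certificate with anything in the second list.
func CriticalExtensions(cert *x509.Certificate) (critical, unhandled []string) {
	for _, ext := range cert.Extensions {
		if ext.Critical {
			critical = append(critical, ext.Id.String())
		}
	}
	for _, id := range cert.UnhandledCriticalExtensions {
		unhandled = append(unhandled, id.String())
	}
	return critical, unhandled
}

// VerifyEmailChain validates leaf against root for S/MIME use.
func VerifyEmailChain(leaf, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	return err
}

// IsNameConstraintViolation: the chain was understood and a constraint rejected it.
func IsNameConstraintViolation(err error) bool {
	var inv x509.CertificateInvalidError
	if errors.As(err, &inv) {
		return inv.Reason == x509.CANotAuthorizedForThisName
	}
	return err != nil && strings.Contains(err.Error(), "not authorized to sign for this name")
}

// IsUnhandledCriticalExtension: the validator gave up because it could not interpret an extension.
func IsUnhandledCriticalExtension(err error) bool {
	var u x509.UnhandledCriticalExtension
	return errors.As(err, &u) || (err != nil && strings.Contains(err.Error(), "unhandled critical extension"))
}

func main() {
	root, rootKey, _ := BuildCA(false)
	inside, _ := BuildLeaf(root, rootKey, "alice@agency.example")
	outside, _ := BuildLeaf(root, rootKey, "mallory@other.example")
	crit, _ := CriticalExtensions(root)
	fmt.Println("critical on root:", crit)
	fmt.Println("permitted mailbox:", VerifyEmailChain(inside, root))
	fmt.Println("excluded mailbox:", VerifyEmailChain(outside, root))
	odd, oddKey, _ := BuildCA(true)
	_, unhandled := CriticalExtensions(odd)
	leaf, _ := BuildLeaf(odd, oddKey, "alice@agency.example")
	fmt.Println("unhandled on second root:", unhandled, "verify:", VerifyEmailChain(leaf, odd))
}
```

The two classifier functions separate the two outcomes a troubleshooter needs to tell apart: a constraint that was understood and applied (the mailbox is outside what the CA may sign for, which is the designed behaviour of name constraints) versus a validator that refused the chain because it could not interpret a critical extension at all (the failure the poster sees on Snow Leopard, where even a perfectly conforming certificate is unusable). Running CriticalExtensions over a real CA certificate, with the unhandled list empty, is the quick check that a given parser recognises everything the issuer marked critical.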

