[SmartcardServices-Users] Cannot use my Yubikey Neo

Blumenthal, Uri - 0558 - MITLL uri at ll.mit.edu
Tue Mar 3 13:40:40 PST 2015


>>The pcsctest command succeeds in printing my card's ATR and can connect
>>to my yubikey.

Likewise.

>> 
>> I then deinstalled opensc using homebrew and updated the system to
>>10.9.5
>> 
>> I then installed SmartCard Services from
>>http://smartcardservices.macosforge.org and from it the PIV.tokend only.
>>But even after a reboot I got the same error message and my yubikey is
>>not visible in the Keychain.

I removed PIV.tokend manually.

>> 
>> So it is not really just plug it in and it works. I also checked the
>>.plist file mentioned before and it seems that the yubikey is already
>>whitelisted there.
>
>Combining the above with what Uri said, it sounds like you ought to
>
>1) Install 10.9.x
>2) Install SmartCard Services

I used http://smartcardservices.macosforge.org/trac/wiki/installers

>3) Move the PIV.tokend out of the way.
>4) Install OpenSC

I used Ridley’s pointer:
https://github.com/OpenSC/OpenSC.tokend


This process gets NEO recognized if previous step (4) is done, but (a) it
cannot unlock the NEO (it prompts for the PIN and accepts it, but nothing
happens as a result), and (b) it loses the ability to unlock CAC as CAC
now gets served by the same OpenSC.tokend.

>5) Reboot.

Are you sure it is needed? I get my NEO recognized just by installing
OpenSC.tokend (I tried the one that comes with the binary OpenSC-0.14.dmg
distribution, and recompiling it from scratch using sources from github),
but it is not unlock-able in Keychain.

It still works with CLI tools. Any help

$ pkcs11-tool --module /Library/OpenSC/lib/opensc-pkcs11.so -L
Available slots:
Slot 0 (0xffffffffffffffff): Virtual hotplug slot
  (empty)
Slot 1 (0x1): SCM SCR 3310 00 00
  token label        : PIV_II (PIV Card Holder pin)
  token manufacturer : piv_II
  token model        : PKCS#15 emulated
  token flags        : rng, login required, PIN initialized, token initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : xxxxxxxxxxxxxxx
Slot 2 (0x5): Yubico Yubikey NEO OTP+U2F+CCID 01 00
  token label        : PIV_II (PIV Card Holder pin)
  token manufacturer : piv_II
  token model        : PKCS#15 emulated
  token flags        : rng, login required, PIN initialized, token initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : xxxxxxxxxxxxxxxx

$ pkcs11-tool --module /Library/OpenSC/lib/opensc-pkcs11.so --slot-index 2 --pin xxxxxx -m ECDSA-SHA1 --sign -i ~/test-hash.bin -o ~/test-sign.bin
Using slot with index 2 (0x5)
Using signature algorithm ECDSA-SHA1
$



Trying to use Keychain, I’m getting a bunch of these (about 16 per second,
about every 4 minutes) in the log:

3/3/15 4:24:34.283 PM launchservicesd[102]: Application App:"Keychain Access" asn:0x0-80080 pid:41790 refs=7 @ 0x7ffcb8718750 tried to be brought forward, but isn't in fPermittedFrontApps ( ( "LSApplication:0x0-0x81081 pid=41894 "SecurityAgent"")), so denying. : LASSession.cp #1481 SetFrontApplication() q=LSSession 100006/0x186a6 queue
3/3/15 4:24:34.284 PM WindowServer[154]: [cps/setfront] Failed setting the front application to Keychain Access, psn 0x0-0x80080, securitySessionID=0x186a6, err=-13066
3/3/15 4:24:34.289 PM secd[683]:  SecErrorGetOSStatus unknown error domain: com.apple.security.sos.error for error: The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)
3/3/15 4:24:34.289 PM secd[683]:  securityd_xpc_dictionary_handler Keychain Access[41790] DeviceInCircle The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)
……… 




