<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px;"><span id="OLK_SRC_BODY_SECTION" style="font-family: Calibri, sans-serif;"><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"><div><div><div class="BodyFragment"><font size="2"><span style="font-size:10pt;"><div class="PlainText">I assume this is all on some MacOS. </div></span></font></div></div></div></blockquote></span><div style="font-family: Calibri, sans-serif;"><br></div><div style="font-family: Calibri, sans-serif;">I don’t know, probably not.</div><div style="font-family: Calibri, sans-serif;"><br></div><span id="OLK_SRC_BODY_SECTION" style="font-family: Calibri, sans-serif;"><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"><div><div><div class="BodyFragment"><font size="2"><span style="font-size:10pt;"><div class="PlainText">Which version are you using? </div></span></font></div></div></div></blockquote></span><div style="font-family: Calibri, sans-serif;"><br></div><div style="font-family: Calibri, sans-serif;">I’m using Mavericks 10.9.5. Can’t move to Yosemite yet due to certain incompatibilities and code signing issues it sports.</div><div style="font-family: Calibri, sans-serif;"><br></div><span id="OLK_SRC_BODY_SECTION" style="font-family: Calibri, sans-serif;"><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"><div><div><div class="BodyFragment"><font size="2"><span style="font-size:10pt;"><div class="PlainText">IIUC support for Yubikey was officially added in Yosemite. I didn’t mention it because I thought Thomas was using Yosemite, but I see it’s Mavericks. 
Oops.</div></span></font></div></div></div></blockquote></span><div style="font-family: Calibri, sans-serif;"><br></div><div style="font-family: Calibri, sans-serif;">:-)</div><div style="font-family: Calibri, sans-serif;"><br></div><div style="font-family: Calibri, sans-serif;">As I said, tools such as “piv-tool” do find the card and can talk to it. But Keychain doesn’t/cannot, nor can Apple Mail…</div><div style="font-family: Calibri, sans-serif;"><br></div><span id="OLK_SRC_BODY_SECTION" style="font-family: Calibri, sans-serif;"><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"><div><div><div class="BodyFragment"><font size="2"><span style="font-size:10pt;"><div class="PlainText"><span style="font-size: 10pt;">Prior to that you need to manually add the Yubikey to the whitelist for the smart card stuff to work. It appears the relevant plist hasn’t changed in a long time. Here’s the patch file I got for, I think, Snow Leopard.</span></div></span></font></div></div></div></blockquote></span><div style="font-family: Calibri, sans-serif;"><br></div><div style="font-family: Calibri, sans-serif;">It looks like my copy of that Info.plist whitelists all the Yubikey configurations:</div><div style="font-family: Calibri, sans-serif;"><br></div><div><font face="Courier">…..</font></div><div><div><font face="Courier"><span class="Apple-tab-span" style="white-space:pre">        </span><key>ifdVendorID</key></font></div><div><font face="Courier"><span class="Apple-tab-span" style="white-space:pre">        </span><array></font></div><div><font face="Courier"><span class="Apple-tab-span" style="white-space:pre">                </span><string>0x1050</string></font></div><div><font face="Courier"><span class="Apple-tab-span" style="white-space:pre">                </span><string>0x1050</string></font></div><div><font face="Courier"><span class="Apple-tab-span" style="white-space:pre">                
</span><string>0x1050</string></font></div><div><font face="Courier"><span class="Apple-tab-span" style="white-space:pre">                </span><string>0x1050</string></font></div><div><font face="Courier"><span class="Apple-tab-span" style="white-space:pre">                </span><string>0x08E6</string></font></div></div><div><font face="Courier">……</font></div><div><div><font face="Courier"><span class="Apple-tab-span" style="white-space:pre">        </span><key>ifdProductID</key></font></div><div><font face="Courier"><span class="Apple-tab-span" style="white-space:pre">        </span><array></font></div><div><font face="Courier"><span class="Apple-tab-span" style="white-space:pre">                </span><string>0x0116</string></font></div><div><font face="Courier"><span class="Apple-tab-span" style="white-space:pre">                </span><string>0x0115</string></font></div><div><font face="Courier"><span class="Apple-tab-span" style="white-space:pre">                </span><string>0x0112</string></font></div><div><font face="Courier"><span class="Apple-tab-span" style="white-space:pre">                </span><string>0x0111</string></font></div><div><font face="Courier"><span class="Apple-tab-span" style="white-space:pre">                </span><string>0x2202</string></font></div></div><div><font face="Courier">……</font></div><div><div><font face="Courier"><span class="Apple-tab-span" style="white-space:pre">        </span><key>ifdFriendlyName</key></font></div><div><font face="Courier"><span class="Apple-tab-span" style="white-space:pre">        </span><array></font></div><div><font face="Courier"><span class="Apple-tab-span" style="white-space:pre">                </span><string>Yubico Yubikey NEO OTP+U2F+CCID</string></font></div><div><font face="Courier"><span class="Apple-tab-span" style="white-space:pre">                </span><string>Yubico Yubikey NEO U2F+CCID</string></font></div><div><font face="Courier"><span class="Apple-tab-span" 
style="white-space:pre">                </span><string>Yubico Yubikey NEO CCID</string></font></div><div><font face="Courier"><span class="Apple-tab-span" style="white-space:pre">                </span><string>Yubico Yubikey NEO OTP+CCID</string></font></div><div><font face="Courier"><span class="Apple-tab-span" style="white-space:pre">                </span><string>Gemplus Gem e-Seal Pro</string></font></div></div><div><font face="Courier">……</font></div><div style="font-family: Calibri, sans-serif;"><br></div><div style="font-family: Calibri, sans-serif;"><br></div><div style="font-family: Calibri, sans-serif;"><br></div><span id="OLK_SRC_BODY_SECTION" style="font-family: Calibri, sans-serif;"><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"><div><div><div class="BodyFragment"><font size="2"><span style="font-size:10pt;"><div class="PlainText"><span style="font-size: 10pt;">On Feb 26, 2015, at 12:45 PM, Blumenthal, Uri - 0558 - MITLL <</span><a href="mailto:uri@ll.mit.edu" style="font-size: 10pt;">uri@ll.mit.edu</a><span style="font-size: 10pt;">> wrote:</span></div></span></font></div><div class="BodyFragment"><font size="2"><span style="font-size:10pt;"><div class="PlainText"><br>
> I can add that I seem to have a fully-configured Yubikey NEO card with<br>
> both OpenPGP and PIV applets loaded and provisioned - and Keychain refuses<br>
> to detect/recognize it.<br>
> <br>
> Here’s some output from OpenSC tools (I’d be happy to provide more if<br>
> needed, of course):<br>
> <br>
> $ piv-tool -vn<br>
> Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID 00 00<br>
> Connecting to card in reader Yubico Yubikey NEO OTP+U2F+CCID 00 00...<br>
> Using card driver PIV-II for multiple cards.<br>
> Card name: PIV-II card<br>
> $ pkcs15-tool --list-certificates<br>
> Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID 00 00<br>
> X.509 Certificate [Certificate for Digital Signature]<br>
> Object Flags : [0x0]<br>
> Authority : no<br>
> Path :<br>
> ID : 02<br>
> Encoded serial : 02 02 06C9<br>
> X.509 Certificate [Certificate for Key Management]<br>
> Object Flags : [0x0]<br>
> Authority : no<br>
> Path :<br>
> ID : 03<br>
> Encoded serial : 02 02 06C8<br>
> $<br>
> <br>
> <br>
> Firefox was able to see the NEO, and the certs on it.<br>
> <br>
> P.S. My setup works fine with CAC.<br>
> -- <br>
> Regards,<br>
> Uri Blumenthal Voice: (781) 981-1638<br>
> <br>
> <br>
> <br>
> On 2/26/15, 14:43 , "Henry B (Hank) Hotz, CISSP" <<a href="mailto:hotz@2ndquadrant.com">hotz@2ndquadrant.com</a>><br>
> wrote:<br>
> <br>
>> Hmmm. I was hoping someone else would take this one. My experiments<br>
>> didn’t go about it the “official way” like yours, and it was an older<br>
>> version of the applet to boot.<br>
>> <br>
>> Before I say “real” debugging is needed, can you try 1) reading it on a<br>
>> Debian Linux system, and 2) maybe loading the key/cert with the piv-tool<br>
>> from opensc?<br>
>> <br>
>> If you need to go farther, there are tools for dumping the USB messages,<br>
>> and it would probably be more productive if you went back to Yubico for<br>
>> support. The guy who wrote the PIV applet for them is Klas Lindfors, I<br>
>> believe. (I can give you his direct email and an introduction if needed.)<br>
>> Please keep me, or this list posted on how you get this resolved.<br>
>> <br>
>> On Feb 17, 2015, at 12:41 PM, Thomas Westfeld <<a href="mailto:westfeld@mac.com">westfeld@mac.com</a>> wrote:<br>
>> <br>
>>>> On Feb 1, 2015, at 1:50 PM, Thomas Westfeld <<a href="mailto:westfeld@mac.com">westfeld@mac.com</a>> wrote:<br>
>>>> <br>
>>>>> Hello everyone,<br>
>>>>> <br>
>>>>> I am the proud owner of a new Yubikey NEO, firmware 3.3.0, with CCID mode<br>
>>>>> enabled.<br>
>>>>> <br>
>>>>> I am having problems getting it to work, e.g. showing the<br>
>>>>> certificates of the yubikey in my keychain. I have installed the<br>
>>>>> latest Smartcard services for Mac OS 10.9 on my MacBook Air with PIV<br>
>>>>> tokend installed. I am currently running 10.9.5 on it.<br>
>>>>> <br>
>>>>> First of all, when I attach the yubikey, my console shows the<br>
>>>>> following:<br>
>>>>> <br>
>>>>> 01.02.15 22:44:08,127 UserEventAgent[11]: assertion failed: 13F34:<br>
>>>>> com.apple.telemetry + 16493 [AE0C3032-1747-317E-9871-E26B5B6B0120]:<br>
>>>>> 0xffffffffe00002ed<br>
>>>>> 01.02.15 22:44:08,803 com.apple.SecurityServer[15]: Token reader<br>
>>>>> Yubico Yubikey NEO OTP+CCID 00 00 inserted into system<br>
>>>>> 01.02.15 22:44:09,207 com.apple.SecurityServer[15]: token in reader<br>
>>>>> Yubico Yubikey NEO OTP+CCID 00 00 cannot be used (error 229)<br>
>>>>> <br>
>>>>> That does not sound too good. I then restarted the pcscd with the<br>
>>>>> --debug and --apdu flags and reattached the yubikey. This is the lengthy<br>
>>>>> output shown at the end of the post.<br>
>>>>> <br>
>>>>> Now my noob question: what can I do next? It does not seem to work, or<br>
>>>>> am I missing something here?<br>
>>>> <br>
>>>> Without spending some time with 800-73, I can’t interpret the detailed<br>
>>>> dump. <br>
>>>> <br>
>>>> Let me ask you this: Have you actually gone through the<br>
>>>> initialization/provisioning steps to create a PIV container on the<br>
>>>> Yubikey? I assume it still comes blank from the factory, so there would<br>
>>>> not be any “token” in the “reader” for the software to connect with<br>
>>>> until you create one. They have some free utilities for the purpose,<br>
>>>> and there should have been a cheat-sheet in the box telling you how to<br>
>>>> do it.<br>
>>>> <br>
>>>> --<br>
>>>> Henry B. (Hank) Hotz, CISSP <a href="http://www.2ndQuadrant.com/">http://www.2ndQuadrant.com/</a><br>
>>>> PostgreSQL Development, 24x7 Support, Training & Services<br>
>>>> <br>
>>> <br>
>>> On 09.02.2015 at 03:15, Henry B (Hank) Hotz, CISSP<br>
>>> <<a href="mailto:hotz@2ndquadrant.com">hotz@2ndquadrant.com</a>> wrote:<br>
>>> <br>
>>> First of all, thanks for your reply. It took me some time to have a<br>
>>> look in more detail. First I used the yubikey NEO manager to activate<br>
>>> the PIV applet on the NEO. I then took the following steps:<br>
>>> <br>
>>> 1. generate private key and self-signed certificate using openssl:<br>
>>> # openssl req -x509 -nodes -newkey rsa:2048 -keyout key.pem -out<br>
>>> cert.pem -days 365<br>
>>> <br>
>>> 2. convert key and cert into p12 file<br>
>>> # openssl pkcs12 -export -out cert.p12 -inkey key.pem -in cert.pem<br>
>>> <br>
>>> 3. use homebrew to install yubico-piv-tool and opensc<br>
>>> <br>
>>> 4. use yubico-piv-tool to load the private key and the cert into<br>
>>> the NEO<br>
>>> # yubico-piv-tool -s 9c -i cert.p12 -K PKCS12 -p 123 -a set-chuid -a<br>
>>> import-key -a import-cert<br>
>>> Successfully set new CHUID.<br>
>>> Successfully imported a new private key.<br>
>>> Successfully imported a new certificate.<br>
>>> <br>
>>> This at first sounds promising, however I get the very same error<br>
>>> messages and the yubikey PIV module does not appear in Keychain.<br>
>>> <br>
>>> Am I missing anything?<br>
>>> Thanks in advance.<br>
>> <br>
>> --<br>
>> Henry B. (Hank) Hotz, CISSP <a href="http://www.2ndQuadrant.com/">http://www.2ndQuadrant.com/</a><br>
>> PostgreSQL Development, 24x7 Support, Training & Services<br>
>> <br>
>> _______________________________________________<br>
>> SmartcardServices-Users mailing list<br>
>> <a href="mailto:SmartcardServices-Users@lists.macosforge.org">SmartcardServices-Users@lists.macosforge.org</a><br>
>> <a href="https://lists.macosforge.org/mailman/listinfo/smartcardservices-users">
https://lists.macosforge.org/mailman/listinfo/smartcardservices-users</a><br>
--<br>
Henry B. (Hank) Hotz, CISSP <a href="http://www.2ndQuadrant.com/">http://www.2ndQuadrant.com/</a><br>
PostgreSQL Development, 24x7 Support, Training & Services<br><br></div></span></font></div></div></div></blockquote></span></body></html>
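The thread turns on whether the YubiKey's USB vendor/product ID pair is present in the CCID driver's Info.plist whitelist. The following script is an added example, not code from the thread or from Yubico/Apple: it parses a constructed plist built from the vendor and product IDs quoted above and checks that a given VID:PID pair is listed. It assumes, as libccid's Info.plist is laid out, that ifdVendorID, ifdProductID and ifdFriendlyName are parallel, index-aligned arrays, so a hand-edited whitelist whose arrays differ in length is reported as an error rather than silently mispairing entries; the 0x1234 reader added in the usage is a placeholder, not a real device.

```python
import plistlib

# Constructed sample modelled on the CCID Info.plist fragment quoted in the thread.
# Assumption: the three keys are parallel, index-aligned arrays (libccid layout).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ifdVendorID</key>
    <array>
        <string>0x1050</string>
        <string>0x1050</string>
        <string>0x1050</string>
        <string>0x1050</string>
        <string>0x08E6</string>
    </array>
    <key>ifdProductID</key>
    <array>
        <string>0x0116</string>
        <string>0x0115</string>
        <string>0x0112</string>
        <string>0x0111</string>
        <string>0x2202</string>
    </array>
    <key>ifdFriendlyName</key>
    <array>
        <string>Yubico Yubikey NEO OTP+U2F+CCID</string>
        <string>Yubico Yubikey NEO U2F+CCID</string>
        <string>Yubico Yubikey NEO CCID</string>
        <string>Yubico Yubikey NEO OTP+CCID</string>
        <string>Gemplus Gem e-Seal Pro</string>
    </array>
</dict>
</plist>
"""

KEYS = ("ifdVendorID", "ifdProductID", "ifdFriendlyName")


def whitelisted_readers(plist_bytes):
    """Return (vid, pid, name) triples from the whitelist, IDs as ints.

    Raises ValueError when a key is missing or the arrays differ in length:
    a misaligned hand edit pairs the wrong product/name with a vendor ID.
    """
    doc = plistlib.loads(plist_bytes)
    try:
        vids, pids, names = (doc[k] for k in KEYS)
    except KeyError as e:
        raise ValueError("missing whitelist key %s" % e)
    if not (len(vids) == len(pids) == len(names)):
        raise ValueError("parallel arrays differ in length: %d/%d/%d"
                         % (len(vids), len(pids), len(names)))
    return [(int(v, 16), int(p, 16), n) for v, p, n in zip(vids, pids, names)]


def is_whitelisted(plist_bytes, vid, pid):
    """True if the vendor/product pair appears at the same index in both arrays."""
    return any(v == vid and p == pid for v, p, _ in whitelisted_readers(plist_bytes))


def add_reader(plist_bytes, vid, pid, name):
    """Return a new plist with the reader appended to all three arrays at once,
    so they stay index-aligned (the kind of edit the thread's patch file makes).
    """
    if is_whitelisted(plist_bytes, vid, pid):
        return plist_bytes
    doc = plistlib.loads(plist_bytes)
    doc["ifdVendorID"].append("0x%04X" % vid)
    doc["ifdProductID"].append("0x%04X" % pid)
    doc["ifdFriendlyName"].append(name)
    return plistlib.dumps(doc)


if __name__ == "__main__":
    for vid, pid, name in whitelisted_readers(SAMPLE_PLIST):
        print("%04x:%04x  %s" % (vid, pid, name))
    # The NEO OTP+U2F+CCID configuration from the piv-tool output above.
    print("NEO OTP+U2F+CCID whitelisted:", is_whitelisted(SAMPLE_PLIST, 0x1050, 0x0116))
    # Placeholder reader (0x1050:0x1234 is not a real device) appended to all arrays.
    patched = add_reader(SAMPLE_PLIST, 0x1050, 0x1234, "Placeholder reader")
    print("placeholder whitelisted after patch:", is_whitelisted(patched, 0x1050, 0x1234))
```

To use it against a real driver bundle, read the bytes of the CCID driver's Info.plist and pass them in place of SAMPLE_PLIST; the VID:PID to look for is the one the system reports for the inserted token (the reader name in the SecurityServer log, "Yubico Yubikey NEO OTP+CCID", corresponds to the 0x1050:0x0111 entry in the quoted fragment).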