[Tokend-Dev] Cannot use tokend with loginwindow on 10.6

Jean-Charles BERTIN jc.bertin at axinoe.com
Fri Dec 4 13:13:21 PST 2009


Hi!

With our tokend compiled for x86_64 on 10.6, we are unable to use it
for authentication with loginwindow. The loginwindow recognizes the
tokend since it shows the right user and prompts us to enter the PIN
code. However the loginwindow always shakes after entering it.


Here is the sc_auth output used for linking the user to the
certificate on the smartcard:

$sc_auth hash
3A941BBD2D9CD73F6D83A5808B8250E318740EEA Test User's Axinoe CA SMIME ID
CB0044788246DA3F09763A0A298325334081274F com.apple.systemdefault
988A5041EA0A9E8C62BE2EA20DB49324D3A8EB56 com.apple.kerberos.kdc
CB0044788246DA3F09763A0A298325334081274F com.apple.systemdefault
988A5041EA0A9E8C62BE2EA20DB49324D3A8EB56 com.apple.kerberos.kdc
$sc_auth list -u test_user
3A941BBD2D9CD73F6D83A5808B8250E318740EEA

Of course the smartcard has the private key for this certificate.


I traced the security logs to see what happens; maybe the credentials
sent by the smartcard-sniffer to the authenticate mechanism are wrong.


tokendb 0x100305010 authenticate calling validate
preauth using state 1 at 0x10032aa00
notify 0x100223560 notification created domain 0x1 event 2 seq 4294967296
schedq 0x100227b40 (1259947209.000) scheduled before 0x100215118
notify 0x100223560 notification done domain 0x1 event 2 seq 4294967296
tokendb 0x100305010 updating PIN1 state response
tokendb returning isLocked=0
agentclient got setResult at port 19971; result 0
AuthEvalMech evaluate(builtin:smartcard-sniffer,privileged) with result: 0.
schedq event 0x100227b40 unscheduled
schedq event 0x100227b40 delivered at 1259947209.000
notify Posted notification to clients.
adhoc Callback was called 6 times.
agentclient got setResult at port 21507; result 0
AuthEvalMech evaluate(loginwindow:login) with result: 0.
agentclient got setResult at port 23059; result 0
AuthEvalMech evaluate(builtin:reset-password,privileged) with result: 0.
agentclient got setResult at port 24323; result 0
AuthEvalMech evaluate(builtin:auto-login,privileged) with result: 0.
tokendb 0x100305010 updating PIN1 state response
tokendb returning isLocked=0
tokenacl 0x1002282e8 loading ACLs from tokend
preauth using state 1 at 0x10032aa00
handleobj create 0x32f9c4 for 0x10032f960
tokenacl 0x10032fa08 loading ACLs from tokend
agentclient got setResult at port 24835; result 1
AuthEvalMech evaluate(builtin:authenticate,privileged) with result: 1.
SSauth Authorization 0x100328b60 returning copy of context (null).

Maybe there are some checks added to verify the purpose of the
certificate. Here is the content of the certificate used:


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5 (0x5)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=FR, ST=Rhone, L=Lyon, O=Axinoe, OU=Axinoe Certification, CN=Axinoe CA SMIME/emailAddress=ca at axinoe.com
        Validity
            Not Before: Oct 10 08:05:41 2008 GMT
            Not After : Oct 10 08:05:41 2033 GMT
        Subject: C=FR, ST=Rhone, L=Lyon, O=Axinoe, OU=Axinoe Certification, CN=Test User/emailAddress=test at axinoe.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:c1:e2:a5:5a:8e:62:a0:27:03:3f:bf:18:e4:c4:
                    de:89:a9:13:92:c5:e7:14:6c:de:e1:91:f0:1c:07:
                    4e:e6:36:2d:ad:31:84:ca:2d:69:b9:b9:2e:17:ea:
                    c5:b3:26:d7:33:25:4e:a5:f7:41:7e:67:2b:b2:a5:
                    cb:49:a2:67:a5:5b:d4:2e:c1:16:a7:7f:1a:0f:43:
                    3d:e8:c6:9c:00:07:4a:d2:4b:0d:6b:3a:e0:d2:db:
                    48:9e:e0:c1:84:f7:4f:f5:58:50:70:c6:23:db:2b:
                    2b:35:6e:d2:ec:e9:b9:71:55:0a:cc:ac:8e:76:44:
                    16:99:e8:a6:6b:dd:0a:a7:53:3d:b6:c3:67:01:1b:
                    76:9b:bf:f2:a8:a9:b7:83:6b:f7:83:c4:18:14:a1:
                    be:8c:58:93:ef:b9:c2:52:b2:5d:b5:dc:d8:dd:a3:
                    e0:ee:88:77:52:89:97:f7:78:0e:fb:d1:cd:a9:83:
                    32:1d:32:73:5f:13:86:92:74:17:57:fd:3b:f4:b0:
                    0c:93:a7:c7:93:c9:c9:74:21:fa:16:5e:5b:0e:ca:
                    63:05:eb:f6:a6:44:fc:e3:91:07:3a:4d:f6:91:b0:
                    57:83:2e:89:8e:bb:d4:5f:c6:18:e0:40:1c:bc:c3:
                    5e:5a:bb:0f:f7:d9:d7:c0:2f:5a:0d:7d:13:7f:39:
                    32:8f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE, pathlen:0
            Netscape Cert Type: 
                S/MIME
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage: 
                E-mail Protection
            Netscape Comment: 
                OpenSSL Generated SMIME Certificate
            X509v3 Subject Key Identifier: 
                3A:94:1B:BD:2D:9C:D7:3F:6D:83:A5:80:8B:82:50:E3:18:74:0E:EA
            X509v3 Authority Key Identifier: 
                keyid:87:88:33:16:B1:E5:22:BC:B1:B1:9D:74:DA:69:1A:45:57:F2:D4:4C
                DirName:/C=FR/ST=Rhone/L=Lyon/O=Axinoe/OU=Axinoe Certification/emailAddress=ca at axinoe.com/CN=Axinoe CA Root
                serial:01

            X509v3 Subject Alternative Name: 
                email:test at axinoe.com
    Signature Algorithm: sha1WithRSAEncryption
        c3:3c:08:4e:8b:e5:37:8c:d5:b8:bd:d5:4b:36:51:c9:8b:ad:
        0a:b8:56:62:0e:34:45:4c:ee:d4:33:a8:07:56:79:7b:67:0e:
        0a:8f:4a:34:7a:63:d3:8e:8d:49:b1:97:f4:e1:47:d9:de:a7:
        f2:0d:d2:6b:63:20:49:79:7b:c6:db:a2:9c:5e:ee:25:85:d8:
        fe:4c:e6:27:ef:b8:8c:8a:e3:f4:07:d3:1e:fb:fb:09:20:5c:
        b8:3d:6f:56:c7:c6:42:10:42:ae:fe:f5:35:c7:8b:a4:08:73:
        ed:85:51:86:01:9a:18:72:aa:38:ba:00:05:fb:5f:9f:4f:d2:
        0a:d8:01:d8:df:49:9b:15:4f:00:5e:07:df:15:98:b2:11:f5:
        04:6c:ba:a7:cb:dd:ef:7f:3f:fd:45:58:1b:93:fb:20:84:c1:
        07:df:62:38:42:50:89:7d:0a:c4:77:8e:af:38:82:0d:e8:b3:
        cc:ac:b4:d7:16:b6:0f:a4:23:dd:fb:5f:6a:16:a9:d7:16:b9:
        3e:e5:ef:67:c3:8e:43:7e:b3:95:34:50:c0:3c:b2:ab:e6:5c:
        5f:e1:db:13:55:15:1b:1c:72:f7:56:4a:8c:e8:d3:8f:00:62:
        4a:18:7e:e8:63:08:4a:b0:02:4c:b6:60:55:ba:67:ca:41:3c:
        2d:fe:28:6b


-- 
Jean-Charles BERTIN
Axinoe - Software Engineer
Tel.: (+33) (0)1.80.82.59.23
Fax : (+33) (0)1.80.82.59.29
Skype: jcbertin
Web: <http://www.axinoe.com/>
Certificate Authority: <https://ca.axinoe.com/axinoe-root.crt>
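Added example, not part of the post or of the tokend project: two small triage helpers written against the text shown above. The first picks the failing mechanism out of the AuthEvalMech lines of the security trace; the second parses the extension section of an "openssl x509 -text" dump, reports the Key Usage and Extended Key Usage purposes, and cross-checks the sc_auth hash against the Subject Key Identifier (the two values coincide in the post because OpenSSL's default SKI is the same SHA-1 of the public key that sc_auth prints). The set CLIENT_AUTH_EKUS is an assumption about which purposes a client/smart-card authentication check would typically look for; the post does not say which purposes loginwindow checks, so treat that part as a diagnostic hint rather than the rule. The log lines and certificate text are constructed from the post.

```python
# Added example (not from the post): triage helpers for the smart-card login failure.
#  1. Find which authorization mechanism did not return 0 in the security log.
#  2. Parse the "openssl x509 -text" extension section, report key purposes and
#     cross-check the sc_auth hash against the Subject Key Identifier.
import re

# Constructed sample: the AuthEvalMech lines copied from the post's trace.
SAMPLE_LOG = """\
AuthEvalMech evaluate(builtin:smartcard-sniffer,privileged) with result: 0.
AuthEvalMech evaluate(loginwindow:login) with result: 0.
AuthEvalMech evaluate(builtin:reset-password,privileged) with result: 0.
AuthEvalMech evaluate(builtin:auto-login,privileged) with result: 0.
AuthEvalMech evaluate(builtin:authenticate,privileged) with result: 1.
"""

MECH_RE = re.compile(r"AuthEvalMech evaluate\(([^)]*)\) with result: (\d+)\.")


def failing_mechanisms(log_text):
    """Return [(mechanism, result), ...] for every mechanism that did not return 0."""
    return [(m.group(1), int(m.group(2)))
            for m in MECH_RE.finditer(log_text) if int(m.group(2)) != 0]


# Constructed sample: the extension section of the certificate dump in the post.
SAMPLE_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE, pathlen:0
            Netscape Cert Type:
                S/MIME
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                E-mail Protection
            X509v3 Subject Key Identifier:
                3A:94:1B:BD:2D:9C:D7:3F:6D:83:A5:80:8B:82:50:E3:18:74:0E:EA
            X509v3 Authority Key Identifier:
                keyid:87:88:33:16:B1:E5:22:BC:B1:B1:9D:74:DA:69:1A:45:57:F2:D4:4C
                DirName:/C=FR/ST=Rhone/L=Lyon/O=Axinoe/OU=Axinoe Certification/emailAddress=ca at axinoe.com/CN=Axinoe CA Root
                serial:01

            X509v3 Subject Alternative Name:
                email:test at axinoe.com
    Signature Algorithm: sha1WithRSAEncryption
        c3:3c:08:4e:8b:e5:37:8c:d5:b8:bd:d5:4b:36:51:c9:8b:ad:
"""


def parse_extensions(cert_text):
    """Parse the X509v3 extension section of an 'openssl x509 -text' dump.

    Returns {extension name: {"critical": bool, "values": [lines]}}. Extension
    headers share one indent level; deeper lines are their values; the first
    shallower line ("Signature Algorithm:") ends the section."""
    exts = {}
    lines = cert_text.splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if l.strip() == "X509v3 extensions:") + 1
    except StopIteration:
        return exts
    hdr_indent = None
    name = None
    for line in lines[start:]:
        if not line.strip():            # blank line inside an extension (seen in AKI)
            continue
        indent = len(line) - len(line.lstrip(" "))
        if hdr_indent is None:
            hdr_indent = indent
        if indent < hdr_indent:         # back at the top level: end of extensions
            break
        if indent == hdr_indent:
            name, _, flag = line.strip().partition(":")
            name = name.strip()
            exts[name] = {"critical": flag.strip() == "critical", "values": []}
        elif name is not None:
            exts[name]["values"].append(line.strip())
    return exts


def purposes(exts):
    """Return (key_usage, extended_key_usage) as sets of OpenSSL's display names."""
    def split(ext_name):
        out = set()
        for value in exts.get(ext_name, {"values": []})["values"]:
            out.update(p.strip() for p in value.split(",") if p.strip())
        return out
    return split("X509v3 Key Usage"), split("X509v3 Extended Key Usage")


# Assumption: EKU names (as OpenSSL prints them) that a client/smart-card
# authentication check would typically accept. The post does not say which
# purposes loginwindow checks, so this is a diagnostic hint, not the rule.
CLIENT_AUTH_EKUS = {"TLS Web Client Authentication", "Microsoft Smartcard Login",
                    "Any Extended Key Usage"}


def has_client_auth_purpose(exts):
    """True if the cert can sign and its EKU, when present, allows client auth.
    Per RFC 5280 an absent EKU extension places no restriction on purpose."""
    ku, eku = purposes(exts)
    return "Digital Signature" in ku and (not eku or bool(eku & CLIENT_AUTH_EKUS))


def ski_matches_sc_auth_hash(exts, sc_auth_hash):
    """sc_auth hash prints a SHA-1 of the card's public key; OpenSSL's default
    Subject Key Identifier is the same SHA-1 (RFC 5280 method 1), so the two
    agree when sc_auth paired the user with the key behind this certificate."""
    ski = exts.get("X509v3 Subject Key Identifier", {"values": []})["values"]
    return bool(ski) and ski[0].replace(":", "").upper() == sc_auth_hash.upper()


if __name__ == "__main__":
    print("failed mechanisms:", failing_mechanisms(SAMPLE_LOG))
    parsed = parse_extensions(SAMPLE_CERT_TEXT)
    ku, eku = purposes(parsed)
    print("key usage:", sorted(ku))
    print("extended key usage:", sorted(eku))
    print("client-auth purpose present:", has_client_auth_purpose(parsed))
    print("SKI matches sc_auth hash:",
          ski_matches_sc_auth_hash(parsed, "3A941BBD2D9CD73F6D83A5808B8250E318740EEA"))
```

Run against the post's own data, the log parser points at builtin:authenticate as the only mechanism returning 1, the certificate carries only the E-mail Protection EKU (so no client-authentication purpose under the assumed list), and the sc_auth hash matches the SKI, which confirms the user-to-key pairing itself is consistent.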