[Tokend-Dev] [SmartcardServices-Dev] Signed Installer posted for OS X El Capitan v10.11

Thomas Harning Jr. harningt at gmail.com
Fri Oct 2 10:02:13 PDT 2015


On Thu, Oct 1, 2015 at 3:25 PM Shawn Geddis <geddis at icloud.com> wrote:

> On Oct 1, 2015, at 11:44 AM, Thomas Harning Jr. <harningt at gmail.com>
> wrote:
>
>
> Thanks. Is there any documentation available that shows where the new
> tokend installations should go?
>
> Does this installation location happen to work for older OSX versions, or
> is the location only scanned by OSX 10.11? If this location is only for
> newer versions of OSX, this complicates things for users that install an
> application on 10.10 or earlier and come to OSX 10.11 to discover their
> TokenD was obliterated.
>
> Smart card development for OSX seems to be a particularly dark art. By
> chance are there any samples of TokenD modules written using Apple's new
> blessed token API - the asynchronous nature of the new API seems to be in
> conflict with TokenD API specifications.
>
>
> Thomas,
>
> • The Installer Download Page, the Installer and the man page for
> SmartCardServices note the new tokend installation path for OS X El
> Capitan v10.11.
>
> • The Path [/Library/Security/tokend/ ] is new for OS X El Capitan v10.11
> and higher and is not supported on older versions of OS X v10.x.
> • Location of Tokend bundles does not affect use by Applications, since
> this is completely abstracted away.
>
> • There currently are no code samples or reference implementations for
> CryptoTokenKit Clients from Apple nor yet from the project here.
> • TokenD API specifications? There never was any API specification to
> Apple's knowledge. What reference are you making?
>
The specification that each of the TokenD modules implement. I referenced
an API that exists but does not appear to be documented (at least publicly).

I brought these up as I am on a team maintaining a product with a TokenD
module for our smart card support and have run into stumbling blocks with
supporting the new operating systems with no reliable channel on changes
aside from poking and prodding behavior as best as I can when new beta
releases come out.

> See man page for SmartCardServices….
>
Thanks for this - I'll keep an eye on man-page changes.

>
> $ man SmartCardServices
>
> SMARTCARDSERVICES(7)     BSD Miscellaneous Information Manual     SMARTCARDSERVICES(7)
>
> NAME
>      SmartCardServices -- overview of smart card support
>
> DESCRIPTION
>      SmartCardServices is a set of components which add native support for
>      smart cards to OS X.
>
>      Supported smart cards appear as separate keychains.  A Tokend module for
>      each smart card you wish to use must be installed in
>      /Library/Security/tokend
>
> USB SMART CARD READER DRIVERS
>      OS X has built-in support for USB CCID class-compliant smart card readers.
>      For other readers, install the reader driver in
>      /usr/local/libexec/SmartCardServices/drivers.  Each driver is a bundle.
>      The bundle contains an XML file Info.plist which contains the device's
>      USB vendor ID and product ID.  For detailed description of the plist
>      format and how to write a reader driver, see
>      http://pcsclite.alioth.debian.org/api/group__IFDHandler.html
>
> SMART CARD APDU LOGGING
>      It is possible to turn on logging for smart cards.  Logging is turned on
>      by setting the global preference:
>
>      sudo defaults write /Library/Preferences/com.apple.security.smartcard Logging -bool yes
>
>      After a smart card reader is connected (or after reboot) all operations
>      including contents of sent and received APDU messages are then logged
>      into the system log.  Logging uses the facility
>      com.apple.security.smartcard.log so it is possible to set up filtering
>      of these logs into custom targets (see asl.conf(5))
>
>      To avoid security risks that could occur if logging is turned on
>      indefinitely, the logging setting is one-shot - it must be turned on by
>      the command above to start logging again with a new reader.  This
>      includes unplugging and replugging the same reader.
>
> SEE ALSO
>      sc_auth(8), defaults(1), asl.conf(5), ssh-keychain(8)
>
> Mac OS X                        August 5, 2014                        Mac OS X
>
>
>
> - Shawn
> _____________________________________________________________________
> Shawn Geddis            geddis@{Mac | Me | iCloud}.com
> Security and Certifications Engineer, Apple
> geddis at apple.com
>
>
> Smart Card Services  Project/Dev Lead:
>
> Project Wiki:           [SmartCardServices.MacOSFforge.Org]
> Mailing Lists:          [Lists.MacOSForge.Org/mailman/listinfo
> <http://lists.macosforge.org/mailman/listinfo>]
> SCS Contact:            [scs-cotact at macosforge.org]
> SCS Admin:            [scs-admin at macosforge.org]
> _____________________________________________________________________
>
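The man page quoted above warns that APDU logging is one-shot because leaving it on is a security risk: every command APDU, including VERIFY with the PIN in its data field, lands in the system log, and the asl.conf(5) filtering it mentions will happily forward those lines to a custom target. The script below is an added example (not code from the SmartCardServices project or from anyone on this thread) that scans such log lines, reports command APDUs whose data field carries reference data, and redacts them before forwarding. The log line layout, the sample lines and the PIV-style 0xFF-padded PIN are all constructed assumptions; Apple's real line format is not shown on the page. Only short-form ISO 7816-4 APDUs are handled.

```python
"""Scan system-log lines emitted under the com.apple.security.smartcard.log
facility for command APDUs whose data field carries a secret (PIN, PUK),
and redact them before the lines are forwarded anywhere.

Added example, not SmartCardServices code.  Assumptions: the log line
layout below is constructed (Apple's real format is not documented on the
page); only short-form ISO 7816-4 APDUs are handled; PINs are assumed to
be PIV-style ASCII digits padded with 0xFF.
"""
import re
from dataclasses import dataclass
from typing import List

# ISO 7816-4 INS codes whose command data field contains reference data.
SENSITIVE_INS = {
    0x20: "VERIFY",                 # PIN
    0x24: "CHANGE REFERENCE DATA",  # old PIN + new PIN
    0x2C: "RESET RETRY COUNTER",    # PUK + new PIN
}

# Constructed layout (assumption): "<ts> <host> <facility>[<pid>]: APDU -> <hex>"
LINE_RE = re.compile(
    r"com\.apple\.security\.smartcard\.log\[\d+\]: APDU (?P<dir>->|<-) "
    r"(?P<hex>[0-9A-Fa-f]{2}(?: [0-9A-Fa-f]{2})*)$"
)


@dataclass
class CommandApdu:
    cla: int
    ins: int
    p1: int
    p2: int
    lc: int          # 0 when the command has no data field
    data: bytes


def parse_command_apdu(raw: bytes) -> CommandApdu:
    """Split a short-form command APDU into header, Lc and data (cases 1-4)."""
    if len(raw) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    if len(body) <= 1:                    # case 1 (nothing) or case 2 (Le only)
        return CommandApdu(cla, ins, p1, p2, 0, b"")
    lc = body[0]                          # case 3/4: Lc, data, optional Le
    data = body[1:1 + lc]
    if len(data) != lc:
        raise ValueError("Lc exceeds the bytes present")
    return CommandApdu(cla, ins, p1, p2, lc, data)


@dataclass
class Finding:
    lineno: int      # 1-based index into the scanned lines
    name: str
    p2: int          # key reference, e.g. 0x80 = PIV application PIN
    data: bytes


def scan_log(lines: List[str]) -> List[Finding]:
    """Return every logged command APDU that carried reference data."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.search(line)
        if not m or m.group("dir") != "->":
            continue                      # response line or unrelated entry
        try:
            apdu = parse_command_apdu(bytes.fromhex(m.group("hex")))
        except ValueError:
            continue                      # truncated or malformed entry
        if apdu.ins in SENSITIVE_INS and apdu.lc:
            findings.append(Finding(n, SENSITIVE_INS[apdu.ins], apdu.p2, apdu.data))
    return findings


def decode_pin(data: bytes) -> str:
    """PIV-style PIN: ASCII digits padded with 0xFF (assumption)."""
    return bytes(b for b in data if b != 0xFF).decode("ascii", errors="replace")


def redact_line(line: str) -> str:
    """Replace the data field of a sensitive command APDU with 'xx' per byte."""
    m = LINE_RE.search(line)
    if not m or m.group("dir") != "->":
        return line
    try:
        apdu = parse_command_apdu(bytes.fromhex(m.group("hex")))
    except ValueError:
        return line
    if apdu.ins not in SENSITIVE_INS or not apdu.lc:
        return line
    tokens = m.group("hex").split(" ")
    for i in range(5, 5 + apdu.lc):       # bytes after CLA INS P1 P2 Lc
        tokens[i] = "xx"
    return line[:m.start("hex")] + " ".join(tokens) + line[m.end("hex"):]


# Constructed sample: PIV SELECT, VERIFY with PIN "123456", GET DATA.
SAMPLE_LOG = [
    "Oct  2 09:41:12 mbp com.apple.security.smartcard.log[312]: APDU -> 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00",
    "Oct  2 09:41:12 mbp com.apple.security.smartcard.log[312]: APDU <- 90 00",
    "Oct  2 09:41:13 mbp com.apple.security.smartcard.log[312]: APDU -> 00 20 00 80 08 31 32 33 34 35 36 FF FF",
    "Oct  2 09:41:13 mbp com.apple.security.smartcard.log[312]: APDU <- 90 00",
    "Oct  2 09:41:14 mbp com.apple.security.smartcard.log[312]: APDU -> 00 CB 3F FF 05 5C 03 5F C1 05 00",
    "Oct  2 09:41:14 mbp com.apple.security.smartcard.log[312]: APDU <- 90 00",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.lineno}: {f.name} key 0x{f.p2:02X} carries PIN {decode_pin(f.data)!r}")
    print(redact_line(SAMPLE_LOG[2]))
```

Run against a real capture by feeding the lines of the system log (or of the custom target configured in asl.conf) to `scan_log`; a non-empty result means the PIN is sitting in plain text wherever that log is retained, which is exactly why the preference is reset on reader replug. `redact_line` is what you would run on the lines before shipping them to a central log collector.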