[Tokend-Dev] Fwd: [SmartcardServices-Users] Differences between & fixes for the BelPic, Beid, CAC Tokend's

Maccampus maccampus at gmail.com
Wed Mar 30 14:06:41 PDT 2016


I have OS X 10.10; I updated from 10.9.
I have knowledge about .pkg files; I can use software to see the contents & read the pre & post flight scripts. I say this because I want you to know I clean up the mess manually when I deinstall malfunctioning software or software that installs things outside /applications/. I also have hidden files visible on occasions to help me do such cleaning. This said, I will continue.

On 10.9, when I still had my old ID card, I installed the software from the Belgian Government but replaced the Beid.tokend by the belpic.tokend, so decided to use the tokend from Apple/MacOSForge instead of the one from the Belgian Government. I also did not install the drivers for my card reader hardware which are part of the installer from the Belgian Government but installed the latest drivers from Zetes.be / ACS.com for the ACR-38 reader. This worked fine. I updated to OS X 10.10 & it kept working fine; I might have needed to reinstall the Belpic.tokend & the driver. This also means the only thing I installed from the Belgian government was the add-on for Mozilla; I used the Mozilla add-ons website for this, so I actually only opened the installer package from the government to have a look at what it installed but I didn’t install it … so far …

I was ordered to get a new ID card as mine was about to expire. The new ID card wasn’t a version 2 card anymore but a version 3; the change was mainly the encryption. Suddenly the Belpic tokend, while still seeing my card & accepting my passcode, would no longer function. I contacted the FedICT helpdesk. They came to the conclusion that the Belpic tokend did not support version 3 & future version 4 encryption. The Belpic tokend was an old product of theirs in collaboration with Apple. I needed to use their new version, the Beid tokend; the Beid tokend is just a renamed Belpic tokend further developed by them without collaboration from Apple or nowadays MacOSForge.

While the Belpic tokend was no longer developed by the Fedict, it was still further developed by the MacOSForge. This means it was updated to work with new OS X versions. The Beid tokend from FedICT was further developed by Fedict without Apple or MacOSForge; it was the Belpic tokend as it was for Snow Leopard, before it went from Apple to MacOSForge; it was upgraded to understand the newer 3rd & 4th version of encryption & might also be upgraded to support newer OS X versions, but without collaboration from MacOSForge or Apple. This means the changes to Belpic & Beid are not identical; the differences are not only the support for the newer encryption.

The Fedict also let me know their collaboration with Apple / MacOSForge ended because Apple was too slow when they proposed a patch to the tokend code & the tokend wasn’t updated soon enough for it to be useful to its users.

So I removed the Belpic tokend & installed the Beid tokend & this resulted in the behavior as I explained in my original post to the mailing list. I needed to insert an ID card & connect the reader before booting the Mac or right after; if I did not, I have a 1/10-1/20 chance that if I connect the reader & insert the card it would be recognized by the tokend & thus Keychain & Safari. The hardware & driver worked fine, as my ID card does work in Java & Firefox at such times when it did not in Safari.

The FedICT said it was because of the hardware driver anyway after I told them I used the driver from ACS instead of theirs (ACS is the producer of the hardware). At this point I started switching between drivers under their guidance but I kept cleaning up the installed driver before installing another one.

In the Fedict software current at that time, their driver was actually a patch to remove the ACR-38 support from Apple’s own driver & installation of an older version of the ACS driver. The installer also contained ancient versions of the ACR-38 driver from ACS but these weren’t installed on OS X 10.10 but were there for earlier OS X versions. I made sure I had a backup of Apple’s own driver so I could fix their patching of it. The software of Fedict updated as well & I tested newer Beid tokens & ACR-38 drivers. The driver from ACS updated as well so I also tested newer versions of their driver. I also tested driverless, only using the original driver from Apple, making sure it was not a version patched by Fedict.
(The newer Fedict installers don’t patch the Apple driver anymore; I also made sure before every OS X update I had the unpatched Apple driver installed & made a new backup of that after each OS X update.)

Anyhow, with use of either driver, Apple’s own, ACS or Fedict, I keep having the issues. But the driver is each time working fine as Java & Firefox have no problem with the ID card. Also when I switch from the Beid to the Belpic tokend & use another ID card which still is encryption 2, all works fine, also Safari.

You might be correct about the big changes between OS X 10.9, 10.10 & 10.11 on the PCSC framework but I doubt this would be a cause of trouble. I have for a while suspected, but cannot find, any configuration files created by the tokend when it is being used; maybe there even are no such files.

Could it be that when the system (OS X) uses the tokend, whether the Belpic or the Beid one (Beid being actually the Belpic tokend as well, but another fork & renamed & thus using the same configuration files if any), it creates any files in /library/, /user/library, /usr/… or /private/var/… ? I haven’t found such files so far, however.

I hope to upgrade to OS X 10.11 soon; maybe the behavior will disagree then, or not. In any case I think the tokend should benefit from being a team effort by FedICT & MacOSForge, even if FedICT doesn’t work in group but upgrades/patches their fork (Beid) & MacOSForge fetches the source at GitHub & merges the changes they approve in their tokend (Belpic).

> Begin forwarded message:
> From: Giuseppe Amato <gam at bit4id.com>
> Subject: Re: [Tokend-Dev] [SmartcardServices-Users] Differences between & fixes for the BelPic, Beid, CAC Tokend's
> Date: 30 March 2016 11:17:42 CEST
> To: "tokend-dev at lists.macosforge.org" <tokend-dev at lists.macosforge.org>
> Cc: Maccampus <maccampus at gmail.com>
> Hello,
> It may be a configuration problem in your OSX, not a tokend problem.
> You forgot to tell us the OSX version and if you did some upgrade, for example from 10.9 to 10.10 or 10.10 to 10.11.
> I suggest you make a test on a clean OSX installation, such as an installation made on an external USB or Firewire drive.
> In OSX 10.10 and 10.11 Apple made big changes to the PCSC framework, so you may have problems in upgrading from older versions or using incompatible setup PKG files making some configuration mess.
> Regards,
>  Giuseppe
> On 30/03/2016 0.36, Maccampus wrote:
>> I don’t know about OpenSC.tokend, but I’ll give it a look & test. I doubt it will work though because of the Belgian Identity Cards encryption.
>> If it works, why wouldn’t MacOSForge’s Belpic.tokend? Only Beid.tokend seems to be able to decrypt my identity information but has the explained trouble.
>> Apple used to create the Belpic.tokend in collaboration with the Belgian Federal ICT (Fedict) & Fedict included encryption version 1 & 2 in this version.
>> The collaboration has stopped, however; MacOSForge still updates the Belpic.tokend for new OS X versions but does not change it further; Fedict has renamed the Belpic.tokend to Beid.tokend & has added encryption version 3 & 4 to it, however their new builds are buggy & seem to have the earlier explained symptoms on my Mac.
>> So I think in my case the Beid.tokend is the only one that will actually work with the encrypted data on my/the newly issued Belgian Identity Cards (3rd version of the encryption). (For my earlier but now replaced ID card I used the Belpic.tokend from Apple/MacOSForge; this ID card had the 2nd version of encryption.)
>> I think, but I am not a developer, that with the earlier linked source code/development kit on GitHub the Belpic.tokend could be updated to work on the newer Belgian ID cards by the developers at MacOSForge.
>> As mentioned earlier, I read a post on this list that explained that with CAC cards and CAC.tokend it was possible to log in on OS X by inserting the CAC card & log out, go back to the login screen or bring up a screensaver when the card is pulled out until it’s inserted again. I would like to have this possible as well for the Belgian ID card. How is this functionality implemented? Is this included in the tokend?
> -- 
> Giuseppe Amato
> http://www.bit4id.com <http://www.bit4id.com/>
> gam at bit4id.com <mailto:gam at bit4id.com>