Douglas,

Thank you again. I used your opensc.conf and now the lock is unlocked on the Keychain. However, I still cannot view the certs.

What version of SCA are you using? I am using 0.2.0: http://www.opensc-project.org/sca/

I wonder if this version works with the latest PIVCard? Or if it needs to be updated?

Attached is my log. Do you mind to take a look to see if I am doing anything wrong?

Thanks again for your help! You are a PIV expert!

Ken

--- "Douglas E. Engert" <[EMAIL PROTECTED]> wrote:

> Kenneth Carrera wrote:
> > Douglas,
> >
> > I think I am getting a little closer. Now in my
> > keychain, the lock Icon is locked.
>
> On my system, even after a restart, the keychain
> for PIV_II shows it is unlocked, and I have not
> entered a pin.
>
> The help on Keychains, says the edit->"Change
> Setting for Keychain ..."
> I am no Mac expert, so I don't know why mine is
> unlocked and yours is locked. (And I don't want to try locking it.)
>
> So there may be a keychain problem. But bypassing that for now,
> does pkcs15-tool or pkcs-tool show you anything now?
> They don't go through the keychain.
>
> Also try
>   debug = 7;
> the /tmp/opensc-debug.log should then show something.
>
> Also uncomment the line for the error_file.
>
> comment out the
>   use_caching = true;
>
> Attached is an opensc.conf that works on MacOS 10.4
>
> > That was a little
> > different than before. Attached is my opensc.conf
> > file. Would you mind to take a look at it?
> >
> > I really appreciate any help you provide.
> >
> > Ken
> > --- "Douglas E. Engert" <[EMAIL PROTECTED]> wrote:
> >
> >> Kenneth Carrera wrote:
> >>> Douglas,
> >>>
> >>> Thank you very much for the response. I really appreciate it.
> >>>
> >>> I tried using the opensc-tool, piv-tool, and pkcs15-tool. From those, I
> >>> can bring up the card ATR so I know my card is being recognized, but I
> >>> cannot successfully run any of the other commands. Did you do anything
> >>> special to your opensc.conf file?
> >> What it said in the Wiki page:
> >>
> >> http://www.opensc-project.org/opensc/wiki/UnitedStatesPIV
> >>
> >> Double check the ATR too.
> >>
> >> But looking closer, I also commented out the
> >>   use_caching = true;
> >> and commented out the builtin_emulators = ...
> >> line as it does not list the PIV as it should.
> >>
> >> See the attached diff. If this does not help, send a copy of your
> >> opensc.conf.
> >>
> >>> Also, are you able to perform smart card login to
> >>> your MAC using OpenSC?
> >>
> >> No, but on unix have Heimdal (and MIT development) Kerberos using PKINIT
> >> to authenticate to Active Directory using pam_krb5. Apple has said they
> >> would fully support PIV, so we expect that when they
> >> do we would use whatever they provide.
> >>
> >>> Thank you again for your help! Ken
> >>>
> >>> ----- Original Message ----
> >>> From: Douglas E. Engert <[EMAIL PROTECTED]>
> >>> To: Kenneth Carrera <[EMAIL PROTECTED]>
> >>> Cc: [EMAIL PROTECTED]; opensc-devel@lists.opensc-project.org
> >>> Sent: Friday, March 2, 2007 4:27:47 PM
> >>> Subject: Re: [opensc-devel] Using PIV Card to Authenticate to MAC ( Problems )
> >>>
> >>> Kenneth Carrera wrote:
> >>> > Hello all:
> >>> >
> >>> > I am trying to configure my MAC to accept a PIV Card.
> >>> > I have installed OpenSC (SCA for MAC) and can now read
> >>> > my smart card ATR. My keychain can recognize when the
> >>> > card is inserted.
> >>> >
> >>> > However, I cannot seem to access the data or the
> >>> > certificates on the card. I made sure to configure my
> >>> > Opensc.config file to work with the new PIV card (
> >>> > Oberthur ). Is there anything else I can do to try to
> >>> > get the card to work with MAC? Thank you in advance
> >>> > for any help offered!
> >>>
> >>> How are you trying to access the data on the card?
> >>>
> >>> I am assuming the card has at least a certificate and
> >>> key, either a test one from Oberthur, or issued by
> >>> whomever gave you the card.
> >>>
> >>> You can start by using the /Library/OpenSC/opensc-tool
> >>> -l and -a options in a terminal window.
> >>>
> >>> Then ./pkcs15-tool -c should show that you have a certificate.
> >>> (It may not really be there.)
> >>>
> >>> ./pkcs15-tool -r 1
> >>>
> >>> should read the certificate and show it in PEM format.
> >>>
> >>> If you bring up the Keychain utility and hit the "show Keychains"
> >>> button in the lower left, it should show all your keychains.
> >>> The PIV card would be listed as PIV_II, and the main window should
> >>> show you have an Auth key, and a certificate. (You may have
> >>> other certs and keys as well. There can be 4. In my tests I only
> >>> write out the auth cert to the card.)
> >>>
> >>> The one other issue is if the certificate is compressed.
> >>> Code has been sent to the devel list to handle this, but it
> >>> has not been added to the distribution. I don't have a card
> >>> with a compressed cert, so can not test it. If you suspect
> >>> that the cert is compressed, we can talk about that too.
> >>>
> >>> Safari should be able to use this to some web site, if the
> >>> site trusts the CA that signed your certificate.
> >>>
> >>> > Ken
> >>> >
> >>> > _______________________________________________
> >>> > opensc-devel mailing list

=== message truncated ===

> # Configuration file for OpenSC
> # Example configuration file
>
> # NOTE: All key-value pairs must be terminated by a semicolon.
>
> # Default values for any application
> # These can be overrided by an application
> # specific configuration block.
> app default {
>     # Amount of debug info to print
>     #
>     # A greater value means more debug info.
>     # Default: 0
>     #
>     debug = 0;
>
>     # The file to which debug output will be written
>     #
>     # A special value of 'stdout' is recognized.
>     # Default: stdout
>     #
>     # debug_file = /tmp/opensc-debug.log;
>     # debug_file = "C:\Documents and Settings\All Users\Documents\opensc-debug.log";
>
>     # The file to which errors will be written
>     #
>     # A special value of 'stderr' is recognized.
>     # Default: stderr
>     #
>     # error_file = /tmp/opensc-errors.log;
>     # error_file = "C:\Documents and Settings\All Users\Documents\opensc-errors.log";
>
>     # PKCS#15 initialization / personalization
>     # profiles directory for pkcs15-init.
>
>     profile_dir = /Library/OpenSC/share/opensc;
>
>     # What reader drivers to load at start-up
>     #
>     # A special value of 'internal' will load all
>     # statically linked drivers. If an unknown (ie. not
>     # internal) driver is supplied, a separate configuration
>     # configuration block has to be written for the driver.
>     # Default: internal
>     # NOTE: if "internal" keyword is used, must be the
>     # last entry in reader_drivers list
>     #
>     # reader_drivers = openct, pcsc, ctapi;
>
>     reader_driver ctapi {
>         # module /usr/local/towitoko/lib/libtowitoko.so {
>         # CT-API ports:
>         # 0..3 COM1..4
>         # 4 Printer
>         # 5 Modem
>         # 6..7 LPT1..2
>         # ports = 0;
>         # }
>     }
>
>     # Define parameters specific to your readers.
>     # The following section shows definitions for PC/SC readers,
>     # but the same set of variables are applicatable to ctapi and
>     # openct readers, simply by using "reader_driver ctapi" and
>     # "reader_driver openct", respectively.
>     reader_driver pcsc {
>         # This sets the maximum send and receive sizes.
>         # Some IFD handlers do not properly handle APDUs with
>         # large lc or le bytes.
>         #
>         max_send_size = 256;
>         max_recv_size = 256;
>         #
>         # Connect to reader in exclusive mode.
>         # Default: false
>         # connect_exclusive = true;
>         #
>         # Reset the card after disconnect.
>         # Default: true
>         # connect_reset = false;
>         #
>         # Reset the card after each transaction.
>         # Default: false
>         # transcaction_reset = true;
>         #
>         # Enable pinpad if detected (PC/SC v2.0.2 Part 10)
>         # Default: false
>         # enable_pinpad = true;
>     }
>
>     # options for openct support
>     reader_driver openct {
>         # virtual readers to allocate. default:5
>         readers = 5;
>     };
>
>     # What card drivers to load at start-up
>     #
>     # A special value of 'internal' will load all
>     # statically linked drivers. If an unknown (ie. not
>     # internal) driver is supplied, a separate configuration
>     # configuration block has to be written for the driver.
>     # Default: internal
>     # NOTE: When "internal" keyword is used, must be last entry
>     #
>     # card_drivers = customcos, internal;
>
>     # Card driver configuration blocks.
>
>     # For card drivers loaded from an external shared library/DLL,
>     # you need to specify the path name of the module
>     #
>     # card_driver customcos {
>     # The location of the driver library
>     # module = /usr/lib/opensc/drivers/card_customcos.so;
>     # }
>
>     # Force using specific card driver
>     #
>     # If this option is present, OpenSC will use the supplied
>     # driver with all inserted cards.
>     #
>     # Default: autodetect
>     #
>     # force_card_driver = customcos;
>
>     # In addition to the built-in list of known cards in the
>     # card driver, you can configure a new card for the driver
>     # using the card_atr block. The goal is to centralize
>     # everything related to a certain card to card_atr.
>     #
>     # The supported internal card driver names are
>     #   etoken      Aladdin eToken and other Siemens CardOS cards
>     #   flex        Schlumberger Multiflex/Cryptoflex
>     #   cyberflex   Schlumberger Cyberflex
>     #   gpk         Gemplus GPK
>     #   miocos      MioCOS 1.1
>     #   mcrd        MICARDO 2.1
>     #   setcos      Setec cards
>     #   starcos     STARCOS SPK 2.3
>     #   tcos        TCOS 2.0
>     #   openpgp     OpenPGP card
>     #   jcop        JCOP cards with BlueZ PKCS#15 applet
>     #   oberthur    Oberthur AuthentIC.v2/CosmopolIC.v4
>     #   belpic      Belpic cards
>     #   emv         EMV compatible cards
>
>     # Generic format: card_atr <hex encoded ATR (case-sensitive!)>
>
>     # New card entry for the flex card driver
>     # card_atr 3b:f0:0d:ca:fe {
>     # All parameters for the context are
>     # optional unless specified otherwise.
>
>     # Context: global, card driver
>     #
>     # ATR mask value
>     #
>     # The mask is logically AND'd with an
>     # card ATR prior to comparison with the
>     # ATR reference value above. Using mask
>     # allows identifying and configuring
>     # multiple ATRs as the same card model.
>     # atrmask = "ff:ff:ff:ff:ff";
>
>     # Context: card driver
>     #
>     # Specify used card driver (REQUIRED).
>     #
>     # When enabled, overrides all possible
>     # settings from the card drivers built-in
>     # card configuration list.
>     # driver = "flex";
>
>     # Set card name for card drivers that allows it.
>     # name = "My CryptoFlex card";
>
>     # Card type as an integer value.

=== message truncated ===
opensd-debug.log
Description: 288898755-opensd-debug.log
_______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
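
An added example, not part of the original thread or of OpenSC: a small shell check that reports which of the opensc.conf troubleshooting changes suggested in the quoted replies (debug = 7, debug_file and error_file uncommented, use_caching and builtin_emulators commented out) are still missing. The two sample configurations are constructed and abbreviated; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit opensc.conf text against the settings suggested in the thread.

# Print the value of the last uncommented "key = value;" line in the text $2.
active_value() {
    printf '%s\n' "$2" |
        sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\(.*\);[[:space:]]*\$/\1/p" |
        tail -n 1
}

# Print a space-separated list of settings that still differ from the advice.
check_conf_text() {
    conf=$1
    findings=""
    debug=$(active_value debug "$conf")
    [ "${debug:-0}" -ge 7 ] 2>/dev/null || findings="$findings debug"
    [ -n "$(active_value debug_file "$conf")" ] || findings="$findings debug_file"
    [ -n "$(active_value error_file "$conf")" ] || findings="$findings error_file"
    [ "$(active_value use_caching "$conf")" != "true" ] || findings="$findings use_caching"
    [ -z "$(active_value builtin_emulators "$conf")" ] || findings="$findings builtin_emulators"
    echo "${findings# }"
}

# Constructed sample: settings as shipped (logging off, caching and emulator list active).
sample_before() {
cat <<'EOF'
debug = 0;
# debug_file = /tmp/opensc-debug.log;
# error_file = /tmp/opensc-errors.log;
use_caching = true;
builtin_emulators = esteid, openpgp;
EOF
}

# Constructed sample: the same settings after applying the advice from the thread.
sample_after() {
cat <<'EOF'
debug = 7;
debug_file = /tmp/opensc-debug.log;
error_file = /tmp/opensc-errors.log;
# use_caching = true;
# builtin_emulators = esteid, openpgp;
EOF
}

echo "before: $(check_conf_text "$(sample_before)")"
echo "after:  $(check_conf_text "$(sample_after)")"
```

To check a real file, pass its contents: `check_conf_text "$(cat path/to/opensc.conf)"`; an empty result means all five settings match.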