FYI, Apple's SmartCardServices stuff is now out on MacForge: http://smartcardservices.macosforge.org/
Not sure if this includes tokend code, but there you go. -- Tim

>-----Original Message-----
>From: opensc-devel-boun...@lists.opensc-project.org [mailto:opensc-devel-boun...@lists.opensc-project.org] On Behalf Of Henry B. Hotz
>Sent: Sunday, March 22, 2009 1:37 PM
>To: Martin Paljak
>Cc: opensc-de...@opensc-project.org
>Subject: Re: [opensc-devel] Mac Tokend PIN Rejection
>
>On Mar 21, 2009, at 2:26 AM, Martin Paljak wrote:
>
>> On 21.03.2009, at 2:34, Henry B. Hotz wrote:
>>
>>>> If it is a PIV card, you probably don't use OpenSC tokend, but the CAC one? I might be wrong. Anyway, you don't need to "unlock" the keychain, you need to provide the PIN when you use a key/certificate on the card.
>>>
>>> CAC uses the CAC Tokend. PIV uses the PIV Tokend. (Out of the box anyway.) I have a PIV, not a CAC, because I work for a NASA contractor, not for the DOD. ;-)
>>
>> CAC and PIV tokend-s come with Mac OS X (ls -l /System/Library/Security/tokend); they have nothing to do with OpenSC or the OpenSC.tokend.
>
>We're in "violent agreement". I was describing Apple's out-of-the-box support on Leopard.
>
>>> I'm told the problem with the Apple Tokend is that it doesn't support 2048-bit RSA keys. In any case loginWindow on Leopard can't identify me based on the card. Substituting the OpenSC Tokend fixes that problem, but the PIN still isn't accepted.
>>
>> OpenSC.tokend is hardcoded to 1024b RSA keys. Whether the Apple OSX Tokend framework itself is capable of using 2048b keys is a question I don't have the answer to right now. You can easily run into problems with card readers as well (extended APDUs etc.).
>
>I'm using an ActiveIdentity reader with firmware upgraded to SCM version 5.22. It works fine with the rest of OpenSC, and I've used it to run the PKINIT exchange with Heimdal many times.
>
>The OpenSC Tokend works fine with the reader and card for just reading the cert via Keychain Access. I'm trying to fix the rest of the functionality, since it seems to *almost* work.
>
>So, you're telling me that the Tokend framework itself is limited to 1024-bit keys? Where would I look to verify if that's still true?
>
>>> I'm willing to do some debugging, if someone will tell me what to look at. Maybe where to put syslog calls in a custom build?
>>
>> You can run the PIV tokend in debug mode, but that won't help you, as there is no way you can modify the PIV tokend.
>
>How do I run the OpenSC tokend in "debug mode"? I just found a log file in /tmp that seems relevant, but it doesn't seem to contain anything that looks like a smoking gun. Should I look more carefully? Maybe truncate it before the relevant test?
>
>------------------------------------------------------
>The opinions expressed in this message are mine,
>not those of Caltech, JPL, NASA, or the US Government.
>henry.b.h...@jpl.nasa.gov, or hbh...@oxy.edu
>
>_______________________________________________
>opensc-devel mailing list
>opensc-devel@lists.opensc-project.org
>http://www.opensc-project.org/mailman/listinfo/opensc-devel
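Martin's point above is that OpenSC.tokend is hardcoded to 1024-bit RSA keys, so a practitioner debugging a PIN rejection would first want to know which keys on the card exceed that limit. The script below is an added example, not code from the thread or from OpenSC: it parses a key listing in the shape of `pkcs15-tool --list-keys` output and flags each RSA key whose modulus is above 1024 bits. The listing embedded in it is constructed, not captured from a real card, and the assumption that each key prints a `Private RSA Key [<label>]` header followed by a `ModLength : <bits>` line is mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSC: check whether the RSA
# keys on a PKCS#15 card fit the 1024-bit limit Martin describes for OpenSC.tokend.
# ASSUMPTION: `pkcs15-tool --list-keys` prints one "ModLength : <bits>" line per
# key under a "Private RSA Key [<label>]" header. The listing below is constructed
# to match that shape; it was not captured from a real card.

TOKEND_RSA_LIMIT=1024

# Constructed sample listing: one 2048-bit key and one 1024-bit key.
SAMPLE_KEYS='Private RSA Key [PIV AUTH key]
        Usage          : [0x20], sign
        ModLength      : 2048
        Key ref        : 154 (0x9A)
        ID             : 01
Private RSA Key [CARD AUTH key]
        Usage          : [0x20], sign
        ModLength      : 1024
        Key ref        : 158 (0x9E)
        ID             : 04'

# Emit one line per key: "<label> <bits> ok|too-large".
check_key_sizes() {
    printf '%s\n' "$1" | awk -v limit="$TOKEND_RSA_LIMIT" '
        /^Private RSA Key \[/ {
            label = $0
            sub(/^Private RSA Key \[/, "", label)
            sub(/\].*$/, "", label)
        }
        /ModLength/ {
            bits = $NF + 0
            print label, bits, (bits > limit + 0 ? "too-large" : "ok")
        }'
}

# Number of keys the tokend would refuse (modulus above the limit).
count_too_large() {
    check_key_sizes "$1" | awk '$NF == "too-large" { n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed sample; on a Mac with OpenSC installed,
# replace "$SAMPLE_KEYS" with "$(pkcs15-tool --list-keys)".
check_key_sizes "$SAMPLE_KEYS"
echo "keys above ${TOKEND_RSA_LIMIT} bits: $(count_too_large "$SAMPLE_KEYS")"
```

If the count is non-zero for the key the tokend is asked to use, the PIN rejection may be a symptom of the key-size limit rather than of a wrong PIN, which is the distinction Henry is trying to make before adding syslog calls to a custom build.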