Ken,
Can you give me a little more information about the tokend?
1. Because a private key never leaves a smart card, how does it map a private key and a certificate on the smart card into a keychain? At the CSSM level or the SecKeychain Services level? What function calls can accomplish this?
2. How does the tokend communicate with other modules? By "others" I don't mean the smart card modules.
3. In my case, the real private key is stored on the server. Any signing operation needs to be done on the server. A dummy key is used as a handle with the user's certificate and stored in a keychain. I hope that whenever this private key is called for Safari client SSL authentication, some signing function of the tokend, or of my tokend, is called. Is this possible?
Thanks,
Ben
-----Original Message-----
From: Ken McLeod [mailto:email@hidden]
Sent: Tuesday, January 10, 2006 4:05 PM
To: Ben Zhu
Cc: email@hidden
Subject: Re: Keychain and Smart card
On Jan 10, 2006, at 3:00 PM, Ben Zhu wrote:
> Can someone tell me if a smart card can be used for Safari Client SSL
> authentication?
Yes. You need to have a supported smartcard, though (or else write a
tokend module for one). A tokend module communicates with the smartcard
and makes it appear to be just another keychain. If your smartcard can
be read successfully, it should automatically show up as a keychain in
Keychain Access.
> If yes, how does Safari use the private key to sign? What role does a
> keychain play in this picture?
Safari ends up calling CFNetwork and SecureTransport to open the TLS/SSL
connection. The private key and its certificate must reside in a
keychain (or tokend-enabled smartcard), and the corresponding identity
must be able to be found by calling SecIdentitySearchCreate(). The
signing operation is just a standard CSSM call; if the private key is on
a smartcard, that is interpreted by a function in the tokend module,
which communicates with the card.
Also, you probably want to be running 10.4.4, which was released today.
It has several fixes for issues with smartcards and SSL client
certificate authentication (none of which appear to be documented in the
KB article. : )
-ken
> Thanks,
> Ben
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Apple-cdsa mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
> http://lists.apple.com/mailman/options/apple-cdsa/email@hidden
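As an added illustration of the lookup Ken describes (this is example code written for this page, not code from the thread or from Apple), the program below enumerates signing identities through SecIdentitySearchCreate(), the 10.4-era call SecureTransport's client-authentication path uses, and prints the path of the keychain holding each private key. A tokend-backed smart card appears in that listing as just another keychain path, which is the mechanism Ken is pointing at. It assumes a macOS build with the Security framework; SecCertificateCopySubjectSummary() is a later addition (10.6) used here only for readable output, and SecIdentitySearchCreate() is deprecated in current SDKs but still links, so its warning is silenced.

```objective-c
// Added example, not from the mailing-list thread. Build on macOS with:
//   clang -fobjc-arc -framework Foundation -framework Security \
//         list_identities.m -o list_identities
// Lists identities whose private key may sign, and the keychain each key
// lives in. A tokend-enabled smart card shows up as a keychain here.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#include <limits.h>

#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wdeprecated-declarations"

// Walk the default keychain search list (the same list a tokend-backed card
// is added to when it is read successfully) for signing-capable identities.
static OSStatus listSigningIdentities(void)
{
    SecIdentitySearchRef search = NULL;
    // NULL keychain means "the user's default search list".
    OSStatus status = SecIdentitySearchCreate(NULL, CSSM_KEYUSE_SIGN, &search);
    if (status != errSecSuccess) {
        return status;
    }

    SecIdentityRef identity = NULL;
    while (SecIdentitySearchCopyNext(search, &identity) == errSecSuccess) {
        SecCertificateRef cert = NULL;
        SecKeyRef key = NULL;
        CFStringRef subject = NULL;
        char path[PATH_MAX] = "(unknown keychain)";

        if (SecIdentityCopyCertificate(identity, &cert) == errSecSuccess && cert) {
            subject = SecCertificateCopySubjectSummary(cert);
            CFRelease(cert);
        }
        if (SecIdentityCopyPrivateKey(identity, &key) == errSecSuccess && key) {
            SecKeychainRef keychain = NULL;
            // A SecKeyRef is also a SecKeychainItemRef, so we can ask which
            // keychain it came from. For a smart card that is the tokend keychain.
            if (SecKeychainItemCopyKeychain((SecKeychainItemRef)key, &keychain) == errSecSuccess
                && keychain) {
                UInt32 len = sizeof(path);
                if (SecKeychainGetPath(keychain, &len, path) != errSecSuccess) {
                    strlcpy(path, "(path unavailable)", sizeof(path));
                }
                CFRelease(keychain);
            }
            CFRelease(key);
        }

        NSLog(@"identity: %@  private key in: %s",
              subject ? (__bridge id)subject : @"(unknown subject)", path);
        if (subject) {
            CFRelease(subject);
        }
        CFRelease(identity);
        identity = NULL;
    }
    CFRelease(search);
    return errSecSuccess;
}
#pragma clang diagnostic pop

int main(void)
{
    @autoreleasepool {
        OSStatus status = listSigningIdentities();
        if (status != errSecSuccess) {
            NSLog(@"SecIdentitySearchCreate failed: %d", (int)status);
            return 1;
        }
    }
    return 0;
}
```

Run it with a supported card inserted and the identity from the card is listed next to a keychain path that is not a file under ~/Library/Keychains; that is the tokend keychain, and any signing done through that identity is routed to the tokend rather than performed in software. If the card's identity does not appear at all, the card is not being read, which is the first thing to check before looking at Safari.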