
Re: Keychain and Smart card




On Jan 11, 2006, at 5:06 PM, Ben Zhu wrote:

Can you give me a little more info about the tokend?

1. Because a private key never leaves a smart card, how does it map a private key and a cert on the smart card into a keychain? At the CSSM level or the SecKeychain Services level? What function calls can accomplish this?


2. How does the tokend communicate with other modules? I mean "others" don't include the smart card modules.


3. In my case, the real private key is stored on the server. Any signing operation needs to be done on the server. A dummy key is used as a handle with the user's certificate and stored in a keychain.

The SecKeychain APIs are built on top of the CSSM APIs. The CSSM APIs end up calling into securityd via RPCs to perform the actual crypto operations. securityd selects the appropriate CSP/DL module and enforces whatever ACL restrictions are present on the keys. In the case where the key is on a smartcard, the appropriate tokend module's callback function will be invoked to perform the operation.


There are a number of callback functions that a tokend module must provide. securityd will call your tokend's provided callbacks to read the contents of the card, sign or encrypt data, change the card's PIN, and so on. You don't have to actually perform an operation with the card, of course... you're free to tell the world "this card contains a private key named 'foo'", and when securityd calls you to sign data with that private key, you can actually go off and have the data signed on a server (while pretending the card performed the operation), then hand the signed data back to the caller.

I hope that whenever this private key is called for Safari Client SSL authentication, some signing function of the tokend or my tokend is called. Is this possible?

Yes, if you can require the user to insert a smartcard which is managed by your tokend module. As I suggested above, when your module is asked to perform cryptographic operations, you can handle it in whatever way you like, such as communicating with a server to do the actual work.


You won't be able to simply store a dummy key in a normal file-based keychain, because then any cryptographic operations for that key will be handled by the Apple CSP/DL.

To forestall the inevitable question: unfortunately no, I don't have documentation for writing a tokend module. You may want to contact Developer Technical Support for further info. However, you can look at the Tokend project in Darwin for working examples of tokend modules for the BELPIC (Belgian ID) and CAC (US DoD Common Access Card) smartcards.

-ken




Thanks,
Ben






-----Original Message-----
From: Ken McLeod [mailto:email@hidden]
Sent: Tuesday, January 10, 2006 4:05 PM
To: Ben Zhu
Cc: email@hidden
Subject: Re: Keychain and Smart card


On Jan 10, 2006, at 3:00 PM, Ben Zhu wrote:

Can someone tell me if a smart card can be used for Safari Client SSL authentication?

Yes. You need to have a supported smartcard, though (or else write a
tokend module for one). A tokend module communicates with the smartcard
and makes it appear to be just another keychain. If your smartcard can
be read successfully, it should automatically show up as a keychain in
Keychain Access.



If yes, how does Safari use the private key to sign? What role does a keychain play in this picture?

Safari ends up calling CFNetwork and SecureTransport to open the TLS/
SSL connection. The private key and its certificate must reside in a
keychain (or tokend-enabled smartcard), and the corresponding identity
must be able to be found by calling SecIdentitySearchCreate(). The
signing operation is just a standard CSSM call; if the private key is on
a smartcard, that is interpreted by a function in the tokend module,
which communicates with the card.


Also, you probably want to be running 10.4.4, which was released today.
It has several fixes for issues with smartcards and SSL client
certificate authentication (none of which appear to be documented in the
KB article. : )


-ken




Thanks,
Ben
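The lookup-then-sign path Ken describes (SecIdentitySearchCreate to find the identity, then a standard CSSM signing call that securityd hands to the Apple CSP/DL or to a tokend), as an added example that is not code from this thread or from Apple. It is C against the 10.4-era Security framework (build with `-framework Security -framework CoreFoundation`); the function name `sign_with_identity` and the sample message are my own, and it assumes some keychain in the default search list holds a signing-capable RSA identity.

```objective-c
#include <CoreFoundation/CoreFoundation.h>
#include <Security/Security.h>
#include <stdlib.h>

/* SHA-1/RSA sign via CSSM.  securityd routes this to the Apple CSP/DL (file
 * keychain) or to a tokend callback (card); the caller cannot tell which.
 * Returns 0 on success; sig->Data is malloc'd for the caller to free. */
static int sign_with_identity(SecIdentityRef id, const uint8 *msg, size_t len,
                              CSSM_DATA *sig)
{
    SecKeyRef key = NULL;
    const CSSM_KEY *cssmKey = NULL;
    const CSSM_ACCESS_CREDENTIALS *creds = NULL;
    CSSM_CSP_HANDLE csp = 0;
    CSSM_CC_HANDLE ctx = 0;
    int rc = -1;
    if (SecIdentityCopyPrivateKey(id, &key) != noErr) return -1;
    /* Credentials are where securityd enforces the key's ACL (PIN prompt). */
    if (SecKeyGetCSSMKey(key, &cssmKey) == noErr &&
        SecKeyGetCSPHandle(key, &csp) == noErr &&
        SecKeyGetCredentials(key, CSSM_ACL_AUTHORIZATION_SIGN,
                             kSecCredentialTypeDefault, &creds) == noErr) {
        sig->Length = (cssmKey->KeyHeader.LogicalKeySizeInBits + 7) / 8;
        sig->Data = malloc(sig->Length);    /* RSA signature = modulus size */
        if (sig->Data &&
            CSSM_CSP_CreateSignatureContext(csp, CSSM_ALGID_SHA1WithRSA,
                                            creds, cssmKey, &ctx) == CSSM_OK &&
            CSSM_SignData(ctx, &(CSSM_DATA){ (CSSM_SIZE)len, (uint8 *)msg }, 1,
                          CSSM_ALGID_NONE, sig) == CSSM_OK)
            rc = 0;
        if (ctx) CSSM_DeleteContext(ctx);
    }
    CFRelease(key);
    return rc;
}

int main(void)
{
    static const uint8 msg[] = "constructed sample data";  /* constructed */
    CSSM_DATA sig = { 0, NULL };
    SecIdentitySearchRef search = NULL;
    SecIdentityRef id = NULL;
    /* NULL searches the default keychain list, where a tokend's card appears. */
    int ok = SecIdentitySearchCreate(NULL, CSSM_KEYUSE_SIGN, &search) == noErr &&
             SecIdentitySearchCopyNext(search, &id) == noErr &&  /* none found? */
             sign_with_identity(id, msg, sizeof msg - 1, &sig) == 0;
    free(sig.Data);
    if (id) CFRelease(id);
    if (search) CFRelease(search);
    return ok ? 0 : 1;
}
```

With a tokend-backed card inserted, the same program signs through the card's tokend callbacks, which is exactly why a dummy key in a file keychain would instead be handled by the Apple CSP/DL.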

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Apple-cdsa mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/apple-cdsa/thecloud%40apple.com


This email sent to email@hidden








