RE: [Fed-Talk] Smart Card / Reader Issues on Mac OS X 10.5
- Subject: RE: [Fed-Talk] Smart Card / Reader Issues on Mac OS X 10.5
- From: "Emery, David G Capt MIL USAF AFSOF AOC/CSD" <email@hidden>
- Date: Mon, 19 Nov 2007 14:33:41 -0600
- Thread-topic: [Fed-Talk] Smart Card / Reader Issues on Mac OS X 10.5
Shawn,
Thanks for the informative feedback below. I can confirm that your reader #1 does work...sort of. I say sort of because your unfortunate comment that PKCS#11 applications may not work correctly seems to be the case with Firefox 2.0.0.9. Installing the module causes the browser to crash on every startup unless the CAC is present. Inserting the CAC and then starting Firefox allows the browser to start but doesn't allow for use of the CAC, nor does the PKCS#11 module actually recognize the card.
Next, I got excited based on your comments regarding Identity Preferences in Keychain. I inserted my CAC and made my E-mail certificate the preferred certificate for my OWA URL. Setting this preference (or any of the certs on my CAC) leads to Keychain crashing. The only way to open Keychain after setting the preference is to remove my CAC and then delete the preference.
Any further insight would be greatly appreciated since I'm in limbo right now with neither solution working.
Dave
________________________________
From: fed-talk-bounces+david.emery=email@hidden [mailto:fed-talk-bounces+david.emery=email@hidden] On Behalf Of Shawn A. Geddis
Sent: Monday, November 12, 2007 12:32 PM
To: Fed Talk
Subject: [Fed-Talk] Smart Card / Reader Issues on Mac OS X 10.5
Just wanted to make everyone aware that Apple is aware of this and I am looking into the issues many are having with certain Smart Card Readers. Yes, it would first appear to be an issue with certain Smart Card Readers and not a combination with the Smart Cards themselves, but various user success/failure quickly proves this wrong. I am also working with the reader manufacturers on identifying the problem.
Request
If anyone is willing to send me email (to: geddis [at] apple [dot] com) directly stating the following which you can gather from the System Profiler Report, it would be greatly appreciated.
Subject: Smart Card Reader Feedback
-- Sample Info --
Working: NO
--System Info--
Model Name: MacBook Pro 15"
Model Identifier: MacBookPro1,1
Processor Name: Intel Core Duo
Processor Speed: 2.16 GHz
--Smart Card Reader Info--
Version: 5.18
Manufacturer: SCM Microsystems, Inc.
Product ID: 0xe001
Vendor ID: 0x04e6
--Smart Card Info--
Manufacturer: Axalto
Card Type: Access 64K
Version: v1
SCM SCRX31
This has long been the reader used within DoD, largely because most were purchased quite some time ago. Be aware that the SCR331 is NOT a specific reader name, but rather a "Family" Name. Hence, it is quite possible that folks are using versions of the reader that may possibly fail. Also note that many have the old ActivCard USBv2 reader which is simply a firmware modification of the SCM SCR331 as well.
I have the following SCM SCR331 Reader working fine on my system, but note the version (firmware), Product ID and Vendor ID of the units. Using "System Profiler" in /Applications/Utilities Folder, you can select the USB port and reader device in the list. If this particular reader is listed under any other name, the problem begins with the Firmware.
Since the attachment would be stripped, I will recreate the contents here in text for those that are working and those that are not:
Readers that ARE working:
(Only ones I had access to for immediate testing on Intel)
Reader #1
System Profiler Name: "SCRx31 USB Smart Card Reader"
Version: 5.18
Manufacturer: SCM Microsystems Inc.
Product ID: 0xe001
Vendor ID: 0x04e6
Reader #2
System Profiler Name: "SCRx31 USB Smart Card Reader"
Version: 5.25
Manufacturer: SCM Microsystems Inc.
Product ID: 0xe001
Vendor ID: 0x04e6
Reader #3
System Profiler Name: "Smart Card Reader USB"
Version: 1.01
Manufacturer: OMNIKEY AG
Product ID: 0x3021
Vendor ID: 0x076b
Reader #4
System Profiler Name: "Smart Card Reader USB"
Version: 3.02
Manufacturer: OMNIKEY AG
Product ID: 0x3021
Vendor ID: 0x076b
Readers that ARE NOT working:
(Only ones I had access to for immediate testing on Intel)
Reader #1
System Profiler Name: "SCRx31 USB Smart Card Reader"
Version: 2.03
Bus Power (mA) 500
Speed: Up to 12 Mb/sec
Manufacturer: SCM Microsystems Inc.
Product ID: 0xe001
Serial Number: <each reader is unique>
Vendor ID: 0x04e6
Reader #2
System Profiler Name: "SCRx31 USB Smart Card Reader"
Version: 4.13
Bus Power (mA) 500
Speed: Up to 12 Mb/sec
Manufacturer: SCM Microsystems Inc.
Product ID: 0xe001
Serial Number: <each reader is unique>
Vendor ID: 0x04e6
Reader #3
System profiler: "ActivCard USB Reader V2"
Version: 2.02
Bus Power (mA) 500
Speed: Up to 12 Mb/sec
Manufacturer: ActivCard
Product ID: 0xe001
Serial Number: <each reader is unique>
Vendor ID: 0x09c3
_________
Due largely to the dissemination of some incorrect user generated documentation, many have begun to confuse what is needed and what is impacting the use of Smart Cards within their particular environment and system configuration (including apps in use). Let me try to clear much of this up quickly in an email message.
_________
A. Apple Architecture
The Apple Smart Card Services are NOT impacted by the difference between Smart Card Manufacturers or by the capacity of the cards (32K v. 64K), but ARE reliant on two distinct things:
Existence of a supporting Tokend for the corresponding "Applet" on the Card.
"Tokend" modules shipped with 10.5
CAC - Supports CAC & GSC-IS compliant Smart Cards
BELPIC - Supports Belgian National ID compliant Smart Cards
JPKI - Supports Japanese PKI compliant Smart Cards
** NEW FOR 10.5 **
PIV - Supports PIV compliant Smart Cards
Existence of a recognized Smart Card Reader
$ ls -al /usr/libexec/SmartCardServices/drivers/
drwxr-xr-x 3 root wheel 102 Oct 4 00:44 CC-PC-Card.bundle
dr-xr-xr-x 3 root wheel 102 Oct 4 00:44 CCIDClassDriver.bundle
drwxr-xr-x 3 root wheel 102 Oct 4 00:44 SCR24XHndlr.bundle
drwxr-xr-x 3 root wheel 102 Oct 4 00:44 ifd-ASEIIIeUSB.bundle
drwxr-xr-x 3 root wheel 102 Oct 4 00:44 ifdok_cm4040_macos-2.0.0.bundle
This would cover
CC-PC-Card.bundle -- PC Card Readers -- CRYPTOCard P-1
CCIDClassDriver.bundle -- USB Card Readers -- "CCID Compliant"
ifd-ASEIIIeUSB.bundle -- USB Card Readers -- Athena IIIe
SCR24XHndlr.bundle -- PC Card Readers -- SCM SCR24X
ifdok_cm4040_macos-2.0.0.bundle -- PC Card Readers -- OMNIKey CardMan 4040
Any smart card compliant to any of the above specs will appear in the Keychain List after the system has identified the card and propagated the contents up through the Keychain architecture. This is, of course, if the Smart Card Reader is supported and recognized already as well.
NO NEED TO... (Common Myths)
1) Copy Certificates from the Card to the User's Login Keychain
2) Run "pcsctool" to add the ATR value -- it is not used by Apple
3) Make the Smart Card keychain the default keychain
Selection of identities
Some have had problems in the past accessing DoD services (i.e. websites) with the use of their DoD Smart Card. There is an unsupported method to resolve this on 10.4.x and a built-in method to resolve this on 10.5.
Background on problem
The DoD Smart Cards have three identities (Certificate and corresponding Private Key):
- ID
- Email Signing
- Email Encryption
The unfortunate fact is that the ID is not used, but has all of the same Key Usage as the Email Signing. The Email Signing is being used for basically everything. For example, 1) Login, 2) Email Signing, 3) VPN Access....
The catch-22 for users was that the ID Certificate was silently selected by OS X and delivered for User Authentication to network services (Web sites, VPN, etc.). The remote servers did not reject things at the protocol level (i.e. SSL handshake) and hence OS X was unable to handle the unexpected reply.
Servers/Services that did fail at the protocol level allowed Mac OS X to properly handle and propagate the failure of User Auth up to the Application (i.e. Safari). Safari then displayed a list of alternative Certificates that could also be used for the service being requested. Once a selection was made, an "Identity Preference" was created in the user's keychain ensuring that all subsequent attempts to access that service (i.e. URL) would result in the selection and use of the proper certificate.
Method to resolve this on 10.4.x
If you are still on 10.4.x and are running into this scenario, I can provide you with an unsupported tool to manually create the Identity Preference for this service and identity pair. I would discourage the use of tools that modify or block access to objects on the Smart Card, since this will undoubtedly cause you frustration with other services.
Method to resolve this on 10.5.x
Keychain Access on Mac OS X 10.5.x provides a built-in function to Create and Manage Identity Preferences. Select (Click) the appropriate keychain containing your identity. Bring up the contextual menu <ctrl>.
____________________________
B. PKCS#11 Architecture
Some Applications do still exist on Mac OS X that access Smart Cards via PKCS#11, but this is not the same as the Apple Smart Card Services noted above. Apple does NOT provide any integration for PKCS#11 based applications and does not guarantee any arbitration between PKCS#11 Applications and native Mac OS X Applications leveraging the built-in Keychain Services (hence the corresponding Tokend).
Requirements:
* Existence of a PKCS#11 library used by these types of applications.
* Existence of the corresponding ATR value in the corresponding bundle:
CAC - commonAccessCard.bundle
GSC-IS - GSCISPlugin.bundle
** ALL 64K DoD Cards would need to have their ATR value added to the corresponding bundle above. Some Newer 32K DoD cards would need to as well.
PKCS#11 Applications currently used by some on Mac OS X:
1) Any Mozilla based applications (Mozilla, Firefox, Thunderbird, etc.)
2) Adobe Acrobat 8
There is no guarantee that PKCS#11 Applications will work on any version of the OS later than 10.3.X.
1) There is no guarantee that PKCS#11 Applications will work on Mac OS X 10.4.x ... without contention with the built in Smart Card Services
2) There is no guarantee that PKCS#11 Applications will work on Mac OS X 10.5.x
If the Smart Card in use is not supported by a tokend, it can be accessed and utilized by PKCS#11 based applications without any conflict with Apple's Smart Card Services.
If you are using PKCS#11 access from another application other than those listed above, please let Shawn Geddis <geddis [at] apple [dot] com> know.
Thank You for your patience with this right now.
- Shawn
_____________________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Enterprise
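As an added check (not Shawn's or Apple's code) for the feedback request and reader tables above: a script that parses the text of `system_profiler SPUSBDataType`, picks out the USB devices, and classifies each reader against the working / not-working firmware versions listed in this message, flagging a reader that shows up under an unexpected name as Shawn's note suggests. The indented System Profiler layout is assumed, and the sample output is constructed, not captured from a real machine.

```python
import re

# Reader table transcribed from Shawn's working / not-working lists:
# (vendor_id, product_id) -> (System Profiler name, {firmware version: status})
KNOWN_READERS = {
    ("0x04e6", "0xe001"): ("SCRx31 USB Smart Card Reader",
        {"5.18": "working", "5.25": "working", "2.03": "not working", "4.13": "not working"}),
    ("0x076b", "0x3021"): ("Smart Card Reader USB", {"1.01": "working", "3.02": "working"}),
    ("0x09c3", "0xe001"): ("ActivCard USB Reader V2", {"2.02": "not working"}),
}

def parse_usb_devices(text):
    """Parse `system_profiler SPUSBDataType` text (assumed indented 'Key: Value' layout)."""
    devices, current = [], None
    for line in text.splitlines():
        m = re.match(r"^(\s*)(.+?):\s*(.*)$", line)
        if m and m.group(3) == "":                 # header line: a bus, hub or device
            current = {"name": m.group(2), "indent": len(m.group(1))}
            devices.append(current)
        elif m and current and len(m.group(1)) > current["indent"]:
            current[m.group(2)] = m.group(3)       # key/value nested under that header
    return [d for d in devices if "Product ID" in d and "Vendor ID" in d]

def classify_reader(dev):
    """Status per the thread's tables; a listed reader under another name hints at firmware."""
    vid = dev["Vendor ID"].split()[0].lower()      # newer releases append "(vendor name)"
    pid = dev["Product ID"].split()[0].lower()
    entry = KNOWN_READERS.get((vid, pid))
    if entry is None:
        return "not a listed reader"
    name, versions = entry
    if dev["name"] != name:
        return "name mismatch: suspect firmware"
    return versions.get(dev.get("Version", ""), "unlisted firmware version")

def check_readers(text):
    return [(d["name"], d.get("Version", "?"), classify_reader(d))
            for d in parse_usb_devices(text)]

# Constructed sample output (hypothetical machine with two SCRx31 readers attached).
SAMPLE = """    USB Bus:
        SCRx31 USB Smart Card Reader:
          Product ID: 0xe001
          Vendor ID: 0x04e6
          Version: 5.18
        SCRx31 USB Smart Card Reader:
          Product ID: 0xe001
          Vendor ID: 0x04e6
          Version: 2.03
"""
```

Run `check_readers(open("usb.txt").read())` on saved `system_profiler SPUSBDataType` output to get one (name, version, status) tuple per USB device.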
Fed-talk mailing list (email@hidden)