Re: [Fed-Talk] Help tracing access to keys/certificates?
  • Subject: Re: [Fed-Talk] Help tracing access to keys/certificates?
  • From: "Disiena, Ridley (MSFC-IS60)[EAST]" <email@hidden>
  • Date: Mon, 19 Oct 2015 19:34:46 +0000
  • Thread-topic: [Fed-Talk] Help tracing access to keys/certificates?


As far as I understand, the NEO does have a PIV applet, but it is not validated by NIST for that use. However having a PIV applet in its firmware should make it PIV technology compatible. I'm sure you understand that, but I thought that distinction was worth mentioning.

I've done some testing but have only had luck with the NEO PIV applet with OpenSC, although I have not tried with Pkard. The NEO PIV applet does not get recognized by the Mac OS Forge PIV.tokend, but I have not looked into why that might be.

As for tracing Mail, that is a good question. Since there is no manual configuration for certificate selection within Apple Mail, from what I understand it queries for possible certificates, and that request kicks off checks for identity preferences in Keychain Access first; then, if no identity preferences are found, it looks for exactly matching 822 names in certificates in available keychains [that match the account email name in Mail]. The fact that the certificate is on a hard token should still be abstracted at that point; it is just a dynamic keychain that it is looking at, or rather the cached db representation of said dynamic keychain.

There is some debugging that can be turned on for smartcards, info via "man SmartCardServices", however that might not help if the issue is above that layer:

SMART CARD APDU LOGGING
     It is possible to turn on logging for smart cards.  Logging is turned on
     by setting global preference:

     sudo defaults write /Library/Preferences/com.apple.security.smartcard Logging -bool yes

     After a smart card reader is connected (or after reboot) all operations
     including contents of sent and received APDU messages are then logged
     into system log.  Logging uses facility com.apple.security.smartcard.log
     so it is possible to set up filtering of these logs into custom targets
     (see asl.conf(5)) Note that logging setting is one-shot; it must be
     turned on by the command above to start logging again with a new reader.
     This is to avoid security risk that logging is turned on indefinitely.

Someone else might have suggestions for debugging Mail's process of selecting a certificate.

-Ridley
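The APDU logging described above writes the raw command and response bytes to the system log; reading them by hand is tedious. The following is an added example (not code from the thread, from Apple, or from any tokend) that decodes short-form ISO 7816-4 APDUs and labels the PIV-specific ones, so a log of Mail's certificate lookup can be read as "SELECT PIV applet", "GET DATA signing certificate", and the status word the card returned. The PIV AID and object identifiers are from NIST SP 800-73; the sample exchange at the bottom is constructed for illustration and is not a capture from the NEO discussed in the thread.

```python
# Added example: decoder for ISO 7816-4 short APDUs, to read the command and
# response bytes that the com.apple.security.smartcard logging preference
# writes to the system log. Not code from the thread or from Apple.
# The sample exchange at the bottom is constructed, not captured from a card.

PIV_AID_PREFIX = bytes.fromhex("A000000308")  # NIST SP 800-73 PIV AID prefix

# PIV data-object identifiers (SP 800-73) for the certificates a mail client
# would fetch; used only to label GET DATA requests.
PIV_OBJECTS = {
    bytes.fromhex("5FC105"): "X.509 Certificate for PIV Authentication (9A)",
    bytes.fromhex("5FC10A"): "X.509 Certificate for Digital Signature (9C)",
    bytes.fromhex("5FC10B"): "X.509 Certificate for Key Management (9D)",
    bytes.fromhex("5FC101"): "X.509 Certificate for Card Authentication (9E)",
}

INS_NAMES = {
    0xA4: "SELECT",
    0xCB: "GET DATA",
    0x20: "VERIFY",
    0x87: "GENERAL AUTHENTICATE",
    0xC0: "GET RESPONSE",
}

STATUS_WORDS = {
    0x9000: "success",
    0x6982: "security status not satisfied (PIN not verified)",
    0x6A82: "file or application not found",
    0x6A86: "incorrect P1/P2",
    0x6A88: "referenced data not found",
    0x6D00: "instruction not supported",
    0x6E00: "class not supported",
}


def parse_command(apdu: bytes) -> dict:
    """Split a short-form command APDU into header, data field and Le (cases 1-4)."""
    if len(apdu) < 4:
        raise ValueError("command APDU shorter than the 4-byte header")
    cla, ins, p1, p2 = apdu[0], apdu[1], apdu[2], apdu[3]
    body = apdu[4:]
    data, le = b"", None
    if len(body) == 1:                       # case 2: Le only
        le = body[0] or 256
    elif len(body) > 1:                      # case 3 or 4: Lc + data [+ Le]
        lc = body[0]
        data = body[1:1 + lc]
        if len(data) != lc:
            raise ValueError("Lc exceeds remaining bytes (truncated log line?)")
        tail = body[1 + lc:]
        if len(tail) == 1:
            le = tail[0] or 256
        elif tail:
            raise ValueError("unexpected trailing bytes after data field")
    return {"cla": cla, "ins": ins, "name": INS_NAMES.get(ins, "INS %02X" % ins),
            "p1": p1, "p2": p2, "data": data, "le": le}


def parse_response(resp: bytes) -> dict:
    """Split a response APDU into data and the two-byte status word SW1SW2."""
    if len(resp) < 2:
        raise ValueError("response shorter than the status word")
    sw = int.from_bytes(resp[-2:], "big")
    if sw >> 8 == 0x61:                      # 61xx: more data, send GET RESPONSE
        meaning = "%d more response bytes available" % (sw & 0xFF)
    elif sw & 0xFFF0 == 0x63C0:              # 63Cx: PIN retry counter
        meaning = "wrong PIN, %d tries left" % (sw & 0x0F)
    else:
        meaning = STATUS_WORDS.get(sw, "unknown status word")
    return {"data": resp[:-2], "sw": sw, "meaning": meaning}


def describe_command(cmd: dict) -> str:
    """One-line reading of a parsed command, PIV-aware for SELECT and GET DATA."""
    if cmd["ins"] == 0xA4 and cmd["p1"] == 0x04:
        target = "PIV applet" if cmd["data"].startswith(PIV_AID_PREFIX) else "AID " + cmd["data"].hex()
        return "SELECT " + target
    if cmd["ins"] == 0xCB and cmd["data"][:2] == b"\x5c\x03":
        oid = cmd["data"][2:5]               # tag 5C, length 3, object id
        return "GET DATA " + PIV_OBJECTS.get(oid, "object " + oid.hex())
    return cmd["name"]


def decode_exchange(pairs):
    """pairs: (command_hex, response_hex) tuples copied from the log.
    Returns one summary string per pair."""
    out = []
    for cmd_hex, rsp_hex in pairs:
        cmd = parse_command(bytes.fromhex(cmd_hex))
        rsp = parse_response(bytes.fromhex(rsp_hex))
        out.append("%s -> %04X %s" % (describe_command(cmd), rsp["sw"], rsp["meaning"]))
    return out


# Constructed sample: select the PIV applet, then ask for the signing
# certificate object and get "not found", the kind of answer a client would
# report as "no suitable certificate". Not a capture from a real card.
SAMPLE_EXCHANGE = [
    ("00A404000BA000000308000010000100", "9000"),
    ("00CB3FFF055C035FC10A00", "6A82"),
]

if __name__ == "__main__":
    for line in decode_exchange(SAMPLE_EXCHANGE):
        print(line)
```

Paste the hex of each logged command/response pair into SAMPLE_EXCHANGE (or feed decode_exchange from a file) and compare what the client asked for against what the card answered: a 6982 on GET DATA or GENERAL AUTHENTICATE points at PIN state, a 6A82 on GET DATA at a missing object, and a command stream that never reaches the PIV applet at all at a problem above the card layer, which is the case the man page warns logging will not help with.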

From: <fed-talk-bounces+ridley.disiena=email@hidden> on behalf of "Blumenthal, Uri - 0553 - MITLL" <email@hidden>
Date: Monday, October 19, 2015 at 1:55 PM
To: Fed Talk <email@hidden>
Subject: [Fed-Talk] Help tracing access to keys/certificates?

I have a problem with Apple Mail, and it looks like this is the only place I can hope to get some help.

Mac OS X Yosemite 10.10.5, PKard for Mac 1.6.3, current Oberthur CAC, current Yubikey NEO token.

I’m putting our local certificates on NEO, to be used as CAC for email protection (S/MIME).

Problem: while Apple Mail appears to work OK with CAC, it worked with NEO token for a day, and then stopped signing emails, claiming that it gets an error in finding a suitable certificate to sign the outgoing piece of email.

PKard.tokend appears to be doing the right thing, as far as I can tell from the logs (which are not extensive).

What I seem to need in order to track this problem down, is the ability to debug or trace Apple Mail and its attempt to fetch a certificate and/or perform a key-protected operation.

Would anybody know and share with me how to do it?

Thanks!
-- 
Regards,
Uri Blumenthal