So just out of curiosity, does the certificate that is on the NEO show when you access Keychain? The problem may be that the token is not being recognized in
the first place, and until that is resolved it won't be seen in Apple Mail. When I have seen the issue with regular smart cards I have either just reseated the device and/or changed the port.
Frazier
From: fed-talk-bounces+evans_frazier=email@hidden [mailto:fed-talk-bounces+evans_frazier=email@hidden]
On Behalf Of Disiena, Ridley (MSFC-IS60)[EAST]
Sent: Monday, October 19, 2015 3:35 PM
To: Blumenthal, Uri - 0553 - MITLL <email@hidden>; email@hidden
Subject: [External] Re: [Fed-Talk] Help tracing access to keys/certificates?
As far as I understand, the NEO does have a PIV applet, but it is not validated by NIST for that use. However, having a PIV applet in its firmware should make it
PIV technology compatible. I'm sure you understand that, but I thought that distinction was worth mentioning.
I've done some testing but have only had luck with the NEO PIV applet with OpenSC, although I have not tried with Pkard. The NEO PIV applet does not get recognized
by the Mac OS Forge PIV.tokend, but I have not looked into why that might be.
As for tracing Mail, that is a good question. Since there is no manual configuration for certificate selection within Apple Mail, from what I understand it queries
for possible certificates, and that request kicks off checks for identity preferences in Keychain Access first; then, if no identity preferences are found, it looks for exact matching 822 names in certificates in available keychains [that match the account email
name in Mail]. The fact that the certificate is on a hard token should still be abstracted at that point; it is just a dynamic keychain that it is looking at, or rather the cached db representation of said dynamic keychain.
There is some debugging that can be turned on for smartcards, info via "man SmartCardServices", however that might not help if the issue is above that layer:
It is possible to turn on logging for smart cards. Logging is turned on
by setting global preference:
sudo defaults write /Library/Preferences/com.apple.security.smartcard
After a smart card reader is connected (or after reboot) all operations
including contents of sent and received APDU messages are then logged
into system log. Logging uses facility com.apple.security.smartcard.log
so it is possible to set up filtering of these logs into custom targets
(see asl.conf(5)). Note that the logging setting is one-shot; it must be
turned on by the command above to start logging again with a new reader.
This is to avoid the security risk of logging being turned on indefinitely.
Someone else might have suggestions for debugging Mail's process of selecting a certificate.
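The selection order described in the message above (identity preference first, then an exact RFC 822 match in available keychains), as an added model that is not from the thread and not Apple's code: every class, function name and the sample keychain data are constructed assumptions, used only to see at which step a signing identity is lost when a token is not recognised.

```python
from dataclasses import dataclass, field


@dataclass
class Certificate:
    label: str
    rfc822_names: tuple  # e-mail addresses carried in the certificate (constructed)
    can_sign: bool = True


@dataclass
class Keychain:
    name: str
    certificates: list = field(default_factory=list)
    present: bool = True  # False models a hard token that was never recognised


def resolve_signing_identity(account_email, identity_preferences, keychains):
    """Return (certificate_label, step) or (None, reason).

    Step 1: an identity preference named after the account e-mail wins.
    Step 2: otherwise the first signing certificate in an available keychain
            whose RFC 822 name equals the account e-mail exactly (case-sensitive).
    """
    available = [kc for kc in keychains if kc.present]
    by_label = {c.label: c for kc in available for c in kc.certificates}

    preferred = identity_preferences.get(account_email)
    if preferred is not None:
        if preferred in by_label and by_label[preferred].can_sign:
            return preferred, "identity-preference"
        return None, "identity preference names a certificate that is not available"

    for kc in available:
        for cert in kc.certificates:
            if cert.can_sign and account_email in cert.rfc822_names:
                return cert.label, "rfc822-match:" + kc.name
    return None, "no identity preference and no exact RFC 822 match"


def demo(token_present=True, prefs=None):
    """Constructed sample: a login keychain plus a token-backed keychain."""
    login = Keychain("login", [Certificate("old-cac", ("Alice@example.gov",))])
    token = Keychain("neo-token", [Certificate("neo-smime", ("alice@example.gov",))],
                     present=token_present)
    return resolve_signing_identity("alice@example.gov", prefs or {}, [login, token])
```

With the token keychain absent, `demo(token_present=False)` falls through both steps, which is the "no suitable certificate" outcome reported in the original question; the differently-cased address on the login-keychain certificate shows why an exact 822 match does not rescue it.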
I have a problem with Apple Mail, and it looks like this is the only place I can hope to get some help.
Mac OS X Yosemite 10.10.5, PKard for Mac 1.6.3, current Oberthur CAC, current Yubikey NEO token.
I’m putting our local certificates on NEO, to be used as CAC for email protection (S/MIME).
Problem: while Apple Mail appears to work OK with CAC, it worked with NEO token for a day, and then stopped signing emails, claiming that it gets an error in finding
a suitable certificate to sign the outgoing piece of email.
PKard.tokend appears to be doing the right thing, as far as I can tell from the logs (which
are not extensive).
What I seem to need in order to track this problem down is the ability to debug or trace Apple Mail and its attempt to fetch a certificate and/or perform a key-protected
operation.
Would anybody know and share with me how to do it?