
[Fed-Talk] Two different PIV certificates on CAC?


  • Subject: [Fed-Talk] Two different PIV certificates on CAC?
  • From: Ken Hornstein <email@hidden>
  • Date: Mon, 10 Sep 2018 23:14:24 -0400

This isn't technically a question about the Mac/OSX, but I know there are
a lot of smart people on here and I figured it wouldn't hurt to ask.

I've been developing a PKCS#11 interface to the Security framework (see
previous email on this topic, it's been coming along well), and I've
been using CACKey as a reference as to what a "working" PKCS#11 module
should do (since it's open source and seems to work with everything I
tried it with).

The big difference between my keychain-pkcs11 module and CACKey is
CACKey communicates directly with a smartcard, whereas keychain-pkcs11
uses the Security framework and lets the High Sierra supplied drivers
do the hard work of communicating with the card.  Both CACKey and
the Security framework return 3 certificates from the CAC; 1 PIV
certificate, 1 email certificate, and 1 decryption certificate.  Fine,
everyone knows this.  But after some weird results I realized that there
are in fact _2_ PIV certificates on the CAC; CACKey returns one, and the
Security framework returns the other.

Now, specifically ... CACKey shows for my PIV certificate a certificate
signed by DOD ID CA-41, with a serial number of 1875831.  The Apple
Security framework shows a PIV certificate also signed by DOD ID CA-41,
but with a serial number of 1875854 (the email certificate and the
decryption certificate are the same between PKCS#11 implementations).

These certificates have a lot of similarities; they have the same validity
dates, and the same subject name and issuer.  They have different public
and associated private keys (that's how I first noticed).  They also have
different key usage; the CACKey certificate shows key usage of Digital
Signature and Non Repudiation, whereas the Security key just has a key
usage of Digital Signature.  There is also an additional policy OID
on the Security key, 2.16.840.1.101.3.2.1.3.13, which seems to be the
Federal PKI "common-auth" policy, and the extended key usage for the
Security key also contains "Microsoft Smartcardlogin".  I checked with
some co-workers, and their CACs also have these two PIV certificates.

So, I guess my question is ... what's up with that?  How come two
different PIV certificates are on the CAC?  Anyone know what the deal
is?  Obviously they both "work" since they're properly signed, but this
was new information for me.

--Ken
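As an added example that is not code from the post, from keychain-pkcs11 or from CACKey: the script below mints two constructed stand-in certificates with the attribute pattern Ken describes (same subject, issuer and validity; different keys and serials; one with digitalSignature + nonRepudiation, the other with digitalSignature only, the 2.16.840.1.101.3.2.1.3.13 policy and the Microsoft Smart Card Logon EKU) using Python's `cryptography` library, then extracts and diffs exactly the fields that tell the two apart. The issuer and subject names, the keys, and the `classify` heuristic are assumptions for illustration; the serial numbers and the policy OID are the values quoted in the post, and 1.3.6.1.4.1.311.20.2.2 is the dotted form of the Smart Card Logon EKU the post names.

```python
"""Added example: compare two PIV-slot certificates from a CAC by the
attributes that actually distinguish them (serial, key usage, certificate
policies, EKU, public key). Both certificates are constructed locally with
the `cryptography` library as stand-ins; nothing here talks to a card."""
import datetime
import hashlib

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID, ObjectIdentifier

# Policy OID quoted in the post (Federal PKI common-auth) and the Microsoft
# Smart Card Logon EKU it mentions by name.
FPKI_COMMON_AUTH = ObjectIdentifier("2.16.840.1.101.3.2.1.3.13")
MS_SMARTCARD_LOGON = ObjectIdentifier("1.3.6.1.4.1.311.20.2.2")

# Constructed names and validity window (assumptions, not the real DoD CA).
ISSUER = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "EXAMPLE ID CA-41")])
SUBJECT = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "DOE.JOHN.1234567890")])
NOT_BEFORE = datetime.datetime(2018, 1, 1)
NOT_AFTER = datetime.datetime(2021, 1, 1)

# (attribute on x509.KeyUsage, RFC 5280 bit name). encipherOnly/decipherOnly are
# left out: cryptography refuses to read them unless keyAgreement is set.
KU_FLAGS = [("digital_signature", "digitalSignature"),
            ("content_commitment", "nonRepudiation"),
            ("key_encipherment", "keyEncipherment"),
            ("data_encipherment", "dataEncipherment"),
            ("key_agreement", "keyAgreement"),
            ("key_cert_sign", "keyCertSign"),
            ("crl_sign", "cRLSign")]


def _key_usage(digital_signature, non_repudiation):
    return x509.KeyUsage(
        digital_signature=digital_signature, content_commitment=non_repudiation,
        key_encipherment=False, data_encipherment=False, key_agreement=False,
        key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False)


def _issue(ca_key, serial, subject_key, key_usage, policies, ekus):
    """Sign one end-entity certificate with the constructed CA key."""
    builder = (x509.CertificateBuilder()
               .issuer_name(ISSUER).subject_name(SUBJECT).serial_number(serial)
               .public_key(subject_key.public_key())
               .not_valid_before(NOT_BEFORE).not_valid_after(NOT_AFTER)
               .add_extension(key_usage, critical=True))
    if policies:
        builder = builder.add_extension(x509.CertificatePolicies(
            [x509.PolicyInformation(p, None) for p in policies]), critical=False)
    if ekus:
        builder = builder.add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
    return builder.sign(ca_key, hashes.SHA256())


def make_sample_pair():
    """Mint the pair described in the post: same subject, issuer and validity;
    different keys, serials, key usage, policies and EKU. The serials are the
    ones quoted in the post; keys and names are constructed."""
    ca_key, sig_key, auth_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    signing_cert = _issue(ca_key, 1875831, sig_key, _key_usage(True, True), [], [])
    auth_cert = _issue(ca_key, 1875854, auth_key, _key_usage(True, False),
                       [FPKI_COMMON_AUTH],
                       [ExtendedKeyUsageOID.CLIENT_AUTH, MS_SMARTCARD_LOGON])
    return signing_cert, auth_cert


def _validity(cert):
    # not_valid_*_utc exist from cryptography 42; fall back on older releases.
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
    return (nb.replace(tzinfo=None), na.replace(tzinfo=None))


def profile(cert):
    """Pull out the attributes worth comparing, as plain Python values."""
    def ext(cls):
        try:
            return cert.extensions.get_extension_for_class(cls).value
        except x509.ExtensionNotFound:
            return None
    ku, pol, eku = ext(x509.KeyUsage), ext(x509.CertificatePolicies), ext(x509.ExtendedKeyUsage)
    spki = cert.public_key().public_bytes(serialization.Encoding.DER,
                                          serialization.PublicFormat.SubjectPublicKeyInfo)
    return {
        "serial": cert.serial_number,
        "issuer": cert.issuer.rfc4514_string(),
        "subject": cert.subject.rfc4514_string(),
        "validity": _validity(cert),
        "spki_sha256": hashlib.sha256(spki).hexdigest(),  # identifies the key pair
        "key_usage": tuple(n for a, n in KU_FLAGS if getattr(ku, a)) if ku else (),
        "policies": tuple(p.policy_identifier.dotted_string for p in pol) if pol else (),
        "eku": tuple(o.dotted_string for o in eku) if eku else (),
    }


def diff_profiles(a, b):
    """{field: (a_value, b_value)} for every field on which the two differ."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


def classify(prof):
    """Heuristic built only from the attributes in the post: common-auth policy
    plus Smart Card Logon EKU marks the authentication certificate; a
    nonRepudiation bit without them marks the signing certificate."""
    if (FPKI_COMMON_AUTH.dotted_string in prof["policies"]
            and MS_SMARTCARD_LOGON.dotted_string in prof["eku"]):
        return "authentication"
    if "nonRepudiation" in prof["key_usage"]:
        return "signature"
    return "unknown"


if __name__ == "__main__":
    signing, auth = make_sample_pair()
    for field, (x, y) in diff_profiles(profile(signing), profile(auth)).items():
        print(f"{field}: {x!r}  vs  {y!r}")
```

The practical point for anyone writing a PKCS#11 module or a relying application: because the two certificates share subject, issuer and validity, any lookup keyed on the subject DN alone will return one of them unpredictably, which is exactly the kind of mismatch the post describes between CACKey and the Security framework. Key on the SPKI hash or on (issuer, serial), which is what `diff_profiles` exposes, and select by key usage, policy or EKU when you need a specific one.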
  • Follow-Ups:
    • Re: [Fed-Talk] Two different PIV certificates on CAC?
      • From: "Miller, Timothy J." <email@hidden>