Re: [Fed-Talk] Beta version of "keychain-pkcs11" available
- Subject: Re: [Fed-Talk] Beta version of "keychain-pkcs11" available
- From: Uri Blumenthal <email@hidden>
- Date: Sat, 22 Sep 2018 23:48:26 -0400
My problems with this code are:
- It is misleadingly named “keychain-pkcs11”, while the keychain interface is exactly
what’s missing (and what’s not provided by anything else CTK-based);
- It is unclear what purpose this library serves:
PKCS#11 library opensc-pkcs11.dylib from the OpenSC (also open source) package
already does everything that this package can (signing documents with CAC and
PIV, using SSH with smartcard, using OpenSSL-based apps with smartcard, etc.
etc.), plus a lot more (like, decrypting - almost a complete PKCS#11
implementation, with C_KeyWrap support coming);
What OpenSC does not do (CTK-based “shim” for CDSA-based apps) - this library
doesn’t do either.
- It is unclear whether it makes sense architecturally to implement PKCS#11 on
top of CTK - layer-wise, shouldn’t it be the other way around? E.g., OpenSC
implements PKCS#11 and CDSA on top of PCSC, which seems a cleaner approach to
layering.
The current capability gap as I see it is:
- Current OpenSC.tokend provides the necessary functionality, but it uses
deprecated CDSA - so its end of life is visible, maybe near (judging by the
fact that Apple removed support for libstdc++ from Xcode-10).
- Current pivtoken and OpenSCToken (one Apple-provided, the other one is open
source - but both are CTK-based) do not make the token accessible via CDSA, so
they are useless for apps like MS Office and Google Chrome.
IMHO what's needed is a “bridge” between CTK provided by MacOS and CDSA that
most of the non-Apple apps (MS Office, Google Chrome, Adobe CC, to name the more
prominent ones) are still based on.
P.S. I’ve opened an issue re. compiling under Xcode-10 on High Sierra on your
GitHub page.
—
Regards,
Uri
> On Aug 4, 2018, at 00:50, Ken Hornstein <email@hidden> wrote:
>
> Greetings all,
>
> I'm pleased to make available a bit of code I've been working on called
> "keychain-pkcs11". The purpose of this code is to provide a PKCS#11
> library that interfaces directly with the Apple-supplied Security
> framework. This lets you use the Apple native Smartcard support in High
> Sierra with applications that support PKCS#11. I've successfully used this
> with my DoD CAC to sign documents with Adobe Reader and get Kerberos tickets
> using pkinit with MIT Kerberos.
>
> My goal with this is to stick with the Apple-supported modern APIs so
> that this library will be easier to support long-term; currently it does
> not make any calls to any deprecated or non-public APIs.
>
> It's not perfect, just yet, but I think it's ready to have a few more
> people look at it. I am not providing a binary release just yet (but
> I do plan to do that eventually), I would rather have people who are
> comfortable with compiling their own software to test it out first. You
> can access it here:
>
> https://github.com/kenh/keychain-pkcs11
>
> Build instructions and some basic documentation are available there.
> Any feedback is welcome.
>
> --Ken
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden