Re: [Fed-Talk] Beta version of "keychain-pkcs11" available
- Subject: Re: [Fed-Talk] Beta version of "keychain-pkcs11" available
- From: Ken Hornstein <email@hidden>
- Date: Wed, 26 Sep 2018 14:40:50 -0400
>This is not about users knowing or not knowing about CTK - it is about
>users knowing about keychain and having certain expectations related to
>that. The proposed name change removes those unfounded expectations.
>
>You may not call CTK *directly*, but surely Security CTK framework
>actually does call CTK on your behalf? So, it's not *that* inaccurate.
>;-)
Fair enough; I will think about a better name.
>I think you're correct here. But since OpenSCToken does not support
>older apps like MS Office, there are no advantages for me using it
>(i.e., it's no better than the native "pivtoken", maybe has better
>config options, which are irrelevant because the target apps don't use
>CTK). So, I made sure it compiles, and promptly forgot about it. ;-)
Ah, okay, it wasn't clear what the various pieces are with regards to
OpenSCToken and OpenSC.token (talk about bad naming!).
> >> I wonder if you do smartcard policy enforcement with Apple-provided
> >> "pivtoken".
> >
> > Well, it depends on what you mean.
>
>I mean functionality similar to SmartCardVerify plugin that enforces
>computer access policy. It matters because while it can be controlled
>from the Active Directory side, we wanted the ability to temporarily
>disable when authorized/needed. I don't think AD supports that.
I think this is out of scope for a PKCS#11 library.
>Could you please point me at the comments in Chrome about the changes
>required for conversion?
Sure, the one I was thinking of was in src/net/ssl/client_cert_store_mac.cc,
specifically:
// macOS provides two ways to search for identities. SecIdentitySearchCreate()
// is deprecated, as it relies on CSSM_KEYUSE_SIGN (part of the deprecated
// CDSM/CSSA implementation), but is necessary to return some certificates
// that would otherwise not be returned by SecItemCopyMatching(), which is the
// non-deprecated way. However, SecIdentitySearchCreate() will not return all
// items, particularly smart-card based identities, so it's necessary to call
// both functions.
What I ended up doing was using SecItemCopyMatching() as well, but with
a different query dictionary than they use (for various reasons). But
as far as I can tell as long as you already use the Security framework,
the key part is you need to switch from SecIdentitySearchCreate*() to
SecItemCopyMatching().
--Ken
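As an added illustration of the switch described above (this is not code from the thread, from Chrome, or from keychain-pkcs11): a minimal enumeration of identities via SecItemCopyMatching() rather than the deprecated SecIdentitySearchCreate*(). The query dictionary here is the simplest one that works and is an assumption; keychain-pkcs11 uses a different query, as the message says.

```objective-c
// Added example: list every identity the Security framework can see,
// including smart-card (CTK-backed) ones, using SecItemCopyMatching().
// Build with:
//   clang -fobjc-arc -framework Foundation -framework Security list_ids.m
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Returns an NSArray of SecIdentityRef (certificate + private key pairs),
// an empty array if there are none, or nil if the query itself failed.
// The query dictionary is an assumption: minimal, not keychain-pkcs11's own.
static NSArray *CopyAllIdentities(void) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:      (__bridge id)kSecClassIdentity,
        (__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitAll,
        (__bridge id)kSecReturnRef:  @YES,
    };
    CFTypeRef result = NULL;
    OSStatus st = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (st == errSecItemNotFound) return @[];      // nothing matched
    if (st != errSecSuccess) {
        NSLog(@"SecItemCopyMatching failed: %d", (int)st);
        return nil;
    }
    return CFBridgingRelease(result);             // CFArrayRef -> NSArray
}

int main(void) {
    @autoreleasepool {
        for (id obj in CopyAllIdentities()) {
            SecIdentityRef ident = (__bridge SecIdentityRef)obj;
            SecCertificateRef cert = NULL;
            if (SecIdentityCopyCertificate(ident, &cert) != errSecSuccess) continue;
            NSString *subject = CFBridgingRelease(SecCertificateCopySubjectSummary(cert));
            NSLog(@"identity: %@", subject);
            CFRelease(cert);
        }
    }
    return 0;
}
```

Whether a given smart-card identity shows up depends on the token driver (pivtoken, OpenSCToken, or another CTK extension) being loaded; the query itself does not filter by token.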