Re: [Fed-Talk] [EXTERNAL] Re: MacOS X Catalina & CAC support
- Subject: Re: [Fed-Talk] [EXTERNAL] Re: MacOS X Catalina & CAC support
- From: "Golbig, Allen M. \(GRC-V000\)\[Peerless Technologies Corp.\] via Fed-talk" <email@hidden>
- Date: Tue, 8 Oct 2019 15:37:47 +0000
I 100% do not recommend doing this but:
To enable TokenD:
sudo defaults write /Library/Preferences/com.apple.security.smartcard Legacy -bool true
To disable CTK:
sudo defaults write /Library/Preferences/com.apple.security.smartcard DisabledTokens -array com.apple.CryptoTokenKit.pivtoken
In testing OpenSC sort of worked, I could see certs in Keychain Access, but
Outlook didn't recognize them. Again, I don’t recommend this at all. I really
wish Apple had completely killed off TokenD in 10.15 instead of disabling it.
Hopefully they pull the plug in the 10.15 spring update instead of waiting for
10.16.
The only core app that does not work with CTK is Firefox and I have a ticket
that others should dupe if they want to see it happen sooner,
https://bugzilla.mozilla.org/show_bug.cgi?id=1497522. For now keychain-pkcs11
has worked great with Firefox (Thanks Ken!) and you can even load it via a
configuration profile.
Allen
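The two `defaults write` commands above change the smart-card preference domain in a way Allen explicitly advises against, so an administrator will mostly want to know whether a fleet host has drifted into that state. The following audit is an added example, not code from the list post or from any of the projects named in the thread. It assumes the preference domain has been exported as an XML property list (for instance with `sudo defaults export /Library/Preferences/com.apple.security.smartcard -`) and passed in as bytes; the two sample plists embedded below are constructed to mirror the overridden and the stock state.

```python
"""Audit com.apple.security.smartcard for the TokenD/CTK overrides from the thread.

Added example (not from the mailing-list post). Assumption: the preference
domain is exported as an XML plist, e.g.
    sudo defaults export /Library/Preferences/com.apple.security.smartcard -
and the resulting bytes are handed to audit_smartcard_prefs().
"""
import plistlib

# Token identifier named in the thread's second `defaults write` command.
PIV_TOKEN = "com.apple.CryptoTokenKit.pivtoken"

# Constructed sample: the state produced by both commands in the post
# (Legacy -bool true, DisabledTokens -array com.apple.CryptoTokenKit.pivtoken).
SAMPLE_OVERRIDDEN = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Legacy</key>
    <true/>
    <key>DisabledTokens</key>
    <array>
        <string>com.apple.CryptoTokenKit.pivtoken</string>
    </array>
</dict>
</plist>
"""

# Constructed sample: a stock 10.15 host with nothing written to the domain.
SAMPLE_DEFAULT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict/></plist>
"""


def audit_smartcard_prefs(plist_bytes):
    """Return findings for the two overrides discussed in the thread.

    legacy_tokend_enabled: Legacy is true (or 1), which re-enables TokenD on 10.15.
    pivtoken_disabled:     the CTK PIV token is listed in DisabledTokens.
    disabled_tokens:       the full DisabledTokens list, for reporting.
    """
    prefs = plistlib.loads(plist_bytes)

    disabled = prefs.get("DisabledTokens") or []
    if not isinstance(disabled, list):
        # A single string value is still a meaningful entry; normalise to a list.
        disabled = [disabled]

    return {
        # `-bool true` stores a boolean; tolerate an integer 1 written by hand.
        "legacy_tokend_enabled": prefs.get("Legacy") in (True, 1),
        "pivtoken_disabled": PIV_TOKEN in disabled,
        "disabled_tokens": list(disabled),
    }


def stock_configuration(findings):
    """True when neither override is present, i.e. TokenD stays off and CTK stays on."""
    return not findings["legacy_tokend_enabled"] and not findings["pivtoken_disabled"]


if __name__ == "__main__":
    for label, sample in (("overridden", SAMPLE_OVERRIDDEN), ("default", SAMPLE_DEFAULT)):
        result = audit_smartcard_prefs(sample)
        print(label, result, "stock" if stock_configuration(result) else "DRIFTED")
```

Run it against the real export on a host and treat a `DRIFTED` result as a configuration finding; the `disabled_tokens` list is returned in full so that any other token identifiers someone has disabled show up in the same report.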
On 10/8/19, 11:29 AM, "Blumenthal, Uri - 0553 - MITLL" <email@hidden> wrote:
Allen,
Thank you - it's very interesting.
Could you explain
(a) how does one *completely* disable CTK?
(b) once CTK is disabled - were you able to run the currently-released
OpenSC.tokend?
Thanks again!
On 10/8/19, 11:17 AM, "Fed-talk on behalf of Golbig, Allen M.
(GRC-V000)[Peerless Technologies Corp.] via Fed-talk"
<fed-talk-bounces+uri=email@hidden on behalf of
email@hidden> wrote:
Outlook supports CTK currently in Microsoft's Insider Slow/Fast
channels. If no other issues pop up before next week, I expect it to be in
16.30.
TokenD is disabled by default in macOS 10.15. It can be re-enabled but
in my testing I found that both OpenSC and ActivClient are broken unless you
completely disable CTK.
Allen
On 10/8/19, 10:41 AM, "Fed-talk on behalf of Blumenthal, Uri - 0553 -
MITLL via Fed-talk" <fed-talk-bounces+allen.m.golbig=email@hidden
on behalf of email@hidden> wrote:
In my experience, OpenSC already supports Firefox and Acrobat
perfectly, and is available both as a source repo and as a binary package. In
my opinion, this is the best currently available option for smartcards (and not
just CAC or PIV tokens!) on Catalina - especially because there's a large
community behind it that provides pretty decent support. That works for all the
apps with PKCS#11 capabilities, and for a large number of tokens.
Apple-native apps (Safari and Apple Mail) were migrated to CTK, so
they can access the tokens (CAC and PIV only) via "pivtoken" (standard with
High Sierra, Mojave, and Catalina).
The real problem is with those apps that still rely on CDSA API,
rather than on the new CTK - such as MS Office (AFAIK). Unfortunately, neither
OpenSC (that provides a PKCS#11 library), nor your keychain-pkcs11 (that
provides a PKCS#11 library) can help with this issue. And OpenSC.tokend that
addressed it up until Mojave, won't work on Catalina.
On 10/8/19, 10:18 AM, "Fed-talk on behalf of Ken Hornstein via
Fed-talk" <fed-talk-bounces+uri=email@hidden on behalf of
email@hidden> wrote:
Everyone,
It is my understanding that MacOS X Catalina has finally killed off support for third-party token daemons ("tokend") which make smart cards available via the older Keychain APIs.
I tested out my keychain-pkcs11 plugin, and it worked fine on Catalina with Firefox (for web browsing) and Adobe Acrobat (for document signing). Now obviously I am biased because I wrote keychain-pkcs11, but as far as I know currently it is the only option for CAC/smartcard support for those two applications on Catalina. If there are other options to make these applications work on Catalina I would love to hear about them. And if anyone has problems with keychain-pkcs11 I would be interested in hearing about them.
--Ken
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden