Re: [Fed-Talk] [EXTERNAL] Re: MacOS X Catalina & CAC support
Re: [Fed-Talk] [EXTERNAL] Re: MacOS X Catalina & CAC support
- Subject: Re: [Fed-Talk] [EXTERNAL] Re: MacOS X Catalina & CAC support
- From: "Blumenthal, Uri - 0553 - MITLL via Fed-talk" <email@hidden>
- Date: Tue, 8 Oct 2019 17:07:48 +0000
- Thread-topic: [Fed-Talk] [EXTERNAL] Re: MacOS X Catalina & CAC support
Allen,
Could you please clarify for me:
1. When you say "OpenSC sort of worked", do you mean OpenSC.tokend (I suspect
you did, otherwise there's no way the certs would've shown up in Keychain
Access)?
1a. Even though the certs were visible in Keychain Access, Outlook did not see
them? Or saw them but refused to use them?
2. Why do you disable pivtoken via "defaults" instead of
sudo security smartcards token -d com.apple.pivtoken
Is it because your example disables (as you said earlier) the *entire* CTK
framework (I wouldn't think it possible)?
3. Did you try opensc-pkcs11.so (OpenSC PKCS#11 library) with Firefox? Or only
keychain-pkcs11?
P.S. On my Mojave 10.14.6, I did *not* enable legacy smartcard - and all the
smartcard-related software seems to work: PKCS#11 access via opensc-pkcs11.so,
CDSA via OpenSC.tokend, and pivtoken for CTK-capable apps. All seems to work
fine together - with the exception that I don't use Apple Mail (so, no locked
computer for me, ever).
On 10/8/19, 11:45 AM, "Fed-talk on behalf of Golbig, Allen M.
(GRC-V000)[Peerless Technologies Corp.] via Fed-talk"
<fed-talk-bounces+uri=email@hidden on behalf of
email@hidden> wrote:
I 100% do not recommend doing this but:
To enable TokenD:
sudo defaults write /Library/Preferences/com.apple.security.smartcard
Legacy -bool true
To disable CTK:
sudo defaults write /Library/Preferences/com.apple.security.smartcard
DisabledTokens -array com.apple.CryptoTokenKit.pivtoken
In testing OpenSC sort of worked, I could see certs in Keychain Access, but
Outlook didn't recognize them. Again, I don’t recommend this at all. I really
wish Apple had completely killed off TokenD in 10.15 instead of disabling it.
Hopefully they pull the plug in the 10.15 spring update instead of waiting for
10.16.
The only core app that does not work with CTK is Firefox and I have a
ticket that others should dupe if they want to see it happen sooner,
https://bugzilla.mozilla.org/show_bug.cgi?id=1497522. For now keychain-pkcs11
has worked great with Firefox (Thanks Ken!) and you can even load it via a
configuration profile.
Allen
On 10/8/19, 11:29 AM, "Blumenthal, Uri - 0553 - MITLL" <email@hidden>
wrote:
Allen,
Thank you - it's very interesting.
Could you explain
(a) how does one *completely* disable CTK?
(b) once CTK is disabled - were you able to run the currently-released
OpenSC.tokend?
Thanks again!
On 10/8/19, 11:17 AM, "Fed-talk on behalf of Golbig, Allen M.
(GRC-V000)[Peerless Technologies Corp.] via Fed-talk"
<fed-talk-bounces+uri=email@hidden on behalf of
email@hidden> wrote:
Outlook supports CTK currently in Microsoft's Insider Slow/Fast
channels. If no other issues pop up before next week, I expect it to be in
16.30.
TokenD is disabled by default in macOS 10.15. It can be re-enabled
but in my testing I found that both OpenSC and ActivClient are broken unless
you completely disable CTK.
Allen
On 10/8/19, 10:41 AM, "Fed-talk on behalf of Blumenthal, Uri - 0553
- MITLL via Fed-talk" <fed-talk-bounces+allen.m.golbig=email@hidden
on behalf of email@hidden> wrote:
In my experience, OpenSC already supports Firefox and Acrobat
perfectly, and is available both as a source repo and as a binary package. In
my opinion, this is the best currently available option for smartcards (and not
just CAC or PIV tokens!) on Catalina - especially because there's a large
community behind it that provides pretty decent support. That works for all the
apps with PKCS#11 capabilities, and for a large number of tokens.
Apple-native apps (Safari and Apple Mail) were migrated to CTK,
so they can access the tokens (CAC and PIV only) via "pivtoken" (standard with
High Sierra, Mojave, and Catalina).
The real problem is with those apps that still rely on CDSA
API, rather than on the new CTK - such as MS Office (AFAIK). Unfortunately,
neither OpenSC (that provides a PKCS#11 library), nor your keychain-pkcs11
(that provides a PKCS#11 library) can help with this issue. And OpenSC.tokend
that addressed it up until Mojave, won't work on Catalina.
On 10/8/19, 10:18 AM, "Fed-talk on behalf of Ken Hornstein via
Fed-talk" <fed-talk-bounces+uri=email@hidden on behalf of
email@hidden> wrote:
Everyone,
It is my understanding that MacOS X Catalina has finally
killed off support
for third-party token daemons ("tokend") which make smart
cards available
via the older Keychain APIs.
I tested out my keychain-pkcs11 plugin, and it worked fine
on Catalina
with Firefox (for web browsing) and Adobe Acrobat (for
document
signing). Now obviously I am biased because I wrote
keychain-pkcs11,
but as far as I know currently it is the only option for
CAC/smartcard
support for those two applications on Catalina. If there
are other
options to make these applications work on Catalina I would
love to hear
about them. And if anyone has problems with
keychain-pkcs11 I would
be interested in hearing about them.
--Ken
_______________________________________________
Do not post admin requests to the list. They will be
ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden