Re: [Fed-Talk] MacOS X Catalina & CAC support
- Subject: Re: [Fed-Talk] MacOS X Catalina & CAC support
- From: Ken Hornstein via Fed-talk <email@hidden>
- Date: Tue, 08 Oct 2019 13:11:37 -0400
>The core applications that still require tokenD (looking at you Outlook
>specifically and Firefox) know they have to update to the newer
>frameworks that have been there since 10.10 days.
In defense of the poor, beleaguered application developer ... Apple
hasn't made this easy.
There is essentially ZERO useful documentation for the Security framework.
You can download the source code to most of the Security framework and
that gets you part of the way, and the headers go into some details as
to what those functions expect. But here are the undocumented things you'll
run into:
- You will hear that you need to support CryptoTokenKit. So, naturally, you
will start looking at CryptoTokenKit documentation (there is a small bit
of that). But it turns out that unless you are writing your own smartcard
middleware (like OpenSCToken) you shouldn't be making ANY calls to
any of the calls into the CryptoTokenKit framework! You should only
be calling the Security framework. At this point you're already mad
and frustrated because you wasted a few days looking at the CryptoTokenKit
framework documentation.
- There are TWO sets of APIs; I differentiate these as the "old API"
and the "New API"; I don't like calling the new API "CryptoTokenKit"
because you don't actually make any CryptoTokenKit calls and
that's confusing to me. The old API involves the SecKeychain*()
calls. The new API involves calling SecItemCopyMatching() and
dealing with the output of that. The SecKeychain*() calls are
relatively straightforward and have a fair number of examples.
SecItemCopyMatching() can take a lot of entries in its query dictionary
and how they all interact is a bit of a mess, and there's much less
example code.
- Testing BOTH of those APIs is kind of complicated. If you are using
a token daemon, you need to ONLY use the old calls. Smartcards
presented via tokend aren't visible using the new API, and if you're
not using tokend then the old API calls don't work. That means you
need to test things both with and without a third-party smartcard enabler.
And as we all know those things can be kind of fragile sometimes so
you may not want to break a working setup.
None of these things are impossible; it's just a steep hill to climb. I
suspect the number of Firefox developers that have smartcards is small,
and they are worried about breaking things for existing users. It would
have been easier if Apple had written a transition document explaining
how things had changed and how users of the SecKeychain APIs should
transition to SecItemCopyMatching() (and it sure would have been nice if
they had made SecItemCopyMatching() find smartcards presented via tokend).
--Ken
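Ken's point about SecItemCopyMatching() having far less example code than the SecKeychain*() calls is the one that bites most people, so here is an added example (editor's code, not Ken's and not from any project mentioned in the thread) of the "new API" enumeration of smartcard identities. It uses only Security framework calls, no CryptoTokenKit, which is exactly the constraint Ken describes. Assumptions: macOS 10.12 or later (where kSecAttrAccessGroupToken and kSecAttrTokenID exist); restricting the query with kSecAttrAccessGroupToken is my choice for filtering to CryptoTokenKit-backed items, not something the original message specifies; the file name in the usage comment is made up.

```swift
import Foundation
import Security

/// One identity (certificate + private key) exposed by a CryptoTokenKit token.
struct TokenIdentity {
    let label: String
    let tokenID: String
    let subject: String
    let identity: SecIdentity
}

/// Enumerate smartcard identities through the Security framework only.
/// Only SecItem*/SecIdentity*/SecCertificate* calls are used; nothing from
/// CryptoTokenKit. Returns an empty array when no token is present.
func tokenIdentities() throws -> [TokenIdentity] {
    let query: [CFString: Any] = [
        kSecClass: kSecClassIdentity,
        // Assumption: limit the search to items backed by a CryptoTokenKit token.
        // Drop this key to see keychain-file identities as well.
        kSecAttrAccessGroup: kSecAttrAccessGroupToken,
        kSecMatchLimit: kSecMatchLimitAll,
        kSecReturnRef: true,         // return the SecIdentity itself ...
        kSecReturnAttributes: true,  // ... and its attributes, one dictionary per item
    ]

    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)

    // "Nothing matched" is the normal no-card-inserted case, not an error.
    if status == errSecItemNotFound { return [] }
    guard status == errSecSuccess else {
        let msg = SecCopyErrorMessageString(status, nil) as String? ?? "OSStatus \(status)"
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(status),
                      userInfo: [NSLocalizedDescriptionKey: msg])
    }

    // With kSecMatchLimitAll plus both kSecReturn* keys, the result is an array of
    // attribute dictionaries, each carrying the SecIdentity under kSecValueRef.
    guard let items = result as? [[String: Any]] else { return [] }

    return items.compactMap { attrs in
        guard let ref = attrs[kSecValueRef as String] else { return nil }
        let identity = ref as! SecIdentity

        // Pull the certificate out of the identity to get a human-readable subject.
        var cert: SecCertificate?
        guard SecIdentityCopyCertificate(identity, &cert) == errSecSuccess,
              let certificate = cert else { return nil }

        return TokenIdentity(
            label: attrs[kSecAttrLabel as String] as? String ?? "(no label)",
            tokenID: attrs[kSecAttrTokenID as String] as? String ?? "(no token id)",
            subject: SecCertificateCopySubjectSummary(certificate) as String? ?? "(no subject)",
            identity: identity)
    }
}

// Usage (hypothetical file name): swift list_token_identities.swift
do {
    let ids = try tokenIdentities()
    if ids.isEmpty {
        print("No CryptoTokenKit identities found.")
        print("If a card is inserted and works elsewhere, it is probably presented by a tokend,")
        print("which this query does not see; the SecKeychain*() API is needed for that path.")
    }
    for id in ids {
        print("\(id.tokenID)\n  label:   \(id.label)\n  subject: \(id.subject)")
    }
} catch {
    print("SecItemCopyMatching failed: \(error.localizedDescription)")
}
```

Run it once with a CryptoTokenKit-backed card (the built-in PIV token, or OpenSCToken) and once with a tokend-based enabler installed to see the behaviour Ken describes: the second run returns errSecItemNotFound even though the card works in other applications, which is why both test setups are needed.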