Re: [Fed-Talk] [EXTERNAL] Re: MacOS X Catalina & CAC support
Re: [Fed-Talk] [EXTERNAL] Re: MacOS X Catalina & CAC support
- Subject: Re: [Fed-Talk] [EXTERNAL] Re: MacOS X Catalina & CAC support
- From: "Golbig, Allen M. \(GRC-V000\)\[Peerless Technologies Corp.\] via Fed-talk" <email@hidden>
- Date: Tue, 8 Oct 2019 17:27:03 +0000
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nasa.gov; dmarc=pass action=none header.from=nasa.gov; dkim=pass header.d=nasa.gov; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=NZR/nOjmo8fGk4J3WIoUupb6f3JsdiON49NPmNfrjgA=; b=i3bop0y7yKTYg56cAYZGCPcE971dKTlKC7sOqx6iCwUhqkN1fCMx6uBzacO/htt6l2GdWtErlVA3R3eYJlD6lEuYeMeHsKHL2b0S10Nd2Pep+r6r00YEEObBD9Djwy4K0cZrbyBq550vAJRrTJ9yiAZLdTc9HqZ9XDxDDXAx9mbfOsiweP7zTSZ5EkhDQL7BVfBBsGPmdAqLU8wwM9mbdlk1h2MYEMQlfTbN8oYPkrNQc6QdAeYdqUL/+7Kwlhqaof+zxd70N01ej95pzS0SpgEoiDyufPzup3R5cwo9J7j40sbX3jMaujgnM7fbqkUMhrdU44l46O5t5nXIANTgEw==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=PFxSc1SfsFJs0qoWxff1KmGWdnUbPoEOPwMnQlvOYaJwQ+1+MVOc8MUZ+5boUc/AtneuVya3nF8pjOmDLECHa4FrDjzkuMwzNYm8VBMjf9unM/ydcSjm23krPT3X1EXOVyYIdIKmeGjQ5kUvJSNFEOmNAfTaQJ7pSSDRW42lX0Lx5WTEI5PmeNuwPqz0ovuXtAtGFKVoKOvQGycUmqrPO525JWIHfEA/aDg4zoghtpiIRvEWK6VNrqElDkMGRgR+WLDWa21FZEy3QRKDxei8C3UGCmvS+4BTT/Gg+WHn/do2jyk+PIRZto0rS0nkU0WAqBOtcmGMY5Xdp16tv+6s6w==
- Dkim-filter: OpenDKIM Filter v2.11.0 ndmsvnpf102.ndc.nasa.gov 8B8A6400A022
- Thread-topic: [Fed-Talk] [EXTERNAL] Re: MacOS X Catalina & CAC support
1. Yes
1a. It did not properly see the certs. Similar to the bug that was in
10.14-10.14.1.
2. Because that is what is in the man page for SmartCardServices-legacy
3. No, I did not. I'm only using keychain-pkcs11 for firefox. Once Mozilla adds
support for CTK I'll uninstall keychain-pkcs11 from my system (sorry Ken).
You don't need to enable it as it's not disabled in 10.14.x.
Allen
On 10/8/19, 1:08 PM, "Blumenthal, Uri - 0553 - MITLL" <email@hidden> wrote:
Allen,
Could you please clarify for me:
1. When you say "OpenSC sort of worked", do you mean OpenSC.tokend (I
suspect you did, otherwise there's no way the certs would've shown up in
Keychain Access)?
1a. Even though the certs were visible in Keychain Access, Outlook did not
see them? Or saw them but refused to use them?
2. Why do you disable pivtoken via "defaults" instead of
sudo security smartcards token -d com.apple.pivtoken
Is it because your example disables (as you said earlier) the *entire*
CTK framework (I wouldn't think it possible)?
3. Did you try opensc-pkcs11.so (OpenSC PKCS#11 library) with Firefox? Or
only keychain-pkcs11?
P.S. On my Mojave 10.14.6, I did *not* enable legacy smartcard - and all
the smartcard-related software seems to work: PKCS#11 access via
opensc-pkcs11.so, CDSA via OpenSC.tokend, and pivtoken for CTK-capable apps.
All seems to work fine together - with the exception that I don't use Apple
Mail (so, no locked computer for me, ever).
On 10/8/19, 11:45 AM, "Fed-talk on behalf of Golbig, Allen M.
(GRC-V000)[Peerless Technologies Corp.] via Fed-talk"
<fed-talk-bounces+uri=email@hidden on behalf of
email@hidden> wrote:
I 100% do not recommend doing this but:
To enable TokenD:
sudo defaults write /Library/Preferences/com.apple.security.smartcard
Legacy -bool true
To disable CTK:
sudo defaults write /Library/Preferences/com.apple.security.smartcard
DisabledTokens -array com.apple.CryptoTokenKit.pivtoken
In testing OpenSC sort of worked, I could see certs in Keychain Access,
but Outlook didn't recognize them. Again, I don’t recommend this at all. I
really wish Apple had completely killed off TokenD in 10.15 instead of
disabling it. Hopefully they pull the plug in the 10.15 spring update instead
of waiting for 10.16.
The only core app that does not work with CTK is Firefox and I have a
ticket that others should dupe if they want to see it happen sooner,
https://bugzilla.mozilla.org/show_bug.cgi?id=1497522. For now keychain-pkcs11
has worked great with Firefox (Thanks Ken!) and you can even load it via a
configuration profile.
Allen
On 10/8/19, 11:29 AM, "Blumenthal, Uri - 0553 - MITLL" <email@hidden>
wrote:
Allen,
Thank you - it's very interesting.
Could you explain
(a) how does one *completely* disable CTK?
(b) once CTK is disabled - were you able to run the
currently-released OpenSC.tokend?
Thanks again!
On 10/8/19, 11:17 AM, "Fed-talk on behalf of Golbig, Allen M.
(GRC-V000)[Peerless Technologies Corp.] via Fed-talk"
<fed-talk-bounces+uri=email@hidden on behalf of
email@hidden> wrote:
Outlook supports CTK currently in Microsoft's Insider Slow/Fast
channels. If no other issues pop up before next week, I expect it to be in
16.30.
TokenD is disabled by default in macOS 10.15. It can be
re-enabled but in my testing I found that both OpenSC and ActivClient are
broken unless you completely disable CTK.
Allen
On 10/8/19, 10:41 AM, "Fed-talk on behalf of Blumenthal, Uri -
0553 - MITLL via Fed-talk"
<fed-talk-bounces+allen.m.golbig=email@hidden on behalf of
email@hidden> wrote:
In my experience, OpenSC already supports Firefox and
Acrobat perfectly, and is available both as a source repo and as a binary
package. In my opinion, this is the best currently available option for
smartcards (and not just CAC or PIV tokens!) on Catalina - especially because
there's a large community behind it that provides pretty decent support. That
works for all the apps with PKCS#11 capabilities, and for a large number of
tokens.
Apple-native apps (Safari and Apple Mail) were migrated to
CTK, so they can access the tokens (CAC and PIV only) via "pivtoken" (standard
with High Sierra, Mojave, and Catalina).
The real problem is with those apps that still rely on CDSA
API, rather than on the new CTK - such as MS Office (AFAIK). Unfortunately,
neither OpenSC (that provides a PKCS#11 library), nor your keychain-pkcs11
(that provides a PKCS#11 library) can help with this issue. And OpenSC.tokend
that addressed it up until Mojave, won't work on Catalina.
On 10/8/19, 10:18 AM, "Fed-talk on behalf of Ken Hornstein
via Fed-talk" <fed-talk-bounces+uri=email@hidden on behalf of
email@hidden> wrote:
Everyone,
It is my understanding that MacOS X Catalina has
finally killed off support
for third-party token daemons ("tokend") which make
smart cards available
via the older Keychain APIs.
I tested out my keychain-pkcs11 plugin, and it worked
fine on Catalina
with Firefox (for web browsing) and Adobe Acrobat (for
document
signing). Now obviously I am biased because I wrote
keychain-pkcs11,
but as far as I know currently it is the only option
for CAC/smartcard
support for those two applications on Catalina. If
there are other
options to make these applications work on Catalina I
would love to hear
about them. And if anyone has problems with
keychain-pkcs11 I would
be interested in hearing about them.
--Ken
_______________________________________________
Do not post admin requests to the list. They will be
ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden