Re: [Fed-Talk] [EXTERNAL] Re: MacOS X Catalina & CAC support
Re: [Fed-Talk] [EXTERNAL] Re: MacOS X Catalina & CAC support
- Subject: Re: [Fed-Talk] [EXTERNAL] Re: MacOS X Catalina & CAC support
- From: "Blumenthal, Uri - 0553 - MITLL via Fed-talk" <email@hidden>
- Date: Tue, 8 Oct 2019 17:55:41 +0000
- Thread-topic: [Fed-Talk] [EXTERNAL] Re: MacOS X Catalina & CAC support
Allen,
Thanks for the info - very helpful.
But from your answers I see that you don't use any OpenSSL-based software that
uses token-based keys/certificates. Otherwise, you'd find that you need a
PKCS#11 library to interface between OpenSSL and the token. Currently,
opensc-pkcs11.so fits this bill.
On 10/8/19, 1:28 PM, "Fed-talk on behalf of Golbig, Allen M.
(GRC-V000)[Peerless Technologies Corp.] via Fed-talk"
<fed-talk-bounces+uri=email@hidden on behalf of
email@hidden> wrote:
1. Yes
1a. It did not properly see the certs. Similar to the bug that was in
10.14-10.14.1.
2. Because that is what is in the man page for SmartCardServices-legacy
3. No, I did not. I'm only using keychain-pkcs11 for firefox. Once Mozilla
adds support for CTK I'll uninstall keychain-pkcs11 from my system (sorry Ken).
You don't need to enable it as it's not disabled in 10.14.x.
Allen
On 10/8/19, 1:08 PM, "Blumenthal, Uri - 0553 - MITLL" <email@hidden>
wrote:
Allen,
Could you please clarify for me:
1. When you say "OpenSC sort of worked", do you mean OpenSC.tokend (I
suspect you did, otherwise there's no way the certs would've shown up in
Keychain Access)?
1a. Even though the certs were visible in Keychain Access, Outlook did
not see them? Or saw them but refused to use them?
2. Why do you disable pivtoken via "defaults" instead of
sudo security smartcards token -d com.apple.pivtoken
Is it because your example disables (as you said earlier) the
*entire* CTK framework (I wouldn't think it possible)?
3. Did you try opensc-pkcs11.so (OpenSC PKCS#11 library) with Firefox?
Or only keychain-pkcs11?
P.S. On my Mojave 10.14.6, I did *not* enable legacy smartcard - and
all the smartcard-related software seems to work: PKCS#11 access via
opensc-pkcs11.so, CDSA via OpenSC.tokend, and pivtoken for CTK-capable apps.
All seems to work fine together - with the exception that I don't use Apple
Mail (so, no locked computer for me, ever).
On 10/8/19, 11:45 AM, "Fed-talk on behalf of Golbig, Allen M.
(GRC-V000)[Peerless Technologies Corp.] via Fed-talk"
<fed-talk-bounces+uri=email@hidden on behalf of
email@hidden> wrote:
I 100% do not recommend doing this but:
To enable TokenD:
sudo defaults write
/Library/Preferences/com.apple.security.smartcard Legacy -bool true
To disable CTK:
sudo defaults write
/Library/Preferences/com.apple.security.smartcard DisabledTokens -array
com.apple.CryptoTokenKit.pivtoken
In testing OpenSC sort of worked, I could see certs in Keychain
Access, but Outlook didn't recognize them. Again, I don’t recommend this at
all. I really wish Apple had completely killed off TokenD in 10.15 instead of
disabling it. Hopefully they pull the plug in the 10.15 spring update instead
of waiting for 10.16.
The only core app that does not work with CTK is Firefox and I have
a ticket that others should dupe if they want to see it happen sooner,
https://bugzilla.mozilla.org/show_bug.cgi?id=1497522. For now keychain-pkcs11
has worked great with Firefox (Thanks Ken!) and you can even load it via a
configuration profile.
Allen
On 10/8/19, 11:29 AM, "Blumenthal, Uri - 0553 - MITLL"
<email@hidden> wrote:
Allen,
Thank you - it's very interesting.
Could you explain
(a) how does one *completely* disable CTK?
(b) once CTK is disabled - were you able to run the
currently-released OpenSC.tokend?
Thanks again!
On 10/8/19, 11:17 AM, "Fed-talk on behalf of Golbig, Allen M.
(GRC-V000)[Peerless Technologies Corp.] via Fed-talk"
<fed-talk-bounces+uri=email@hidden on behalf of
email@hidden> wrote:
Outlook supports CTK currently in Microsoft's Insider
Slow/Fast channels. If no other issues pop up before next week, I expect it to
be in 16.30.
TokenD is disabled by default in macOS 10.15. It can be
re-enabled but in my testing I found that both OpenSC and ActivClient are
broken unless you completely disable CTK.
Allen
On 10/8/19, 10:41 AM, "Fed-talk on behalf of Blumenthal,
Uri - 0553 - MITLL via Fed-talk"
<fed-talk-bounces+allen.m.golbig=email@hidden on behalf of
email@hidden> wrote:
In my experience, OpenSC already supports Firefox and
Acrobat perfectly, and is available both as a source repo and as a binary
package. In my opinion, this is the best currently available option for
smartcards (and not just CAC or PIV tokens!) on Catalina - especially because
there's a large community behind it that provides pretty decent support. That
works for all the apps with PKCS#11 capabilities, and for a large number of
tokens.
Apple-native apps (Safari and Apple Mail) were migrated
to CTK, so they can access the tokens (CAC and PIV only) via "pivtoken"
(standard with High Sierra, Mojave, and Catalina).
The real problem is with those apps that still rely on
CDSA API, rather than on the new CTK - such as MS Office (AFAIK).
Unfortunately, neither OpenSC (that provides a PKCS#11 library), nor your
keychain-pkcs11 (that provides a PKCS#11 library) can help with this issue. And
OpenSC.tokend that addressed it up until Mojave, won't work on Catalina.
On 10/8/19, 10:18 AM, "Fed-talk on behalf of Ken
Hornstein via Fed-talk" <fed-talk-bounces+uri=email@hidden on
behalf of email@hidden> wrote:
Everyone,
It is my understanding that MacOS X Catalina has
finally killed off support
for third-party token daemons ("tokend") which make
smart cards available
via the older Keychain APIs.
I tested out my keychain-pkcs11 plugin, and it
worked fine on Catalina
with Firefox (for web browsing) and Adobe Acrobat
(for document
signing). Now obviously I am biased because I
wrote keychain-pkcs11,
but as far as I know currently it is the only
option for CAC/smartcard
support for those two applications on Catalina. If
there are other
options to make these applications work on Catalina
I would love to hear
about them. And if anyone has problems with
keychain-pkcs11 I would
be interested in hearing about them.
--Ken
_______________________________________________
Do not post admin requests to the list. They will
be ignored.
Fed-talk mailing list
(email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
_______________________________________________
Do not post admin requests to the list. They will be
ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden