Re: [Fed-Talk] [EXTERNAL] Re: MacOS X Catalina & CAC support
- Subject: Re: [Fed-Talk] [EXTERNAL] Re: MacOS X Catalina & CAC support
- From: "Disiena, Ridley \(MSFC-IS90\)\[EAST2\] via Fed-talk" <email@hidden>
- Date: Tue, 8 Oct 2019 17:59:43 +0000
Just to add and clarify on "OpenSC sort of worked". Historically the
opensc-pkcs11.so works just fine with PIV cards in Firefox and Thunderbird as
it is an independent PKCS11 module and not a shim to a tokend or CTK. I believe
it works much the same as it does on Linux.
The OpenSC tokend however is a different story: it worked for TLS
Authentication with the PIV Authentication certificate, and the tokend did load
keychain with all current certificates and keys, including all 20
key histories in the spec. However decryption with the OpenSC tokend always
failed, when using current or historical keys. I worked with the OpenSC
developer and tried to debug the code but we could not zero in on the cause of
the error. So instead I worked with Ludovic to update the PIV.tokend with
changes to support the key history, and stopped trying to use or fix the OpenSC
bug with PIV.
Hope that helps.
RIP tokend... so long, and thanks for all the fish.
-Ridley
On 10/8/19, 1:28 PM, "Fed-talk on behalf of Golbig, Allen M.
(GRC-V000)[Peerless Technologies Corp.] via Fed-talk"
<fed-talk-bounces+ridley.disiena=email@hidden on behalf of
email@hidden> wrote:
1. Yes
1a. It did not properly see the certs. Similar to the bug that was in
10.14-10.14.1.
2. Because that is what is in the man page for SmartCardServices-legacy
3. No, I did not. I'm only using keychain-pkcs11 for Firefox. Once Mozilla
adds support for CTK I'll uninstall keychain-pkcs11 from my system (sorry Ken).
You don't need to enable it as it's not disabled in 10.14.x.
Allen
On 10/8/19, 1:08 PM, "Blumenthal, Uri - 0553 - MITLL" <email@hidden>
wrote:
Allen,
Could you please clarify for me:
1. When you say "OpenSC sort of worked", do you mean OpenSC.tokend (I
suspect you did, otherwise there's no way the certs would've shown up in
Keychain Access)?
1a. Even though the certs were visible in Keychain Access, Outlook did
not see them? Or saw them but refused to use them?
2. Why do you disable pivtoken via "defaults" instead of
sudo security smartcards token -d com.apple.pivtoken
Is it because your example disables (as you said earlier) the
*entire* CTK framework (I wouldn't think it possible)?
3. Did you try opensc-pkcs11.so (OpenSC PKCS#11 library) with Firefox?
Or only keychain-pkcs11?
P.S. On my Mojave 10.14.6, I did *not* enable legacy smartcard - and
all the smartcard-related software seems to work: PKCS#11 access via
opensc-pkcs11.so, CDSA via OpenSC.tokend, and pivtoken for CTK-capable apps.
All seems to work fine together - with the exception that I don't use Apple
Mail (so, no locked computer for me, ever).
On 10/8/19, 11:45 AM, "Fed-talk on behalf of Golbig, Allen M.
(GRC-V000)[Peerless Technologies Corp.] via Fed-talk"
<fed-talk-bounces+uri=email@hidden on behalf of
email@hidden> wrote:
I 100% do not recommend doing this but:
To enable TokenD:
sudo defaults write /Library/Preferences/com.apple.security.smartcard Legacy -bool true
To disable CTK:
sudo defaults write /Library/Preferences/com.apple.security.smartcard DisabledTokens -array com.apple.CryptoTokenKit.pivtoken
In testing OpenSC sort of worked, I could see certs in Keychain
Access, but Outlook didn't recognize them. Again, I don’t recommend this at
all. I really wish Apple had completely killed off TokenD in 10.15 instead of
disabling it. Hopefully they pull the plug in the 10.15 spring update instead
of waiting for 10.16.
The only core app that does not work with CTK is Firefox and I have
a ticket that others should dupe if they want to see it happen sooner,
https://urldefense.proofpoint.com/v2/url?u=https-3A__bugzilla.mozilla.org_show-5Fbug.cgi-3Fid-3D1497522&d=DwIGaQ&c=ApwzowJNAKKw3xye91w7BE1XMRKi2LN9kiMk5Csz9Zk&r=lgWInDMMaL2t51CUvhkPdwFAJtW4eV8mrdtEgoHm8xI&m=8gpwmLZF45RmEWrWbFtEzSa6t0enUfBgIWXV5u5F6e0&s=H7zFXIuU_lD8mdD9c5VVQ-1zOXW3mcWbfgsIw13qloY&e=
. For now keychain-pkcs11 has worked great with Firefox (Thanks Ken!) and you
can even load it via a configuration profile.
Allen
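An added audit check, not from the thread or from any of the posters, for the two settings Allen lists above and the pivtoken disable Uri mentions: it reads the smartcard preference domain and flags the "legacy tokend enabled, pivtoken disabled" combination he advises against. It assumes the domain is stored at /Library/Preferences/com.apple.security.smartcard.plist and that the keys are named `Legacy` and `DisabledTokens`, exactly as in his `defaults write` commands.

```python
"""Audit the macOS smartcard preference domain for the unsupported
'legacy tokend on, CTK pivtoken off' configuration from the thread.
Assumption: the `defaults` domain above is backed by the plist file at
PREFS_PATH and uses the keys `Legacy` (bool) and `DisabledTokens` (array)."""
import plistlib
import sys

PREFS_PATH = "/Library/Preferences/com.apple.security.smartcard.plist"  # assumed path
PIVTOKEN = "com.apple.CryptoTokenKit.pivtoken"


def audit_smartcard_prefs(data: bytes) -> dict:
    """Parse raw plist bytes (XML or binary) and return findings.
    An empty file or absent keys means the macOS defaults: tokend off, pivtoken on."""
    prefs = plistlib.loads(data) if data.strip() else {}
    legacy = bool(prefs.get("Legacy", False))
    disabled = [str(t) for t in prefs.get("DisabledTokens", [])]
    return {
        "legacy_tokend_enabled": legacy,
        "pivtoken_disabled": PIVTOKEN in disabled,
        "disabled_tokens": disabled,
        # The combination Allen says he does not recommend.
        "unsupported_config": legacy and PIVTOKEN in disabled,
    }


def audit_file(path: str = PREFS_PATH) -> dict:
    """Audit a plist on disk; a missing file is treated as default settings."""
    try:
        with open(path, "rb") as f:
            return audit_smartcard_prefs(f.read())
    except FileNotFoundError:
        return audit_smartcard_prefs(b"")


# Constructed sample: the XML form of what the two `defaults write` commands
# produce (defaults itself writes binary plists; plistlib reads either form).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Legacy</key><true/>
<key>DisabledTokens</key><array><string>com.apple.CryptoTokenKit.pivtoken</string></array>
</dict></plist>"""

if __name__ == "__main__":
    # Pass a plist path to audit a real machine; otherwise run on the sample.
    result = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_smartcard_prefs(SAMPLE)
    for key, value in result.items():
        print(f"{key}: {value}")
```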
On 10/8/19, 11:29 AM, "Blumenthal, Uri - 0553 - MITLL"
<email@hidden> wrote:
Allen,
Thank you - it's very interesting.
Could you explain
(a) how does one *completely* disable CTK?
(b) once CTK is disabled - were you able to run the
currently-released OpenSC.tokend?
Thanks again!
On 10/8/19, 11:17 AM, "Fed-talk on behalf of Golbig, Allen M.
(GRC-V000)[Peerless Technologies Corp.] via Fed-talk"
<fed-talk-bounces+uri=email@hidden on behalf of
email@hidden> wrote:
Outlook supports CTK currently in Microsoft's Insider
Slow/Fast channels. If no other issues pop up before next week, I expect it to
be in 16.30.
TokenD is disabled by default in macOS 10.15. It can be
re-enabled but in my testing I found that both OpenSC and ActivClient are
broken unless you completely disable CTK.
Allen
On 10/8/19, 10:41 AM, "Fed-talk on behalf of Blumenthal,
Uri - 0553 - MITLL via Fed-talk"
<fed-talk-bounces+allen.m.golbig=email@hidden on behalf of
email@hidden> wrote:
In my experience, OpenSC already supports Firefox and
Acrobat perfectly, and is available both as a source repo and as a binary
package. In my opinion, this is the best currently available option for
smartcards (and not just CAC or PIV tokens!) on Catalina - especially because
there's a large community behind it that provides pretty decent support. That
works for all the apps with PKCS#11 capabilities, and for a large number of
tokens.
Apple-native apps (Safari and Apple Mail) were migrated
to CTK, so they can access the tokens (CAC and PIV only) via "pivtoken"
(standard with High Sierra, Mojave, and Catalina).
The real problem is with those apps that still rely on
CDSA API, rather than on the new CTK - such as MS Office (AFAIK).
Unfortunately, neither OpenSC (that provides a PKCS#11 library), nor your
keychain-pkcs11 (that provides a PKCS#11 library) can help with this issue. And
OpenSC.tokend that addressed it up until Mojave, won't work on Catalina.
On 10/8/19, 10:18 AM, "Fed-talk on behalf of Ken
Hornstein via Fed-talk" <fed-talk-bounces+uri=email@hidden on
behalf of email@hidden> wrote:
Everyone,
It is my understanding that MacOS X Catalina has finally killed off support
for third-party token daemons ("tokend") which make smart cards available
via the older Keychain APIs.
I tested out my keychain-pkcs11 plugin, and it worked fine on Catalina
with Firefox (for web browsing) and Adobe Acrobat (for document
signing). Now obviously I am biased because I wrote keychain-pkcs11,
but as far as I know currently it is the only option for CAC/smartcard
support for those two applications on Catalina. If there are other
options to make these applications work on Catalina I would love to hear
about them. And if anyone has problems with keychain-pkcs11 I would
be interested in hearing about them.
--Ken
_______________________________________________
Do not post admin requests to the list. They will
be ignored.
Fed-talk mailing list
(email@hidden)
Help/Unsubscribe/Update your Subscription:
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.apple.com_mailman_options_fed-2Dtalk_uri-2540ll.mit.edu&d=DwIGaQ&c=ApwzowJNAKKw3xye91w7BE1XMRKi2LN9kiMk5Csz9Zk&r=lgWInDMMaL2t51CUvhkPdwFAJtW4eV8mrdtEgoHm8xI&m=8gpwmLZF45RmEWrWbFtEzSa6t0enUfBgIWXV5u5F6e0&s=XQB-0qSsdN5TQ7_IK5Pp_eSdm2HvFSBzWt2CZAcmXvU&e=
This email sent to email@hidden