Re: [Fed-Talk] MacOS X Catalina & CAC support
- Subject: Re: [Fed-Talk] MacOS X Catalina & CAC support
- From: Ken Hornstein via Fed-talk <email@hidden>
- Date: Tue, 08 Oct 2019 14:34:27 -0400
>Tokend makes the certificates accessible via the same API that apps
>use to access soft certs in the keychain. In fact, it makes the token
>appear as another keychain. That's why the "new API" apps should be
>able to access smartcards via Tokend: they won't be able to tell the
>difference between a soft cert and a cert-on-the-token.
Weeeelll ... there is some magic there.
The old SecKeychain*() APIs have, as far as I can tell, all been deprecated
since 10.7. The NEW API (SecItemCopyMatching()) is the official gateway to
everything key-related. But here are the comments in the Chrome source
code (client_cert_store_mac.cc):
// macOS provides two ways to search for identities. SecIdentitySearchCreate()
// is deprecated, as it relies on CSSM_KEYUSE_SIGN (part of the deprecated
// CDSM/CSSA implementation), but is necessary to return some certificates
// that would otherwise not be returned by SecItemCopyMatching(), which is the
// non-deprecated way. However, SecIdentitySearchCreate() will not return all
// items, particularly smart-card based identities, so it's necessary to call
// both functions.
I lack the energy to run through every combination of tokend/no tokend and
old/new APIs, but I do remember very distinctly when a Safari upgrade broke
tokend-presented smartcards (it just wouldn't find them anymore); that
suggested to me very strongly, combined with the above comments, that
SecItemCopyMatching() won't find the tokend-presented identities anymore.
>> Chrome calls both the old and new Security framework APIs explicitly
>> for this reason, that's why it's one of the few applications that work
>> with native smartcard support and a tokend.
>
>I'd like to think that Chrome calls both because it wants to pick both
>"soft" identities, and those on the HW tokens.
From what I see, the Chrome source code isn't explicitly requesting
smartcard-only identities, so I don't think that's the reason.
--Ken
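As an added example (my code, not from this thread and not Chrome's), here is the two-path identity enumeration the message describes, with the results of SecItemCopyMatching() and SecIdentitySearchCreate() unioned by leaf-certificate DER so an identity visible through both paths is counted once. It assumes a macOS build against Security.framework; whether tokend or native smartcard support is present is whatever the machine has.

```objective-c
// Added example (mine, not the thread's or Chrome's code): union of both identity-enumeration paths.
// Build on macOS: clang -Wno-deprecated-declarations -framework Security -framework CoreFoundation -o ids ids.m
#include <CoreFoundation/CoreFoundation.h>
#include <Security/Security.h>
#include <stdio.h>
// Append `identity` to `out` unless a certificate with identical DER bytes was already seen.
static void addIdentity(SecIdentityRef identity, CFMutableSetRef seen, CFMutableArrayRef out) {
    SecCertificateRef cert = NULL;
    if (SecIdentityCopyCertificate(identity, &cert) != errSecSuccess) return;
    CFDataRef der = SecCertificateCopyData(cert);   // CFData compares by content, so the set dedupes
    if (!CFSetContainsValue(seen, der)) {
        CFSetAddValue(seen, der);
        CFArrayAppendValue(out, identity);          // the array retains the identity
    }
    CFRelease(der); CFRelease(cert);
}
// Path 1: the non-deprecated SecItemCopyMatching() query for every identity.
static void collectViaSecItem(CFMutableSetRef seen, CFMutableArrayRef out) {
    const void *keys[]   = { kSecClass, kSecMatchLimit, kSecReturnRef };
    const void *values[] = { kSecClassIdentity, kSecMatchLimitAll, kCFBooleanTrue };
    CFDictionaryRef query = CFDictionaryCreate(NULL, keys, values, 3,
        &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
    CFArrayRef items = NULL;                        // kSecMatchLimitAll yields a CFArray
    if (SecItemCopyMatching(query, (CFTypeRef *)&items) == errSecSuccess && items) {
        for (CFIndex i = 0; i < CFArrayGetCount(items); i++)
            addIdentity((SecIdentityRef)CFArrayGetValueAtIndex(items, i), seen, out);
        CFRelease(items);
    }
    CFRelease(query);
}
// Path 2: the deprecated SecIdentitySearchCreate() walk on CSSM_KEYUSE_SIGN, as in the Chrome comment.
static void collectViaIdentitySearch(CFMutableSetRef seen, CFMutableArrayRef out) {
    SecIdentitySearchRef search = NULL; SecIdentityRef identity = NULL;
    if (SecIdentitySearchCreate(NULL, CSSM_KEYUSE_SIGN, &search) != errSecSuccess) return;
    while (SecIdentitySearchCopyNext(search, &identity) == errSecSuccess) {
        addIdentity(identity, seen, out);
        CFRelease(identity);                        // CopyNext hands back a +1 reference
    }
    CFRelease(search);
}
int main(void) {
    CFMutableSetRef seen = CFSetCreateMutable(NULL, 0, &kCFTypeSetCallBacks);
    CFMutableArrayRef ids = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
    collectViaSecItem(seen, ids);
    CFIndex viaNew = CFArrayGetCount(ids);
    collectViaIdentitySearch(seen, ids);
    printf("SecItemCopyMatching found %ld identities; SecIdentitySearchCreate added %ld more\n",
           (long)viaNew, (long)(CFArrayGetCount(ids) - viaNew));
    CFRelease(ids); CFRelease(seen); return 0;
}
```

Running it with and without a tokend loaded shows directly which path surfaces the smartcard identities on a given system, which is the question the message leaves open.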