Re: [Fed-Talk] [EXTERNAL] Re: MacOS X Catalina & CAC support
- Subject: Re: [Fed-Talk] [EXTERNAL] Re: MacOS X Catalina & CAC support
- From: "Walls, Bryan K. \(MSFC-HP27\) via Fed-talk" <email@hidden>
- Date: Tue, 8 Oct 2019 19:35:51 +0000
- Thread-topic: [EXTERNAL] Re: [Fed-Talk] MacOS X Catalina & CAC support
I guess that's what's happening with Enterprise Connect: when you are searching
for Smart Card certificates, there is a button for Legacy Certificates. I'm
guessing the Legacy button uses the deprecated call rather than
SecIdentitySearchCreate()?
On 10/8/19, 1:35 PM, "Fed-talk on behalf of Ken Hornstein via Fed-talk"
<fed-talk-bounces+bryan.walls=email@hidden on behalf of
email@hidden> wrote:
>Tokend makes the certificates accessible via the same API that apps
>use to access soft certs in the keychain. In fact, it makes the token
>appear as another keychain. That's why the "new API" apps should be
>able to access smartcards via Tokend: they won't be able to tell the
>difference between a soft cert and a cert-on-the-token.
Weeeelll ... there is some magic there.
The old SecKeychain*() APIs have, as far as I can tell, all been deprecated
since 10.7. The NEW API (SecItemCopyMatching()) is the official gateway to
everything key-related. But here are the comments in the Chrome source
code (client_cert_store_mac.cc):
// macOS provides two ways to search for identities. SecIdentitySearchCreate()
// is deprecated, as it relies on CSSM_KEYUSE_SIGN (part of the deprecated
// CDSM/CSSA implementation), but is necessary to return some certificates
// that would otherwise not be returned by SecItemCopyMatching(), which is the
// non-deprecated way. However, SecIdentitySearchCreate() will not return all
// items, particularly smart-card based identities, so it's necessary to call
// both functions.
I lack the energy to run through every combination of tokend/no tokend and
old/new APIs, but I do remember very distinctly when a Safari upgrade broke
tokend-presented smartcards (it just wouldn't find them anymore); that
suggested to me very strongly, combined with the above comments, that
SecItemCopyMatching() won't find the tokend-presented identities anymore.
>> Chrome calls both the old and new Security framework APIs explicitly
>> for this reason, that's why it's one of the few applications that work
>> with native smartcard support and a tokend.
>
>I'd like to think that Chrome calls both because it wants to pick both
>"soft" identities, and those on the HW tokens.
From what I see, the Chrome source code isn't explicitly requesting
smartcard-only identities, so I don't think that's the reason.
--Ken
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.apple.com_mailman_options_fed-2Dtalk_bryan.walls-2540nasa.gov&d=DwICAg&c=ApwzowJNAKKw3xye91w7BE1XMRKi2LN9kiMk5Csz9Zk&r=hYykOPC6laUMojsQ9JFWEUoNFgpKVX5eXjBJmQRoM8Y&m=HCmz3Qy0Wep9iI2FhkN3qigdaWFMP8Hf6vQVMM9Aq3s&s=58B-KgofjweXUXTuwVVNL0YtfDI1CJVroURgTSTnBPE&e=
This email sent to email@hidden
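Ken mentions not having the energy to run through every combination of tokend and old/new APIs. The following is an added example (not code from this thread, from Apple or from Chromium) that lists the identities each of the two Security framework calls quoted above returns, so the two result sets can be compared on a Mac with and without a tokend loaded; the helper names and the file name idcmp.m are my own.

```objc
// Compile on macOS: clang -fobjc-arc -framework Foundation -framework Security idcmp.m -o idcmp
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Print a tag plus the common name of the identity's certificate.
static void dumpIdentity(NSString *tag, SecIdentityRef identity) {
    SecCertificateRef cert = NULL;
    if (SecIdentityCopyCertificate(identity, &cert) != errSecSuccess) return;
    CFStringRef cn = NULL;
    SecCertificateCopyCommonName(cert, &cn);
    NSLog(@"%@ %@", tag, cn ? (__bridge NSString *)cn : @"<no CN>");
    if (cn) CFRelease(cn);
    CFRelease(cert);
}

// Non-deprecated path: SecItemCopyMatching() over every kSecClassIdentity item.
static void viaSecItemCopyMatching(void) {
    NSDictionary *query = @{ (id)kSecClass: (id)kSecClassIdentity,
                             (id)kSecMatchLimit: (id)kSecMatchLimitAll,
                             (id)kSecReturnRef: @YES };
    CFTypeRef result = NULL;
    OSStatus st = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (st != errSecSuccess) { NSLog(@"SecItemCopyMatching failed: %d", (int)st); return; }
    for (id ident in (__bridge NSArray *)result)
        dumpIdentity(@"[SecItemCopyMatching]", (__bridge SecIdentityRef)ident);
    CFRelease(result);
}

// Deprecated path (since 10.7): SecIdentitySearchCreate() keyed on CSSM_KEYUSE_SIGN,
// the call Chromium keeps alongside the new one.
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wdeprecated-declarations"
static void viaSecIdentitySearch(void) {
    SecIdentitySearchRef search = NULL;
    if (SecIdentitySearchCreate(NULL, CSSM_KEYUSE_SIGN, &search) != errSecSuccess) return;
    SecIdentityRef identity = NULL;
    while (SecIdentitySearchCopyNext(search, &identity) == errSecSuccess) {
        dumpIdentity(@"[SecIdentitySearchCreate]", identity);
        CFRelease(identity);
    }
    CFRelease(search);  // errSecItemNotFound ends the iteration
}
#pragma clang diagnostic pop

int main(void) {
    // Run once with the tokend loaded and once without, then diff the two outputs.
    @autoreleasepool { viaSecItemCopyMatching(); viaSecIdentitySearch(); }
    return 0;
}
```

An identity that appears under one tag but not the other is exactly the gap the Chromium comment describes; whichever list contains the smart-card identity tells you which API the application in question needs to call.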