Re: [Fed-Talk] [EXTERNAL] Smartcard decryption not working under Sonoma
- Subject: Re: [Fed-Talk] [EXTERNAL] Smartcard decryption not working under Sonoma
- From: "Neely, Lee via Fed-talk" <email@hidden>
- Date: Wed, 7 Feb 2024 23:39:02 +0000
Give 14.4 b2 a try. Smartcard login is not working Intel (mac tested) – Note to
get logged in no smartcards can be inserted - but after login smartcards will
work with encrypt/decrypt/etc.
We submitted tickets on this – fingers crossed 14.14 b3
Lee Neely
Senior Cyber Advisor
Cyber Security Program, LLNL
From: Ken Hornstein via Fed-talk <email@hidden>
Date: Wednesday, February 7, 2024 at 4:25 PM
To: Grall, Stephen (NIH/NCI) [C] <email@hidden>
Cc: email@hidden <email@hidden>
Subject: Re: [Fed-Talk] [EXTERNAL] Smartcard decryption not working under Sonoma
>There is currently no in-system workaround short of getting both the
>relevant certificate and private key added to the login keychain as you
>said; easier said than done, and your security team may not like you
>doing so. Given the logged error you found, which sounds like more than
>anyone else has been able to find so far, I highly encourage you to open
>an AppleCare Enterprise Support case as I did, so that you can provide
>Apple the relevant information you’ve uncovered; it would benefit us
>all to do so.
Just an update ...
We don't have an AppleCare Enterprise Support account, so I can't submit
a bug report that way. I DID submit a bug report via Feedback Assistant;
in case anyone cares the ID for that is FB13595520. FYI, the error I get
from keychain-pkcs11 is:
SecKeyCreateDecryptedData failed: Error Domain=NSOSStatusErrorDomain Code=-50
"RSAdecrypt wrong input (err -13)" (paramErr: error in user parameter list)
UserInfo={numberOfErrorsDeep=0, NSDescription=RSAdecrypt wrong input (err -13)}
(-50)
Which ... isn't helpful, I think? However, people may be interested in
knowing that decryption with the RSA-OAEP algorithm works fine! The one
that fails is RSA-PKCS1. That doesn't really help us since nearly everything
out there is encrypted with PKCS#1 padding, but it does suggest to me that
the bug is somewhere in the PKCS#1 padding decoding. I put that in my
bug report (but it sure seems like the formatting is all munged up when
I put it in; sigh).
--Ken
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden