Igor Delovski Board

[Ike]

Ludovic Rousseau - PCSC sample in Objective-C

Ludovic Rousseau - PCSC sample in C

"In Yosemite (Mac OS X 10.10) Apple introduced a new API to access smart
cards. See OS X Yosemite and smart cards status.

This API is not a wrapper above PC/SC. It is the native API to be used on Mac
OS X. You do not need to install it, it comes with the OS. "

[delovski]

Ludovic Rousseau - Differences between Apple pcsc-lite and the "official" pcsc-lite


Do not support USB devices with more than 1 CCID interface (bug #10469006)
Do not support extended APDU longer than 1958 bytes (bug #9983001 and #7334726)
Do not support more than 16 PCSC contexts per application (bug #10038432)
reader.h header file is not provided in the PCSC Framework (bug #7101554)
pcscd does not support TAG_IFD_THREAD_SAFE (bug #6584566)
pcscd crashes when the smart card reader is removed when in communication (bug #6114944)
PC/SC never returns the warm ATR of a dual-ATR card (bug #5964019)

[delovski]

github - OpenSC - tools and libraries for smart cards

"OpenSC provides a set of libraries and utilities to work with smart cards. Its
main focus is on cards that support cryptographic operations, and facilitate
their use in security applications such as authentication, mail encryption and
digital signatures. OpenSC implements the PKCS#11 API so applications sup-
porting this API (such as Mozilla Firefox and Thunderbird) can use it. On the
card OpenSC implements the PKCS#15 standard and aims to be compatible
with every software/card that does so, too."

[Ike]

LR - macOS Sierra and (legacy) smart card login

"It is easy to configure a user account to use a smartcard to login with macOS
Sierra. Some steps are not easy to guess so I wrote this documentation for me
to remember."

[Ike]

LR - pcsc-tools

"These tools are used to test a PC/SC driver, card or reader or send commands
in a friendly environment (text or graphical user interface)."

[Ike]

so - Mac OS X El Capitan Smart Card Services PKCS#11 Tokend
compilation and installation

"I would like to install PKCS#11 Tokend to my Mac OS X El Capitan (10.11.2)
so I can access PKCS#11 enabled devices from Safari.

In my experience, you'd be better off using OpenSC with tokend fork. It builds
OK on Mac OS X 10.10 and 10.11, and supports RSA and ECC tokens (and SHA-2)."

[Ike]

LR - Free software Tokend above PKCS#11 (for Mac OS X)

"Gemalto released the source code of its tokend.

PKCS#11 Tokend

The goal of this tokend is to be able to use any PKCS#11 library in CDSA and
then with native Apple Applications (Mail, Safari, Key Chain, File Vault, etc.)"

[Ike]

so - How exactly does __attribute__((constructor)) work?

"Here is another concrete example.It is for a shared library. The shared
library's main function is to communicate with a smart card reader. But
it can also receive 'configuration information' at runtime over udp. The
udp is handled by a thread which MUST be started at init time."

[Ike]

tools.ietf.org - The PKCS #11 URI Scheme

"This memo specifies a PKCS #11 Uniform Resource Identifier (URI) Scheme
for identifying PKCS #11 objects stored in PKCS #11 tokens and also for
identifying PKCS #11 tokens, slots, or libraries. The URI scheme is based on
how PKCS #11 objects, tokens, slots, and libraries are identified in 'PKCS #11
v2.20: Cryptographic Token Interface Standard'."

[Ike]

oasis-open.org - PKCS #11 Cryptographic Token Interface Base Specification Version 2.40

"This document specifies the data types and functions available to an applica-
tion requiring cryptographic services using the ANSI C programming language.
The supplier of a Cryptoki library implementation typically provides these data
types and functions via ANSI C header files. Generic ANSI C header files for
Cryptoki are available from the PKCS#11 web page. This document and up-to-
date errata for Cryptoki will also be available from the same place."

[Ike]

tech.springcard.com - PC/SC UNDER UNIX/LINUX/MAC WITH PCSC-LITE

"Starting with MacOS X version 10.4, the PCSC-Lite package and the CCID
driver are included in the system. We just need to add entries for SpringCard
readers into the configuration file of the CCID driver to have them supported.

CCID driver's Info.plist

/usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/Info.plist"

[Ike]

appspot.com - Smart card ATR parsing

"Enter an ATR (Answer To Reset) and I will parse it for you."

[Ike]

gemalto.com - IDGo 800

"IDGo 800 is a cryptographic middleware suite supporting the IDPrime .NET
and MD smart cards and secure elements range.

The IDGo 800 suite includes several components:
- IDGo 800 Minidriver, available on Windows environments
- IDGo 800 Credential Provider, available on Windows environments
- IDGo 800 PKCS#11 libraries, available on Windows, Mac OS and Linux environments"

[Ike]

travis_fold:start:git.checkout

"[1mSetOwnerAndGroup travis:staff /Users/travis/build/OpenSC/OpenSC/target/Library/Security/tokend/OpenSC.tokend

cd /Users/travis/build/OpenSC/OpenSC/OpenSC.tokend

/usr/sbin/chown -RH travis:staff /Users/travis/build/OpenSC/OpenSC/target/Library/Security/tokend/OpenSC.tokend



SetMode u+w,go-w,a+rX /Users/travis/build/OpenSC/OpenSC/target/Library/Security/tokend/OpenSC.tokend

cd /Users/travis/build/OpenSC/OpenSC/OpenSC.tokend

/bin/chmod -RH u+w,go-w,a+rX /Users/travis/build/OpenSC/OpenSC/target/Library/Security/tokend/OpenSC.tokend



RegisterWithLaunchServices /Users/travis/build/OpenSC/OpenSC/target/Library/Security/tokend/OpenSC.tokend

cd /Users/travis/build/OpenSC/OpenSC/OpenSC.tokend

builtin-lsRegisterURL /Users/travis/build/OpenSC/OpenSC/target/Library/Security/tokend/OpenSC.tokend

note: Registration was skipped, code -10811"

[Ike]

a - tokend: MAC OS 10.11 support

"<x-man-page://7/SmartCardServices>

Take a look at the SmartCardServices man page. Language was added in
OS X El Capitan to make it clear that tokend modules can be installed in
/Library/Security/tokend."

manpagez.com - man SmartCardServices-legacy

"DISABLING NEW SMART CARD SUPPORT

It is possible to turn of the new tokens by setting the global preference:

sudo defaults write /Library/Preferences/com.apple.security.smartcard DisabledTokens -array com.apple.CryptoTokenKit.pivtoken"

[Ike]

LR - macOS Sierra: Smart Card Driver Extensions

"Support for Smart Card Driver Extensions
You can now create NSExtension-based smart card drivers, allowing the
contents of certain types of smart cards to be presented as part of the
system keychain. This mechanism is intended to replace the deprecated
Common Data Security Architecture, although for macOS 10.12, both
architectures are supported."

[Ike]

piv-guides - Document Mac OS PIV tokend use and support

"Your PIV authentication key pair and public cert is exactly like using a self-
signed cert and key pair to SSH

The key pair and certificate are on hardware PIV card

Ensure your workstation or jump server can recognize the credential and
enabling the correct drivers on the client are included"

[Ike]

lr - pcscd debug output on Mac OS X

"The important option here is -s. If you want to disable the automatic launch
of pcscd you need to start securityd with -s off. But you do not start securityd
yourself. securityd is started by another daemon: launchd.

/System/Library/LaunchDaemons/com.apple.securityd.plist."

[delovski]

Tokend-Dev -- Tokend Developer Discussions

"This Tokend-Dev list is intended for the discussion of all things related to the
development of Tokend modules to support various Smart Cards and emerging
token devices. You should send any questions you have on developing your
own Tokend module and issues specific to Tokend interaction with your Smart
Card(s)."

[Ike]

scs - Gemalto Tokend problem on ElCapitain & Sierra

"token in reader ActivIdentity USB Reader V3 cannot be used (error 100002)"

[Ike]

apple - PIVToken: Using CryptoTokenKit to add support for new types of tokens

"This sample demonstrates how to write an extension for CryptoTokenKit
framework to support new types of SmartCards or any other cryptographic
token."

apple - CryptoTokenKit Framework

"Access Smart Cards and manage user interactions."

[Ike]

scs - CVE-2013-1867: tokend (Apple, Gemalto) - privacy leak & arbitrary file creation

"A telltale sign of this is the existence of directories with the card-label in
locations such as /var/db, /etc or /usr/share. In fact, a search for any file
or directory names that matches part of the label of the chipcard or any of
its tokens is propably a concern. See CVE-2013-1866 for related information."

[Ike]

fda - Running PIVToken example [SOLVED]

I have downloaded PIVToken example from here and trying to run it. I have
put several breakpoints in the source code, but when I run it from XCode,
none of them gets hit.

[Ike]

lists.apple - Multiple PIN Handling/On-Access PIN in TokenD

"I've tried using 2 PIN slots in the TokenD and assigning the relevant Records
and KeyHandles to use slot 1 for applet A's items and slot 2 for applet B's
items... and it seems to "get it" when it needs to authenticate for using applet
B's items the first time... however when it goes and checks for pinStatus the
second time around after it had authenticated once to B, it looks for the
pinStatus on slot 1... not the slot 2 that is assigned as the owner and the
necessary ACL authorizer for decrypt/sign..."

[Ike]

lists.apple.com - Apple-CDSA

"Apple's implementation of CDSA. (Common Data Security Architecture)"

[Ike]

esteid-tokend - Known issues

"Only authentication certificate (only that certificate is registered in keychain
and only authentication related functions are supported) and PIN1 is supported
since keychain pin dialog does not identify which pin is asked from user (IB-4070)"

[delovski]

ars - Crippling crypto weakness opens millions of smartcards to cloning

"Gemalto IDPrime.NET almost certainly isn't the only smartcard vulnerable
to ROCA.

The vulnerability resides in all RSA keys generated by the faulty Infineon
library. To optimize speed, the library uses a structure of underlying prime
numbers that makes the keys much more susceptible to a mathematical
process known as factorization.

Identifying affected keys is quick and in expensive and requires only access
to a public key. Attackers can then run all vulnerable public keys through an
attack dubbed Return of the Coppersmith Attack, or ROCA, for the type of
factorization method it uses."

[Ike]

git - Installing OpenSC PKCS#11 Module in Firefox, Step by Step

"This step by step description is can also be found in Mozilla's knowledge base."

see: 10.11.6 broke digital signing in Adobe?