rohanpinto
commented
3 years ago @vjardin - could you assist with the above ?
Closed jamesd09 closed 9 months ago
rohanpinto
commented
3 years ago @vjardin - could you assist with the above ?
frankmorgner
commented
3 years ago 6D 00 indicates that the java card simulator has some problem rather than the PIV applet. Are you sure that the applet is correctly loaded and installed? Is it possible to use the applet via pkcs11-tool --test --login?
Please note that it should also be possible to do the login without OpenSCToken with Apple's default CTK implementation for PIV cards.
jamesd09
commented
3 years ago Hi @frankmorgner, thanks for assisting.
The output of pkcs11-tool --test --login is as follows:
Using slot 0 with a present token (0x0)
Logging in to "PIV_II".
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
seeding (C_SeedRandom) not supported
seems to be OK
Digests:
all 4 digest functions seem to work
MD5: OK
SHA-1: OK
RIPEMD160: OK
Signatures (currently only for RSA)
testing key 0 (PIV AUTH key)
all 4 signature functions seem to work
testing signature mechanisms:
RSA-X-509: OK
RSA-PKCS: OK
SHA1-RSA-PKCS: OK
MD5-RSA-PKCS: OK
RIPEMD160-RSA-PKCS: OK
SHA256-RSA-PKCS: OK
Verify (currently only for RSA)
testing key 0 (PIV AUTH key)
RSA-X-509: OK
RSA-PKCS: OK
SHA1-RSA-PKCS: OK
MD5-RSA-PKCS: OK
RIPEMD160-RSA-PKCS: OK
Decryption (currently only for RSA)
testing key 0 (PIV AUTH key)
RSA-X-509: OK
RSA-PKCS: OK
No errorsIn the log posted above, the line card.c:866:sc_select_file: 'SELECT' error: -1204 (Unsupported INS byte in APDU) was quite bothersome. Not able to understand why would that fail on OpenSC ?
Also, my applet & Java card is working fine with CTK. We moved to OpenSC as we needed more control over how we handle the PIN dialog on the mac login screen. I have follow up queries if you could assist me with please:
Our main objective here is to bypass the user interaction on the PIN dialog that appears on the login screen when the card is inserted.
frankmorgner
commented
3 years ago In the log posted above, the line card.c:866:sc_select_file: 'SELECT' error: -1204 (Unsupported INS byte in APDU) was quite bothersome. Not able to understand why would that fail on OpenSC ?
As said above, this indicates a problem with jCardSim (or whatever Java Card Environment you're using) in combination with your applet; in particular because the very same SELECT doesn't error when being used in PKCS#11 (did you compare the logs?).
Regarding the PIN prompt issue, please see https://github.com/frankmorgner/OpenSCToken/issues/30
frankmorgner
commented
3 years ago You may want to have a look at PAM modules on macOS, which should still work for interactive logon. I'm sure Apple also has some Swift/Obj C API for logon as well...
frankmorgner
commented
1 year ago Apple seems to have added support for persistent tokens, but I have nothing more than the official documantation.
frankmorgner
commented
1 year ago I used to trigger the smart card insertion with a different USB device (e.g. e mouse or a keyboard), this should then start the CTK driver, see http://frankmorgner.github.io/vsmartcard/virtualsmartcard/README.html#configuring-vpcd-on-mac-os-x
Hi! I'm trying to achieve the login into macOS Catalina (10.15.5) using the virtual smart card architecture.
This is the configuration that we are using:
Use Case 1: On using the Apple's CTK, and default loginwindow mechanism as the authorization plugin, we are able to see a PIN dialog on the login screen. On providing the PIN and pressing "enter" we get login. This case is working for us.
Use Case 2: On disabling the CTK and enabling OpenSCToken, we do not see the PIN dialog and see the following errors in the OpenSC logs:
Please let us know if we need to provide any additional information. Thanks!