Closed bottee closed 5 years ago
Your token is just not visible in Keychain, but should work as expected in Safari or Chrome, see https://github.com/frankmorgner/OpenSCToken#comparison-with-opensctokend. I've updated the documentation to include some useful commands to check if the card is functioning, see https://github.com/frankmorgner/OpenSCToken
Thank you for the support. Unfortunately I'm still not able to get it working:
user$ sc_auth identities
objc[47072]: Class TKTokenRefImpl is implemented in both /System/Library/Frameworks/Security.framework/Versions/A/Security (0x7fff94899098) and /System/Library/Frameworks/CryptoTokenKit.framework/ctkbind.bundle/Contents/MacOS/ctkbind (0x10ff0cd40). One of the two will be used. Which one is undefined.
objc[47072]: Class TKTokenRefCtkd is implemented in both /System/Library/Frameworks/Security.framework/Versions/A/Security (0x7fff948990c0) and /System/Library/Frameworks/CryptoTokenKit.framework/ctkbind.bundle/Contents/MacOS/ctkbind (0x10ff0cd68). One of the two will be used. Which one is undefined.
I still don't see any smartcard. I use macOS 10.14.6
I'm puzzled: Your previous dump of system_profiler SPSmartCardsDataType showed that a card is available. Could it be that there aren't any keys/certs on your card?
There are keys/certs on my card as described here:
https://github.com/OpenSC/OpenSC/wiki/OpenPGP-card
And the puzzling already happened in my first post. There, security list-smartcards was already showing No smartcards found.
Do you have any hints?
Here is some information about the keys:
gpg2 --card-edit
Reader ...........: Nitrokey Nitrokey Pro
Application ID ...: D27600012401030300050000873E0000
Version ..........: 3.3
Manufacturer .....: ZeitControl
Serial number ....: 0000873E
Name of cardholder: [nicht gesetzt]
Language prefs ...: de
Sex ..............: unbestimmt
URL of public key : [nicht gesetzt]
Login data .......: [nicht gesetzt]
Signature PIN ....: zwingend
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 64 64 64
PIN retry counter : 3 0 3
Signature counter : 4
KDF setting ......: on
Signature key ....: 4AA3 E8C4 D2B6 FC11 2DB8 C392 BC08 D82F 7615 3162
created ....: 2019-09-29 13:28:08
Encryption key....: BCEF 0295 B462 BF5C B676 4485 5C5B EFE6 0C58 511D
created ....: 2019-09-29 13:28:08
Authentication key: 070C EB81 F0AA E65D C4B6 B2B2 A1FD A61A 0E52 F80A
created ....: 2019-09-29 13:28:08
General key info..:
pub rsa2048/BC08D82F76153162 2019-09-29 Name <name@domain.de>
sec> rsa2048/BC08D82F76153162 erzeugt: 2019-09-29 verfällt: niemals
Kartennummer:0005 0000873E
ssb> rsa2048/A1FDA61A0E52F80A erzeugt: 2019-09-29 verfällt: niemals
Kartennummer:0005 0000873E
ssb> rsa2048/5C5BEFE60C58511D erzeugt: 2019-09-29 verfällt: niemals
Kartennummer:0005 0000873E
name$ /Library/OpenSC/bin/pkcs11-tool --login --test
Using slot 0 with a present token (0x0)
Logging in to "User PIN (OpenPGP card)".
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
seeding (C_SeedRandom) not supported
seems to be OK
Digests:
all 4 digest functions seem to work
MD5: OK
SHA-1: OK
RIPEMD160: OK
Signatures (currently only for RSA)
testing key 0 (Encryption key) -- can't be used for signature, skipping
testing key 1 (Authentication key)
all 4 signature functions seem to work
testing signature mechanisms:
RSA-PKCS: OK
SHA1-RSA-PKCS: OK
MD5-RSA-PKCS: OK
RIPEMD160-RSA-PKCS: OK
SHA256-RSA-PKCS: OK
testing key 1 (2048 bits, label=Authentication key) with 1 signature mechanism
RSA-PKCS: OK
Verify (currently only for RSA)
testing key 0 (Encryption key) -- can't be used to sign/verify, skipping
testing key 1 (Authentication key) with 1 mechanism
RSA-PKCS: OK
Unwrap: not implemented
Decryption (currently only for RSA)
testing key 0 (Encryption key)
RSA-PKCS: OK
testing key 1 (Authentication key)
RSA-PKCS: OK
No errors
I found out that I need a certificate together with the keys on the card. So I followed the examples for, I guess, S/MIME here: https://github.com/OpenSC/OpenSC/wiki/OpenPGP-card#6-import-key-resp-certificate
pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key myprivate.p12 --format pkcs12 --auth-id 3 --verify-pin
openssl pkcs12 -in myprivate.p12 -nocerts -out mykey.pem
pkcs15-init --delete-objects privkey,pubkey --id 2 --store-private-key mykey.pem --auth-id 3 --verify-pin --id 2
Before, I only followed the instructions under https://github.com/OpenSC/OpenSC/wiki/OpenPGP-card#3-generating-keys for, I guess, PGP.
Now, system_profiler SPSmartCardsDataType also displays the certificate, security list-smartcards shows the Nitrokey, and sc_auth identities shows an unpaired identity.
But when I try to pair this unpaired identity I get the following error message: TKAuthenticationHintsProvider error -11
Therefore I open a new Issue 14
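The finding in the comment above (keys on the card are not enough, a certificate has to be stored with them) can be checked from a PKCS#11 object listing by pairing objects on their ID. This is an added example, not code from the thread or from OpenSC/OpenSCToken; it assumes the usual text layout of `pkcs11-tool --login --list-objects`, and the sample listing is constructed.

```python
import re
import sys

# Constructed sample in the text layout of `pkcs11-tool --login --list-objects`
# (assumed layout; labels and IDs are illustrative, not taken from the thread).
SAMPLE = """\
Private Key Object; RSA
  label:      Signature key
  ID:         01
Private Key Object; RSA
  label:      Encryption key
  ID:         02
Private Key Object; RSA
  label:      Authentication key
  ID:         03
Certificate Object; type = X.509 cert
  label:      Cardholder certificate
  ID:         03
"""

HEADER = re.compile(r"^([A-Za-z][A-Za-z ]*?) Object\b")  # "Private Key Object; RSA"
ATTR = re.compile(r"^\s+(label|ID):\s*(.*)$")            # indented attribute lines


def parse_objects(text):
    """Return one dict per listed object: kind, label, id (hex, lowercased)."""
    objects = []
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            objects.append({"kind": header.group(1), "label": "", "id": ""})
            continue
        attr = ATTR.match(line)
        if attr and objects:
            key, value = attr.group(1).lower(), attr.group(2).strip()
            objects[-1][key] = value.lower() if key == "id" else value
    return objects


def keys_without_cert(objects):
    """Private keys with no certificate object carrying the same ID (CKA_ID)."""
    cert_ids = {o["id"] for o in objects if o["kind"] == "Certificate" and o["id"]}
    return [(o["id"], o["label"]) for o in objects
            if o["kind"] == "Private Key" and o["id"] not in cert_ids]


if __name__ == "__main__":
    # Pipe real tool output in, or run with no pipe to use the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for key_id, label in keys_without_cert(parse_objects(text)):
        print(f"private key ID {key_id} ({label}): no certificate with matching ID")
```

Any key it reports has no certificate to pair with, which matches the state of the card before the certificate import described above.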
Hi,
I'm trying to get CryptoTokenKit running with the NitroKey Pro 2 but a smartcard is not detected: