
opensc.tokend's Issues

can't see my italian CRS/CNS in 10.10 keychain

Hello, I've built and installed the latest version of OpenSC (0.15.0). My SC works flawlessly with Firefox using the pkcs11 library, but it doesn't show up in the OS X keychain. Is there any way to fix this?

epass2003 tokend MacOS 10.12

The tokend driver doesn't appear to be working for us under 10.12 or 10.12.1. The token (epass2003) does appear in Keychain Access, but attempts to use the certificate on the device seem to fail. Our use case is a VPN client (GlobalProtect), but we're unable to get the certificate to work even in stock Safari when connecting to a certificate-authenticated website (eliminating the VPN client as the culprit). The same setup works just fine with 10.11. With a working 10.11 setup, upgrading to 10.12 makes it stop working. We've tried both the binary version of OpenSC with the driver (0.16), as well as a package compiled from git source (b1aa790).

non-tokend (ssh with opensc-pkcs11.so) works just fine.

OpenSC always prompts for a PIN to access public key, which is wrong

OpenSC (involved files are src/pkcs11/framework-pkcs15.c and src/tools/pkcs15-tool.c) always prompts for a PIN to access public keys, which is not correct. The following patch fixes this problem. It has been tested on El Capitan 10.11.2, and worked fine with my PIV tokens. My patch also adds some debugging output to src/libopensc/pkcs15-sec.c - I needed that to debug signatures based on SHA-2, and ECDSA. It has no relation to this issue, or this fix - so feel free to incorporate it if it seems useful, or ignore otherwise. I understand the PR mechanism, but it doesn't seem worth it cloning the entire OpenSC repo merely to submit 5-6 lines of change.

diff --git a/src/libopensc/pkcs15-sec.c b/src/libopensc/pkcs15-sec.c
index 019d8a1..fdd32de 100644
--- a/src/libopensc/pkcs15-sec.c
+++ b/src/libopensc/pkcs15-sec.c
@@ -336,8 +336,11 @@ int sc_pkcs15_compute_signature(struct sc_pkcs15_card *p15card,
        }

        /* Probably never happens, but better make sure */
-       if (inlen > sizeof(buf) || outlen < modlen)
+       if (inlen > sizeof(buf) || outlen < modlen) {
+               sc_log(ctx, "inlen=%d sizeof(buf)=%d outlen=%d modlen=%d",
+                      inlen, sizeof(buf), outlen, modlen);
                LOG_FUNC_RETURN(ctx, SC_ERROR_BUFFER_TOO_SMALL);
+       }

        memcpy(buf, in, inlen);

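Review bot: In the added sc_log() call, sizeof(buf) has type size_t but is printed with %d, which is a format/argument mismatch on 64-bit builds; inlen, outlen and modlen are compared against it in the same condition and should be checked for the same problem. Use %zu, or cast each argument to the type its specifier expects, so the values logged on this error path can be trusted.
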
diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c
index e103550..89e811d 100644
--- a/src/pkcs11/framework-pkcs15.c
+++ b/src/pkcs11/framework-pkcs15.c
@@ -3880,8 +3880,13 @@ pkcs15_pubkey_get_attribute(struct sc_pkcs11_session *session, void *object, CK_
        case CKA_TOKEN:
        case CKA_SENSITIVE:
                check_attribute_buffer(attr, sizeof(CK_BBOOL));
-               *(CK_BBOOL*)attr->pValue = TRUE;
-               break;
+               if (pubkey->pub_p15obj)
+                       *(CK_BBOOL*)attr->pValue = (pubkey->pub_p15obj->flags & SC_PKCS15_PIN_FLAG_CASE_SENSITIVE) != 0;
+               else if (cert && cert->cert_p15obj)
+                       *(CK_BBOOL*)attr->pValue = (cert->pub_p15obj->flags & SC_PKCS15_PIN_FLAG_CASE_SENSITIVE) != 0;
+               else
+                       return CKR_ATTRIBUTE_TYPE_INVALID;
+                       break;
        case CKA_LOCAL:
                check_attribute_buffer(attr, sizeof(CK_BBOOL));
                if (pubkey->pub_info)
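Review bot: The second branch tests cert->cert_p15obj but then reads cert->pub_p15obj->flags, so a certificate whose pub_p15obj is unset is dereferenced as NULL; test the pointer that is actually read. In the same case block, SC_PKCS15_PIN_FLAG_CASE_SENSITIVE is by its name a PIN flag and is being masked against object flags, and because CKA_TOKEN shares this label with CKA_SENSITIVE it stops returning TRUE as well; give CKA_TOKEN its own case and use an object-level flag for the other attribute. The trailing break; is indented as if it belonged to the else and should be moved back one level.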
diff --git a/src/tools/pkcs15-tool.c b/src/tools/pkcs15-tool.c
index 7aa981f..1d4a59a 100644
--- a/src/tools/pkcs15-tool.c
+++ b/src/tools/pkcs15-tool.c
@@ -688,8 +688,10 @@ static int read_public_key(void)
        if (r >= 0) {
                if (verbose)
                        printf("Reading public key with ID '%s'\n", opt_pubkey);
+#if 0
                r = authenticate(obj);
                if (r >= 0)
+#endif
                        r = sc_pkcs15_read_pubkey(p15card, obj, &pubkey);
        } else if (r == SC_ERROR_OBJECT_NOT_FOUND) {
                /* No pubkey - try if there's a certificate */
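Review bot: Disabling authenticate(obj) with #if 0 in read_public_key() leaves dead code behind and leaves r = sc_pkcs15_read_pubkey(...) indented under an if that is no longer compiled. Delete the two lines and re-indent the call, or, if some cards do protect their public key objects, keep the call but make it conditional on the object requiring authentication, with a comment saying which behaviour is intended.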

Current sha2 branch lost the ability to RSA-sign

Happens now consistently. Prompts for a PIN, reports that cannot sign. Debugging output is insufficient (this is at debug=3;)

======================================================================
0x7fff70f99300 22:32:09.140733193388597 [tokend] reader-pcsc.c:190:pcsc_internal_transmit: called
0x7fff70f99300 22:32:09.4294967893 [tokend] apdu.c:187:sc_apdu_log:
Incoming APDU data [    2 bytes] =====================================
90 00 ..
======================================================================
0x7fff70f99300 22:32:09.140733193388629 [tokend] apdu.c:399:sc_single_transmit: returning with: 0 (Success)
0x7fff70f99300 22:32:09.120259084885 [tokend] apdu.c:552:sc_transmit: returning with: 0 (Success)
0x7fff70f99300 22:32:09.-4294966699 [tokend] card.c:434:sc_unlock: called
0x7fff70f99300 22:32:09.597 [tokend] sec.c:206:sc_pin_cmd: returning with: 0 (Success)
0x7fff70f99300 22:32:09.597 [tokend] pkcs15-pin.c:368:sc_pkcs15_verify_pin: PIN cmd result 0
0x7fff70f99300 22:32:09.317106025398869 [tokend] pkcs15-pin.c:594:sc_pkcs15_pincache_add: called
0x7fff70f99300 22:32:09.317106025398869 [tokend] pkcs15-pin.c:618:sc_pkcs15_pincache_add: caching refused (user consent)
0x7fff70f99300 22:32:09.4294967893 [tokend] card.c:434:sc_unlock: called
0x7fff70f99300 22:32:09.597 [tokend] reader-pcsc.c:574:pcsc_unlock: called
0x7fff70f99300 22:32:09.598 [tokend] pkcs15-pin.c:373:sc_pkcs15_verify_pin: returning with: 0 (Success)
0x7fff70f99300 22:32:09.598 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:203:_verifyPIN:   In OpenSCToken::verify returned 0 for pin 1
0x7fff70f99300 22:32:09.6011854084296933974 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:168:verifyPIN:   PIN verified
0x7fff70f99300 22:32:09.3473459727243936342 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCKeyHandle.cpp:219:generateSignature: In OpenSCKeyHandle::generateSignature()
0x7fff70f99300 22:32:19.860 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:354:getAcl: In OpenSCToken::getAcl()
0x7fff70f99300 22:32:19.140733193388892 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:136:pinStatus: In OpenSCToken::pinStatus for pinNum (1)
0x7fff70f99300 22:32:19.860 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:152:isLocked: In OpenSCToken::isLocked()
0x7fff70f99300 22:32:19.4294968156 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:139:pinStatus: In OpenSCToken::pinStatus Verified
0x7fff70f99300 22:32:19.4294968166 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:354:getAcl: In OpenSCToken::getAcl()
0x7fff70f99300 22:32:19.140733193388902 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:136:pinStatus: In OpenSCToken::pinStatus for pinNum (1)
0x7fff70f99300 22:32:19.870 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:152:isLocked: In OpenSCToken::isLocked()
0x7fff70f99300 22:32:19.4294968166 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:139:pinStatus: In OpenSCToken::pinStatus Verified
0x7fff70f99300 22:32:19.4294968174 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:354:getAcl: In OpenSCToken::getAcl()
0x7fff70f99300 22:32:19.140733193388910 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:136:pinStatus: In OpenSCToken::pinStatus for pinNum (1)
0x7fff70f99300 22:32:19.878 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:152:isLocked: In OpenSCToken::isLocked()
0x7fff70f99300 22:32:19.4294968174 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:139:pinStatus: In OpenSCToken::pinStatus Verified
0x7fff70f99300 22:32:19.4294968216 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:354:getAcl: In OpenSCToken::getAcl()
0x7fff70f99300 22:32:19.140733193388952 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:136:pinStatus: In OpenSCToken::pinStatus for pinNum (1)
0x7fff70f99300 22:32:19.920 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:152:isLocked: In OpenSCToken::isLocked()
0x7fff70f99300 22:32:19.4294968216 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:139:pinStatus: In OpenSCToken::pinStatus Verified
0x7fff70f99300 22:32:20.4294967988 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:354:getAcl: In OpenSCToken::getAcl()
0x7fff70f99300 22:32:20.140733193388724 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:136:pinStatus: In OpenSCToken::pinStatus for pinNum (1)
0x7fff70f99300 22:32:20.692 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:152:isLocked: In OpenSCToken::isLocked()
0x7fff70f99300 22:32:20.4294967988 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:139:pinStatus: In OpenSCToken::pinStatus Verified
0x7fff70f99300 22:32:20.4294968005 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:354:getAcl: In OpenSCToken::getAcl()
0x7fff70f99300 22:32:20.140733193388741 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:136:pinStatus: In OpenSCToken::pinStatus for pinNum (1)
0x7fff70f99300 22:32:20.709 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:152:isLocked: In OpenSCToken::isLocked()
0x7fff70f99300 22:32:20.4294968005 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:139:pinStatus: In OpenSCToken::pinStatus Verified
0x7fff70f99300 22:32:20.4294968013 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:354:getAcl: In OpenSCToken::getAcl()
0x7fff70f99300 22:32:20.140733193388749 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:136:pinStatus: In OpenSCToken::pinStatus for pinNum (1)
0x7fff70f99300 22:32:20.717 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:152:isLocked: In OpenSCToken::isLocked()
0x7fff70f99300 22:32:20.4294968013 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:139:pinStatus: In OpenSCToken::pinStatus Verified
0x7fff70f99300 22:32:20.4294968071 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:354:getAcl: In OpenSCToken::getAcl()
0x7fff70f99300 22:32:20.140733193388807 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:136:pinStatus: In OpenSCToken::pinStatus for pinNum (1)
0x7fff70f99300 22:32:20.775 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:152:isLocked: In OpenSCToken::isLocked()
0x7fff70f99300 22:32:20.4294968071 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:139:pinStatus: In OpenSCToken::pinStatus Verified
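
One way to triage a trace like the one in this report, as an added example that is not part of the original issue or of OpenSC: it collects the status words of incoming APDUs, any non-zero "returning with" codes, and the points where the log goes quiet for several seconds. The function names, the .cpp/.c layer split and the 5-second threshold are assumptions of this example; the sample lines are copied from the trace above.

```python
import re

# Line shape of the trace above:
#   <thread> HH:MM:SS.<fraction> [tokend] <file>:<line>:<function>: <message>
# The fraction field is unreliable in this trace, so only HH:MM:SS is used.
LINE_RE = re.compile(
    r"^(?P<tid>0x[0-9a-f]+)\s+(?P<hms>\d\d:\d\d:\d\d)\.\S+\s+\[(?P<app>[^\]]+)\]\s+"
    r"(?P<file>\S+?):(?P<line>\d+):(?P<func>\w+):\s*(?P<msg>.*)$"
)
RETURN_RE = re.compile(r"returning with: (-?\d+) \((.*)\)")
HEX_BYTE_RE = re.compile(r"^[0-9A-Fa-f]{2}$")

# Excerpt copied from the trace in the report above.
SAMPLE = """\
0x7fff70f99300 22:32:09.4294967893 [tokend] apdu.c:187:sc_apdu_log:
Incoming APDU data [    2 bytes] =====================================
90 00 ..
======================================================================
0x7fff70f99300 22:32:09.597 [tokend] sec.c:206:sc_pin_cmd: returning with: 0 (Success)
0x7fff70f99300 22:32:09.598 [tokend] pkcs15-pin.c:373:sc_pkcs15_verify_pin: returning with: 0 (Success)
0x7fff70f99300 22:32:09.6011854084296933974 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:168:verifyPIN:   PIN verified
0x7fff70f99300 22:32:09.3473459727243936342 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCKeyHandle.cpp:219:generateSignature: In OpenSCKeyHandle::generateSignature()
0x7fff70f99300 22:32:19.860 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:354:getAcl: In OpenSCToken::getAcl()
"""


def layer(path):
    """Assumption: tokend sources are the C++ files, libopensc sources are C files."""
    return "tokend" if path.endswith(".cpp") else "libopensc"


def hms_to_seconds(hms):
    hours, minutes, seconds = (int(part) for part in hms.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def parse_trace(text):
    """Return (events, status_words) for a debug trace.

    Only incoming APDU dumps are decoded. Outgoing dumps are skipped, so
    command data such as PIN bytes is never copied into the report.
    """
    events, status_words = [], []
    dump = None  # bytes of the incoming APDU dump being read, if any
    for raw in text.splitlines():
        line = raw.strip()
        if dump is not None:
            if line.startswith("="):  # end-of-dump ruler
                if len(dump) >= 2:
                    status_words.append("%02X%02X" % (dump[-2], dump[-1]))
                dump = None
            else:
                # At most 16 bytes per dump line; stop at the ASCII column.
                for token in line.split()[:16]:
                    if not HEX_BYTE_RE.match(token):
                        break
                    dump.append(int(token, 16))
            continue
        if line.startswith("Incoming APDU data"):
            dump = []
            continue
        match = LINE_RE.match(line)
        if match:
            event = match.groupdict()
            event["layer"] = layer(event["file"])
            events.append(event)
    return events, status_words


def failed_returns(events):
    """(function, code, text) for every 'returning with' line whose code is not 0."""
    failures = []
    for event in events:
        match = RETURN_RE.search(event["msg"])
        if match and int(match.group(1)) != 0:
            failures.append((event["func"], int(match.group(1)), match.group(2)))
    return failures


def silent_gaps(events, min_gap=5):
    """(last function, its layer, gap in seconds, next function) per quiet period.

    Does not handle a trace that crosses midnight.
    """
    gaps = []
    for prev, cur in zip(events, events[1:]):
        delta = hms_to_seconds(cur["hms"]) - hms_to_seconds(prev["hms"])
        if delta >= min_gap:
            gaps.append((prev["func"], prev["layer"], delta, cur["func"]))
    return gaps


if __name__ == "__main__":
    trace_events, trace_sws = parse_trace(SAMPLE)
    print("status words:", trace_sws)
    print("failed returns:", failed_returns(trace_events))
    for func, where, delta, nxt in silent_gaps(trace_events):
        print("no log output for %ds after %s (%s layer), next entry: %s"
              % (delta, func, where, nxt))
```

On the excerpt it reports status word 9000, no failing return codes, and a 10-second gap after generateSignature with no libopensc entry in between.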

tokend does not work any more

My environment is

  • ProductName: Mac OS X
  • ProductVersion: 10.15.1
  • BuildVersion: 19B88

opensc version is OpenSC-0.20.0-rc1-15-geac516f, rev: eac516f, commit-time: 2019-10-03 13:57:09 +0200

I run sudo defaults write /Library/Preferences/com.apple.security.smartcard Legacy -bool true then reboot.

pcsctest result is "PC/SC Test Completed Successfully !"; also, pkcs11-tool --test --login result is "No errors".

MacOS Xcode-10 tokend fails to build

With the update of Xcode to Xcode-10, OpenSC.tokend can no longer be built. The main cause seems to be that Xcode-10 finally dropped support for the deprecated libstdc++ completely.

Attempts to build as-is lead to the "libstdc++ not found. Switch to libc++ by using -std=libc++" message.

Switching the project (via Tokend.xcodeproj) from "libstdc++" (which no longer exists on the system) to "Compiler default" results in a lot of errors like

. . . . .
In file included from /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include/c++/v1/exception:82:
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include/c++/v1/cstdlib:98:28: error: expected ';' after top level declarator
_LIBCPP_BEGIN_NAMESPACE_STD
                           ^
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include/c++/v1/cstdlib:162:1: error: unknown type name '_LIBCPP_END_NAMESPACE_STD'
_LIBCPP_END_NAMESPACE_STD
^
In file included from /Users/ur20980/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:25:
In file included from /Users/ur20980/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.h:32:
In file included from /Users/ur20980/src/OpenSC/OpenSC.tokend/Tokend/Token.h:33:
In file included from /Users/ur20980/src/OpenSC/OpenSC.tokend/build/security_utilities.framework/Headers/osxcode.h:25:
In file included from /Users/ur20980/src/OpenSC/OpenSC.tokend/build/security_utilities.framework/Headers/refcount.h:31:
In file included from /Users/ur20980/src/OpenSC/OpenSC.tokend/build/security_utilities.framework/Headers/threading.h:35:
In file included from /Users/ur20980/src/OpenSC/OpenSC.tokend/build/security_utilities.framework/Headers/utilities.h:32:
In file included from /Users/ur20980/src/OpenSC/OpenSC.tokend/build/security_cdsa_utilities.framework/Headers/cssmbridge.h:32:
In file included from /Users/ur20980/src/OpenSC/OpenSC.tokend/build/security_cdsa_utilities.framework/Headers/cssmerrors.h:31:
In file included from /Users/ur20980/src/OpenSC/OpenSC.tokend/build/security_utilities.framework/Headers/errors.h:33:
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include/c++/v1/exception:93:1: error: expected unqualified-id
namespace std  // purposefully not using versioning namespace
^
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include/c++/v1/exception:97:29: error: variable has incomplete type 'class _LIBCPP_EXCEPTION_ABI'
class _LIBCPP_EXCEPTION_ABI exception
                            ^
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include/c++/v1/exception:97:7: note: forward declaration of 'std::_LIBCPP_EXCEPTION_ABI'
class _LIBCPP_EXCEPTION_ABI exception
      ^
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include/c++/v1/exception:97:38: error: expected ';' after top level declarator
class _LIBCPP_EXCEPTION_ABI exception
                                     ^
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include/c++/v1/exception:105:29: error: variable has incomplete type 'class _LIBCPP_EXCEPTION_ABI'
class _LIBCPP_EXCEPTION_ABI bad_exception
                            ^
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include/c++/v1/exception:97:7: note: forward declaration of 'std::_LIBCPP_EXCEPTION_ABI'
class _LIBCPP_EXCEPTION_ABI exception
      ^
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include/c++/v1/exception:106:5: error: expected ';' after top level declarator
    : public exception
    ^
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include/c++/v1/exception:106:7: error: expected unqualified-id
    : public exception
      ^
fatal error: too many errors emitted, stopping now [-ferror-limit=]

** INSTALL FAILED **

Here's the complete log:
tokend-build-log.txt

Note that under Xcode-9.4.1 it builds OK on High Sierra 10.13.6.

With Mac OS X 10.11.5 tokend does not work any more

Everything was fine until the upgrade to Mac OS X 10.11.5. From that point, no token is recognized by tokend. Low-level tools and OpenSSL access seem to work OK.

Mac OS X 10.11.5, Xcode-7.3.1. OpenSC from Github towards-0.16.0. https://github.com/mouse07410/OpenSC.tokend.git, which has been working fine until now. Thursby PKard tokend also stopped recognizing tokens.

Here's what I find in system.log:

May 19 23:45:05 Uris-MacBook-Air com.apple.SecurityServer[98]: Token reader Yubico Yubikey NEO OTP+U2F+CCID inserted into system
May 19 23:45:05 Uris-MacBook-Air com.apple.SecurityServer[98]: reader Yubico Yubikey NEO OTP+U2F+CCID: state changed 0 -> 34
May 19 23:45:06 Uris-MacBook-Air com.apple.SecurityServer[98]: token in reader Yubico Yubikey NEO OTP+U2F+CCID cannot be used (error 100002)

/tmp/opensc-debug.log is attached (at debug=9):
opensc-debug-0.16.0-a.txt

OpenSC-level access and OpenSSL/libp11 still are OK - see the attached. It starts with the token being inserted, and then I run my OpenSSL-based test (which succeeds).
opensc-debug-0.16.0-b.txt

Also, neither one of the tokend's (OpenSC.tokend and Thursby PKard) managed to store anything in /var/db/TokenCache directory. Before they'd store the token info there... Before you ask - no, I did not try them both at the same time. One was uninstalled before installing the other one.

UPDATE

The problem was alleviated by adding symlink as suggested by Metsma here: https://forums.developer.apple.com/message/139013#139013

OpenSC.tokend cannot PIN-unlock a PIV card

Environment

  • Mac OS X 10.9.5 Mavericks, Xcode-7.0.1 installed (same results with Xcode-6.1.1).
  • Smart card readers:
  • Smart cards:
    • US DoD CAC (with RSA keys and certificates), used in SCR3310
    • Yubikey NEO (PIV applet v0.1.3) with RSA-2048 keys and certificates (also tried with ECC P256 certificates, same results)
  • OpenSC.tokend from the current OpenSC-0.15.0 Github repo.
  • SmartCardServices (alternative to OpenSC.tokend - not installed or used together)

Expectations - what I need

  1. Insert the card
  2. Work with it using utilities (piv-tool, pkcs15-tool, etc)
  3. Have applications like Keychain Access, Safari, Firefox, Chrome access credentials on the card/token

What does work

Lower-level utilities appear to work OK. I can read both CAC card and Yubikey NEO (PIV applet), load and read certificates, etc. I can make Firefox work with it by loading the appropriate PKCS11 library (in this case /Library/OpenSC/lib/opensc-pkcs11.so).

When I install SmartCardServices-2.0.1 http://smartcardservices.macosforge.org/trac/wiki/installers and remove CAC.tokend so that PIV.tokend is picked instead - CAC card is fully functional. But NEO token is not recognized/accepted by it at all, which is why I cannot just stick with SmartCardServices for all my needs.

What does not work

Card can't be unlocked by the correct PIN. Consequently, none of the Mac OS X applications that rely on tokend work. In particular:

  • Keychain Access
  • Safari
  • Apple Mail
  • Google Chrome

OpenSC.tokend appears to "see" the tokens and even determine what certificates are loaded - but it is unable to unlock the token, and (I think - therefore) unable to work with it.

In Keychain Access, when I select the tab "Certificates" - I see all the certificates I loaded on the token.
But when I select the tab "My Certificates" - it is empty.

I noticed a direct correlation between the ability of the Keychain Access to work with the private keys (to unlock the token) and the ability of other applications (e.g. Apple Mail) to work with that token too: if Keychain fails - Apple Mail fails too, and so does Safari.

To compare, with PIV.tokend from SmartCardServices-2.0.1 even before I unlock the CAC token, it detects both certificates and corresponding private keys. Coincidentally, it unlocks the token fine. Unfortunately I cannot use PIV.tokend with NEO, because NEO isn't recognized by PIV.tokend.

Update: Based on the OpenSC logs, OpenSC.tokend succeeds in passing the PIN to the smart card (both CAC and NEO), receives OK (Success, PIN Verified) from the smart card, but somehow does not report this success to the application that initiated the operation.

Logs

Here's what I have in the /var/log/system.log:

From opensc-debug.log:

0x7fff78114300 18:18:46.140733193388670 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCRecord.cpp:233:getAcl:   retuning 2 ACL entries
0x7fff78114300 18:18:52.4294967408 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:149:verifyPIN: In OpenSCToken::verifyPIN(1)
0x7fff78114300 18:18:52.4294967408 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:155:verifyPIN:   Activating workaround for PIN #1
0x7fff78114300 18:18:52.317106025398384 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:172:_verifyPIN: In OpenSCToken::_verifyPIN(), PIN num is: 1
0x7fff78114300 18:18:52.317106025398384 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:186:_verifyPIN:   sc_pkcs15_get_objects(pin_id=01): 2
0x7fff78114300 18:18:52.140733193388144 [tokend] pkcs15-pin.c:295:sc_pkcs15_verify_pin: called
0x7fff78114300 18:18:52.140733193388144 [tokend] pkcs15-pin.c:296:sc_pkcs15_verify_pin: PIN(type:0;method:1;len:)
0x7fff78114300 18:18:52.112 [tokend] card.c:394:sc_lock: called
0x7fff78114300 18:18:52.317106025398384 [tokend] reader-pcsc.c:526:pcsc_lock: called
0x7fff78114300 18:18:52.113 [tokend] sec.c:159:sc_pin_cmd: called
0x7fff78114300 18:18:52.113 [tokend] apdu.c:563:sc_transmit_apdu: called
0x7fff78114300 18:18:52.113 [tokend] card.c:394:sc_lock: called
0x7fff78114300 18:18:52.140733193388145 [tokend] apdu.c:530:sc_transmit: called
0x7fff78114300 18:18:52.140733193388145 [tokend] apdu.c:384:sc_single_transmit: called
0x7fff78114300 18:18:52.140733193388145 [tokend] apdu.c:389:sc_single_transmit: CLA:0, INS:20, P1:0, P2:80, data(8) 0x7fff5ee23f70
0x7fff78114300 18:18:52.317106025398385 [tokend] reader-pcsc.c:254:pcsc_transmit: reader 'Yubico Yubikey NEO OTP+U2F+CCID'
0x7fff78114300 18:18:52.140733193388145 [tokend] apdu.c:187:sc_apdu_log:
Outgoing APDU data [   13 bytes] =====================================
00 20 00 80 08 xx xx xx xx xx xx FF FF . ...yyyyyy..
======================================================================
0x7fff78114300 18:18:52.140733193388145 [tokend] reader-pcsc.c:184:pcsc_internal_transmit: called
0x7fff78114300 18:18:52.4294967441 [tokend] apdu.c:187:sc_apdu_log:
Incoming APDU data [    2 bytes] =====================================
90 00 ..
======================================================================
0x7fff78114300 18:18:52.140733193388177 [tokend] apdu.c:399:sc_single_transmit: returning with: 0 (Success)
0x7fff78114300 18:18:52.120259084433 [tokend] apdu.c:552:sc_transmit: returning with: 0 (Success)
0x7fff78114300 18:18:52.-4294967151 [tokend] card.c:434:sc_unlock: called
0x7fff78114300 18:18:52.145 [tokend] sec.c:206:sc_pin_cmd: returning with: 0 (Success)
0x7fff78114300 18:18:52.145 [tokend] pkcs15-pin.c:368:sc_pkcs15_verify_pin: PIN cmd result 0
0x7fff78114300 18:18:52.317106025398417 [tokend] pkcs15-pin.c:594:sc_pkcs15_pincache_add: called
0x7fff78114300 18:18:52.317106025398417 [tokend] pkcs15-pin.c:634:sc_pkcs15_pincache_add: PIN(PIV Card Holder pin) cached
0x7fff78114300 18:18:52.4294967441 [tokend] card.c:434:sc_unlock: called
0x7fff78114300 18:18:52.145 [tokend] reader-pcsc.c:566:pcsc_unlock: called
0x7fff78114300 18:18:52.146 [tokend] pkcs15-pin.c:373:sc_pkcs15_verify_pin: returning with: 0 (Success)
0x7fff78114300 18:18:52.146 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:192:_verifyPIN:   In OpenSCToken::verify returned 0 for pin 1
0x7fff78114300 18:18:52.6011854084296933522 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCToken.cpp:158:verifyPIN:   About to call BEGIN()
0x7fff78114300 18:18:52.146 [tokend] /Users/uri/src/OpenSC/OpenSC.tokend/OpenSC/OpenSCKeyHandle.cpp:189:decrypt: In OpenSCKeyHandle::decrypt(ciphertext length = 256)
0x7fff78114300 18:18:52.140733193388178 [tokend] pkcs15-sec.c:95:sc_pkcs15_decipher: called
0x7fff78114300 18:18:52.317106025398418 [tokend] padding.c:283:sc_get_encoding_flags: called
0x7fff78114300 18:18:52.317106025398418 [tokend] padding.c:287:sc_get_encoding_flags: iFlags 0x2, card capabilities 0x1
0x7fff78114300 18:18:52.317106025398418 [tokend] padding.c:316:sc_get_encoding_flags: pad flags 0x2, secure algorithm flags 0x0
0x7fff78114300 18:18:52.317106025398418 [tokend] padding.c:317:sc_get_encoding_flags: returning with: 0 (Success)
0x7fff78114300 18:18:52.146 [tokend] card.c:394:sc_lock: called
0x7fff78114300 18:18:52.317106025398418 [tokend] reader-pcsc.c:526:pcsc_lock: called
0x7fff78114300 18:18:52.4294967442 [tokend] sec.c:68:sc_set_security_env: called
0x7fff78114300 18:18:52.317106025398418 [tokend] card-piv.c:2217:piv_set_security_env: called
0x7fff78114300 18:18:52.317106025398418 [tokend] card-piv.c:2221:piv_set_security_env: flags=00000014 op=1 alg=0 algf=00000000 algr=00000000 kr0=9d, krfl=1
0x7fff78114300 18:18:52.317106025398418 [tokend] card-piv.c:2248:piv_set_security_env: returning with: 0 (Success)
0x7fff78114300 18:18:52.140432545677458 [tokend] sec.c:72:sc_set_security_env: returning with: 0 (Success)
0x7fff78114300 18:18:52.4294967442 [tokend] sec.c:40:sc_decipher: called
0x7fff78114300 18:18:52.317106025398418 [tokend] card-piv.c:2413:piv_decipher: called
0x7fff78114300 18:18:52.4294967442 [tokend] card-piv.c:2277:piv_validate_general_authentication: called
0x7fff78114300 18:18:52.146 [tokend] card-piv.c:447:piv_general_io: called
0x7fff78114300 18:18:52.146 [tokend] card-piv.c:450:piv_general_io: 87 07 9d 266 : 255 256
0x7fff78114300 18:18:52.146 [tokend] card.c:394:sc_lock: called
0x7fff78114300 18:18:52.146 [tokend] card-piv.c:490:piv_general_io: calling sc_transmit_apdu flags=1 le=256, resplen=4096, resp=0x7fff5ee23650
0x7fff78114300 18:18:52.140733193388179 [tokend] apdu.c:563:sc_transmit_apdu: called
0x7fff78114300 18:18:52.147 [tokend] card.c:394:sc_lock: called
0x7fff78114300 18:18:52.140733193388179 [tokend] apdu.c:530:sc_transmit: called
0x7fff78114300 18:18:52.140733193388179 [tokend] apdu.c:384:sc_single_transmit: called
0x7fff78114300 18:18:52.140733193388179 [tokend] apdu.c:389:sc_single_transmit: CLA:10, INS:87, P1:7, P2:9D, data(255) 0x7fff5ee24810
0x7fff78114300 18:18:52.317106025398419 [tokend] reader-pcsc.c:254:pcsc_transmit: reader 'Yubico Yubikey NEO OTP+U2F+CCID'
0x7fff78114300 18:18:52.140733193388179 [tokend] apdu.c:187:sc_apdu_log:
Outgoing APDU data [  260 bytes] =====================================
======================================================================
0x7fff78114300 18:18:52.140733193388179 [tokend] reader-pcsc.c:184:pcsc_internal_transmit: called
0x7fff78114300 18:18:52.4294967474 [tokend] apdu.c:187:sc_apdu_log:
Incoming APDU data [    2 bytes] =====================================
90 00 ..
======================================================================
0x7fff78114300 18:18:52.140733193388210 [tokend] apdu.c:399:sc_single_transmit: returning with: 0 (Success)
0x7fff78114300 18:18:52.120259084466 [tokend] apdu.c:552:sc_transmit: returning with: 0 (Success)

Based on the above log, it appears that OpenSC.tokend succeeds in all the operations with smart card. The problem is somewhere where it communicates with the OS and/or applications.

Syslog for NEO:

     Mar 18 11:48:53 hostname com.apple.SecurityServer[38]: reader Yubico Yubikey NEO OTP+U2F+CCID 00 00 inserted token "PIV_II" (c62cfe2c4e51372d76c7a0492489dda9b7c12......671) subservice 12 using driver com.apple.tokend.opensc
     Mar 18 11:49:00 hostname secd[597]:  SecErrorGetOSStatus unknown error domain: com.apple.security.sos.error for error: The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)
     Mar 18 11:49:00 hostname secd[597]:  securityd_xpc_dictionary_handler Keychain Access[44833] DeviceInCircle The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)
     Mar 18 11:49:00 hostname secd[597]:  SecErrorGetOSStatus unknown error domain: com.apple.security.sos.error for error: The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)
     Mar 18 11:49:00 hostname secd[597]:  securityd_xpc_dictionary_handler Keychain Access[44833] DeviceInCircle The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)
     Mar 18 11:49:00 hostname secd[597]:  SecErrorGetOSStatus unknown error domain: com.apple.security.sos.error for error: The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)
     ...... 
     Mar 18 11:49:22 hostname secd[597]:  SecErrorGetOSStatus unknown error domain: com.apple.security.sos.error for error: The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)
     Mar 18 11:49:22 hostname secd[597]:  securityd_xpc_dictionary_handler Keychain Access[44833] DeviceInCircle The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)
     Mar 18 11:49:30 hostname authexec[44838]: executing /Library/Frameworks/VirusScanPreferences.framework/Versions/Current/Resources/prefsHelperTool
     Mar 18 11:49:32 hostname launchservicesd[100]: Application App:"Keychain Access" asn:0x0-a80a8 pid:44833 refs=7 @ 0x7fd62a50f650 tried to be brought forward, but isn't in fPermittedFrontApps ( ( "LSApplication:0x0-0xa90a9 pid=44837 "SecurityAgent"")), so denying. : LASSession.cp #1481 SetFrontApplication() q=LSSession 100006/0x186a6 queue
     Mar 18 11:49:32 hostname WindowServer[151]: [cps/setfront] Failed setting the front application to Keychain Access, psn 0x0-0xa80a8, securitySessionID=0x186a6, err=-13066
     Mar 18 11:49:32 hostname kernel[0]: Sandbox: mDNSResponder(45) deny file-read-data /
     Mar 18 11:49:32 --- last message repeated 4 times ---

Syslog for CAC:

     Mar 18 14:48:14 hostname com.apple.SecurityServer[38]: reader SCM SCR 3310 00 00 inserted token  "PIV_II" (d8e2......afe) subservice 7 using driver com.apple.tokend.opensc
     Mar 18 14:48:31 hostname apsd[663]: CFNetwork SSLHandshake failed (-9806) 
     Mar 18 14:48:52 hostname launchservicesd[100]: Application App:"Google Chrome" asn:0x0-10010  pid:658 refs=7 @ 0x7fca336027b0 tried to be brought forward, but isn't in fPermittedFrontApps ( (  "LSApplication:0x0-0x21021 pid=805 "SecurityAgent"")), so denying. : LASSession.cp #1481  SetFrontApplication() q=LSSession 100006/0x186a6 queue
     Mar 18 14:48:52 hostname WindowServer[151]: [cps/setfront] Failed setting the front application to  Google Chrome, psn 0x0-0x10010, securitySessionID=0x186a6, err=-13066
     Mar 18 14:48:52 hostname kernel[0]: Sandbox: mDNSResponder(45) deny file-read-data /
     Mar 18 14:48:52 --- last message repeated 4 times ---

Low-level operations

$ piv-tool -n
Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID
PIV-II card
$ pkcs15-tool -c
Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID
X.509 Certificate [Certificate for PIV Authentication]
    Object Flags   : [0x0]
    Authority      : no
    Path           :
    ID             : 01
    Encoded serial : 02 04 55E515DF
X.509 Certificate [Certificate for Digital Signature]
    Object Flags   : [0x0]
    Authority      : no
    Path           :
    ID             : 02
    Encoded serial : 02 04 56149706
X.509 Certificate [Certificate for Key Management]
    Object Flags   : [0x0]
    Authority      : no
    Path           :
    ID             : 03
    Encoded serial : 02 04 5614980B
X.509 Certificate [Certificate for Card Authentication]
    Object Flags   : [0x0]
    Authority      : no
    Path           :
    ID             : 04
    Encoded serial : 02 04 55E51974
$ yubico-piv-tool -a status
CHUID:  3019d4e739da739ced39ce739d836858210842108421384210c3f53410fa65ccb593e3eb47510f9ac1cc1e896f350832303330303130313e00fe00
Slot 9a:
    Algorithm:  RSA2048
    Subject DN: CN=uri
    Issuer DN:  C=US, ST=MA, O=The Burrow, OU=Gatherers, CN=Forest RSA CA 3
    Fingerprint:    e403cd9afb75328b16289b59e082f673736386f4a57ec4209e088bbd266d04c8
    Not Before: Sep  1 03:06:27 2015 GMT
    Not After:  Sep  1 03:06:27 2018 GMT
Slot 9c:
    Algorithm:  RSA2048
    Subject DN: [email protected], CN=Mouse Mousevich
    Issuer DN:  C=US, ST=MA, O=The Burrow, OU=Gatherers, CN=Forest RSA CA 3
    Fingerprint:    76339363b5cceca244b2edbad8b40c01686e71fbd91e6f5f317d3e503d0ea32f
    Not Before: Oct  7 03:54:56 2015 GMT
    Not After:  Oct  7 03:54:56 2018 GMT
Slot 9d:
    Algorithm:  RSA2048
    Subject DN: [email protected], CN=Mouse Mousevich
    Issuer DN:  C=US, ST=MA, O=The Burrow, OU=Gatherers, CN=Forest RSA CA 3
    Fingerprint:    3968d8f42f947d22936e879e688503470bd329f2434febdcc35db792c121e5d3
    Not Before: Oct  7 03:58:36 2015 GMT
    Not After:  Oct  7 03:58:36 2018 GMT
Slot 9e:
    Algorithm:  RSA2048
    Subject DN: CN=uri
    Issuer DN:  C=US, ST=MA, O=The Burrow, OU=Gatherers, CN=Forest RSA CA 3
    Fingerprint:    ac951e59be89e3fe2e73fb5b8215a902f989039d9ba12ab400802e505d9a8340
    Not Before: Sep  1 03:21:04 2015 GMT
    Not After:  Sep  1 03:21:04 2018 GMT
PIN tries left: 10

I'm also seeking help on the Yubico forum (http://forum.yubico.com/viewtopic.php?f=26&t=1768&p=7064#p7064), but I think there's a better chance here because the problem seems to be with the tokend, or rather with how tokend interacts with the Yosemite OS and applications.

PIN Code gets rejected when trying to logon to an Active Directory Domain

First, a short but very necessary thank you for that wonderful piece of software made publicly available - it has helped a great deal so far.
In an attempt to log on to an Active Directory Domain using a PKCS15 SmartCard, we got as close as being prompted with the proper domain user and asked to enter the PIN Code.

opensc-tokend.log, Level 3 - Find Level 5 attached below.

10x7fff78cb0000 16:43:25.514 [tokend] sec.c:206:sc_pin_cmd: returning with: 0 (Success)
0x7fff78cb0000 16:43:25.579 [tokend] sec.c:72:sc_set_security_env: returning with: 0 (Success)
0x7fff78cb0000 16:43:25.4294968016 [tokend] card-atrust-acos.c:754:atrust_acos_compute_signature: returning with: -1211 (Security status not satisfied)
0x7fff78cb0000 16:43:25.4294968016 [tokend] sec.c:58:sc_compute_signature: returning with: -1211 (Security status not satisfied)
0x7fff78cb0000 16:43:25.140733193388833 [tokend] sec.c:206:sc_pin_cmd: returning with: 0 (Success)
0x7fff78cb0000 16:43:25.801 [tokend] card-atrust-acos.c:748:atrust_acos_compute_signature: returning with: -1300 (Invalid arguments)
0x7fff78cb0000 16:43:25.801 [tokend] sec.c:58:sc_compute_signature: returning with: -1300 (Invalid arguments)

loglevel5.txt

From what we could figure out, each attempt at entering the PIN Code reaches the Smart Card.
So if we enter a wrong code more than 4 times the card gets locked, but even if we enter the correct PIN it keeps asking for it.

I would really appreciate advice on that matter.

Best Regards
Martin

PIN not recognized with Gemalto Prox-DU reader

The reader is Contact & Contactless. Trying with CAC and Yubikey NEO using NFC. In both cases the PIN is not verified, returning 6D 00:

0x7fff74594300 12:38:53.453 [tokend] /Users/ur20980/Src/OpenSC/OpenSC.tokend-mouse/OpenSC/OpenSCToken.cpp:203:_verifyPIN: In OpenSCToken::_verifyPIN(), PIN num is: 1
0x7fff74594300 12:38:53.453 [tokend] /Users/ur20980/Src/OpenSC/OpenSC.tokend-mouse/OpenSC/OpenSCToken.cpp:217:_verifyPIN:   sc_pkcs15_get_objects(pin_id=01): 2
0x7fff74594300 12:38:53.453 [tokend] pkcs15-pin.c:295:sc_pkcs15_verify_pin: called
0x7fff74594300 12:38:53.453 [tokend] pkcs15-pin.c:296:sc_pkcs15_verify_pin: PIN(type:0;method:1;len:)
0x7fff74594300 12:38:53.453 [tokend] card.c:394:sc_lock: called
0x7fff74594300 12:38:53.453 [tokend] reader-pcsc.c:543:pcsc_lock: called
0x7fff74594300 12:38:53.454 [tokend] sec.c:159:sc_pin_cmd: called
0x7fff74594300 12:38:53.454 [tokend] apdu.c:546:sc_transmit_apdu: called
0x7fff74594300 12:38:53.454 [tokend] card.c:394:sc_lock: called
0x7fff74594300 12:38:53.454 [tokend] apdu.c:513:sc_transmit: called
0x7fff74594300 12:38:53.454 [tokend] apdu.c:367:sc_single_transmit: called
0x7fff74594300 12:38:53.454 [tokend] apdu.c:372:sc_single_transmit: CLA:0, INS:20, P1:0, P2:80, data(8) 0x7fff57d02f70
0x7fff74594300 12:38:53.454 [tokend] reader-pcsc.c:269:pcsc_transmit: reader 'Gemalto Prox Dual USB PC Link Reader(1)'
0x7fff74594300 12:38:53.454 [tokend] reader-pcsc.c:270:pcsc_transmit:
Outgoing APDU (13 bytes):
00 20 00 80 08 31 32 33 34 35 36 37 38 . ...12345678
0x7fff74594300 12:38:53.454 [tokend] reader-pcsc.c:199:pcsc_internal_transmit: called
0x7fff74594300 12:38:53.463 [tokend] reader-pcsc.c:279:pcsc_transmit:
Incoming APDU (2 bytes):
6D 00 m.
0x7fff74594300 12:38:53.463 [tokend] apdu.c:382:sc_single_transmit: returning with: 0 (Success)
0x7fff74594300 12:38:53.463 [tokend] apdu.c:535:sc_transmit: returning with: 0 (Success)
0x7fff74594300 12:38:53.463 [tokend] card.c:434:sc_unlock: called
0x7fff74594300 12:38:53.463 [tokend] iso7816.c:121:iso7816_check_sw: Instruction code not supported or invalid
0x7fff74594300 12:38:53.463 [tokend] sec.c:206:sc_pin_cmd: returning with: -1204 (Unsupported INS byte in APDU)
0x7fff74594300 12:38:53.463 [tokend] pkcs15-pin.c:368:sc_pkcs15_verify_pin: PIN cmd result -1204
0x7fff74594300 12:38:53.463 [tokend] card.c:434:sc_unlock: called
0x7fff74594300 12:38:53.463 [tokend] reader-pcsc.c:583:pcsc_unlock: called
0x7fff74594300 12:38:53.463 [tokend] pkcs15-pin.c:373:sc_pkcs15_verify_pin: returning with: -1204 (Unsupported INS byte in APDU)
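
The trace above carries the PIN in cleartext: the data field of the VERIFY APDU (INS 20) is the ASCII string shown in the dump's right-hand column. The following is an added example, not part of the original issue or of OpenSC, that masks PIN bytes in such a debug log before it is shared and decodes the status words. The names `scrub`, `take_bytes` and `describe_sw` are hypothetical, and the dump layout (a header line followed by hex bytes and an ASCII column, 16 bytes per line) is assumed to be the one shown in this trace.

```python
import re
from itertools import takewhile

# Commands whose data field carries a PIN or PUK (ISO 7816-4 INS values).
PIN_INS = {0x20: "VERIFY", 0x24: "CHANGE REFERENCE DATA", 0x2C: "RESET RETRY COUNTER"}
SW_MEANING = {0x9000: "success", 0x6D00: "instruction code not supported or invalid",
              0x6982: "security status not satisfied", 0x6983: "authentication method blocked"}
HEADER = re.compile(r"^(Outgoing|Incoming) APDU \((\d+) bytes\):")
HEXBYTE = re.compile(r"^[0-9A-Fa-f]{2}$")

def describe_sw(sw):
    if (sw & 0xFFF0) == 0x63C0:  # 63Cx: wrong PIN, x tries left
        return f"verification failed, {sw & 0x0F} tries left"
    return SW_MEANING.get(sw, "unknown status word")

def take_bytes(line, limit):
    """Leading hex-byte tokens of a dump line; the ASCII column after them is dropped."""
    toks = takewhile(HEXBYTE.match, line.split()[:min(limit, 16)])
    return [int(t, 16) for t in toks]

def scrub(log_text):
    """Return (sanitized_log, events). Short APDUs only; extended length is not handled."""
    lines, events, direction, want, buf = [], [], None, 0, []
    for line in log_text.splitlines():
        m = HEADER.match(line)
        got = [] if m or not direction else take_bytes(line, want - len(buf))
        if not got:  # header or ordinary log line: pass through unchanged
            direction, want, buf = (m.group(1), int(m.group(2)), []) if m else (None, 0, [])
            lines.append(line)
            continue
        buf += got
        if len(buf) < want:
            continue  # dump continues on the next line
        shown = [f"{b:02X}" for b in buf]
        if direction == "Outgoing" and len(buf) > 5 and buf[1] in PIN_INS:
            shown[5:] = ["XX"] * (len(buf) - 5)  # keep CLA INS P1 P2 Lc, hide the PIN
            events.append((PIN_INS[buf[1]], f"P2={buf[3]:02X}", len(buf) - 5))
        elif direction == "Incoming" and len(buf) >= 2:
            sw = buf[-2] << 8 | buf[-1]
            events.append(("SW", f"{sw:04X}", describe_sw(sw)))
        lines.append(" ".join(shown))
        direction = None
    return "\n".join(lines), events

# Sample: the APDU exchange from the trace above, log prefixes omitted.
SAMPLE = """Outgoing APDU (13 bytes):
00 20 00 80 08 31 32 33 34 35 36 37 38 . ...12345678
Incoming APDU (2 bytes):
6D 00 m."""
```

`scrub(SAMPLE)` returns the log with the eight PIN bytes replaced by `XX` and an event list pairing the VERIFY command with the 6D 00 status word.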

Mac OS X Yosemite Problem

I built OpenSC for Mac and installed it on Mavericks and Yosemite. After the installation, Opensc.tokend is added in the /Library/Security/tokend directory. On Mavericks it works fine in Chrome, Firefox and Safari, and I can use its tools from the terminal too. On Yosemite it works in Firefox and I can use its tools from the terminal, but I couldn't make it work in Chrome and Safari. My smart card is not added in Keychain. Can you tell me what the problem is? Is there any solution?
