Slovenian eOI on Mac only exposes the PIN-less applet about opensc HOT 13 OPEN

Currently only one applet at a time can be active. I think this is an OpenSC limitation. To select an active applet, enable/disable the relevant application block in opensc.conf (either E828BD080F014E585031 or E828BD080F014E585030)`. However I think the pinless applet should, by default, be disabled, so I am not sure why you are only seeing the pinless applet/slot

from opensc.

I think this is a limitation of OpenSCToken, which expects all keys and certificates to be in the generic card application:
https://github.com/frankmorgner/OpenSCToken/blob/f860cabca2d99bd600eb2affb2a8ef0a2a9b4bc0/OpenSCToken/Token.m#L106-L108

Basically, that needs to be extended to the other applications on the card as well, which is similar to what is done in the PKCS#11 library:

Interestingly, minidriver.c also only binds the generic application. Could you please check if this problem also occurs on Windows using certutil.exe -scinfo?

from opensc.

Yes, it's the same on Windows. As I've said before, the solution, or rather workaround, (at least on Windows, I have no experience with Macs) is to enable just the applet you need...

from opensc.

I added multi-app support into OpenSCToken. Unfortunately, I can only do some basic tests. Would you mind testing the macOS package from here https://github.com/OpenSC/OpenSC/actions/runs/7653681110 ?

from opensc.

Would someone please test the macOS artifacts linked above? This adds support for all applications on the card, without the need for the mentioned workaround. thank you

from opensc.

Should this work on Linux?

from opensc.

@frankmorgner Sorry for the late reply, I have been hit with life as a truck. I tested this and am having issues with basic OpenSC usage. MacOS doesnt detect any smartcards and pkcs11-tool takes a suspiciously long time to list slots. What kind of logs would be useful to you?

Here is a log of OPENSC_DEBUG=9 pkcs11-tool --list-slots: https://gist.github.com/craftbyte/02f689b04e8e45bfbb43b72e32c96f1b

from opensc.

Should this work on Linux?

It should... The pinless applet is disabled by default though and when/if enabled it erroneously asks for PIN, although it is not needed. See #2646 (comment)

from opensc.

Thank you @llogar. I was wondering about this modification @frankmorgner linked, because I was following this support and as I can see there are two features missing as "by desing as of now" in openSC:

1. PINless is not there but with circumvention
2. Support is there for just one app per card and the forementioned fix should add this. So all 3 apps on the card need to be enabled in config. One at a time.

from opensc.

There are only 2 applets of interest (well, the 3rd one is eMRTD applet, but I think it's irrelevant in this context). If both are enabled there are 3 virtual slots (1 slot for pinless applet and 2 slots for the signature applet (1 for NormPIN and 1 for SigPIN). I prefer to have only one applet enabled at a time, as If I remember correctly, firefox (or perhaps thunderbird) kept nagging me for PIN entry for the unneeded one. But ymmv.

from opensc.

I added multi-app support into OpenSCToken. Unfortunately, I can only do some basic tests. Would you mind testing the macOS package from here https://github.com/OpenSC/OpenSC/actions/runs/7653681110 ?

This modification should allow using all certificates from all applets in OpenSCToken at the same time without modifying the active applet in opensc.conf. To test this, download the build artifact (https://github.com/OpenSC/OpenSC/actions/runs/7653681110/artifacts/1194532843), install the dmg. sc_auth identities should now show all certificates.

from opensc.