
Thread: Re: Using PIV Card to Authenticate to MAC ( Problems )




Re: Using PIV Card to Authenticate to MAC ( Problems )
2007-03-05 09:12:32

Kenneth Carrera wrote:
> Douglas,
>
> Thank you very much for the response. I really appreciate it.
>
> I tried using the opensc-tool, piv-tool, and pkcs15-tool. From those, I
> can bring up the card ATR so I know my card is being recognized, but I
> cannot successfully run any of the other commands. Did you do anything
> special to your opensc.conf file?

What it said in the Wiki page:
  http://www.opensc-project.org/opensc/wiki/UnitedStatesPIV
Double check the ATR too.

But looking closer, I also commented out the use_caching = true;
and commented out the builtin_emulators = ...
line as it does not list the PIV as it should.

See the attached diff. If this does not help, send a copy of your
opensc.conf.

>
> Also, are you able to perform smart card login to your MAC using OpenSC?

No, but on unix have Heimdal (and MIT development) Kerberos using PKINIT
to authenticate to Active Directory using pam_krb5. Apple has said they
would fully support PIV, so we expect that when they do we would use
whatever they provide.

>
> Thank you again for your help!  Ken
>
> ----- Original Message ----
> From: Douglas E. Engert <deengertanl.gov>
> To: Kenneth Carrera <kcarrera411yahoo.com>
> Cc: opensc-userlists.opensc-project.org;
> opensc-devellists.opensc-project.org
> Sent: Friday, March 2, 2007 4:27:47 PM
> Subject: Re: [opensc-devel] Using PIV Card to Authenticate to MAC ( Problems )
>
> Kenneth Carrera wrote:
>  > Hello all:
>  >
>  > I am trying to configure my MAC to accept a PIV Card.
>  > I have installed OpenSC (SCA for MAC) and can now read
>  > my smart card ATR. My keychain can recognize when the
>  > card is inserted.
>  >
>  > However, I cannot seem to access the data or the
>  > certificates on the card. I made sure to configure my
>  > Opensc.config file to work with the new PIV card (
>  > Oberthur ). Is there anything else I can do to try to
>  > get the card to work with MAC?  Thank you in advance
>  > for any help offered!
>
> How are you trying to access the data on the card?
>
> I am assuming the card has at least a certificate and
> key, either a test one from Oberthur, or issued by
> whomever gave you the card.
>
> You can start by using the /Library/OpenSC/opensc-tool
> -l and -a options in a terminal window.
>
> Then ./pkcs15-tool -c should show that you have a certificate.
> (It may not really be there.)
>
>   ./pkcs15-tool -r 1
>
> should read the certificate and show it in PEM format.
>
> If you bring up the Keychain utility and hit the "show Keychains"
> button in the lower left, it should show all your keychains.
> The PIV card would be listed as PIV_II, and the main window should
> show you have an Auth key, and a certificate. (You may have
> other certs and keys as well. There can be 4. In my tests I only
> write out the auth cert to the card.)
>
> The one other issue is if the certificate is compressed.
> Code has been sent to the devel list to handle this, but it
> has not been added to the distribution. I don't have a card
> with a compressed cert, so can not test it. If you suspect
> that the cert is compressed, we can talk about that too.
>
> Safari should be able to use this to some web site, if the
> site trusts the CA that signed your certificate.
>
>  >
>  > Ken
>  >
>  >
>  >  
>  > 
>  > _______________________________________________
>  > opensc-devel mailing list
>  > opensc-devellists.opensc-project.org
>  > http://www.opensc-project.org/mailman/listinfo/opensc-devel
>  >
>  >
> 
> -- 
> 
>   Douglas E. Engert  <DEEngertanl.gov>
>   Argonne National Laboratory
>   9700 South Cass Avenue
>   Argonne, Illinois  60439
>   (630) 252-5444
> 

-- 

  Douglas E. Engert  <DEEngertanl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Re: Using PIV Card to Authenticate to MAC ( Problems )
2007-03-05 10:00:54
Douglas,

I think I am getting a little closer. Now in my
keychain, the lock Icon is locked. That was a little
different than before.  Attached is my opensc.conf
file. Would you mind to take a look at it? 

I really appreciate any help you provide.

Ken
--- "Douglas E. Engert" <deengertanl.gov> wrote:

> > --- opensc.conf.orig	2006-09-13
10:56:26.000000000
> -0500
> +++ opensc.conf	2006-09-13 11:28:51.000000000 -0500
>  -68,8 +68,8 
>  		# Some IFD handlers do not properly handle APDUs
> with
>  		# large lc or le bytes.
>  		#
> -		max_send_size = 252;
> -		max_recv_size = 252;
> +		max_send_size = 256;
> +		max_recv_size = 256;
>  		#
>  		# Connect to reader in exclusive mode.
>  		# Default: false
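Review bot: raising max_send_size and max_recv_size from 252 to 256 contradicts the comment directly above them, which warns that some IFD handlers do not properly handle APDUs with large lc or le bytes, and the hunk gives no reason for the change. If the PIV driver needs the larger size, add a comment saying so next to the new values, and consider keeping 252 as the documented fallback for readers that fail with 256.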
>  -222,6 +222,23 
>  		# pkcs15emu = "PIV-II";
>  	# }
>  
> +	card_atr
>
3b:db:96:00:81:b1:fe:45:1f:03:80:f9:a0:00:00:03:08:00:00:10:
00:18
> {
> +		#       Oberthur complient cards 5/10/2006
> +		#       only show first cert on card
> +			flags = 20;
> +			name = "PIV-II";
> +			driver = "piv";
> +	}
> +
> +	card_atr
>
3B:7D:96:00:00:80:31:80:65:B0:83:11:11:AC:83:00:90:00
> {
> +		#   GemSafe 800-73-1 does not protect the cert
> with the pin
> +		#       only show first cert on card
> +			flags = 20;
> +			name = "PIV-II";
> +			driver = "piv";
> +		}
> +
> +
>  	# Estonian ID card and Micardo driver currently
> play together with T=0 only.
>  	# In theory only the 'cold' ATR should be
> specified, as T=0 will be the preferred
>  	# protocol once you boot it up with T=0, but be
> paranoid.
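Review bot: `flags = 20;` in both new card_atr blocks is an unexplained magic number; the only hint is the comment "only show first cert on card", which does not say which flag bits produce that behaviour, so document the value in the comment. Smaller points in the same blocks: "complient" should be "compliant", the first ATR is written in lower-case hex and the second in upper-case, and the closing brace of the GemSafe block is indented one level deeper than that of the Oberthur block.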
>  -257,7 +274,7 
>  		# applications.
>  		# Default: false
>  		#
> -		use_caching = true;
> +		##use_caching = true;
>  		# Enable pkcs15 emulation.
>  		# Default: yes
>  		# enable_pkcs15_emulation = no;
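Review bot: `use_caching = true;` is disabled by turning it into `##use_caching = true;` with no note on why, and the double `#` differs from the single `#` used for the other commented-out settings in this context. Since the comment above states "Default: false", writing `use_caching = false;` with a one-line reason would make the intent explicit and would survive a later change of the default.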
>  -269,7 +286,7 
>  		# Default: yes
>  		# enable_builtin_emulation = yes;
>  		# list of the builtin pkcs15 emulators to test
> -		builtin_emulators = esteid, openpgp, tcos,
> starcert, infocamere, postecert, actalis,
> atrust-acosi, gemsafe, tccardos;
> +		#builtin_emulators = esteid, openpgp, tcos,
> starcert, infocamere, postecert, actalis,
> atrust-acosi, gemsafe, tccardos;
>  
>  		# additional settings per driver
>  		#
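Review bot: commenting out the whole `builtin_emulators` line drops the explicit list and leaves the set of emulators to a built-in default that this file does not state. If the aim is only to get the PIV emulator tried, appending it to the existing list keeps the configuration explicit; otherwise add a comment on the disabled line explaining why the list was removed.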
>  -281,6 +298,8 
>  			# The location of the driver library
>  			# module =
> /usr/lib/opensc/drivers/p15emu_custom.so;
>  		# }
> +		emulate PIV-II {
> +		}
>  	}
>  }
>  
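Review bot: the added `emulate PIV-II { }` block is empty and carries no comment, while the commented example just above it shows a `module = ...` setting for such a block. Add a comment stating that no module path is intended here, so a later reader does not take the empty block for an unfinished edit.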
> 
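One way to act on "Double check the ATR too", as an added example that is not part of the original messages or of OpenSC: it parses the `card_atr` blocks of an opensc.conf and compares them byte for byte with the ATR the reader reports, listing the differing byte offsets on a near miss. The function names and `SAMPLE_CONF` (the two entries from the diff above, with the archive's line wrapping undone) are assumptions of this example.

```python
import re

# Constructed sample: the two card_atr entries from the diff in this thread,
# with the archive's line wrapping undone.
SAMPLE_CONF = """
app default {
    # pkcs15emu = "PIV-II";
    card_atr 3b:db:96:00:81:b1:fe:45:1f:03:80:f9:a0:00:00:03:08:00:00:10:00:18 {
        flags = 20;
        name = "PIV-II";
        driver = "piv";
    }
    card_atr 3B:7D:96:00:00:80:31:80:65:B0:83:11:11:AC:83:00:90:00 {
        flags = 20;
        name = "PIV-II";
        driver = "piv";
    }
}
"""

def normalize_atr(text):
    """Return the ATR as a tuple of byte values; accepts ':' or spaces, any case."""
    digits = re.sub(r"[\s:]", "", text)
    if not digits or len(digits) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", digits):
        raise ValueError("not a hex ATR: %r" % text)
    return tuple(bytes.fromhex(digits))

def parse_card_atr(conf_text):
    """Yield (atr_bytes, settings) for every card_atr block that is not commented out."""
    body = re.sub(r"#[^\n]*", "", conf_text)  # drop comments before matching
    for m in re.finditer(r"card_atr\s+([0-9A-Fa-f:]+)\s*\{([^{}]*)\}", body):
        settings = dict(re.findall(r'(\w+)\s*=\s*"?([^";]+)"?\s*;', m.group(2)))
        yield normalize_atr(m.group(1)), settings

def check_atr(conf_text, reader_atr):
    """Exact match, or the byte offsets that differ in the closest same-length entry."""
    wanted = normalize_atr(reader_atr)
    closest = None
    for atr, settings in parse_card_atr(conf_text):
        if atr == wanted:
            return {"match": True, "driver": settings.get("driver"), "diff_offsets": []}
        if len(atr) == len(wanted):
            diff = [i for i, (a, b) in enumerate(zip(atr, wanted)) if a != b]
            if closest is None or len(diff) < len(closest):
                closest = diff
    return {"match": False, "driver": None, "diff_offsets": closest or []}

if __name__ == "__main__":
    # Constructed reader ATR: the GemSafe entry with its last byte altered.
    print(check_atr(SAMPLE_CONF, "3B 7D 96 00 00 80 31 80 65 B0 83 11 11 AC 83 00 90 01"))
```

Paste the ATR printed by `opensc-tool -a` as the second argument; a non-empty `diff_offsets` points at the bytes to correct in the `card_atr` line.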