Yubico Forum

Re: [Q?] NEO does not show up in Keychain (nor in Apple Mail

2015-04-23T18:45:32+01:00

I'm sorry - I did not make it clear that my main problem is with the NEO PIV applet. NEO OpenPGP applet appears fine, and indeed works fine with Apple Mail (with the GPG Tools installed).

Statistics: Posted by Uriel — Thu Apr 23, 2015 6:45 pm

Re: [Q?] NEO does not show up in Keychain (nor in Apple Mail

2015-04-18T03:06:16+01:00

Quote:

My main problem is getting the NEO recognized by Keychain, and/or my Apple Mail. OpenSC software (but not tokend) and yubico-piv-tool work well enough with the NEO's PIV applet.

This question (http://forum.yubico.com/viewtopic.php?f=23&t=1843) has some (unsatisfactory) ways to get the encryption key into the OSX GPG Keychain; and if there's an answer, it may offer a better way(s). FWIW all of these methods then had OSX Mail working automatically for me. I could even eject the Yubikey and *not* be able to read mail, which is exactly what should happen; and be able to read it again after re-inserting the Yubikey.

Hope this helps, /rb

Statistics: Posted by rbondi — Sat Apr 18, 2015 3:06 am

Re: [Q?] NEO does not show up in Keychain (nor in Apple Mail

2015-03-20T03:56:11+01:00

Yeah, that worked. Got a ton of logs, for both CAC and NEO. Will analyze and post here.

One weird thing - with CAC, even though it can't be unlocked by Keychain Access (and its certs don't seem visible by Apple Mail), I could successfully configure MS Outlook 2011 to use CAC to sign email (verified - it worked). But Keychain saw and reported on the private keys as well, just couldn't unlock.

With NEO - Keychain does not see the private keys at all, only the certs. And no other tokend-related app (that I tried) was able to do anything with NEO PIV. (So far, that is.)

Statistics: Posted by uri — Fri Mar 20, 2015 3:56 am

Re: [Q?] NEO does not show up in Keychain (nor in Apple Mail

2015-03-19T15:10:27+01:00

You can

/Library/OpenSC/etc/opensc.conf

search for "tokend"

Statistics: Posted by zviratko — Thu Mar 19, 2015 3:10 pm

Re: [Q?] NEO does not show up in Keychain (nor in Apple Mail

2015-03-19T14:59:47+01:00

Yes, we talk about both: original CAC cards, and Yubikey NEO.

Yes,the do seem to have different problems.

However, at this point I have a few solutions that seem to work well with CAC on Mac:

CACKey package http://cacformac.com/downloads.htm
SmartCard Services http://smartcardservices.macosforge.org/trac/wiki/installers (remove the CAC.tokend from /System/Library/Security/tokend/ directory)
PKard
Centrify Express
OpenSC.tokend https://github.com/OpenSC/OpenSC.tokend sees the CAC and all its certs, but does not work with it

For NEO PIV applet - only OpenSC.tokend even sees the token, but just like with CAC, it refuses to do anything useful with it. Which means that all the applications that rely on tokend, don't even see the NEO token (in PIV mode).

I wish I could enable debugging output of OpenSC.tokend...

Statistics: Posted by Uriel — Thu Mar 19, 2015 2:59 pm

Re: [Q?] NEO does not show up in Keychain (nor in Apple Mail

2015-03-19T09:33:02+01:00

Original CAC might be a different beast - are we talking about it, or about the PIV applet that we initialize ourselves? I reckon the original CAC and DoD cards will have a different structure than what yubico-piv-tool gives us, and different problems.

Statistics: Posted by zviratko — Thu Mar 19, 2015 9:33 am

Re: [Q?] NEO does not show up in Keychain (nor in Apple Mail

2015-03-19T03:35:22+01:00

Statistics: Posted by uri — Thu Mar 19, 2015 3:35 am

Re: [Q?] NEO does not show up in Keychain (nor in Apple Mail

2015-03-18T22:13:53+01:00

The certificate(s) were visible in the "Certificates" tab of Keychain Access. Nothing was visible in "My Certificates" tab.

Re. OpenSC FAQ: it does not seem to be correct, what can I say. What it states contradicts my direct experience.

Deleting everything in /var/db/TokenCache/config and /var/db/TokenCache/tokens resulted in both NEO and CAC not being recognized any more.

Continuing experiments.

Statistics: Posted by Uriel — Wed Mar 18, 2015 10:13 pm

Re: [Q?] NEO does not show up in Keychain (nor in Apple Mail

2015-03-18T19:39:01+01:00

I don't think OSX cares about the slots themselves - the certificates should definetly be visible, in my case they 100% are.

Keychain unlocking has nothing to do with actually using the keys - it is just a cosmetic feature. It might cause PIN to get cached by Keychain for some tokens, but even in "locked" state it is completely usable (assuming everything else works).
Quoting from OpenSC FAQ:

Quote:

Q: It seems to be impossible to unlock the smart card keychain in Keychain Access.app ?

A: The padlock in the Keychain Access GUI is just a GUI feature, it does not relate to unlocking smart card items with a PIN code. The PIN for the related key will be asked if used (for example, with Google Chrome for SSL authentication)

I don't know what else to suggest - maybe try deleting the contents of /var/db/TokenCache - but that should not be an issue if you changed the CHUID...

Statistics: Posted by zviratko — Wed Mar 18, 2015 7:39 pm

Re: [Q?] NEO does not show up in Keychain (nor in Apple Mail

2015-03-18T19:02:30+01:00

1. Putting the same cert in 9a had no visible effect. The card is still visible as "PIV-II" in Keychain. It shows one certificate (which makes sense, because neither PIV Auth nor Card Auth are supposed to be usable by applications such as Keychain, AFAIK). It is still not unlock-able.

Naturally, when I select "My Certificates" (which means - certificates for which I have private keys) is shows nothing.

2. Unlocking is not pointless - it enables access to the private keys. Since it turns out impossible - I'm not surprised that neither Apple Mail nor MS Outlook-2011 even saw my certs on the NEO. So of course I was unable to sign with it.

6. Darn. So how to get OpenSC.tokend to work with NEO??? (And maybe Centrify?)

7. Yeah, except that the card has no room for the intermediate certs - that's what belongs to the Keychain . But I've got that .p12 imported just fine, so doubt that part is a problem.

Yeah, I've rebooted many times by now. Yeah, right now the only tokend in /System/Library/Security/tokend is OpenSC.tokend:

Code:

$ ll /System/Library/Security/tokend
total 0
drwxr-xr-x  5 root  wheel  170 Mar 17 17:21 ./
drwxr-xr-x  8 root  wheel  272 Mar 16 13:05 ../
drwxr-xr-x  3 root  wheel  102 Oct 30 06:12 OpenSC.tokend/
drwxr-xr-x  7 root  wheel  238 Mar 17 17:21 tmp/
drwxr-xr-x  5 root  wheel  170 Apr 17  2014 uiplugins/

I think this is the relevant part of the logs:

Code:

Mar 18 11:48:51 hostname com.apple.SecurityServer[38]: Token reader Yubico Yubikey NEO OTP+U2F+CCID 00 00 inserted into system
Mar 18 11:48:53 hostname com.apple.SecurityServer[38]: reader Yubico Yubikey NEO OTP+U2F+CCID 00 00 inserted token "PIV_II" (c62cfe2c4e51372d76c7a0492489dda9b7c12671) subservice 12 using driver com.apple.tokend.opensc
Mar 18 11:49:00 hostname secd[597]:  SecErrorGetOSStatus unknown error domain: com.apple.security.sos.error for error: The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)
Mar 18 11:49:00 hostname secd[597]:  securityd_xpc_dictionary_handler Keychain Access[44833] DeviceInCircle The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)
...
Mar 18 13:27:06 hostname com.apple.SecurityServer[38]: reader Yubico Yubikey NEO OTP+U2F+CCID 00 00 removed token "PIV_II" (c62cfe2c4e51372d76c7a0492489dda9b7c12671) subservice 12
Mar 18 13:27:15 hostname com.apple.SecurityServer[38]: Token reader Yubico Yubikey NEO OTP+U2F+CCID 00 00 inserted into system
Mar 18 13:27:17 hostname com.apple.SecurityServer[38]: reader Yubico Yubikey NEO OTP+U2F+CCID 00 00 inserted token "PIV_II" (c62cfe2c4e51372d76c7a0492489dda9b7c12671) subservice 12 using driver com.apple.tokend.opensc
...
Mar 18 13:40:32 hostname apsd[588]: CFNetwork SSLHandshake failed (-9806)
Mar 18 13:40:40 hostname authexec[78741]: executing /Library/Frameworks/VirusScanPreferences.framework/Versions/Current/Resources/prefsHelperTool
Mar 18 13:40:48 hostname secd[597]:  SecErrorGetOSStatus unknown error domain: com.apple.security.sos.error for error: The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)
Mar 18 13:40:48 hostname secd[597]:  securityd_xpc_dictionary_handler Keychain Access[78549] DeviceInCircle The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)
Mar 18 13:40:48 hostname secd[597]:  SecErrorGetOSStatus unknown error domain: com.apple.security.sos.error for error: The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)
Mar 18 13:40:48 hostname secd[597]:  securityd_xpc_dictionary_handler Keychain Access[78549] DeviceInCircle The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)
Mar 18 13:40:48 hostname secd[597]:  SecErrorGetOSStatus unknown error domain: com.apple.security.sos.error for error: The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)
Mar 18 13:40:48 hostname secd[597]:  securityd_xpc_dictionary_handler Keychain Access[78549] DeviceInCircle The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)
Mar 18 13:40:48 hostname secd[597]:  SecErrorGetOSStatus unknown error domain: com.apple.security.sos.error for error: The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)
Mar 18 13:40:48 hostname secd[597]:  securityd_xpc_dictionary_handler Keychain Access[78549] DeviceInCircle The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)
Mar 18 13:40:48 hostname secd[597]:  SecErrorGetOSStatus unknown error domain: com.apple.security.sos.error for error: The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)
Mar 18 13:40:48 hostname secd[597]:  securityd_xpc_dictionary_handler Keychain Access[78549] DeviceInCircle The operation couldn’t be completed. (com.apple.security.sos.error error 2 - Public Key not available - failed to register before call)

And maybe this (happens with PKCS11.tokend):

Code:

Mar 17 01:02:59 MacBook-Air.local com.apple.SecurityServer[15]: Token reader Yubico Yubikey NEO OTP+U2F+CCID 00 00 inserted into system
Mar 17 01:03:04 MacBook-Air.local com.apple.SecurityServer[15]: token in reader Yubico Yubikey NEO OTP+U2F+CCID 00 00 cannot be used (error 2147549225)

And this - on the same (MacBook Air) machine but with OpenSC.tokend:

Code:

Mar 17 01:53:27 MacBook-Air.local com.apple.SecurityServer[15]: Token reader Yubico Yubikey NEO OTP+U2F+CCID 00 00 inserted into system
Mar 17 01:53:31 MacBook-Air.local com.apple.SecurityServer[15]: reader Yubico Yubikey NEO OTP+U2F+CCID 00 00 inserted token "PIV_II" (5269d71a0501b05bbffa28e25bd8e73d569b21b2) subservice 7 using driver com.apple.tokend.opensc
.....
Mar 17 01:53:49 MacBook-Air.local launchservicesd[80]: Application App:"iTerm" asn:0x0-20020 pid:371 refs=7 @ 0x7fbc52519d60 tried to be brought forward, but isn't in fPermittedFrontApps ( ( "LSApplication:0x0-0x22022 pid=455 "SecurityAgent"")), so denying. : LASSession.cp #1481 SetFrontApplication() q=LSSession 100004/0x186a4 queue
Mar 17 01:53:49 MacBook-Air.local WindowServer[112]: [cps/setfront] Failed setting the front application to iTerm, psn 0x0-0x20020, securitySessionID=0x186a4, err=-13066
Mar 17 01:53:49 MacBook-Air kernel[0]: Sandbox: mDNSResponder(65) deny file-read-data /
Mar 17 01:53:49 --- last message repeated 4 times ---
Mar 17 01:53:49 MacBook-Air kernel[0]: Sandbox: apsd(87) deny file-read-data /
Mar 17 01:53:50 MacBook-Air.local sandboxd[282] ([87]): apsd(87) deny file-read-data /
Mar 17 01:54:03 --- last message repeated 3 times ---

Though the last message could be from gpg-agent...

Statistics: Posted by Uriel — Wed Mar 18, 2015 7:02 pm

Re: [Q?] NEO does not show up in Keychain (nor in Apple Mail

2015-03-16T23:48:44+01:00

Post logs, I'll take a look tomorrow.
Are you sure you cleaned all the tokends from the system? Have you tried rebooting?

Maybe something is different on your 10.9.5 - CCID driver most probably? I know that some yubico software actually patches the supported readers, but I don't remember which one - not sure what messages you would get if it wasn't supported (but my guess would be no message at all, not even the 229 error). 10.9 should actually work better than 10.10...

Statistics: Posted by zviratko — Mon Mar 16, 2015 11:48 pm

Re: [Q?] NEO does not show up in Keychain (nor in Apple Mail

2015-03-16T23:44:40+01:00

1. maybe try putting the same cert in 9a as well if it doesn't work with only 9c, it could by mandatory in some implementations
2. I don't have PKard, but can you post a few previous lines? This doesn't really tell if the PKard tokend was used. This (229 code) is however the same I got when my card was not provisioned to the tokend's liking (empty or "wrong" slots)

As for OpenSC - do not try unlocking it in keychain - it's pointless and just UI. Try using it (sign an email), that will tell you if it works.

6. Both OpenSC and Centrify work for me (now)

7. Yes. Typically, what you want on card is:
a) the private key
b) the certificate signed by authority
c) all intermediate certificates, possibly including the root authority
(this is what I have in my .p12)

I don't think intermediate CAs are imported by yubico-piv-tool (I don't know if that's even supported with PIV applet), so you might need to import the intermediate CAs into keychain to use the identity. But this will come after you see the card in keychain and has is irrelevant at this point. It's just a common problem when trying to actually use it without having all the anchors up to the trusted root (and I guess it's a bug that software like Firefox needs it).

Statistics: Posted by zviratko — Mon Mar 16, 2015 11:44 pm

Re: [Q?] NEO does not show up in Keychain (nor in Apple Mail

2015-03-16T22:01:24+01:00

1. I will blast the PIV applet, and re-create as you suggest, one slot at a time. Starting with 9c.

Update. tried with filling the 9c slot only, same result: NEO PIV not recognized by Keychain, because no tokend seems comfortable with it.

2. The original (fully provisioned) NEO PIV (will try slot-by-slot later).

With Thursby PKard:

Code:

Mar 16 16:42:48  PKard[29341]: TSSCardClass: presence NOT detected '/Library/Logs/com.thursby.pki.caching.disabled' uid=91
Mar 16 16:42:48  com.apple.SecurityServer[38]: token in reader Yubico Yubikey NEO OTP+U2F+CCID 00 00 cannot be used (error 229)

With OpenSC (first token inserted was CAC - wanted to see if it can unlock it; it couldn't. Second inserted token was NEO):

Code:

Mar 16 00:02:46  apsd[671]: CFNetwork SSLHandshake failed (-9806)
...skipping...
ken "PIV_II" (d8e21ddbb4709a69c13ba7fc55908a4a8dd94afe) subservice 7
Mar 16 16:47:26  apsd[671]: CFNetwork SSLHandshake failed (-9806)
Mar 16 16:47:38  com.apple.SecurityServer[38]: Token reader Yubico Yubikey NEO OTP+U2F+CCID 00 00 inserted into system
Mar 16 16:47:40  com.apple.SecurityServer[38]: reader Yubico Yubikey NEO OTP+U2F+CCID 00 00 inserted token "PIV_II" (930ec3d62bec500b8c71636d353d5b821e51378d) subservice 6 using driver com.apple.tokend.opensc
Mar 16 16:47:56  apsd[671]: CFNetwork SSLHandshake failed (-9806)

4. Will try after this.
Update. Failed, behavior as before (i.e., as with the fully-provisioned card).

5. I don't know, but would expect that any UUID in the right format should work. Your experience seems to confirm this assumption.

6. Can you tell me which one you have installed right now, that seems to work OK with the NEO PIV?

7. So that PKCS12 file contains your private key, and the corresponding public key (probably with signatures, so it's actually a cert)?

Update. Figured that out, converting between different key+cert formats on the fly. Thanks, OpenSSL!

Statistics: Posted by Uriel — Mon Mar 16, 2015 10:01 pm

Re: [Q?] NEO does not show up in Keychain (nor in Apple Mail

2015-03-16T21:10:17+01:00

1. Test with just one slot, then fill it gradually - security and purpose of the slots differ, so I'd try not complicating things unless at least something works

2. Then look at /var/log/system.log - it could hint at what's wrong (and which tokend is actually used)

3. yeah, you're right here

4. with OpenSC.tokend, I need to put my cert in the 9c slot. Putting the same cert in 9a slot doesn't work (everything seems fine but it can't sign anything - but I am not sure 100% that there isn't something else wrong here)

5. Yes, just a "-a set-chuid" to yubico-piv-tool. I haven't investigated the purpose of CHUID, looks to me that as long as it is a new UUID it should work, even if it isn't the "right" number. No?

6. I always just keep one. Don't leave more than one tokend installed (unless it's for a different card).

7. My certificate comes from StartSSL and it was generated in Firefox. I exported it from here and haven't touched it afterwards. It contains my key+cert, and the Startcom Intermediate CA and root CA certificates (those don't get to the card).

Statistics: Posted by zviratko — Mon Mar 16, 2015 9:10 pm

Re: [Q?] NEO does not show up in Keychain (nor in Apple Mail

2015-03-16T20:56:48+01:00

Strange indeed.

1. Yes I filled all the slots - but with different keys/certificates (of course ).

2. At this time I'm just trying to ascertain that the card is usable by the OS apps (such as Mail and Keychain, and Safari/Chrome) in the PIV mode - and the simplest way I know of checking it is via Keychain.

3. Keychain doesn't see/detect the NEO at all. So I'd guess it's not a question of seeing a wrong cert.

4. What do you mean by "OpenSC works...with 9c slot"?

5. Centrify - what did you do with/for CHUID? Initiated it via "yubico-piv-tool" to a (sort of) random value? Or constructed a meaningful one, and fed to the card? If latter - how exactly did you construct it, and how did you write it to the card?

6. How many tokend's do you currently have installed (and appearing in /System/Library/Security/tokend)?

7. How did you create your cert.pkcs12? (Just to make sure)

Thanks!

Statistics: Posted by Uriel — Mon Mar 16, 2015 8:56 pm