I've got a "PIVAUTH" (0x9a) and a "SIGN" (0x9c) certificate on my YKNeo. The "SIGN" cert came from startssl.com, and the "PIVAUTH" cert came from my own CA. Both CAs are trusted. I have OpenSC installed (with the magic tokend), so I see the certs in the keychain. Both are green. Both CA roots are trusted in the system keychain.
The "PIVAUTH" key has a non-critical "keyUsage" set to "Digital Signature, Key Encipherment, Key Agreement". It has a non-critical "extendedKeyUsage" of "Client Authentication". It is unexpired, and has my name as the commonName.
The "SIGN" key has a non-critical "keyUsage" set to "Digital Signature, Key Encipherment, Data Encipherment". It has a non-critical "extendedKeyUsage" of "Client Authentication" and "Email Protection". It is unexpired, and has my email address as the commonName.
I can use both keys for SSL authentication from my web browser. A window pops up asking me for my pin number when logging in. It is fantastic.
I can use the "SIGN" key for signing email in Apple Mail. It is fantastic. HOWEVER, I cannot read encrypted emails in Apple Mail. (I can, however, read encrypted emails if I use thunderbird, which uses the OpenSC pkcs11 module and doesn't use the OS X keychain)
Token-Protected Keychain
The OS X keychain internally supports the idea of having a keychain be encrypted by a public key who's private key is stored in another keychain---which can be a smart card. It's pretty easy to set up.
First, you connect your token. Then you run "sc_auth hash". Note the first key in the list: this is the key that will be used. Then run "systemkeychain -T Library/keychain/token_secured.keychain" to create a keychain that is protected with that public key instead of being protected by a password.
When I try to unlock the keychain, I get the PIN entry box, but after typing in my pin it never unlocks the keychain and I cannot read any of the protected information in the keychain.
Anyone have any idea what might be wrong?
Token-Encrypted Disk Images
I recently found this nifty capability to create a disk image which is encrypted with a private key using "hdiutil". First, you use "sc_auth" to get a list of the key hashes:
Code:
$ sc_auth hash
92FE4542132D972011569F758B00704E8E851ADC PIV AUTH key
1BC7E41912A1EADAC87E9EB8F3FB2EEA361DF772 SIGN key
4C283767C7F2A2BA178C2FD8B9FA6980D7342BDE com.apple.systemdefault
98A10C7D2772EDBBD5632B4AA9126F94EFBC8993 com.apple.kerberos.kdc
4C283767C7F2A2BA178C2FD8B9FA6980D7342BDE com.apple.systemdefault
98A10C7D2772EDBBD5632B4AA9126F94EFBC8993 com.apple.kerberos.kdc
You can then pass that hash into hdiutil when creating an encrypted disk image:
Code:
hdiutil create -encryption -size 50m e.dmg -fs HFS+J -pubkey 1BC7E41912A1EADAC87E9EB8F3FB2EEA361DF772
This *almost* works. Whenever I try to mount the drive, I get a popup window which says "authentication error". Any ideas what might be wrong?Statistics: Posted by darco — Tue Dec 16, 2014 8:26 pm
]]>