Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 9:21 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 3 posts ] 
Author Message
PostPosted: Tue Dec 16, 2014 8:26 pm 
Offline

Joined: Tue Nov 18, 2014 9:14 pm
Posts: 95
Location: San Jose, CA
I'm trying to do some advanced fancy stuff on OS X with respect to the OS X keychain, as well as some stuff with encrypted disk images.

I've got a "PIVAUTH" (0x9a) and a "SIGN" (0x9c) certificate on my YKNeo. The "SIGN" cert came from startssl.com, and the "PIVAUTH" cert came from my own CA. Both CAs are trusted. I have OpenSC installed (with the magic tokend), so I see the certs in the keychain. Both are green. Both CA roots are trusted in the system keychain.

The "PIVAUTH" key has a non-critical "keyUsage" set to "Digital Signature, Key Encipherment, Key Agreement". It has a non-critical "extendedKeyUsage" of "Client Authentication". It is unexpired, and has my name as the commonName.

The "SIGN" key has a non-critical "keyUsage" set to "Digital Signature, Key Encipherment, Data Encipherment". It has a non-critical "extendedKeyUsage" of "Client Authentication" and "Email Protection". It is unexpired, and has my email address as the commonName.

I can use both keys for SSL authentication from my web browser. A window pops up asking me for my pin number when logging in. It is fantastic.

I can use the "SIGN" key for signing email in Apple Mail. It is fantastic. HOWEVER, I cannot read encrypted emails in Apple Mail. (I can, however, read encrypted emails if I use thunderbird, which uses the OpenSC pkcs11 module and doesn't use the OS X keychain)

Token-Protected Keychain

The OS X keychain internally supports the idea of having a keychain be encrypted by a public key who's private key is stored in another keychain---which can be a smart card. It's pretty easy to set up.

First, you connect your token. Then you run "sc_auth hash". Note the first key in the list: this is the key that will be used. Then run "systemkeychain -T Library/keychain/token_secured.keychain" to create a keychain that is protected with that public key instead of being protected by a password.

When I try to unlock the keychain, I get the PIN entry box, but after typing in my pin it never unlocks the keychain and I cannot read any of the protected information in the keychain.

Anyone have any idea what might be wrong?

Token-Encrypted Disk Images

I recently found this nifty capability to create a disk image which is encrypted with a private key using "hdiutil". First, you use "sc_auth" to get a list of the key hashes:

Code:
$ sc_auth hash
92FE4542132D972011569F758B00704E8E851ADC PIV AUTH key
1BC7E41912A1EADAC87E9EB8F3FB2EEA361DF772 SIGN key
4C283767C7F2A2BA178C2FD8B9FA6980D7342BDE com.apple.systemdefault
98A10C7D2772EDBBD5632B4AA9126F94EFBC8993 com.apple.kerberos.kdc
4C283767C7F2A2BA178C2FD8B9FA6980D7342BDE com.apple.systemdefault
98A10C7D2772EDBBD5632B4AA9126F94EFBC8993 com.apple.kerberos.kdc


You can then pass that hash into hdiutil when creating an encrypted disk image:

Code:
hdiutil create -encryption -size 50m e.dmg -fs HFS+J -pubkey 1BC7E41912A1EADAC87E9EB8F3FB2EEA361DF772


This *almost* works. Whenever I try to mount the drive, I get a popup window which says "authentication error". Any ideas what might be wrong?


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Wed Dec 17, 2014 12:38 am 
Offline

Joined: Tue Nov 18, 2014 9:14 pm
Posts: 95
Location: San Jose, CA
By the way, the specific error code I'm getting for the keychain problem is:
Code:
Error: 0xFFFEF7FC -67588 A device failure has occurred.

Wonderfully descriptive. This turns out to be errSecDeviceFailed.


Top
 Profile  
Reply with quote  
PostPosted: Wed Dec 17, 2014 3:29 pm 
Offline
Site Admin
Site Admin

Joined: Thu Apr 19, 2012 1:45 pm
Posts: 148
Haven't tried this exact use-case.
What might be helpful for you is to edit the opensc config file (/Library/OpenSC/etc/opensc.conf if you installed their binary package) and set debug to 9 and point at a debug_file, it might contain interesting things after a run like this.

/klas


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 3 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 4 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group