Uriel wrote:
zviratko wrote:
OpenSC.tokend doesn't seem to work right (at least for me).
I tried several tokend providers and the one that did work was (I think) CACkey (I believe it provides a PKCS11.tokend into /System/Library/Security/tokend).
I concur regarding OpenSC.tokend.
But I have a whole bunch of *.tokend, including what CACKey provided - and nothing seems to work.
You should just keep one, make a "disabled" folder here and move the rest here, then reboot and try again. It should somewhat work even with the OpenSC one, but in my experience it was the most broken one of the bunch.
Uriel wrote:
zviratko wrote:
Also, you need to personalize the card _first_, before it is correctly recognized by Keychain - I used yubico-piv-tools to upload the keys/certs to the card, and then they showed in keychain.
But I thought my card was personalized! At least I put the keys & certs on it. I know that the Card Capability Container hasn't been properly instantiated, and several other objects don't seem to contain any data (which bothers a lot of commercial applications such as PKard), but is it an issue for tokend?
I have no idea what CCC is, to be honest
I read the specs but from what I understood some aspects are still vendor-specific.
I followed this guide for personalization and it worked for me:
https://developers.yubico.com/yubico-piv-tool/
I tried various slots and they did what they should (in regard to caching and requiring PINs) and I was able to use 2 certificates in different slots together.
I remember having some trouble signing mails in Mail.app, and I'm not sure how/if I solved it in the end, but the card worked and was shown in keychain - and with CACkey tokend I was able to unlock the keychain from Keychain.app, not just when signing (it just does nothing with OpenSC.tokend and the rest)
It's possible I'm misleading you on the CACkey tokend, though, I don't remember 100% which one I used in the end, and I tried lots of them. I think it was PKCS11.tokend, which I think gets installed with CACkey.
Uriel wrote:
zviratko wrote:
I ended up with a working card but then just scratched it all and went back to OpenPGP for both Mail and SSH - still hoping an update to smartcardservices or opensc will fix the issues I am seeing. (The most obnoxious one is that ssh-pkcs11-helper turns into a forkbomb on occasion; homebrewing a newer openssh and using that works better.)
I see your point.
Unfortunately I need the PIV capabilities and PKI integration.
Please let me know of your progress - I still want to go back to PKI, but GPG worked so flawlessly with gpgtools I just haven't had a real urge to go back.
Oh, and one other thing - the last time I tried PKI I tried it with EC keys - things got a bit funky in there as lots of stuff didn't support that (ssh-agent), and I remember Apple's stuff didn't even support 2048-bit keys correctly for hash authentication a few years back - not sure if that changed at all as they seem to neglect this subsystem badly...
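As an added example that is not part of this thread (none of the participants posted code): a POSIX shell script around yubico-piv-tool that performs the personalization zviratko describes and also populates the CHUID and CCC objects Uriel found uninstantiated, since tokend/Keychain will not pick up a card whose objects are empty. It assumes slot 9a, the factory-default PIN and management key (override them via the `SLOT`, `PIN` and `MGMT_KEY` environment variables), and that `yubico-piv-tool -a status` reports an unpopulated CHUID or CCC with the text "No data available"; the two status samples embedded in the script are constructed for the checks, not captured from a real key.

```shell
#!/bin/sh
# Added example, not from the thread: personalize one PIV slot with
# yubico-piv-tool, populate CHUID and CCC, and check a status report for
# objects that are still empty. Status samples below are constructed.

SLOT="${SLOT:-9a}"
# Factory-default PIN and management key (assumption); rotate both on a real key.
PIN="${PIN:-123456}"
MGMT_KEY="${MGMT_KEY:-010203040506070801020304050607080102030405060708}"

# Constructed status output for a blank key: CHUID and CCC hold no data.
SAMPLE_BLANK="$(printf 'Version:\t4.3.1\nCHUID:\tNo data available\nCCC:\tNo data available\nPIN tries left:\t3\n')"

# Constructed status output after personalization: both objects set, two slots in use.
SAMPLE_READY="$(printf 'Version:\t4.3.1\nCHUID:\t3019d4e739da739ced39ce739d836858\nCCC:\tf015a000000116ff02ad8a9a81ed97e8\nSlot 9a:\n\tAlgorithm:\tRSA2048\nSlot 9c:\n\tAlgorithm:\tRSA2048\nPIN tries left:\t3\n')"

# Returns 0 when the status text shows CHUID or CCC unpopulated, 1 otherwise.
piv_needs_personalization() {
    printf '%s\n' "$1" | grep -E '^(CHUID|CCC):' | grep -q 'No data available'
}

# Prints how many slots the status text lists as holding a key/certificate.
piv_populated_slots() {
    printf '%s\n' "$1" | grep -c '^Slot [0-9a-f][0-9a-f]:'
}

# Full personalization of $SLOT; returns 2 if the tool is not installed.
personalize_piv_slot() {
    command -v yubico-piv-tool >/dev/null 2>&1 || {
        echo "yubico-piv-tool not installed" >&2
        return 2
    }
    # Generate a 2048-bit RSA key in the slot (needs the management key).
    yubico-piv-tool -k "$MGMT_KEY" -a generate -s "$SLOT" -A RSA2048 -o "pub-$SLOT.pem"
    # Self-sign a certificate for that key (needs the PIN verified first).
    yubico-piv-tool -a verify-pin -P "$PIN" -a selfsign-certificate -s "$SLOT" \
        -S '/CN=example user/' -i "pub-$SLOT.pem" -o "cert-$SLOT.pem"
    # Store the certificate in the slot so Keychain/tokend can see it.
    yubico-piv-tool -k "$MGMT_KEY" -a import-certificate -s "$SLOT" -i "cert-$SLOT.pem"
    # Populate the CHUID and CCC objects that an uninitialised card lacks.
    yubico-piv-tool -k "$MGMT_KEY" -a set-chuid
    yubico-piv-tool -k "$MGMT_KEY" -a set-ccc
    # Re-read the status and report whether anything is still empty.
    status="$(yubico-piv-tool -a status)"
    if piv_needs_personalization "$status"; then
        echo "CHUID or CCC still unpopulated" >&2
        return 1
    fi
    echo "populated slots: $(piv_populated_slots "$status")"
}
```

To use it, source the script and run `personalize_piv_slot` with the key inserted; the check functions can also be fed the output of `yubico-piv-tool -a status` on their own to confirm whether a card that Keychain ignores is simply missing its CHUID/CCC.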