Yubico Forum
https://forum.yubico.com/

[QUESTION] OS X: Token-locked Keychain
https://forum.yubico.com/viewtopic.php?f=26&t=1663

Author:  darco [ Tue Dec 16, 2014 8:26 pm ]
Post subject:  [QUESTION] OS X: Token-locked Keychain

I'm trying to do some advanced fancy stuff on OS X with respect to the OS X keychain, as well as some stuff with encrypted disk images.

I've got a "PIVAUTH" (0x9a) and a "SIGN" (0x9c) certificate on my YKNeo. The "SIGN" cert came from startssl.com, and the "PIVAUTH" cert came from my own CA. Both CAs are trusted. I have OpenSC installed (with the magic tokend), so I see the certs in the keychain. Both are green. Both CA roots are trusted in the system keychain.

The "PIVAUTH" key has a non-critical "keyUsage" set to "Digital Signature, Key Encipherment, Key Agreement". It has a non-critical "extendedKeyUsage" of "Client Authentication". It is unexpired, and has my name as the commonName.

The "SIGN" key has a non-critical "keyUsage" set to "Digital Signature, Key Encipherment, Data Encipherment". It has a non-critical "extendedKeyUsage" of "Client Authentication" and "Email Protection". It is unexpired, and has my email address as the commonName.

I can use both keys for SSL authentication from my web browser. A window pops up asking me for my PIN when logging in. It is fantastic.

I can use the "SIGN" key for signing email in Apple Mail. It is fantastic. HOWEVER, I cannot read encrypted emails in Apple Mail. (I can, however, read encrypted emails if I use Thunderbird, which uses the OpenSC PKCS#11 module and doesn't use the OS X keychain.)

Token-Protected Keychain

The OS X keychain internally supports the idea of having a keychain be encrypted by a public key whose private key is stored in another keychain---which can be a smart card. It's pretty easy to set up.

First, you connect your token. Then you run "sc_auth hash". Note the first key in the list: this is the key that will be used. Then run "systemkeychain -T Library/keychain/token_secured.keychain" to create a keychain that is protected with that public key instead of being protected by a password.

When I try to unlock the keychain, I get the PIN entry box, but after typing in my PIN it never unlocks the keychain and I cannot read any of the protected information in the keychain.

Anyone have any idea what might be wrong?

Token-Encrypted Disk Images

I recently found this nifty capability to create a disk image which is encrypted with a private key using "hdiutil". First, you use "sc_auth" to get a list of the key hashes:

Code:
$ sc_auth hash
92FE4542132D972011569F758B00704E8E851ADC PIV AUTH key
1BC7E41912A1EADAC87E9EB8F3FB2EEA361DF772 SIGN key
4C283767C7F2A2BA178C2FD8B9FA6980D7342BDE com.apple.systemdefault
98A10C7D2772EDBBD5632B4AA9126F94EFBC8993 com.apple.kerberos.kdc
4C283767C7F2A2BA178C2FD8B9FA6980D7342BDE com.apple.systemdefault
98A10C7D2772EDBBD5632B4AA9126F94EFBC8993 com.apple.kerberos.kdc


You can then pass that hash into hdiutil when creating an encrypted disk image:

Code:
hdiutil create -encryption -size 50m e.dmg -fs HFS+J -pubkey 1BC7E41912A1EADAC87E9EB8F3FB2EEA361DF772


This *almost* works. Whenever I try to mount the drive, I get a popup window which says "authentication error". Any ideas what might be wrong?
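As an added example (not from darco's post or from Yubico's or Apple's tools), a small POSIX-shell helper that picks the hash for a named key out of sc_auth output and builds the hdiutil command from it, refusing to proceed if the label is missing, ambiguous or the hash is malformed. The sc_auth output is constructed to mirror the listing above; the sc_auth and hdiutil commands themselves only exist on OS X, so the script prints the hdiutil command rather than running it.

```shell
#!/bin/sh
# Constructed sample of `sc_auth hash` output, copied from the listing in the thread.
# On a real Mac replace it with: SC_AUTH_OUTPUT="$(sc_auth hash)"
SC_AUTH_OUTPUT='92FE4542132D972011569F758B00704E8E851ADC PIV AUTH key
1BC7E41912A1EADAC87E9EB8F3FB2EEA361DF772 SIGN key
4C283767C7F2A2BA178C2FD8B9FA6980D7342BDE com.apple.systemdefault
98A10C7D2772EDBBD5632B4AA9126F94EFBC8993 com.apple.kerberos.kdc
4C283767C7F2A2BA178C2FD8B9FA6980D7342BDE com.apple.systemdefault
98A10C7D2772EDBBD5632B4AA9126F94EFBC8993 com.apple.kerberos.kdc'

# key_hash LABEL: print the 40-hex-digit hash whose label matches LABEL exactly.
# The listing repeats entries, so identical lines are collapsed; anything else
# that is missing, ambiguous or not a SHA-1 sized hex string is an error, so a
# mistyped label can never silently select a different key.
key_hash() {
    label="$1"
    hits=$(printf '%s\n' "$SC_AUTH_OUTPUT" \
        | awk -v want="$label" '{ h=$1; $1=""; sub(/^ /, ""); if ($0 == want) print h }' \
        | sort -u)
    [ -n "$hits" ] || { echo "no key labelled '$label'" >&2; return 1; }
    count=$(printf '%s\n' "$hits" | awk 'END { print NR }')
    [ "$count" -eq 1 ] || { echo "label '$label' is ambiguous" >&2; return 1; }
    case "$hits" in
        *[!0-9A-Fa-f]*) echo "malformed hash for '$label'" >&2; return 1 ;;
    esac
    [ "${#hits}" -eq 40 ] || { echo "hash for '$label' is not 160 bits" >&2; return 1; }
    printf '%s\n' "$hits"
}

# dmg_create_cmd LABEL IMAGE SIZE: emit the hdiutil invocation from the thread,
# bound to the selected hash. It is printed rather than executed so the command
# can be reviewed before an image is tied to a particular token key.
dmg_create_cmd() {
    h=$(key_hash "$1") || return 1
    printf 'hdiutil create -encryption -size %s %s -fs HFS+J -pubkey %s\n' "$3" "$2" "$h"
}

dmg_create_cmd "SIGN key" e.dmg 50m
```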

Author:  darco [ Wed Dec 17, 2014 12:38 am ]
Post subject:  Re: [QUESTION] OS X: Token-locked Keychain

By the way, the specific error code I'm getting for the keychain problem is:
Code:
Error: 0xFFFEF7FC -67588 A device failure has occurred.

Wonderfully descriptive. This turns out to be errSecDeviceFailed.

Author:  Klas [ Wed Dec 17, 2014 3:29 pm ]
Post subject:  Re: [QUESTION] OS X: Token-locked Keychain

Haven't tried this exact use-case.
What might be helpful for you is to edit the OpenSC config file (/Library/OpenSC/etc/opensc.conf if you installed their binary package), set debug to 9 and point it at a debug_file; it might contain interesting things after a run like this.

/klas
