Yubico Forum

where can i get the PIV applet >_<

I wanna start testing the smartcard capabilities for a couple clients who run tax preparation offices.

--edit--
[SOLVED]

the howto on the top of this forum is for OSX viewtopic.php?f=26&t=1171
however i had it all working already appearantly.

deinstalled openSC, all still working fine

Just install GPG-Tools, if you can get your hands on a linux box then thah might be an ideal location for personalization of the key, keeps OSX clean

Just needed to import my public key and set trust to 5, Ultimately. THEN and ONLY THEN pgp recognizes the private keys on the card as usable.

Please do publish your pull, I'd like to see it.

The libccid provided by apple is incredibly old and doesn't support most of the readers out there. You can add support for the Yubikey NEO, as well as many other useful readers by updating libccid and installing it over the Apple provided one.

This process is described on the libccid page. This works brilliantly and allows normal access to the NEO through pcscd.

If you want the PIV applet to show up in Keychain Access and be otherwise accessible to the OS, you need to install the OpenSC.tokend module in /System/Library/Security/tokend. You can build it, as well as OpenSC, or download binaries from the OpenSC repo.

Keep in mind, though, that if you install OpenSC.tokend, the Yubikey will be snatched up by the OS whenever it's inserted and will be inaccessible by GPG. If you want to use it with GPG, you'll need to kill the 'pcscd' process, first. (There must be some way to make gpg and pcscd play nice together, but I haven't yet worked it out. I'll certainly post the solution when I figure it out!)

You can download a pre-built CCID free software driver ("unofficial" warning, maybe) with NEO support from here:
https://github.com/martinpaljak/osx-ccid-installer

No, gpg and OpenSC.tokend don't match and probably never will, because that's the apparent design decision of GnuPG developers - their application needs to have exclusive access.

The interesting thing here is that while NEO does not provide any of the applets as default selected (there's cure for that) what gets picked up - OpenPGP or PIV - depends on your configuration and might not be what you want.

_________________
OpenKMS GlobalPlatform - simple way to manage applications on your NEO
Applet Playground - explore open source JavaCard applications
PGP: 0x307E3452

Which is a shame, since GPG handles cards so poorly compared to OpenSC and ensures that certain connected readers are only ever used for one or the other.

You should be able to put the following in ~/.gnupg/scdaemon.conf and use pcscd (instead of the integrated CCID drivers) to access the card

...but I've never been able to get that to work. The version of scdaemon provided with MacGPG never looks at scdaemon.conf and I can't figure out exactly where it's being called from to change its arguments.


Can you elaborate on this? How do you change the default applet and what is the effect of having a default applet selected?

No apparent difference for default applet in case of piv or openpgp. Do use gpgtools.org and with a single reader you dont have to change anything iirc. I dont recall release card option though....


And i just used yubiclip to log on from a tablet. Nice.

_________________
OpenKMS GlobalPlatform - simple way to manage applications on your NEO
Applet Playground - explore open source JavaCard applications
PGP: 0x307E3452

Actually, it looks like scdaemon does read its config file. If you add

to ~/.gnupg/scdaemon.conf, gpg will read from the Yubikey even if it is not the only/first reader on your system.

Also, it looks like some of the other options in there are being handled. 'disable-ccid' and 'pcsc-driver' seem to be working, as all access is through pcscd. 'card-timeout' doesn't seem to be doing anything, though.

I think 'card-timeout' isn't working because gpg-agent is keeping a connection to scdaemon open. I use gpg-agent for ssh, though, so I can't really disable it. Frustrating! Who cares if gpg-agent has a connection open? I should be able to sleep the card until an actual transaction occurs.

We need a scdaemon that isn't so restrictive. Have you tried gnupg-pkcs11-scd?

Cannot build gnupg-pkcs11-scd on Mac, because it needs pkcs11-helper, which does not exist on Mac, and porting did not work for me.

I needed to modify the ~/.gnupg/scdaemon.conf:


In general, having GPGTools https://gpgtools.org installed provided with gpg2, gpg-agent, and scdaemon to use with NEO. I was able to secure email in OpenPGP mode using NEO and GPGTools.

Regarding PIV, the story is more difficult. It seems fairly straightforward to access NEO with tools from OpenSC https://github.com/OpenSC/OpenSC/releases, and using OpenSSL, or Keystore Explorer http://keystore-explorer.sourceforge.net/ (and of course yubico-piv-tool) one is able to generate keys & certificates, and load them on the NEO. The problem is - I'm not aware of any application that can use those certificates, either for email, or for login, or such.

OpenSC.tokend https://github.com/OpenSC/OpenSC.tokend recognizes NEO but cannot unlock it, or do anything useful with it (in fact it refuses to unlock any smart card, so there must be something wrong with my setup, but I can't figure out what it could be).
PKard does not recognize NEO (because NEO does not return Card Capabilities Container).

Update
After some change (among many - can't tell what exactly it was) OpenSC.tokend stopped recognizing NEO. But I guess I shouldn't complain because it started unlocking CAC and PIV cards successfully. Though at this time NEO PIV == No-Go.