Deprecated tokend API is now replaced


Deprecated tokend API is now replaced

Ludovic Rousseau
Hello,

Apple provides a sample implementation for PIVToken, a token using the
new API that replaces tokend.

See http://ludovicrousseau.blogspot.fr/2016/07/macos-sierra-and-pivtoken-source-code.html

I guess the "OpenSC project" may want to also provide a token for OpenSC.

I am also interested to know what the PIV experts on this list have to
say about the sample code provided by Apple.

Bye

--
 Dr. Ludovic Rousseau

------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: Deprecated tokend API is now replaced

Douglas E Engert
A quick glance at the web page shows they have been reading NIST 800-73-4, and it looks like they support most of the 800-73-3 features.
The History object is supported in that they will read the on-card retired key management certificates, but not off-card certificates which have on-card keys (as best I can tell). They also
mention ECDH and alwaysAuthenticate for the SIGN_KEY, as per the standard.

They don't need to use some of the other objects, like Printed information, Finger Prints. So no need to have code to read them
(The Microsoft PIV driver does not read them either.)

They expect the card to have a  Card Capability Container object. (Microsoft expects the card to have a CHUID object.)
They and Microsoft use these objects  to get the equivalent of a card serial number.

No support for PKCS#11, PKCS#15 or OpenSSL engine that I can see. Microsoft does not provide these either.
So OpenSC still has a niche to fill if these are important for other applications.

As they point out: "This sample demonstrates how to write an extension for CryptoTokenKit framework this is an example,  which could be used with other smart cards." And as you said, someone might
want to write the equivalent of the Windows minidriver to support smart cards other than PIV.

It's not obvious if or how they handle interference from other smart card middleware running at the same time on the machine, such as CAC middleware or OpenSC, which may change the selected applet,
reset the card, or change the security state. It is also not clear if session or transaction locking is used.

Just as on Windows, if you stick with PIV cards and the OS vendor's applications or APIs,  you would not need OpenSC at all.

On 7/4/2016 9:25 AM, Ludovic Rousseau wrote:

> Hello,
>
> Apple provides a sample implementation for PIVToken, a token using the
> new API that replaces tokend.
>
> See http://ludovicrousseau.blogspot.fr/2016/07/macos-sierra-and-pivtoken-source-code.html
>
> I guess the "OpenSC project" may want to also provide a token for OpenSC.
>
> I am also interested to know what the PIV experts on this list have to
> say about the sample code provided by Apple.
>
> Bye
>

--

  Douglas E. Engert  <[hidden email]>
 



Re: Deprecated tokend API is now replaced

Ludovic Rousseau
Thanks Douglas, I knew I could find PIV experts on this list :-)

The token uses the TKSmartCardTokenSession class:
https://developer.apple.com/library/prerelease/content/samplecode/PIVToken/Listings/PIVToken_Token_h.html line 46:

@interface PIVTokenSession : TKSmartCardTokenSession<TKTokenSessionDelegate>


This class manages the exclusive accesses for you:
https://developer.apple.com/reference/cryptotokenkit/tksmartcardtokensession/1773453-smartcard?language=objc

" Discussion

This property can only be accessed in the implementation of a TKTokenSessionDelegate protocol delegate method. If the associated token has a value set for the AID property, this property opens an exclusive session to the card, with the application already selected.

You should not call beginSessionWithReply: or endSession on the returned value. Instead, the system will take care of beginning the exclusive session and terminating it when the current token request servicing is finished. "


The AID used by the token is defined in Info.plist file as:

            <key>com.apple.ctk.aid</key>
            <string>a000000308 00001000 0100</string>



It looks like the CryptoTokenKit API is adapted to PIV-like cards.
It may be more complex to write a token for other kinds of cards.

Bye

2016-07-04 21:07 GMT+02:00 Douglas E Engert <[hidden email]>:

> A quick glance at the web page shows they have been reading NIST 800-73-4, and it looks like they support most of the 800-73-3 features.
> The History object is supported in that they will read the on-card retired key management certificates, but not off-card certificates which have on-card keys (as best I can tell). They also
> mention ECDH and alwaysAuthenticate for the SIGN_KEY, as per the standard.
>
> They don't need to use some of the other objects, like Printed information, Finger Prints. So no need to have code to read them
> (The Microsoft PIV driver does not read them either.)
>
> They expect the card to have a  Card Capability Container object. (Microsoft expects the card to have a CHUID object.)
> They and Microsoft use these objects  to get the equivalent of a card serial number.
>
> No support for PKCS#11, PKCS#15 or OpenSSL engine that I can see. Microsoft does not provide these either.
> So OpenSC still has a niche to fill if these are important for other applications.
>
> As they point out: "This sample demonstrates how to write an extension for CryptoTokenKit framework this is an example,  which could be used with other smart cards." And as you said, someone might
> want to write the equivalent of the Windows minidriver to support smart cards other than PIV.
>
> It's not obvious if or how they handle interference from other smart card middleware running at the same time on the machine, such as CAC middleware or OpenSC, which may change the selected applet,
> reset the card, or change the security state. It is also not clear if session or transaction locking is used.
>
> Just as on Windows, if you stick with PIV cards and the OS vendor's applications or APIs,  you would not need OpenSC at all.
>
> On 7/4/2016 9:25 AM, Ludovic Rousseau wrote:
>> Hello,
>>
>> Apple provides a sample implementation for PIVToken, a token using the
>> new API that replaces tokend.
>>
>> See http://ludovicrousseau.blogspot.fr/2016/07/macos-sierra-and-pivtoken-source-code.html
>>
>> I guess the "OpenSC project" may want to also provide a token for OpenSC.
>>
>> I am also interested to know what the PIV experts on this list have to
>> say about the sample code provided by Apple.
>>
>> Bye
>>
>
> --
>
>   Douglas E. Engert  <[hidden email]>



--
 Dr. Ludovic Rousseau

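The thread above shows the `com.apple.ctk.aid` key that tells CryptoTokenKit which application to select before handing the token session an exclusive card connection. The following is an added example, not code from the thread, from Apple's PIVToken sample or from OpenSC: it decodes that plist value from a constructed Info.plist fragment, checks it against the NIST SP 800-73 PIV Card Application AID, and builds the ISO 7816-4 SELECT APDU that corresponds to it. The placement of the key inside the plist hierarchy is an assumption (the lookup walks the whole tree so the exact nesting does not matter), and the bundle identifier is a placeholder.

```python
"""Decode a CryptoTokenKit token's com.apple.ctk.aid value and build its SELECT APDU.

Added example for this mailing-list thread; it is not code from Apple's PIVToken
sample or from OpenSC.  Only the standard library (plistlib) is used.
"""
import plistlib

# NIST SP 800-73 PIV Card Application AID: RID A0 00 00 03 08, PIX 00 00 10 00 01 00.
# This is the same value the thread quotes from the sample's Info.plist.
PIV_AID = bytes.fromhex("a000000308000010000100")

# Constructed Info.plist fragment.  The key/value pair is the one quoted in the
# thread; its nesting under NSExtension is an assumption and the bundle id is a
# placeholder.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>example.token.placeholder</string>
    <key>NSExtension</key>
    <dict>
        <key>NSExtensionAttributes</key>
        <dict>
            <key>com.apple.ctk.aid</key>
            <string>a000000308 00001000 0100</string>
        </dict>
    </dict>
</dict>
</plist>
"""


def find_key(node, key):
    """Depth-first search for `key` through nested plist dicts and arrays."""
    if isinstance(node, dict):
        if key in node:
            return node[key]
        for value in node.values():
            found = find_key(value, key)
            if found is not None:
                return found
    elif isinstance(node, list):
        for item in node:
            found = find_key(item, key)
            if found is not None:
                return found
    return None


def parse_aid(text):
    """Turn the plist's whitespace-separated hex string into bytes.

    ISO 7816-4 application identifiers are 5 to 16 bytes; anything else is
    rejected so a typo in Info.plist fails here rather than at the reader.
    """
    compact = "".join(text.split())
    try:
        aid = bytes.fromhex(compact)
    except ValueError as exc:
        raise ValueError(f"AID is not valid hex: {text!r}") from exc
    if not 5 <= len(aid) <= 16:
        raise ValueError(f"AID must be 5..16 bytes, got {len(aid)}")
    return aid


def aid_from_plist(plist_bytes):
    """Load an Info.plist and return the declared AID as bytes."""
    data = plistlib.loads(plist_bytes)
    raw = find_key(data, "com.apple.ctk.aid")
    if raw is None:
        raise KeyError("com.apple.ctk.aid not present in Info.plist")
    return parse_aid(raw)


def is_piv_aid(aid):
    """True when the token declares exactly the PIV Card Application AID."""
    return aid == PIV_AID


def select_apdu(aid):
    """ISO 7816-4 SELECT by DF name: CLA=00 INS=A4 P1=04 P2=00 Lc <AID>."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(aid)]) + aid


if __name__ == "__main__":
    aid = aid_from_plist(SAMPLE_INFO_PLIST)
    print("AID:", aid.hex(), "(PIV)" if is_piv_aid(aid) else "(not PIV)")
    print("SELECT:", select_apdu(aid).hex())
```

The APDU built here is the one the system sends on the token's behalf before a `TKTokenSessionDelegate` method runs; a token for a non-PIV card would declare a different AID in the same key, which is the point Ludovic makes about the API being shaped around PIV-like cards.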