Mac Os X token support - Some progress... === Please read: ".dylib" x ".so" question

Mac Os X token support - Some progress... === Please read: ".dylib" x ".so" question

Bernardo Höhl-2
Hi list,


I have made very good progress this morning.

I learned a lot, and I am adding my experience to this list, so others might benefit from my experience.

My purpose is to try using tokens or smart cards in my Mac Os X system.

Recently in my country we are obliged to use certification on my company's invoicing and Income Tax routines.

Smart cards and tokens offered in Brazil have none or very little support for Mac Os X.

So, here are a few tips for those who try to do the same:

1) In the process of trying different tokens and cards, you can easily corrupt your operating system. Installers and uninstallers are not perfect, and you will find yourself at the end with an unreliable operating system, although it might look perfect. Mine looked perfect, but the pcscd daemon was not working at all after some reinstalls.

2) Apple's new Mac Os Snow Leopard install disks don't offer a perfect reinstallation like the old "clean install". Although the system may look fresh after some of these restorations, it is not. Only partitioning the disk followed by a new installation is good enough. So, it is a good idea that you don't run your tests on your main system. If you have another spare computer to use, then use it. Partition and reinstall the system after each failure.

3) It seems also that using multiple tokens on the same system is not a good idea. This kind of hardware changes and puts files in the heart of your system folder and developers don't seem to care about each other's work.

4) The first step to have a successful working token is to check if the pcscd "daemon" is "seeing" it. I had the wrong idea that pcscd would be running from boot on Mac Os X, and it is not. I tried to test for it many times typing "ps aux | grep pcsc" on terminal and it never returned a resulting process.

5) I succeeded this morning using Aladdin's eToken Pro 72K Java.

This is what I did:

Start with a fresh Mac Os 10.6.4 system
Install complete package of PKI_Client_Mac_4.55.41.dmg
Reboot the system
don't plug your token yet
Open Terminal.app and type
ps aux | grep pcsc 
hit return
it should result in just a line:

bernardo   741   0.3  0.0  2435040    532 s000  S+   10:26AM   0:00.01 grep pcsc

This means there is only one grep process from the last command you just input

Now plug your eToken and repeat the last command on terminal:

ps aux | grep pcsc

Now it results in two lines: one is the grep you input, and the other is the pcscd "daemon" that your eToken has started just by plugging in the hardware.

If you can't get the token to start the pcscd daemon, you are better off starting everything from the beginning.

Another test:

Run /Applications/eToken Properties.app

It should display info about your token; if it doesn't, forget it. Probably pcscd is not working.

Now I installed opensc and sca-0.2.8.dmg on my system.

After installation I type on terminal:
opensc-tool --list-readers
And it now shows my eToken attached!!!

Now this is when I try using my eToken for some practical reason:

I have a Java Application for invoicing supplied by the taxing office, and it tries to load a PKCS11 library by browsing for a ".so" file in my system.

This is when I tried loading: /usr/libexec/SmartCardServices/pkcs11/tokendPKCS11.so

And it didn't work. The app says it can not find my token!!

If someone in the list would like to help me by testing this Java App in your system, please ask me for instructions, I would be very thankful.

Ok. Now I tried to use a more supported application such as Firefox, and tried loading the very same file, and it shows 4 empty slots, although my token is there, plugged.

Searching on the web, I discovered that I should try loading this for Aladdin's:

/Library/Frameworks/eToken.framework/Versions/4.55.41/libeToken.dylib

And now I have success. I surfed the web to a certificate required web site, and the certification routine ran fine.

I have seen also that another token, ePass2000 from Feitian, also uses a ".dylib" file in Mac Os X, and is functional under Firefox, the very same way as I described for Aladdin's token.

I am at a point that I am in need of some understanding why and how ".dylib" and ".so" files differ, and if there could be a workaround to get the Java Invoicing application to work with the Aladdin eToken.

Questions:

1) Did I tell the Java Application the correct path for loading the token, "/usr/libexec/SmartCardServices/pkcs11/tokendPKCS11.so" ???

2) Why aren't ".dylib" files supported by the Java App?

3) Would I be better off by trying another hardware, that comes with its drivers installed in Mac Os X, such as Athena's AseIIIeUSB???

I thank you all for your patience in reading this long post.

I wish you all a nice Sunday.


Bernardo Höhl
Rio de Janeiro - Brazil

_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-user

Re: Mac Os X token support - Some progress... === Please read: ".dylib" x ".so" question

Martin Paljak-2
Hello,

On Nov 28, 2010, at 2:58 PM, Bernardo Höhl wrote:
> Now I installed opensc and sca-0.2.8.dmg on my system.
Don't use SCA, use one of the more recent MacInstallers [1]

> This is when I tried loading: /usr/libexec/SmartCardServices/pkcs11/tokendPKCS11.so
>
> And it didn't work. The app says it can not find my token!!
This assumes that your token has already a Tokend for your device. OpenSC does not support plain Java tokens, you need a

If you have installed OpenSC, you don't need to load the PKCS#11 wrapper from OSX (the path you used above, tokendPKCS11.so) but /Library/OpenSC/lib/opensc-pkcs11.so

If your token is proprietary (not supported by OpenSC) but comes with a separate installer and a PKCS#11 module, you need to load (into firefox or some PKCS#11 compatible Java application) the PKCS#11 module that came with the other software.

In theory a .dylib is like a .so but with a different suffix. But some OS X specific software might think differently, maybe.


[1] http://www.opensc-project.org/opensc/wiki/MacInstaller
--
@MartinPaljak.net
+3725156495


Re: Mac Os X token support - Some progress... === Please read: ".dylib" x ".so" question

Bernardo Höhl-2
Hi Martin,


Thanks for replying.

I have installed OpenSC on top of SCA, and it seems now to return more reliable replies. Thanks!

By the way, the path /Library/OpenSC/lib/opensc-pkcs11.so also doesn't work when I try loading the PKCS#11 library from the Free Java Application from our local taxing office. I guess, as you said, my Aladdin eToken 72K Java token is not supported by OpenSC.

Regarding "dylib" x ".so" files in OS X, something curious occurred to me:

I linked the "/Library/Frameworks/eToken.framework/Versions/4.55.41/libeToken.dylib" library to a symbolic link using Unix's "ln -s" creating a /Library/Frameworks/eToken.framework/Versions/4.55.41/libeToken.so file.

I load the device under Firefox using the path to the .so symbolic link file and it works. But when I try to load the same file from the Free Java application, it doesn't work.

So my guess is that it is not just a question of a file extension, but how these libraries were created and are accessed by the application.

Question:

I ordered this morning a new token from Athena, the "ASEKey Crypto Token", it appears to have a native library in Mac Os X, on "/usr/libexec/SmartCardServices/drivers/ifd-ASEIIIeUSB.bundle".

Do you think I have a chance of getting this one to work with the Java Free Application?


Thank you all,


Bernardo Höhl
Rio de Janeiro


=======================================



On 30.11.2010, at 11:36 AM, Martin Paljak wrote:

> Hello,
>
> On Nov 28, 2010, at 2:58 PM, Bernardo Höhl wrote:
>> Now I installed opensc and sca-0.2.8.dmg on my system.
> Don't use SCA, use one of the more recent MacInstallers [1]
>
>> This is when I tried loading: /usr/libexec/SmartCardServices/pkcs11/tokendPKCS11.so
>>
>> And it didn't work. The app says it can not find my token!!
> This assumes that your token has already a Tokend for your device. OpenSC does not support plain Java tokens, you need a
>
> If you have installed OpenSC, you don't need to load the PKCS#11 wrapper from OSX (the path you used above, tokendPKCS11.so) but /Library/OpenSC/lib/opensc-pkcs11.so
>
> If your token is proprietary (not supported by OpenSC) but comes with a separate installer and a PKCS#11 module, you need to load (into firefox or some PKCS#11 compatible Java application) the PKCS#11 module that came with the other software.
>
> In theory a .dylib is like a .so but with a different suffix. But some OS X specific software might think differently, maybe.
>
>
> [1] http://www.opensc-project.org/opensc/wiki/MacInstaller
> --
> @MartinPaljak.net
> +3725156495




Re: Mac Os X token support - Some progress... === Please read: ".dylib" x ".so" question

Peter Keller-2
Hi Bernardo,

On Tue, 30 Nov 2010, Bernardo Höhl wrote:

> Regarding "dylib" x ".so" files in OS X, something curious occurred to me:
>
> I linked the "/Library/Frameworks/eToken.framework/Versions/4.55.41/libeToken.dylib" library to a symbolic link
> using Unix's "ln -s" creating a /Library/Frameworks/eToken.framework/Versions/4.55.41/libeToken.so file.
>
> I load the device under Firefox using the path to the .so symbolic link file and it works. But when I try to load
> the same file from the Free Java application, it doesn't work.
>
> So my guess is that it is not just a question of a file extension, but how these libraries were created and are
> accessed by the application.

On OS X you can manipulate some of the internal information contained in
shared libraries and executables. Just a guess, but this may help in your
case. You may like to look at the 'man' pages for 'otool' (especially the
-D, -L and -l options), 'dyld' and 'install_name_tool'

Regards,
Peter.

Re: Mac Os X token support - Some progress... === Please read: ".dylib" x ".so" question

Martin Paljak-2

On Nov 30, 2010, at 5:56 PM, Peter Keller wrote:

> Hi Bernardo,
>
> On Tue, 30 Nov 2010, Bernardo Höhl wrote:
>
>> Regarding "dylib" x ".so" files in OS X, something curious occurred to me:
>> I linked the "/Library/Frameworks/eToken.framework/Versions/4.55.41/libeToken.dylib" library to a symbolic link
>> using Unix's "ln -s" creating a /Library/Frameworks/eToken.framework/Versions/4.55.41/libeToken.so file.
>> I load the device under Firefox using the path to the .so symbolic link file and it works. But when I try to load
>> the same file from the Free Java application, it doesn't work.
>> So my guess is that it is not just a question of a file extension, but how these libraries were created and are
>> accessed by the application.
>
> On OS X you can manipulate some of the internal information contained in shared libraries and executables. Just a guess, but this may help in your case. You may like to look at the 'man' pages for 'otool' (especially the -D, -L and -l options), 'dyld' and 'install_name_tool'

I don't know about the Free Java application.

Are you sure that the architecture of your PKCS#11 library and your Java version match?
Java on 10.6 is 64-bit by default, Firefox 32-bit. If your PKCS#11 library has only 32-bit binaries, you need to start java with -d32.

See what "file" command tells about the different PKCS#11 modules.

--
@MartinPaljak.net
+3725156495
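
The architecture check suggested in the last message, as an added example that is not part of the original thread: it reads the Mach-O header the way "file" does and reports whether a 32-bit or 64-bit process has a slice it can load. The sample headers are constructed, and the case of a module shipping only 32-bit slices is a hypothetical, not a statement about any vendor's library.

```python
import struct
import sys

# Constants from <mach-o/fat.h>, <mach-o/loader.h> and <mach/machine.h>.
FAT_MAGIC = 0xCAFEBABE                 # universal binary; fat header is big-endian
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
ABI64 = 0x01000000
CPU_NAMES = {7: "i386", 7 | ABI64: "x86_64", 18: "ppc", 18 | ABI64: "ppc64"}


def macho_archs(data):
    """Return the set of architectures in a thin or universal Mach-O image."""
    if len(data) < 8:
        raise ValueError("too short for a Mach-O header")
    magic, count = struct.unpack(">II", data[:8])
    if magic == FAT_MAGIC:
        # fat_header is followed by `count` fat_arch records of five uint32s.
        if count == 0 or len(data) < 8 + 20 * count:
            raise ValueError("truncated or implausible fat header")
        cpus = [struct.unpack(">I", data[8 + 20 * i:12 + 20 * i])[0] for i in range(count)]
        return {CPU_NAMES.get(c, hex(c)) for c in cpus}
    for endian in "<>":                # thin image: try both byte orders
        magic, cpu = struct.unpack(endian + "II", data[:8])
        if magic in (MH_MAGIC, MH_MAGIC_64):
            return {CPU_NAMES.get(cpu, hex(cpu))}
    raise ValueError("not a Mach-O image")


def can_load(module, process_arch):
    """A process can only load a module that has a slice for its own architecture."""
    return process_arch in macho_archs(module)


def _fat(*cpus):                       # builds constructed sample fat headers
    return struct.pack(">II", FAT_MAGIC, len(cpus)) + b"".join(
        struct.pack(">5I", c, 0, 0, 0, 0) for c in cpus)

# Constructed samples, not real vendor files.
SAMPLE_32BIT_ONLY = _fat(18, 7)                              # ppc + i386 slices
SAMPLE_THIN_64 = struct.pack("<II", MH_MAGIC_64, 7 | ABI64)  # thin x86_64

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read(4096) if len(sys.argv) > 1 else SAMPLE_32BIT_ONLY
    archs = macho_archs(data)
    for proc in ("i386", "x86_64"):
        print(proc, "process:", "loads" if proc in archs else "cannot load", sorted(archs))
```

Run with the path of a PKCS#11 module as the only argument to check a real file; a symbolic link with a ".so" name gives the same result as the ".dylib" it points to, since only the file contents are read.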
