PKCS11 and Macintoshes

PKCS11 and Macintoshes

Eric Norman
There's been lots of talk about PKCS11, but hardly anything said about Macintoshes. Since I'm one of the ones fortunate enough to use one, I'll say something.

Apple has chosen to use the CDSA architecture (see http://www.opengroup.org/security/l2-cdsa.htm). Well, that's more modern, but not as widely used. Nevertheless, it does have far more "security features" than PKCS11, so I really can't fault Apple for going that route.

Now, what this means is that the preferred way for applications to access smart cards is to use the CSSM_whatever API that CDSA provides (or KeyChainServices, or TrustServices, or ... that are really just wrappers around CDSA calls). Such calls for smart card services will wander through CDSA and eventually get to a plug-in on the back end that then connects up with a PCSC daemon and finally to an ifdhandler.

This is what Safari and Mail.app and other Apple applications do.

So, the preferred way for Mozilla/Firefox/Thunderbird to manipulate keys and certificates would be to use the CDSA calls. But that's going to take a lot of effort from the Mozilla, etc. developers since they've already invested a lot in PKCS11.

Therefore, what would be really useful to have for Macs is a PKCS11 library that just presents the PKCS11 API to applications and translates those calls to CDSA calls.

I've never heard of such a thing. If someone has, please speak up. If someone is anxious to write some PKCS11 code for the Mac, this would be a useful thing to have.

Eric Norman
University of Wisconsin

_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel

Re: PKCS11 and Macintoshes

Andreas Jellinghaus-2
Hi Eric,

OpenSC works fine on Mac OS X, too,
as far as I know.

I don't test it currently, as I can't get
axalto egate tokens to work on it :(
If anyone has better luck with that, please
let me know how you did it.

Also a tutorial how to use Mac OS X apps
with OpenSC would be nice to have.

Regards, Andreas

Re: PKCS11 and Macintoshes

Martin Paljak
Have a look at the apple-cdsa mailing list archive, where the same topic
came up a month or so ago. I still have a long draft waiting to be sent
there.

On 9/21/05, Andreas Jellinghaus <[hidden email]> wrote:
> OpenSC works fine on Mac OS X, too,
> as far as I know.
It does.

> I don't test it currently, as I can't get
> axalto egate tokens to work on it :(
> If anyone has better luck with that, please
> let me know how you did it.

I do. I also have a native osx installer that incorporates opensc.

>
> Also a tutorial how to use Mac OS X apps
> with OpenSC would be nice to have.

This requires a cdsa plugin for pkcs#11 (the most sensible way to add
support to os x). If anyone else is working on something similar or
wants to help out drop me a line.

m.



--
Martin Paljak
[hidden email]
http://martin.paljak.pri.ee/
+372.5156495 - phone

Re: PKCS11 and Macintoshes

Stef Hoeben-2
Hi Martin,

> > Also a tutorial how to use Mac OS X apps
> > with OpenSC would be nice to have.
>
> This requires a cdsa plugin for pkcs#11 (the most sensible way to add
> support to os x). If anyone else is working on something similar or
> wants to help out drop me a line.

A tokend plugin is on my todo list for one of the next months.

However, we were thinking not to use pkcs11 because it's too much
overhead and because the plugin framework itself does the reader
stuff, so it probably won't fit in nicely (or not at all).

Instead, I was thinking of making a sort of 'mode' in opensc
where the card's commands (e.g. sc_select_file()) are not sent
to the card, but only put into a buffer that can be given to the
tokend framework instead. Or to make a new 'tokend' driver
next to the current pcsc, opensct and ctapi reader drivers..

Comments welcome...

Cheers,
Stef



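The "buffering mode" Stef sketches above, as an added illustration that is not OpenSC code and not part of this thread: a reader driver reduced to one transmit() hook, so the same sc_select_file()-style call (named select_file() here) either sends an ISO 7816-4 SELECT FILE APDU to a card or only records it for a host-side framework to forward. The struct and function names, the stub card that answers 90 00, and the buffer-drain interface are all assumptions made for the example; the APDU layout (CLA 00, INS A4, P1 00 for select by file id or 08 for select by path, P2 00, Lc, data) is from ISO 7816-4.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Illustrative sketch, not OpenSC's code: a reader driver is reduced to a
 * single transmit() hook so that the same select_file() call can either talk
 * to a card or merely record the APDU it would have sent. */

#define MAX_APDU 261        /* short APDU: 4 header + Lc + 255 data + Le */
#define MAX_BUFFERED 16

struct apdu { uint8_t bytes[MAX_APDU]; size_t len; };

struct reader;
typedef int (*transmit_fn)(struct reader *r, const struct apdu *cmd,
                           uint8_t *resp, size_t *resp_len);

struct reader {
    const char *name;
    transmit_fn transmit;
    struct apdu queue[MAX_BUFFERED];   /* used only by the buffering driver */
    size_t queued;
};

/* ISO 7816-4 SELECT FILE: CLA=00 INS=A4 P1=sel P2=00 Lc data.
 * P1=0x00 selects by 2-byte file id, P1=0x08 by path from the MF. */
static int build_select(struct apdu *a, uint8_t p1, const uint8_t *data, size_t len)
{
    if (len == 0 || len > 255 || (len % 2) != 0)
        return -1;          /* file ids and paths are whole 16-bit words */
    a->bytes[0] = 0x00; a->bytes[1] = 0xA4; a->bytes[2] = p1; a->bytes[3] = 0x00;
    a->bytes[4] = (uint8_t)len;
    memcpy(&a->bytes[5], data, len);
    a->len = 5 + len;
    return 0;
}

/* Stand-in for a real PC/SC-backed card (assumption): answers 90 00. */
int stub_card_transmit(struct reader *r, const struct apdu *cmd,
                       uint8_t *resp, size_t *resp_len)
{
    (void)r; (void)cmd;
    if (*resp_len < 2) return -1;
    resp[0] = 0x90; resp[1] = 0x00; *resp_len = 2;
    return 0;
}

/* The proposed "tokend mode": the APDU is queued, nothing goes to a card. */
int buffering_transmit(struct reader *r, const struct apdu *cmd,
                       uint8_t *resp, size_t *resp_len)
{
    (void)resp;
    if (r->queued >= MAX_BUFFERED) return -1;
    r->queue[r->queued++] = *cmd;
    *resp_len = 0;          /* no response yet; caller must not read resp */
    return 0;
}

/* sc_select_file()-like entry point. Returns the status word (0x9000 on
 * success), 0 when the command was only buffered, or <0 on error. */
int select_file(struct reader *r, uint8_t p1, const uint8_t *path, size_t len)
{
    struct apdu cmd;
    uint8_t resp[258];
    size_t resp_len = sizeof resp;
    if (build_select(&cmd, p1, path, len) != 0) return -1;
    if (r->transmit(r, &cmd, resp, &resp_len) != 0) return -2;
    if (resp_len == 0) return 0;
    if (resp_len < 2) return -3;
    return (resp[resp_len - 2] << 8) | resp[resp_len - 1];
}

/* Hands the queued APDUs, concatenated, to the host framework; returns bytes. */
size_t drain_queue(struct reader *r, uint8_t *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < r->queued; i++) {
        if (n + r->queue[i].len > cap) break;
        memcpy(out + n, r->queue[i].bytes, r->queue[i].len);
        n += r->queue[i].len;
    }
    r->queued = 0;
    return n;
}

int main(void)
{
    static const uint8_t mf[] = {0x3F, 0x00};               /* constructed */
    static const uint8_t path[] = {0x3F, 0x00, 0x50, 0x15}; /* constructed */
    struct reader card = { .name = "stub-card", .transmit = stub_card_transmit };
    struct reader tokend = { .name = "tokend-buffer", .transmit = buffering_transmit };
    uint8_t out[64];
    printf("card SW: %04x\n", select_file(&card, 0x00, mf, sizeof mf));
    select_file(&tokend, 0x08, path, sizeof path);
    size_t n = drain_queue(&tokend, out, sizeof out);
    for (size_t i = 0; i < n; i++) printf("%02X ", out[i]);
    printf("\n");
    return 0;
}
```

The point of the split is that the card-level logic (file selection, later READ BINARY and so on) is written once against transmit(); whether the bytes go to an ifdhandler or into a queue that a host-side plugin replays is decided by which reader struct is passed in, which is the "new driver next to pcsc/ctapi" variant of Stef's proposal.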