Yosemite and OpenSC/PKCS11/PCSC head

Yosemite and OpenSC/PKCS11/PCSC head

Dirk-Willem van Gulik
FWIW - found that out of the box OpenSC (head) on Yosemite 10.10 does not quite work (after below tiny tweak to get it to compile); it segfaults in _Block_release() on exit/cleanup. Besides that most things seem fine - except for keychain interaction (i.e. have your pkcs#15 appear in the normal keychain, etc).

The culprit seems to be:

        int sc_release_context(sc_context_t *ctx)
        ...
                if (ctx->reader_driver->ops->finish != NULL)
                        ctx->reader_driver->ops->finish(ctx);

with the reader_driver being the stock (i.e. Apple's) PCSC. Commenting this out does make things spring to life sufficiently to get chipcards to work with SSH, the browser for client auth, Osirix and so on.

Unfortunately in PCSC no obvious changes stand out - all seems rather well - and it is almost as if _Block_release() is not something in the code but added by clang/linker/c++magic late in the game.

Suggestions appreciated.

Dw.




index 1a0a8bc..5033f83 100755
--- a/MacOSX/build-package.in
+++ b/MacOSX/build-package.in
@@ -10,7 +10,7 @@ BUILDPATH=${PWD}
 
 # Use new locations for SDK on 10.8+
 OSX_RELEASE=`sw_vers -productVersion`
-case ${OSX_RELEASE:0:4} in
+case ${OSX_RELEASE} in
        "10.8")
                SYSROOT="/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.8.sdk"
                export CFLAGS="-isysroot $SYSROOT -arch i386 -arch x86_64 -mmacosx-version-min=10.8"
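Review bot: In the `case ${OSX_RELEASE} in` line, matching on the full `sw_vers -productVersion` string means the existing "10.8" and "10.9" arms only match exactly that string; a point release such as 10.9.4 no longer matches them and drops through to the `*)` arm. The old `${OSX_RELEASE:0:4}` substring would have cut "10.10" down to "10.1", so a change is needed, but glob arms such as `10.8|10.8.*)` (or trimming the version to its first two dot-separated fields before the case) would handle both forms. Quoting the expansion, `case "${OSX_RELEASE}" in`, is also worth doing.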
@@ -19,12 +19,20 @@ case ${OSX_RELEASE:0:4} in
                SYSROOT="/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.9.sdk"
                export CFLAGS="-isysroot $SYSROOT -arch i386 -arch x86_64 -mmacosx-version-min=10.9"
        ;;
+       "10.10")
+               SYSROOT="/Applications/Xcode6-Beta6.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.10.sdk"
+               export CFLAGS="-isysroot $SYSROOT -arch i386 -arch x86_64 -mmacosx-version-min=10.9"
+       ;;
        *)
+               echo EEEEK - ${OSX_RELEASE}- not known.
+               exit 1
                SYSROOT="/Developer/SDKs/MacOSX10.6.sdk"
                export CFLAGS="-isysroot $SYSROOT -arch i386 -arch x86_64 -mmacosx-version-min=10.6"
        ;;
 esac
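Review bot: In the `*)` arm, the added `exit 1` makes the two lines after it (the `SYSROOT="/Developer/SDKs/MacOSX10.6.sdk"` assignment and its `export CFLAGS`) unreachable, so either delete that 10.6 fallback or drop the exit; as written, any release other than the three listed aborts the build. The error text should be quoted and sent to stderr, e.g. `echo "Unknown OS X release: ${OSX_RELEASE}" >&2`. In the new "10.10" arm, SYSROOT hard-codes `/Applications/Xcode6-Beta6.app`, which only exists on a machine with that beta installed under that name; deriving the SDK path from the active Xcode (`xcrun --show-sdk-path`) would avoid that, and `-mmacosx-version-min=10.9` against the 10.10 SDK deserves a comment if it is intentional.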
 



_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: Yosemite and OpenSC/PKCS11/PCSC head

Rasmus Sten
Hi,

with Xcode 6 beta 7 and Yosemite DP 7 I have managed to get a working OpenSC.tokend with Keychain integration (including certificate authentication in Safari) as well as opensc-pkcs11.so for SSH public key authentication. pkcs15-tool and others still segfault in _Block_release.

I had to poke around quite a bit to get all the dependencies in place and make some minor modifications to get things to build. If anyone else wants to take a look, I pushed a snapshot of my changes to the OpenSC.tokend repo here: https://github.com/pajp/OpenSC.tokend/tree/rasmus-yosemite-build-env (using OpenSC sources from revision 5279bfa2d14d2186b31189748bcf89d908f00512). I can share the compiled binaries as well of course if anyone's interested, just thought I'd first share this progress. I'd like to rebase my changes to OpenSC.tokend into a nicer commit if there's interest in actually merging it upstream at some point.

Note that I did not comment out the cleanup code in sc_release_context() so either I'm just lucking out (e.g. if it's a use-after-free that just happens to not crash on my system) or Apple fixed some memory allocation bug in their libraries since you tried. Either way - there are still issues but it can be used for at least some purposes.

. -+ Rasmus


> On 23 Aug 2014, at 15:45, Dirk-Willem van Gulik <[hidden email]> wrote:
>
> FWIW - found that out of the box OpenSC (head) on Yosemite 10.10 does not quite work (after below tiny tweak to get it to compile); it segfaults in _Block_release() on exit/cleanup. Besides that most things seem fine - except for keychain interaction (i.e. have your pkcs#15 appear in the normal keychain, etc).
>
> The culprit seems to be:
>
> int sc_release_context(sc_context_t *ctx)
> ...
>       if (ctx->reader_driver->ops->finish != NULL)
>             ctx->reader_driver->ops->finish(ctx);
>
> with the reader_driver being the stock (i.e. Apple's) PCSC. Commenting this out does make things spring to life sufficiently to get chipcards to work with SSH, the browser for client auth, Osirix and so on.
>
> Unfortunately in PCSC no obvious changes stand out - all seems rather well - and it is almost as if _Block_release() is not something in the code but added by clang/linker/c++magic late in the game.
>
> Suggestions appreciated.
>
> Dw.
>
>
>
>
> index 1a0a8bc..5033f83 100755
> --- a/MacOSX/build-package.in
> +++ b/MacOSX/build-package.in
> @@ -10,7 +10,7 @@ BUILDPATH=${PWD}
>
> # Use new locations for SDK on 10.8+
> OSX_RELEASE=`sw_vers -productVersion`
> -case ${OSX_RELEASE:0:4} in
> +case ${OSX_RELEASE} in
>      "10.8")
>              SYSROOT="/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.8.sdk"
>              export CFLAGS="-isysroot $SYSROOT -arch i386 -arch x86_64 -mmacosx-version-min=10.8"
> @@ -19,12 +19,20 @@ case ${OSX_RELEASE:0:4} in
>              SYSROOT="/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.9.sdk"
>              export CFLAGS="-isysroot $SYSROOT -arch i386 -arch x86_64 -mmacosx-version-min=10.9"
>      ;;
> +       "10.10")
> +               SYSROOT="/Applications/Xcode6-Beta6.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.10.sdk"
> +               export CFLAGS="-isysroot $SYSROOT -arch i386 -arch x86_64 -mmacosx-version-min=10.9"
> +       ;;
>      *)
> +               echo EEEEK - ${OSX_RELEASE}- not known.
> +               exit 1
>              SYSROOT="/Developer/SDKs/MacOSX10.6.sdk"
>              export CFLAGS="-isysroot $SYSROOT -arch i386 -arch x86_64 -mmacosx-version-min=10.6"
>      ;;
> esac
>
>
>
>

Re: Yosemite and OpenSC/PKCS11/PCSC head

Martin Paljak-4
Hello,

On 04/09/14 08:20, Rasmus Sten wrote:
> with Xcode 6 beta 7 and Yosemite DP 7 I have managed to get a working OpenSC.tokend with Keychain integration (including certificate authentication in Safari) as well as opensc-pkcs11.so for SSH public key authentication. pkcs15-tool and others still segfault in _Block_release.

It is good to test with developer previews but I would not rush to make
conclusions or commit to strange hacks/workarounds just because an Apple
DP seems to behave weird. Once there is a public release, we shall see
how things work, what is broken and what comes as a "surprise". But if
you have already made the effort of running Apple betas/previews, do
file bugs with them, please. Maybe it helps.


> I had to poke around quite a bit to get all the dependencies in place and make some minor modifications to get things to build. If anyone else wants to take a look, I pushed a snapshot of my changes to the OpenSC.tokend repo here: https://github.com/pajp/OpenSC.tokend/tree/rasmus-yosemite-build-env (using OpenSC sources from revision 5279bfa2d14d2186b31189748bcf89d908f00512). I can share the compiled binaries as well of course if anyone's interested, just thought I'd first share this progress. I'd like to rebase my changes to OpenSC.tokend into a nicer commit if there's interest in actually merging it upstream at some point.

Cloning OpenSC and running ./MacOSX/build should produce an installer .dmg.
But that probably needs some tweaking for 10.10.

Looking at your changes I see some code cleanups of the historic
dependencies (bundled frameworks) and some meaningful changes in the
Xcode project (path cleanups) and some hard-coded desktop paths (not good).



> Note that I did not comment out the cleanup code in sc_release_context() so either I'm just lucking out (e.g. if it's a use-after-free that just happens to not crash on my system) or Apple fixed some memory allocation bug in their libraries since you tried. Either way - there are still issues but it can be used for at least some purposes.

See my first note. PC/SC/CCID on OSX has been horribly broken in
different ways since it was introduced in 10.4/10.5 or so.

m.



Re: Yosemite and OpenSC/PKCS11/PCSC head

Dirk-Willem van Gulik
In reply to this post by Dirk-Willem van Gulik
This has now been resolved (radar 18114499) - as of build 14A361c/September 15.

With that build (as far as I can see) all of OpenSC has sprung to life; including keychain, browser and ssh integration for the normal x509 PKI smartcard/chipcards with certs and chains.

Thanks,

Dw

> On 23 Aug 2014, at 14:45, Dirk-Willem van Gulik <[hidden email]> wrote:
>
> FWIW - found that out of the box OpenSC (head) on Yosemite 10.10 does not quite work (after below tiny tweak to get it to compile); it segfaults in _Block_release() on exit/cleanup. Besides that most things seem fine - except for keychain interaction (i.e. have your pkcs#15 appear in the normal keychain, etc).
>
> The culprit seems to be:
>
> int sc_release_context(sc_context_t *ctx)
> ...
>       if (ctx->reader_driver->ops->finish != NULL)
>               ctx->reader_driver->ops->finish(ctx);
>
> with the reader_driver being the stock (i.e. Apple's) PCSC. Commenting this out does make things spring to life sufficiently to get chipcards to work with SSH, the browser for client auth, Osirix and so on.
>
> Unfortunately in PCSC no obvious changes stand out - all seems rather well - and it is almost as if _Block_release() is not something in the code but added by clang/linker/c++magic late in the game.
>
> Suggestions appreciated.
>
> Dw.
>
>
>
>
> index 1a0a8bc..5033f83 100755
> --- a/MacOSX/build-package.in
> +++ b/MacOSX/build-package.in
> @@ -10,7 +10,7 @@ BUILDPATH=${PWD}
>
> # Use new locations for SDK on 10.8+
> OSX_RELEASE=`sw_vers -productVersion`
> -case ${OSX_RELEASE:0:4} in
> +case ${OSX_RELEASE} in
>        "10.8")
>                SYSROOT="/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.8.sdk"
>                export CFLAGS="-isysroot $SYSROOT -arch i386 -arch x86_64 -mmacosx-version-min=10.8"
> @@ -19,12 +19,20 @@ case ${OSX_RELEASE:0:4} in
>                SYSROOT="/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.9.sdk"
>                export CFLAGS="-isysroot $SYSROOT -arch i386 -arch x86_64 -mmacosx-version-min=10.9"
>        ;;
> +       "10.10")
> +               SYSROOT="/Applications/Xcode6-Beta6.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.10.sdk"
> +               export CFLAGS="-isysroot $SYSROOT -arch i386 -arch x86_64 -mmacosx-version-min=10.9"
> +       ;;
>        *)
> +               echo EEEEK - ${OSX_RELEASE}- not known.
> +               exit 1
>                SYSROOT="/Developer/SDKs/MacOSX10.6.sdk"
>                export CFLAGS="-isysroot $SYSROOT -arch i386 -arch x86_64 -mmacosx-version-min=10.6"
>        ;;
> esac
>
>
>



Re: Yosemite and OpenSC/PKCS11/PCSC head

Martin Paljak-4
Hello,

I updated OpenSC.tokend source and build files so that building
against 10.9 SDK is possible and also so that building on 10.10 is
"almost possible".

Build is successful but I don't know how to get rid of the
registration step at the end.

Otherwise the situation on 10.10 is not very bright atm.


--
Martin
+372 515 6495


On Tue, Sep 16, 2014 at 3:30 PM, Dirk-Willem van Gulik
<[hidden email]> wrote:

> This has now been resolved (radar 18114499) - as of build 14A361c/September 15.
>
> With that build (as far as I can see) all of OpenSC has sprung to life; including keychain, browser and ssh integration for the normal x509 PKI smartcard/chipcards with certs and chains.
>
> Thanks,
>
> Dw
>
>> On 23 Aug 2014, at 14:45, Dirk-Willem van Gulik <[hidden email]> wrote:
>>
>> FWIW - found that out of the box OpenSC (head) on Yosemite 10.10 does not quite work (after below tiny tweak to get it to compile); it segfaults in _Block_release() on exit/cleanup. Besides that most things seem fine - except for keychain interaction (i.e. have your pkcs#15 appear in the normal keychain, etc).
>>
>> The culprit seems to be:
>>
>>        int sc_release_context(sc_context_t *ctx)
>>       ...
>>              if (ctx->reader_driver->ops->finish != NULL)
>>                      ctx->reader_driver->ops->finish(ctx);
>>
>> with the reader_driver being the stock (i.e. Apple's) PCSC. Commenting this out does make things spring to life sufficiently to get chipcards to work with SSH, the browser for client auth, Osirix and so on.
>>
>> Unfortunately in PCSC no obvious changes stand out - all seems rather well - and it is almost as if _Block_release() is not something in the code but added by clang/linker/c++magic late in the game.
>>
>> Suggestions appreciated.
>>
>> Dw.
>>
>>
>>
>>
>> index 1a0a8bc..5033f83 100755
>> --- a/MacOSX/build-package.in
>> +++ b/MacOSX/build-package.in
>> @@ -10,7 +10,7 @@ BUILDPATH=${PWD}
>>
>> # Use new locations for SDK on 10.8+
>> OSX_RELEASE=`sw_vers -productVersion`
>> -case ${OSX_RELEASE:0:4} in
>> +case ${OSX_RELEASE} in
>>        "10.8")
>>                SYSROOT="/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.8.sdk"
>>                export CFLAGS="-isysroot $SYSROOT -arch i386 -arch x86_64 -mmacosx-version-min=10.8"
>> @@ -19,12 +19,20 @@ case ${OSX_RELEASE:0:4} in
>>                SYSROOT="/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.9.sdk"
>>                export CFLAGS="-isysroot $SYSROOT -arch i386 -arch x86_64 -mmacosx-version-min=10.9"
>>        ;;
>> +       "10.10")
>> +               SYSROOT="/Applications/Xcode6-Beta6.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.10.sdk"
>> +               export CFLAGS="-isysroot $SYSROOT -arch i386 -arch x86_64 -mmacosx-version-min=10.9"
>> +       ;;
>>        *)
>> +               echo EEEEK - ${OSX_RELEASE}- not known.
>> +               exit 1
>>                SYSROOT="/Developer/SDKs/MacOSX10.6.sdk"
>>                export CFLAGS="-isysroot $SYSROOT -arch i386 -arch x86_64 -mmacosx-version-min=10.6"
>>        ;;
>> esac
>>
>>
>>
>
>