From: Douglas E E. <dee...@gm...> - 2018-05-11 16:32:25
On 5/11/2018 9:42 AM, Matthew X. Economou wrote:
> Dear all,
>
> When I open the "PIV_II" keychain, Keychain Access only lists expired
> certificates. The same is true for apps that use Apple's APIs for
> smartcard authentication, e.g., Safari, Slack, Outlook. This is OpenSC
> 0.18-rc2 running on macOS 10.13.4. `pkcs11-tool --login --test`
> completes successfully.
>
> I can use the PIV card with Firefox, so the card itself has valid
> certificates on it.
>
> I experienced the same behavior in OpenSC 0.17, so this isn't a
> regression.
>
> Any suggestions on what I should try next? I saw a debug logging knob
> in opensc.conf, so I'm starting there.

See: https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC
It shows how to use the debugging.

You say it lists only expired certificates. Are any of the certificates
on the card actually expired?

The PIV normally has 4 certificates and matching keys: Auth, Sign,
Key Management and Card Auth. But it can also have retired Key Management
keys and certificates. These are there to allow you to decrypt older
messages and files. If this is a US gov issued card for a number of years
and it has been updated, you may have some of these retired keys and
their matching expired certificates.

pkcs11-tool -O would show if you have any of these.

For example using a NIST Demo card 15 with 3 retired keys with on-card
certificates, and 2 retired keys with off-card certificates, one of them
shows up like:

Public Key Object; RSA 2048 bits
  label:      Retired KEY MAN 2
  ID:         06
  Usage:      encrypt, wrap
Certificate Object; type = X.509 cert
  label:      Retired Certificate for Key Management 2
  subject:    DN: C=US, O=Test Government, OU=Test Department, OU=Test Agency, CN=Test E. Cardholder XV
  ID:         06

Then to read the above cert with ID 06 and display it with OpenSSL use:

pkcs11-tool --read-object --id 06 --type cert | openssl x509 -noout -dates -inform DER
Using slot 0 with a present token (0x0)
notBefore=Apr 3 19:56:01 2008 GMT
notAfter=Apr 3 19:56:01 2010 GMT

(replace -dates with -text to see the full certificate.)

I am not a MacOS person, but it could be the OS has cached some
certificates? Why it is not showing the unexpired certificates is not
clear.

>
> Best wishes,
> Matthew
>

-- 
Douglas E. Engert <DEE...@gm...>
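The triage Douglas describes (list the card's objects with `pkcs11-tool -O`, then pull each certificate through `openssl x509 -noout -dates` to see which ones are retired or expired) can be scripted so that a card with many certificates is checked in one pass. The script below is an added example, not code from the thread or from the OpenSC project. The `pkcs11-tool -O` listing and the ID 06 dates are taken from Douglas's output; the ID 01 "PIV Authentication" entry and its dates are constructed here for contrast, and `read_card_dates` is a hypothetical wrapper that runs the same two commands from the post against a real card.

```python
"""Triage PIV certificate objects from pkcs11-tool / openssl text output.

Added example (not from the mailing-list post or the OpenSC project).
It parses what `pkcs11-tool -O` and `openssl x509 -noout -dates` print so
retired or expired certificates can be told apart from the primary PIV
certificates before suspecting the OS keychain.
"""
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample of `pkcs11-tool -O` output. The ID 06 objects are
# modelled on the listing in the post; the ID 01 certificate is invented.
SAMPLE_LISTING = """\
Public Key Object; RSA 2048 bits
  label:      Retired KEY MAN 2
  ID:         06
  Usage:      encrypt, wrap
Certificate Object; type = X.509 cert
  label:      Retired Certificate for Key Management 2
  subject:    DN: C=US, O=Test Government, OU=Test Department, OU=Test Agency, CN=Test E. Cardholder XV
  ID:         06
Certificate Object; type = X.509 cert
  label:      Certificate for PIV Authentication
  subject:    DN: C=US, O=Test Government, CN=Test E. Cardholder XV
  ID:         01
"""

# Constructed `openssl x509 -noout -dates` output per object ID. ID 06 is
# the pair shown in the post (openssl pads the day with a space); ID 01 is
# invented so that one valid certificate appears in the report.
SAMPLE_DATES = {
    "06": "notBefore=Apr  3 19:56:01 2008 GMT\nnotAfter=Apr  3 19:56:01 2010 GMT\n",
    "01": "notBefore=Jan 10 12:00:00 2017 GMT\nnotAfter=Jan 10 12:00:00 2027 GMT\n",
}

# Date of the thread, used as "now" when the sample is evaluated.
THREAD_DATE = datetime(2018, 5, 11, tzinfo=timezone.utc)


def parse_listing(text):
    """Return [(id, label)] for every 'Certificate Object' block in -O output."""
    certs = []
    current = None
    for line in text.splitlines():
        if line.startswith("Certificate Object"):
            current = {}
            certs.append(current)
        elif line.startswith(("Public Key Object", "Private Key Object", "Data object")):
            current = None  # keys and data objects carry no validity period
        elif current is not None:
            m = re.match(r"\s+(label|ID):\s+(.*)", line)
            if m:
                current[m.group(1)] = m.group(2).strip()
    return [(c.get("ID"), c.get("label", "")) for c in certs]


def parse_dates(text):
    """Parse openssl's notBefore/notAfter lines into UTC-aware datetimes."""
    fmt = "%b %d %H:%M:%S %Y GMT"  # strptime treats format whitespace as \s+
    found = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key in ("notBefore", "notAfter"):
            found[key] = datetime.strptime(value.strip(), fmt).replace(tzinfo=timezone.utc)
    return found["notBefore"], found["notAfter"]


def classify(listing, dates_by_id, now):
    """Map cert ID -> (label, 'expired'|'not yet valid'|'valid', is_retired)."""
    report = {}
    for obj_id, label in listing:
        not_before, not_after = parse_dates(dates_by_id[obj_id])
        if now > not_after:
            status = "expired"
        elif now < not_before:
            status = "not yet valid"
        else:
            status = "valid"
        report[obj_id] = (label, status, label.lower().startswith("retired"))
    return report


def read_card_dates(obj_id):
    """Hypothetical live variant: run the post's pipeline for one object ID."""
    der = subprocess.run(["pkcs11-tool", "--read-object", "--id", obj_id, "--type", "cert"],
                         check=True, capture_output=True).stdout
    out = subprocess.run(["openssl", "x509", "-noout", "-dates", "-inform", "DER"],
                         input=der, check=True, capture_output=True).stdout
    return out.decode()


if __name__ == "__main__":
    report = classify(parse_listing(SAMPLE_LISTING), SAMPLE_DATES, THREAD_DATE)
    for obj_id, (label, status, retired) in report.items():
        print(f"ID {obj_id}: {status:13s} {'(retired) ' if retired else ''}{label}")
```

On a real card, replace `SAMPLE_DATES[obj_id]` with `read_card_dates(obj_id)` and feed `parse_listing` the captured output of `pkcs11-tool -O`; a report where every primary certificate reads `valid` while only the `(retired)` entries read `expired` points at the OS-side certificate handling rather than at the card.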