From: Frank M. <fra...@gm...> - 2018-05-12 10:00:24
The problem you're experiencing could be the one from this ticket:
https://github.com/OpenSC/OpenSC/issues/1300. You could try to check
whether an older version of macOS is affected and/or in what regard the
expired certificates differ from the current one (other than the validity
period).

Regards,
Frank.

2018-05-11 18:32 GMT+02:00 Douglas E Engert <dee...@gm...>:
>
> On 5/11/2018 9:42 AM, Matthew X. Economou wrote:
>
>> Dear all,
>>
>> When I open the "PIV_II" keychain, Keychain Access only lists expired
>> certificates. The same is true for apps that use Apple's APIs for
>> smartcard authentication, e.g., Safari, Slack, Outlook. This is OpenSC
>> 0.18-rc2 running on macOS 10.13.4. `pkcs11-tool --login --test`
>> completes successfully.
>>
>> I can use the PIV card with Firefox, so the card itself has valid
>> certificates on it.
>>
>> I experienced the same behavior in OpenSC 0.17, so this isn't a
>> regression.
>>
>> Any suggestions on what I should try next? I saw a debug logging knob
>> in opensc.conf, so I'm starting there.
>
> See: https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC
> It shows how to use the debugging.
>
> You say it lists only expired certificates. Are any of the certificates on
> the card actually expired?
> The PIV normally has 4 certificates and matching keys: Auth, Sign, Key
> Management and Card Auth.
> But it can also have retired Key Management keys and certificates. These
> are there to allow you to decrypt older messages and files.
>
> If this is a US gov issued card for a number of years and it has been
> updated, you may have some of these retired keys and their matching
> expired certificates.
>
>   pkcs11-tool -O
>
> would show if you have any of these.
>
> For example, using a NIST Demo card 15 with 3 retired keys with on-card
> certificates, and 2 retired keys with off-card certificates, one of them
> shows up like:
>
>   Public Key Object; RSA 2048 bits
>     label:      Retired KEY MAN 2
>     ID:         06
>     Usage:      encrypt, wrap
>   Certificate Object; type = X.509 cert
>     label:      Retired Certificate for Key Management 2
>     subject:    DN: C=US, O=Test Government, OU=Test Department, OU=Test Agency, CN=Test E. Cardholder XV
>     ID:         06
>
> Then to read the above cert with ID 06 and display it with OpenSSL use:
>
>   pkcs11-tool --read-object --id 06 --type cert | openssl x509 -noout -dates -inform DER
>
>   Using slot 0 with a present token (0x0)
>   notBefore=Apr  3 19:56:01 2008 GMT
>   notAfter=Apr  3 19:56:01 2010 GMT
>
> (replace -dates with -text to see the full certificate.)
>
> I am not a MacOS person, but it could be the OS has cached some
> certificates?
> Why it is not showing the unexpired certificates is not clear.
>
>> Best wishes,
>> Matthew
>
> --
>
> Douglas E. Engert <DEE...@gm...>
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
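To turn the triage Douglas describes (list the objects with `pkcs11-tool -O`, pull each certificate out with `pkcs11-tool --read-object --id <ID> --type cert`, and check its dates with `openssl x509 -noout -dates`) into something repeatable, here is a small parser that groups the certificate objects by ID, reads the `notBefore`/`notAfter` lines, and reports which certificates are retired, expired or still valid. This is an added example, not code from the thread or from the OpenSC project. The `pkcs11-tool -O` listing and the `openssl` date output below are constructed samples; ID 06 reuses the retired Key Management 2 object and the 2008-2010 dates quoted above, and ID 01 is a made-up, still-valid PIV Authentication certificate. On a real card you would feed the two functions the live output of the two commands instead of the constructed strings.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `pkcs11-tool -O` output (the ID 06 object mirrors the
# one quoted in the thread; ID 01 is invented for contrast).
SAMPLE_PKCS11_LISTING = """\
Using slot 0 with a present token (0x0)
Public Key Object; RSA 2048 bits
  label:      PIV AUTH pubkey
  ID:         01
  Usage:      encrypt, verify, wrap
Certificate Object; type = X.509 cert
  label:      Certificate for PIV Authentication
  subject:    DN: C=US, O=Test Government, OU=Test Department, CN=Test E. Cardholder XV
  ID:         01
Public Key Object; RSA 2048 bits
  label:      Retired KEY MAN 2
  ID:         06
  Usage:      encrypt, wrap
Certificate Object; type = X.509 cert
  label:      Retired Certificate for Key Management 2
  subject:    DN: C=US, O=Test Government, OU=Test Department, OU=Test Agency, CN=Test E. Cardholder XV
  ID:         06
"""

# Constructed sample of `openssl x509 -noout -dates` output, keyed by object ID.
# In practice: pkcs11-tool --read-object --id <ID> --type cert | openssl x509 -noout -dates -inform DER
SAMPLE_DATES = {
    "01": "notBefore=Jan  1 00:00:00 2017 GMT\nnotAfter=Jan  1 00:00:00 2020 GMT\n",
    "06": "notBefore=Apr  3 19:56:01 2008 GMT\nnotAfter=Apr  3 19:56:01 2010 GMT\n",
}

OPENSSL_DATE_FORMAT = "%b %d %H:%M:%S %Y GMT"


def parse_pkcs11_certificates(listing: str) -> dict:
    """Return {ID: {field: value}} for every 'Certificate Object' in a pkcs11-tool -O listing."""
    certs = {}
    current = None
    for line in listing.splitlines():
        if line.startswith("Certificate Object"):
            current = {}            # start collecting attributes of a new cert object
        elif line and not line[0].isspace():
            current = None          # any other top-level line ends the cert object
        elif current is not None:
            m = re.match(r"\s*(\w+):\s*(.*)", line)
            if m:
                key, value = m.group(1), m.group(2).strip()
                current[key] = value
                if key == "ID":
                    certs[value] = current
    return certs


def parse_openssl_dates(text: str) -> tuple:
    """Parse the notBefore/notAfter lines printed by `openssl x509 -noout -dates` as UTC datetimes."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("notBefore", "notAfter"):
            found[key] = datetime.strptime(value.strip(), OPENSSL_DATE_FORMAT).replace(tzinfo=timezone.utc)
    return found["notBefore"], found["notAfter"]


def classify_certificates(listing: str, dates_by_id: dict, now: datetime) -> dict:
    """Combine both outputs into {ID: {"label", "retired", "status"}} as of `now`."""
    report = {}
    for obj_id, cert in parse_pkcs11_certificates(listing).items():
        not_before, not_after = parse_openssl_dates(dates_by_id[obj_id])
        if now < not_before:
            status = "not yet valid"
        elif now > not_after:
            status = "expired"
        else:
            status = "valid"
        report[obj_id] = {
            "label": cert.get("label", ""),
            # PIV retired key-management certs carry "Retired" in the OpenSC label
            "retired": cert.get("label", "").startswith("Retired"),
            "status": status,
        }
    return report


def usable_ids(report: dict) -> list:
    """IDs an application should be offering for authentication: valid and not retired."""
    return sorted(i for i, r in report.items() if r["status"] == "valid" and not r["retired"])


if __name__ == "__main__":
    # Evaluate as of the date of the thread so the sample stays reproducible.
    as_of = datetime(2018, 5, 11, tzinfo=timezone.utc)
    result = classify_certificates(SAMPLE_PKCS11_LISTING, SAMPLE_DATES, as_of)
    for obj_id, row in sorted(result.items()):
        print(obj_id, row["status"], "(retired)" if row["retired"] else "", row["label"])
    print("usable for authentication:", usable_ids(result))
```

If the only IDs that come back as "valid" and not retired are ones Keychain Access does not display, the card is fine and the problem lies on the OS side (the caching Douglas suspects, or the ticket Frank points at); if every certificate really is expired, the card itself needs re-issuing.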