From: Matthew X. E. <xen...@ir...> - 2017-10-10 20:10:18
Dear all,

I use OpenSC on my Macs to use PIV cards with Office (e.g., signing
email). However, this breaks logins to Citrix Receiver via Safari, and
I don't know how to troubleshoot it. Uninstalling OpenSC restores the
original behavior, i.e., PIV card logins work with Safari/Citrix
Receiver but not Office. Is there a knob that turns on debug logging
inside of OpenSC or one of its components? Can I attach a debugger
somehow? How would I go about figuring this out?

Best wishes,
Matthew

--
"The lyf so short, the craft so longe to lerne."

From: Douglas E E. <dee...@gm...> - 2017-10-11 13:07:15
It sounds like one or both of the MacOS smart card code or OpenSC are
accessing the card in exclusive mode. Both have support for PIV cards
and use pcsc to access the reader.

I do not use MacOS, but there are others on this mailing list that do
and use PIV cards. I am surprised no one else has responded.

https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC

See the OpenSC opensc.conf file debug= and debug_file= parameters to turn
on debugging.

Also look at the connect_exclusive, disconnect_action, transaction_end_action
and reconnect_action. The default of disconnect_action=reset may be a problem.
I would set it to disconnect_action=leave; But the MacOS code may also be
causing problems.

https://github.com/OpenSC/OpenSC/wiki/macOS-Quick-Start
might help. Search the wiki

Google for: opensc Mac OS office safari Citrix

Google for: pcsc Mac OS debugging

On 10/10/2017 2:51 PM, Matthew X. Economou wrote:
> Dear all,
>
> I use OpenSC on my Macs to use PIV cards with Office (e.g., signing
> email). However, this breaks logins to Citrix Receiver via Safari, and
> I don't know how to troubleshoot it. Uninstalling OpenSC restores the
> original behavior, i.e., PIV card logins work with Safari/Citrix
> Receiver but not Office. Is there a knob that turns on debug logging
> inside of OpenSC or one of its components? Can I attach a debugger
> somehow? How would I go about figuring this out?
>
> Best wishes,
> Matthew
>

--

Douglas E. Engert <DEE...@gm...>

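Added example, not part of the original messages or the OpenSC project's own documentation: the parameters named in the reply above, written out as an opensc.conf fragment. The log path is a placeholder, and the values chosen for connect_exclusive, transaction_end_action and reconnect_action are assumptions made for troubleshooting; only disconnect_action=leave is suggested in the thread.

```conf
# opensc.conf fragment for troubleshooting reader sharing (added example)
app default {
	# 0 turns debug output off; larger values are more verbose.
	debug = 3;

	# Placeholder path. The log can contain card traffic, which may
	# include sensitive data such as PINs, so write it somewhere only
	# you can read and remove it once the problem is diagnosed.
	debug_file = /path/to/opensc-debug.log;

	reader_driver pcsc {
		# Do not lock the reader away from other PC/SC clients
		# (assumption for this example).
		connect_exclusive = false;

		# Suggested in the thread: do not reset the card when
		# OpenSC disconnects from it.
		disconnect_action = leave;

		# Same choice applied to the other two actions named in the
		# thread (assumption for this example; valid values are
		# leave, reset and unpower).
		transaction_end_action = leave;
		reconnect_action = leave;
	}
}
```

Set debug back to 0 after capturing a failing login so the log does not keep growing.
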
From: Frank M. <fra...@gm...> - 2017-10-11 13:21:57
Apple's CryptoTokenKit breaks non-Apple software!

Only use OpenSC and disable the PIVToken:

    sudo defaults write /Library/Preferences/com.apple.security.smartcard DisabledTokens -array com.apple.CryptoTokenKit.pivtoken

Regards, Frank.

2017-10-11 15:07 GMT+02:00 Douglas E Engert <dee...@gm...>:
>
> It sounds like one or both of the MacOS smart card code or OpenSC are
> accessing the card in exclusive mode. Both have support for PIV cards
> and use pcsc to access the reader.
>
> I do not use MacOS, but there are others on this mailing list that do
> and use PIV cards. I am surprised no one else has responded.
>
> https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC
>
> See the OpenSC opensc.conf file debug= and debug_file= parameters to turn
> on debugging.
>
> Also look at the connect_exclusive, disconnect_action,
> transaction_end_action
> and reconnect_action. The default of disconnect_action=reset may be a
> problem.
> I would set it to disconnect_action=leave; But the MacOS code may also be
> causing problems.
>
> https://github.com/OpenSC/OpenSC/wiki/macOS-Quick-Start
> might help. Search the wiki
>
> Google for: opensc Mac OS office safari Citrix
>
> Google for: pcsc Mac OS debugging
>
>
> On 10/10/2017 2:51 PM, Matthew X. Economou wrote:
>
>> Dear all,
>>
>> I use OpenSC on my Macs to use PIV cards with Office (e.g., signing
>> email). However, this breaks logins to Citrix Receiver via Safari, and
>> I don't know how to troubleshoot it. Uninstalling OpenSC restores the
>> original behavior, i.e., PIV card logins work with Safari/Citrix
>> Receiver but not Office. Is there a knob that turns on debug logging
>> inside of OpenSC or one of its components? Can I attach a debugger
>> somehow? How would I go about figuring this out?
>>
>> Best wishes,
>> Matthew
>>
>>
> --
>
> Douglas E. Engert <DEE...@gm...>

From: Matthew X. E. <xen...@ir...> - 2017-10-11 22:38:17
Doug, Frank,

Thanks for your help. Frank's suggestion to disable
com.apple.CryptoTokenKit.pivtoken fixed the problem I was having. I'll
add this to the Mac docs on the OpenSC wiki, as I can't find it
documented anywhere.

Best wishes,
Matthew

--
"The lyf so short, the craft so longe to lerne."

From: Matthew X. E. <xen...@ir...> - 2017-10-12 01:12:25
Actually, why doesn't the macOS installer disable pivtoken itself? Does
disabling that break something else?

--
"The lyf so short, the craft so longe to lerne."

From: Ludovic R. <lud...@gm...> - 2017-10-12 07:45:41
2017-10-12 3:12 GMT+02:00 Matthew X. Economou <xen...@ir...>:
> Actually, why doesn't the macOS installer disable pivtoken itself? Does
> disabling that break something else?
>

You may want to use the pivtoken provided by Apple to use with your PIV
card and use OpenSC for a non-PIV card (maybe disable PIV support in
OpenSC).

I think that OpenSC does not yet provide a CryptoTokenKit Smart Card
Driver, but just a tokend (old technology). So using the Apple pivtoken
may be better for some users.

Bye

--
Dr. Ludovic Rousseau