Collaborator

@TheBestTvarynka TheBestTvarynka commented Sep 3, 2025

Hi,

This PR adds system-provided smart card support for macOS. This implementation should also work on Linux and Windows, but dev-testing has shown that we have a bug in the WinSCard layer (something related to the scard cache, but needs further investigation).

See more details in the following intermediate PRs:

Configuration

You should configure the following environment variables before trying to connect:

| name | value | meaning |
|---|---|---|
| `SSPI_PKCS11_MODULE_PATH` | `<path/to/pkcs11 module>` | sspi-rs will resolve this module at runtime and use it for communicating with the smart card |
| `SSPI_KDC_URL` | `<KDC URL>` | This variable can be omitted if DNS is configured |
| `SSPI_LOG_LEVEL` | `trace` | You can set any log level you want |
| `SSPI_LOG_PATH` | `<path/to/logfile>` | Any file path |
| `SSPI_SCARD_TYPE` | `system` | This variable can be either `system` or `emulated` |
| `WINSCARD_USE_SYSTEM_SCARD` | `true` | Enables system-provided scards. Set to `false` to use an emulated smart card. This is needed for our WinSCard module. |
| `WINSCARD_SMARTCARD_CONTAINER_NAME` | `<container name>` | It is needed for scard cache initialization |
| `WINSCARD_CERTIFICATE_FILE_PATH` | `<path/to/smartcard/certificate>` | It is needed for scard cache initialization. Alternatively, the `WINSCARD_CERTIFICATE_FILE_DATA` variable can be set with base64-encoded certificate data |

Example

./sdl-freerdp /v:DESKTOP-QELPR32.tbt.com /u:t2 /d:tbt.com /p:123456 /smartcard-logon /sec:nla /cert:ignore /log-level:TRACE /auth-pkg-list:\!ntlm,kerberos /sspi-module:/Users/user/Documents/projects/sspi-rs/target/debug/libsspi.dylib /kerberos:pkcs11-module:"/usr/local/lib/libykcs11.2.7.2.dylib" /winscard-module:/Users/user/Documents/projects/sspi-rs/target/debug/libsspi.dylib > rdp.out.log
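
A pre-flight check for the variables in the Configuration table above, as an added example that is not part of this PR or of sspi-rs. The function names `check_scard_env` and `scard_fail`, and the choice to treat a missing or unreadable value as an error, are assumptions of this example.

```shell
#!/bin/sh
# Added example: validates the environment described in the Configuration
# table before a connection attempt. Prints one line per problem to stderr
# and returns the number of problems found (0 means the values look sane).
SCARD_PROBLEMS=0
scard_fail() { echo "config error: $*" >&2; SCARD_PROBLEMS=$((SCARD_PROBLEMS + 1)); }

check_scard_env() {
    SCARD_PROBLEMS=0

    # The PKCS#11 module is resolved at runtime, so it must be a readable file.
    [ -f "${SSPI_PKCS11_MODULE_PATH:-}" ] && [ -r "${SSPI_PKCS11_MODULE_PATH:-}" ] \
        || scard_fail "SSPI_PKCS11_MODULE_PATH is not a readable file"

    # Only the two values named in the table are accepted.
    case "${SSPI_SCARD_TYPE:-}" in
        system|emulated) ;;
        *) scard_fail "SSPI_SCARD_TYPE must be 'system' or 'emulated'" ;;
    esac
    case "${WINSCARD_USE_SYSTEM_SCARD:-}" in
        true|false) ;;
        *) scard_fail "WINSCARD_USE_SYSTEM_SCARD must be 'true' or 'false'" ;;
    esac

    # Both of the following feed the scard cache initialization.
    [ -n "${WINSCARD_SMARTCARD_CONTAINER_NAME:-}" ] \
        || scard_fail "WINSCARD_SMARTCARD_CONTAINER_NAME is empty"

    # Certificate: a file path, or base64 data in WINSCARD_CERTIFICATE_FILE_DATA.
    if [ -n "${WINSCARD_CERTIFICATE_FILE_PATH:-}" ]; then
        [ -r "$WINSCARD_CERTIFICATE_FILE_PATH" ] \
            || scard_fail "WINSCARD_CERTIFICATE_FILE_PATH is not readable"
    elif [ -n "${WINSCARD_CERTIFICATE_FILE_DATA:-}" ]; then
        printf '%s' "$WINSCARD_CERTIFICATE_FILE_DATA" | base64 --decode >/dev/null 2>&1 \
            || scard_fail "WINSCARD_CERTIFICATE_FILE_DATA is not valid base64"
    else
        scard_fail "set WINSCARD_CERTIFICATE_FILE_PATH or WINSCARD_CERTIFICATE_FILE_DATA"
    fi

    # SSPI_KDC_URL can be omitted if DNS is configured, so this is only a note.
    [ -n "${SSPI_KDC_URL:-}" ] || echo "note: SSPI_KDC_URL unset, relying on DNS" >&2

    return "$SCARD_PROBLEMS"
}
```

Source the file and run `check_scard_env` in the same shell that will launch the client, so the check sees the environment the client will inherit.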

@TheBestTvarynka TheBestTvarynka self-assigned this Sep 3, 2025
@TheBestTvarynka TheBestTvarynka marked this pull request as ready for review September 5, 2025 18:05
Member

@CBenoit CBenoit left a comment

FYI: I’m waiting on devops to fix a permission problem before merging, hopefully okay in not too long!

@TheBestTvarynka
Collaborator Author

> I’m waiting on devops to fix a permission problem

@CBenoit any updates? 🙃

@CBenoit CBenoit force-pushed the dev/macos-scard-support branch from 75986f7 to 1a64c20 Compare September 17, 2025 02:18
Member

@CBenoit CBenoit left a comment

LGTM!

@CBenoit CBenoit enabled auto-merge (rebase) September 17, 2025 02:19
@CBenoit CBenoit merged commit 758af31 into master Sep 17, 2025
42 checks passed
@CBenoit CBenoit deleted the dev/macos-scard-support branch September 17, 2025 02:25