
epass2003 tokend MacOS 10.12 #29

Closed
bmwt opened this issue Oct 26, 2016 · 4 comments
Comments

bmwt commented Oct 26, 2016

The tokend driver doesn't appear to be working for us under 10.12 or 10.12.1. The token (epass2003) does appear in Keychain Access, but attempts to use the certificate on the device seem to fail. Our use case is a VPN client (GlobalProtect), but we're unable to get the certificate to work even in stock Safari when connecting to a certificate-authenticated website (eliminating the VPN client as the culprit). The same setup works just fine with 10.11. With a working 10.11 setup, upgrading to 10.12 makes it stop working. We've tried both the binary version of OpenSC with the driver (0.16), as well as a package compiled from git source (b1aa790).

non-tokend (ssh with opensc-pkcs11.so) works just fine.


mouse07410 commented Oct 27, 2016

Try https://github.com/mouse07410/OpenSC.tokend.git - you're likely to have better success. I'm using this tokend on 10.11.6 and 10.12.1 with 100% success. ;-)

I must add that the tokend I'm using has been extensively tested and enhanced for PIV cards, but I conjecture that it would work with epass2003.


bmwt commented Oct 28, 2016

Wow, after fighting with OpenSSL a bit, I did get a copy to build, and it seems to work using our tokens under 10.12.1. Very nice, thanks for the pointer! (Edit: removing the bit about contributing back to mainline; I see the pull request, thanks!)

bmwt closed this as completed Oct 28, 2016

mouse07410 commented

> I don't suppose there will be code committed back to this project so we can eventually go back to the mainline package?

@bmwt, this tokend is maintained as a parallel fork. It tracks the mainline fixes if and when they appear (which nowadays isn't highly likely). The owners of the mainline package decided not to merge it back then. I was disappointed at first, couldn't care less now.

> (or is it dead given Apple's deprecation of tokend?)

Tokend is not deprecated (unless you mean CDSA-based tokend, like these :).

Apple, starting with Sierra, returned to providing its own tokend - based on their new CTK (named pivtoken). It contains a few nice enhancements (like the ability to pair smart card with the account, e.g., to unlock FileVault and Keychains with it). But it also lacks some crucial capabilities, like visualizing the token in Keychain Access (so if there are any problems with certs on it, or with the issuing CA - good luck! You'll need it). Coincidentally, cutting off the "old" interface made it impossible for the 3rd-party apps such as MS Office, Adobe Acrobat, Firefox, etc. to utilize smart cards on Sierra. Currently (AFAIK) only Apple Mail and Safari can use hardware tokens, and you can't actually see what's on those tokens, or even what those tokens are (unless you count hash of something on the token presented in hex as a useful identifier :)). Until all those apps are re-written by their corresponding vendors to move to the CTK interface, they won't work with tokens.

Luckily, Sierra allows operations in Legacy mode: you disable pivtoken, install your working tokend in /Library/Security/tokend, and use your smart cards and apps on Sierra as on El Capitan (especially if your main need for smart cards is to use it with applications rather than for logging in). The only disadvantage I see is that you lose the pairing ability - but it's only useful at login anyway.

And of course, we never know - perhaps with 10.13 or 10.14 pivtoken would go the way SmartCardServices went in Lion? Apple giveth, and Apple taketh away. :) So it makes sense to keep this tokend for a while longer until there's more certainty. :-)


bmwt commented Oct 28, 2016

Ahh, I thought CTK was a replacement for tokend, and that tokend was going away. This clarifies quite a bit: all the information I was looking for but couldn't find. Much, much appreciated; we'll just continue to follow your fork until Apple decides to throw something else our way.
