[uiplugins] CACViewerPlugin lacks support for ActivIdentity Tokens #99

Open
macosforgebot opened this issue Sep 25, 2012 · 6 comments

Comments

@macosforgebot

briggr1@… originally submitted this as ticket:99

  • Keywords: ActivIdentity, CACViewerPlugin
  • Cc: briggr1@…, @DewSecGitHub

Former Title: Keychain Access crashes when unlocking CAC (ActivIdentity commercial)

On a fresh copy of Mountain Lion, I installed Smart Card Services Update v2.0.b2-MtLion. When I insert my CAC card and open Keychain Access, I see the card just fine. When I go to unlock it, I'm prompted for the PIN, I enter it, and Keychain Access crashes.

Also, if I do NOT open Keychain Access but simply unlock the CAC keychain using the menu, my VPN is still not able to access the certs on the card.

@macosforgebot
Author

briggr1@… originally submitted this as comment:1:⁠ticket:99


I watched the logs while I performed the second set of steps above (not opening Keychain Access) and saw this:

9/24/12 7:33:50.600 PM com.apple.SecurityServer[15]: Token reader Activkey Sim 00 00 inserted into system
9/24/12 7:33:53.042 PM com.apple.SecurityServer[15]: reader Activkey Sim 00 00 inserted token "CAC-4295430144" (CAC-4295430144) subservice 2 using driver com.apple.tokend.cac
9/24/12 7:34:14.515 PM coreservicesd[26]: Application App:"Console" [ 0x0/0x7007]  @ 0x0x7f902cd05740 tried to be brought forward, but isn't in fPermittedFrontASNs ( ( ASN:0x0-0x1c01c:) ), so denying.
9/24/12 7:34:14.515 PM WindowServer[79]: [cps/setfront] Failed setting the front application to Console, psn 0x0-0x7007, securitySessionID=0x186a6, err=-13066
9/24/12 7:34:15.000 PM kernel[0]: Sandbox: mDNSResponder(51) deny file-read-data /
9/24/12 7:34:15.000 PM kernel[0]: Sandbox: mDNSResponder(51) deny file-read-data /
9/24/12 7:34:15.000 PM kernel[0]: Sandbox: mDNSResponder(51) deny file-read-data /
9/24/12 7:34:15.000 PM kernel[0]: Sandbox: mDNSResponder(51) deny file-read-data /
9/24/12 7:34:15.000 PM kernel[0]: Sandbox: mDNSResponder(51) deny file-read-data /

@macosforgebot
Author

briggr1@… originally submitted this as comment:2:⁠ticket:99

  • Cc briggr1@… added

@macosforgebot
Author

@DewSecGitHub originally submitted this as comment:3:⁠ticket:99

@macosforgebot
Author

@DewSecGitHub originally submitted this as comment:4:⁠ticket:99

  • Status changed from new to accepted
  • Summary changed from Keychain Access crashes when unlocking CAC (ActivIdentiy commercial) to [uiplugins] CACViewerPlugin lacks support for ActivIdentity Tokens
  • Keywords CACViewerPlugin added
  • Priority changed from P5 - Not Set to P2 - Expected
  • Severity changed from S1 - Crash / Data Loss to S4 - Usability
  • Component changed from SmartCardServices to UIPlugins
  • Milestone changed from Unassigned to Screening
  • Description modified

Former Title: Keychain Access crashes when unlocking CAC (ActivIdentity commercial)
New Title: [uiplugins] CACViewerPlugin lacks support for ActivIdentity Tokens

What you are hitting is when you double-click on the keychain name, the uiplugin for the CAC (CACViewerPlugin) is invoked and it currently has issues with the commercial version of the ActivIdentity tokens. Double-clicking on the keychain name is not the intended method to "unlock" the keychain, but rather clicking on the "lock" icon in the upper left corner of Keychain Access when you have the Smart Card keychain name "selected" in the list. Clicking on the Lock/Unlock icon will simply allow you to manually lock or unlock the Smart Card (cache the PIN in securityd). Also, on first request by the OS to the card for use of PIN-protected data (i.e. private key), the PIN request dialog will always appear so that you do not have to invoke the manual unlock sequence.

@macosforgebot
Author

alvaro.picapau@… originally submitted this as comment:5:⁠ticket:99
