Posted  by  admin

Opensc Installer For Mac

Interested in using a smartcard for secure two-factor authentication on OS X? What about E-mail signing and encryption, SSH key authentication, and more? All of these applications are possible, using the built-in smartcard support in OS X and open source software. What follows is the first part of a guide to using smartcards on OS X, using software from the. You’ll need:.

The from OpenSC. A blank smartcard supported by OpenSC (see ). A card reader with Mac OS X support (The best choice is a CCID compliant USB device, see ) I’m using a Feitian PKI card from which is supported by the entersafe driver in OpenSC.

Other good choices are the card, or a blank JavaCard which can be loaded with the. Please note that I’ve only tested this with the Feitian PKI card and an ACR-38U CCID compatible reader – YMMV with other combinations of cards and readers!

The provides useful information on initialising many different types of cards. Install OpenSC Download the Mac Installer package mentioned above, and install the package contained within. This will install OpenSC to /Library/OpenSC, and also install a few other components which integrate OpenSC with Mac OS X.

The most important of these is the Tokend (Token Daemon), a component which integrates your smartcard with the Keychain framework in OS X. Testing OpenSC Open a Terminal window. Plug the card reader into your Mac, and enter the command opensc-tool -list-readers You should see your card reader shown in the list, like this: Readers known about: Nr. Driver Name 0 pcsc CASTLES EZ100PU 00 00 Then, insert your blank smartcard into the reader, and enter the command (assuming you are using reader 0): opensc-tool -reader 0 -atr You should see a string of hex digits which identifies your card. Now, check that OpenSC recognises the card and can match it to a driver: opensc-tool -reader 0 -name should print a human-readable name for the card.

For my Feitian PKI card it just prints “entersafe”. Initialising the PKCS#15 structure If all these tests succeed, you can proceed to initialising the PKCS#15 structure on the card.

Openssl Installer For Mac

For this we use the pkcs15-init command from OpenSC: pkcs15-init -CT -p pkcs15+onepin -no-so-pin -pin yourpin -puk yourpuk -label 'YourName' The options here are:.C creates the PKCS#15 files.T uses the default Transport Key (a key needed to access the card).p pkcs15+onepin sets the card to use a single PIN for all operations. —no-so-pin tells the command we don’t want a Security Officer PIN.

Dlp support for mac windows 10

—pin yourpin specifies the PIN. Replace yourpin with whatever you want to use. —puk yourpuk specifies the PUK (Unblock code).

Replace yourpuk with whatever you want to use. —label “YourName” gives the card a name which it’ll be displayed under in the Keychain and other applications.

We are only using one PIN here as the card will just be for personal use. We also don’t define a Security Officer PIN.

PIN is like an administrator password – it is used to protect the meta-data on the card including the PKCS#15 structure, in a situation where the person provisioning and issuing the card is not the same as the card’s end-user. The PUK (Pin Unlock Key) is used to unblock the card if you have locked it due to too many incorrect PIN attempts.

Make sure to define one as secure as possible and keep it safe in case you ever forget the PIN. To check that the command ran successfully, we can list the contents of the PKCS#15 structure on the card. This is done with the command: pkcs15-tool -dump This should show output something like this: Using reader with a card: CASTLES EZ100PU 00 00 PKCS#15 Card OpenSC Card: Version: 1 Serial number: 543568 Manufacturer ID: EnterSafe Last update: 3625Z Flags: EID compliant PIN User PIN Com. Flags: 0x3 ID: 01 Flags: 0x30, initialized, needs-padding Length: minlen:4, maxlen:16, storedlen:16 Pad char: 0x00 Reference: 1 Type: ascii-numeric Path: 3f005015 You can see that one PIN has been created, with an ID of 01. Adding keys To actually use the card for authentication, there must exist keys for encryption and digital signature on the card.

Pairs of RSA public/private keys are the most commonly used form. Both the private and public keys are generated or loaded onto the card. The public key may be read from the card, but the private key may not be read – it stays on the card.

Opensc Installer For Mac Os X

Opensc installer for mac os x 10.9

The private key can only be used to encrypt / sign data by sending the card the PIN and the data to be signed. By this mechanism, it is ensured that only the person holding the card, and knowing the PIN, can make use of the private key. Option 1 – Generate a key pair on the card This is one of the most secure options, as the private key is generated on the card and never leaves it. To generate a 2048bit RSA key pair, use the command: pkcs15-init -G rsa/2048 -a 01 -u sign,decrypt The options used here are:.G rsa/2048 to generate a 2048-bit RSA keypair.a 01 to protect the key with auth ID 01 (the ID of the PIN you previously defined).u sign,decrypt to allow both signing and decryption with the key.

Mac

A 2048-bit key is recommended, however some cards may only support 1024 bit keys. You may be asked for your PIN several times during the process, which could take some time. Once it is over, the output of pkcs15-tool –dump should show a “Private RSA Key” and “Public RSA Key”. To make use of the key with Mac OS X, it needs to be associated with a X.509 certificate stored on the card.

Openssl installer for mac

The certificate must be signed with the private key on the card. To accomplish this, we will use OpenSSL with the enginepkcs11 component from OpenSC to generate a self-signed certificate.