Various information about SCA
pcscd
This daemon needs to be running in order to use your smart card. It is started automagically when a natively supported smartcard reader is installed.
You can check it with:
ps ax | grep pcscd | grep -v "grep pcscd"
If it is not running, re-run the SCA installer, go to 'Personalize' and select 'Smartcard reader autostart fix'. If pcscd is running, insert a smartcard and try 'pcsctest' in a Terminal.
You can also check to see if the card reader is recognized:
$ /Library/OpenSC/bin/opensc-tool -l
Readers known about:
Nr.    Driver     Name
0      pcsc       E-Gate 0 0
Then, you can check to see if the smart card is recognized:
$ /Library/OpenSC/bin/opensc-tool -an
3b:95:18:40:ff:62:01:02:01:04
Cryptoflex 32K e-gate
If the smart card is OpenSC formatted, you can verify some details about the card:
$ /Library/OpenSC/bin/pkcs11-tool --module /Library/OpenSC/lib/opensc-pkcs11.so -L
Available slots:
Slot 0           E-Gate 0 0
  token label:   JPS's SmartCard (User PIN)
  token manuf:   OpenSC Project
  token model:   PKCS #15 SCard
  token flags:   rng, login required, PIN initialized, token initialized
  serial num  :  00020671FFFF0200
More details on how to initialize and use a card can be found on the OpenSC wiki pages.
If you want to un-install the 'autostart fix', do the following in a Terminal:
$ sudo rm -rf /Library/Receipts/pcscd_autostart.pkg
$ sudo launchctl unload -w /Library/LaunchDaemons/org.opensc.pcscd.autostart
$ sudo rm -f /Library/LaunchDaemons/org.opensc.pcscd.autostart
OpenSSH
NB: all executables are prefixed with 'sc' (ssh -> scssh), so there is no conflict with the native executables installed with MacOSX.
You can also add /Library/OpenSC/bin to your $PATH without conflict.
How to use it:
- read your smartcard content with /Library/OpenSC/bin/scssh-keygen -D0
- append the long line beginning with ssh-rsa from the previous command to ~/.ssh/authorized_keys on the server where you want to connect
- to connect to remote host: /Library/OpenSC/bin/scssh -I0 login@…
In case you want to use the agent:
- eval $(/Library/OpenSC/bin/scssh-agent -s) (you can put this in your ~/.profile)
- register your private key references in scssh-agent with /Library/OpenSC/bin/scssh-add -s0; you need to enter your PIN code
- to verify the agent content: /Library/OpenSC/bin/scssh-add -l
engine_pkcs11
To use the engine, you need to load the engine with the following command:
$ /Library/OpenSC/bin/openssl
OpenSSL> engine -t dynamic -pre SO_PATH:/Library/OpenSC/lib/engines/engine_pkcs11.so -pre ID:pkcs11 \
         -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/Library/OpenSC/lib/opensc-pkcs11.so
You can then create a certificate request, generate a self-signed certificate... Check this page for more details.
For Belgian users only
No, this is not the latest Belgian joke...
Apple provides a Tokend for the Belgian eID, but this driver is broken for recent eID cards (last version tested: 10.4.6)! The OpenSC Tokend is compatible with the Belgian eID, but did not work with Apple's one installed. The easiest way to resolve this is to increase the score for OpenSC.Tokend to something higher than 100 in the configuration file /Library/OpenSC/etc/opensc.conf. The end of this file must contain something like this:
app tokend {
    # Score for OpenSC.tokend
    framework tokend {
        score = 110;
    }
}
With this modification you can now use your Belgian eID for authentication using Safari. You can also check your eID content in Keychain Access.
When a smartcard is compatible with more than one Tokend, an internal mechanism, based on a score, chooses which Tokend takes effective control of the card. By default, BELPIC Tokend has a score of 100 and OpenSC.Tokend has a score of 50. By increasing the score of OpenSC.Tokend to a value higher than 100, BELPIC Tokend will never take control of the eID. There is no longer any need to move the BELPIC Tokend to hide it from the system.
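As an added check (not part of SCA or of the original page), the script below reads a file in the opensc.conf block syntax shown above and reports which Tokend would take the eID under the score rule just described. The function names and the sample file are constructed for illustration; reporting an equal score as "belpic" is an assumption, since the text only covers scores higher than 100.

```shell
#!/bin/sh
# Added example, not part of SCA. Defaults below are the scores stated in the text.
BELPIC_SCORE=100      # BELPIC Tokend
OPENSC_DEFAULT=50     # OpenSC.Tokend when opensc.conf sets no score
# tokend_score FILE: print the score set in app tokend { framework tokend { ... } },
# or the default when that block or key is absent. Tokenizes, so layout does not matter.
tokend_score() {
    awk -v def="$OPENSC_DEFAULT" '
    {
        sub(/#.*/, "")                 # drop comments
        gsub(/[{};=]/, " & ")          # make punctuation separate tokens
        for (i = 1; i <= NF; i++) {
            t = $i
            if (t == "{")      stack[++depth] = p2 " " p1   # block header, e.g. "app tokend"
            else if (t == "}") { if (depth > 0) depth-- }
            else if (t == "=") { key = p1; want = 1 }
            else if (want) {
                if (key == "score" && depth == 2 && stack[1] == "app tokend" &&
                    stack[2] == "framework tokend") score = t
                want = 0
            }
            p2 = p1; p1 = t
        }
    }
    END { print (score == "" ? def : score) }' "$1"
}

# tokend_winner FILE: which Tokend takes the eID. The text only guarantees OpenSC
# wins for a score higher than 100, so an equal score is reported as belpic (assumption).
tokend_winner() {
    s=$(tokend_score "$1")
    case $s in ''|*[!0-9]*) echo invalid; return 1 ;; esac
    if [ "$s" -gt "$BELPIC_SCORE" ]; then echo opensc; else echo belpic; fi
}

# Constructed sample input: the fragment from this page after an unrelated block.
sample=$(mktemp); trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
app default {
    debug = 0;
}
app tokend {
    # Score for OpenSC.tokend
    framework tokend {
        score = 110;
    }
}
EOF
echo "score=$(tokend_score "$sample") winner=$(tokend_winner "$sample")"
```

After editing the real file, the same check is `tokend_winner /Library/OpenSC/etc/opensc.conf`.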
Un-installing SCA
To uninstall SCA, do the following in a Terminal:
sudo rm -rf /Library/Receipts/libusb.pkg
sudo rm -rf /Library/Receipts/ifd-egate.pkg
sudo rm -rf /Library/Receipts/libp11.pkg
sudo rm -rf /Library/Receipts/engine_pkcs11.pkg
sudo rm -rf /Library/Receipts/openssl.pkg
sudo rm -rf /Library/Receipts/OpenSC.pkg
sudo rm -rf /Library/Receipts/openssh.pkg
sudo rm -rf /Library/Receipts/opensc_tokend.pkg
sudo rm -rf /Library/OpenSC
sudo rm -rf /System/Library/Security/tokend/OpenSC.tokend
sudo rm -rf /usr/libexec/SmartCardServices/drivers/ifd-egate.bundle
