MacOS S/MIME Outlook or Mail.app no certificates on Yubikey smartcard detected #3160
Comments
Are you sure that the yubikey is used through OpenSC? Typically, it would load the macOS' built-in driver for PIV cards...
Thanks for the reply. I will troubleshoot further with the PIV driver.
The mail and S/MIME signing / encryption would use the "Certificate for Digital Signature" and "Certificate for Key Management", whereas the auth commands would use the "Certificate for PIV Authentication". Do you have all 3 certificates and 3 keys with proper keyUsage bits in the certificates? What does `pkcs11-tool -O` show?
Yes, this is something I was thinking before and want to check with a spare Yubikey once I get home. "Certificate for Digital Signature" and "Certificate for Key Management" are both signed certificates from a known CA. The "Certificate for PIV Authentication" (which should not get used for S/MIME) is another (self-signed) certificate I use for SSH and other authentication. Perhaps the Apple implementation expects all three of these to be the same, so I will try this at home and report back.
Just tested with all the same keys and certs in the 3 slots, but unfortunately it still does not detect the certificates on it. The `pkcs11-tool` test seems to work fine, so probably not an issue with OpenSC.
The 3 keys and certificates should not be the same. The keyUsage bits in the certificate are different. "MacOS Outlook or Mail.app for S/MIME signing / encryption." maybe look at the certificates and reject them as not usable. I don't have a Mac.
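As an added example (not code from this issue or from OpenSC), the check the two comments above ask for: read a certificate's keyUsage bits with openssl and report which PIV slot it fits, 9c (Digital Signature, needs digitalSignature) or 9d (Key Management, needs keyEncipherment). It assumes openssl 1.1.1 or later and constructs two throwaway certificates to demonstrate; on a real card, export each certificate first (for example with `pkcs15-tool --read-certificate <id> -o cert.pem`) and run `piv_slot_hint cert.pem` on it.

```shell
#!/bin/sh
# Added example, not from the OpenSC issue. Assumes openssl >= 1.1.1
# (needed for the -ext and -addext options used below).
set -e

# Print the keyUsage names of a PEM certificate as one comma-separated line,
# e.g. "Digital Signature, Non Repudiation". Empty if the extension is absent.
cert_key_usage() {
    openssl x509 -in "$1" -noout -ext keyUsage 2>/dev/null \
        | sed -n '2,$p' | tr -d '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Map keyUsage bits to the PIV slot whose certificate normally carries them:
# 9c "Digital Signature" needs digitalSignature (S/MIME signing),
# 9d "Key Management" needs keyEncipherment (S/MIME encryption).
# Prints "9c", "9d" or "9c,9d"; returns 1 with a reason if neither bit is set.
piv_slot_hint() {
    usage=$(cert_key_usage "$1")
    if [ -z "$usage" ]; then
        echo "no keyUsage extension: S/MIME clients may reject this certificate"
        return 1
    fi
    hint=""
    case "$usage" in *"Digital Signature"*) hint="9c" ;; esac
    case "$usage" in *"Key Encipherment"*) hint="${hint:+$hint,}9d" ;; esac
    if [ -z "$hint" ]; then
        echo "unsuitable for S/MIME signing or encryption: $usage"
        return 1
    fi
    echo "$hint"
}

# Constructed test material (hypothetical self-signed certs, no real CA):
# $1 = output PEM file, $2 = keyUsage value for the certificate.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=smime test" \
        -keyout /dev/null -out "$1" -addext "keyUsage=critical,$2" 2>/dev/null
}

# Usage: sh piv_keyusage.sh cert.pem
if [ $# -gt 0 ]; then
    piv_slot_hint "$1"
fi
```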
Yes, normally only signing and encryption slot need to be populated, then it should work. The signing certificate is the same as the encryption (it is a S/MIME certificate from a public CA). It also worked fine on Linux this way. Bits are set correctly (subject DN wildcards are of course not there in the actual output).
As @frankmorgner said, you may not be using OpenSC drivers. You can get a debug log and a PKCS11 SPY log; see: https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC You may also need to add the CA certificates to some trusted list of certificates.
AFAIK, the only way Apple Mail on a recent MacOS would use OpenSC is if you install OpenSCToken.app - which never worked for me. If that's the case, I'd recommend removing that app and making sure it did not leave a stale registration somewhere, like a .plist file in the LaunchDaemons directory or such. Normally, Mail would use For the fun of it, try signing and verifying the signature of some short file using
@mouse07410 , thanks for reminding us of the good old times, but I think by now OpenSCToken should work as expected. @onno182 , what exactly is the output of
Thanks for the suggestion. `sc_auth identities` lists driver com.apple.pivtoken. Deactivating OpenSCToken.app does not solve the problem. Importing the certificate in keychain directly (as PKCS12 format) works as expected. However, the same certificate on the smartcard does not. Also the command `security list-smartcards` does not list any smartcards. But I'm not sure if this is correct functionality.
Then your problem is with Apple's built-in token driver. Please contact the Apple support for help with this.
If you want to try OpenSC, then you should install OpenSC and deactivate Apple's pivtoken (see https://github.com/frankmorgner/OpenSCToken/?tab=readme-ov-file#useful-commands)
I was using the OpenSC driver before deactivating as @mouse07410 suggested. After deactivation, Apple's driver takes over. The problem however is also there when the OpenSC driver is used. I have reinstalled the OpenSCDriver, and now it says org.opensc-project.mac.opensctoken.OpenSCTokenApp.OpenSCToken:1c9f99c35e5f4b3db55b387879282909 for instance
So the Apple driver works as expected with Outlook? 🤔
No, neither driver works.
How did you initialize the token? Maybe the certificates are not linked to your private keys. What does
I tried two ways. One was through the ykman command, and another via the GUI from Yubikey. It is the same certificate and private key that work just fine in keychain (without the Yubikey).

```
onno@Onnos-MacBook-Air ~ % pkcs15-tool -D
PIN [PIN]
PIN [PIV PUK]
Private RSA Key [PIV AUTH key]
Private RSA Key [SIGN key]
Private RSA Key [KEY MAN key]
Public RSA Key [PIV AUTH pubkey]
Public RSA Key [SIGN pubkey]
Public RSA Key [KEY MAN pubkey]
X.509 Certificate [Certificate for PIV Authentication]
X.509 Certificate [Certificate for Digital Signature]
X.509 Certificate [Certificate for Key Management]
Data object 'Card Capability Container'
Data object 'Unsigned Card Holder Unique Identifier'
Data object 'Cardholder Fingerprints'
Data object 'Printed Information'
Data object 'Cardholder Facial Image'
Data object 'X.509 Certificate for Digital Signature'
Data object 'X.509 Certificate for Key Management'
Data object 'X.509 Certificate for Card Authentication'
Data object 'Cardholder Iris Image'
```
Smartcard (Yubikey) is not visible in MacOS Outlook or Mail.app for S/MIME signing / encryption. However, smartcard seems to work fine everywhere else, including SSH, login etc.
I am not sure if I am doing something wrong, as I have returned to MacOS after a long period of not using it, so I am not sure what has changed.
The `sc_auth` command detects the smartcard and works as expected.
`security list-smartcards` is however empty and shows no smart cards detected.
Also the app Smart Card Utility detects the smartcard just fine.
I have searched all over, but have not found a solution for this. Any ideas?
Thanks