3
votes

I would like to install PKCS#11 Tokend to my Mac OS X El Capitan (10.11.2) so I can access PKCS#11 enabled devices from Safari.

I downloaded and installed Smart Card Services for El Capitan from https://smartcardservices.macosforge.org/trac/wiki/installers.

Now I have Tokend installed in /Library/Security/tokend but there is no PKCS11.tokend, there are the following:

  • BELPIC.tokend
  • CAC.tokend
  • CACNG.tokend
  • JPKI.tokend
  • PIV.tokend

So I read on the following site that it should be included, or it can be built and copied to the tokend directory to access PKCS#11 libraries stored in /usr/lib/pkcs11 or /usr/local/lib/pkcs11: http://ludovicrousseau.blogspot.cz/2010/04/free-software-tokend-above-pkcs11-for.html.

But I am not even able to successfully install darwinbuild. Also, I don't want to build the whole Smart Card Services solution; I would like to build just PKCS#11.tokend and use it with Keychain.

The build steps are not very clear to me.

How do I do it for El Capitan? Or is there any version that is already built and can be used?

2 Answers

1
votes

El Capitan is tricky because Apple has implemented SIP (System Integrity Protection) which prevents write access to various system folders... (\system\library\security\ , \library\security, etc)

If you want to move forward with installing SCS or if you want to try manually adding/removing tokend files... you'll have to disable SIP first.

  • Reboot into Recovery Mode (hold down Command+R)
  • Open Utilities > Terminal
  • Type 'csrutil disable' and hit enter
  • Reboot, and you'll be able to edit system files and/or install SCS.

Some extra advice regarding PKCS... If you know what type of card you have, contact the manufacturer to get the appropriate PKCS tokend file. One size does not fit all unfortunately.

If you want to determine what type of card you have, plug in your reader, plug in the card, open Terminal and type pcsctest. When it asks for reader number type 01 and hit enter.

On that page, you'll find an ATR code. Grab that code and paste it here:

You should then have a manufacturer result. Search specifically for that smartcard manufacturer's PKCS libraries online (typically a .tokend file).

Good luck!!
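
The ATR mentioned in the answer above can also be decoded locally, since its historical bytes often carry the card's identifying data. This is an added example, not part of the original answer: a Python parser for the ISO/IEC 7816-3 ATR layout, where `parse_atr` is a name chosen here and the sample ATR is constructed for illustration.

```python
# Added example: decode the structure of an ISO/IEC 7816-3 Answer To Reset (ATR).
CONVENTIONS = {0x3B: "direct", 0x3F: "inverse"}

def parse_atr(atr_hex):
    """Parse an ATR given as hex text (spaces or colons between bytes allowed)."""
    data = bytes.fromhex(atr_hex.replace(":", " "))
    if len(data) < 2 or data[0] not in CONVENTIONS:
        raise ValueError("not an ATR: TS must be 3B or 3F")
    # T0: high nibble flags which of TA1..TD1 follow, low nibble = historical count
    y, k = data[1] >> 4, data[1] & 0x0F
    pos, i = 2, 1
    interface, t_values = {}, []
    while True:
        td = None
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(data):
                    raise ValueError("ATR truncated in interface bytes")
                interface[f"{name}{i}"] = data[pos]
                if name == "TD":
                    td = data[pos]
                pos += 1
        if td is None:
            break
        # TDi: high nibble flags the next group, low nibble is a T value
        # (a protocol number; T=15 marks global interface bytes)
        y = td >> 4
        t_values.append(td & 0x0F)
        i += 1
    historical = data[pos:pos + k]
    pos += k
    # TCK is present only when some T value other than 0 is indicated
    has_tck = any(t != 0 for t in t_values)
    if len(data) != pos + int(has_tck):
        raise ValueError("ATR length does not match its T0/TDi fields")
    tck_ok = None
    if has_tck:
        x = 0
        for b in data[1:]:          # XOR of T0..TCK must be zero
            x ^= b
        tck_ok = (x == 0)
    return {"convention": CONVENTIONS[data[0]], "interface": interface,
            "protocols": sorted(set(t_values)) or [0],   # no TD means T=0
            "historical": historical, "tck_ok": tck_ok}

# Constructed sample ATR (not from a real card); historical bytes spell "DEMO1".
SAMPLE_ATR = "3B 95 11 81 31 FE 45 44 45 4D 4F 31 BD"

if __name__ == "__main__":
    for key, value in parse_atr(SAMPLE_ATR).items():
        print(key, "=", value)
```

A `tck_ok` of `False`, or a `ValueError`, means the ATR was mistyped or truncated when copied, which is worth ruling out before searching for a matching driver.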

0
votes

In my experience, you'd be better off using OpenSC with tokend fork. It builds OK on Mac OS X 10.10 and 10.11, and supports RSA and ECC tokens (and SHA-2).