Please add support for CryptoTokenKit in macOS
Categories: NSS :: Libraries, enhancement
People: Reporter: golbiga, Unassigned
Comment 1•7 years ago
Comment 2•7 years ago
Comment 3•6 years ago
I'm reopening this separately from the other bug. This is a very specific problem: TokenD was deprecated in 10.7 and the only solution right now is this PKCS#11 solution:
https://github.com/kenh/keychain-pkcs11
which is just a random developer.
For us to be used in this very important space (govt, dod), we need a solution here.
I don't think it's just client certificates support.
This will impact the entire Mac federal space, as there are so many web apps that were specifically written to use Firefox as the browser. HSPD12 is the requirement to use smartcards (2006) and DHS Continuous Diagnostics and Mitigation - Phase 2 is the mandatory enforcement of HSPD12 (2017), which forced Apple to improve their smartcard services. Recently TokenD has been broken a few times in macOS updates (later fixed), but I'm not entirely sure how much longer Apple will leave it in their operating system. With other vendors supporting CTK, many in the federal space will be forced to remove Firefox from their install base if it cannot support CryptoTokenKit.
Comment 5•6 years ago
I do believe keeler was correct in duplicating. This does not appear to be any new request, other than Firefox supporting something other than PKCS#11 modules (in this case, providing a PKCS#11 module for CryptoTokenKit or supporting CryptoTokenKit directly).
Comment 6•6 years ago
Duping to a five year old bug seems ineffective. We need to have a new discussion about this specific problem that wasn't an issue when that bug was opened.
Comment 7•6 years ago
The best way to do that is to continue discussion on the bug it was duped in to. The functional root cause is the same.
Under tokend, CTK presents items stored in the smartcard in the keychain, but does not store copies of the certificates in the keychain. Public keys can be exported if needed. In CTK, smartcard certificates aren’t exposed in the GUI at all, and are made available for use in the OS via CryptoTokenKit. This is an architectural change in how smartcards are used and presented, that is distinctly different from the old bug report.
Updated•6 years ago
Comment 10•6 years ago
Apple just released this article regarding Catalina:
Comment 11•6 years ago
I like the current way FF works with smart cards: through a standard cross-platform interface, a PKCS#11 lib. It does not have to switch to Apple's keychain mechanism, meaning relying on a smart card driver extension to read certificates from the card, log in and do cryptographic operations. This is what the Safari and Chrome browsers are doing.
It is still fine, even good, for FF to continue with P11. The current problem for FF to work with CTK is that it is not capable of accessing smart cards (listing readers, sending APDUs). To have this capability FF needs to be signed with an entitlement enabling com.apple.security.smartcard. Otherwise, ctkd reports "refusing client pid=firefox_pid: TKSmartCardSlot usage not allowed by entitlement 'com.apple.security.smartcard'". Once it is enabled, a P11 lib which accesses smart cards through CTK, instead of legacy PC/SC, will be able to work with FF.
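As an added example (not from this bug or the Firefox code base), a small script that checks the two things this comment describes from the defender's side: whether an app bundle's entitlements actually set com.apple.security.smartcard, and whether ctkd has logged the refusal quoted above. It assumes the entitlements are available as the XML plist that `codesign -d --entitlements :- App.app` prints and that the log lines come from `log show`; the plist and log samples are constructed.

```python
import plistlib
import re

# Entitlement ctkd checks before it lets a process use TKSmartCardSlot
# (the key named in the comment above).
SMARTCARD_ENTITLEMENT = "com.apple.security.smartcard"

# Shape of the refusal ctkd logs when that entitlement is absent.
REFUSAL_RE = re.compile(
    r"refusing client pid=(?P<pid>\d+): TKSmartCardSlot usage not allowed "
    r"by entitlement '(?P<entitlement>[^']+)'"
)

def has_smartcard_entitlement(entitlements_plist: bytes) -> bool:
    """True only if the plist sets the key to boolean true.

    A missing key, <false/>, or a non-boolean value all leave the app
    unable to reach the slot, so they are treated alike.
    """
    entitlements = plistlib.loads(entitlements_plist)
    return entitlements.get(SMARTCARD_ENTITLEMENT) is True

def find_refusals(log_lines):
    """Return (pid, entitlement) for every ctkd refusal in the log lines."""
    hits = []
    for line in log_lines:
        m = REFUSAL_RE.search(line)
        if m:
            hits.append((int(m.group("pid")), m.group("entitlement")))
    return hits

# Constructed sample: entitlements plist with the key set (assumption: this
# is the XML form `codesign -d --entitlements :- App.app` prints).
ENTITLED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.smartcard</key><true/>
</dict></plist>"""

# Constructed sample: an otherwise similar plist without the key.
UNENTITLED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.network.client</key><true/>
</dict></plist>"""

# Constructed sample log lines, modelled on the message quoted above.
SAMPLE_LOG = [
    "ctkd: slot inserted: reader 1",
    "ctkd: refusing client pid=4242: TKSmartCardSlot usage not allowed "
    "by entitlement 'com.apple.security.smartcard'",
]
```

Run `has_smartcard_entitlement` on the real `codesign` output before shipping a build, and `find_refusals` over `log show --predicate 'process == "ctkd"'` output when a user reports that readers do not appear.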
Comment 12•6 years ago
I opened bug 1593041 for the entitlement issue.
Comment 13•6 years ago
I think the key thing to consider is that Firefox should be able to use CryptoTokenKit support out of the box. Other apps like Microsoft Outlook, Adobe Acrobat DC, Pulse Secure, Safari, Chrome etc. work that way. Firefox should too.
Comment 14•4 years ago
dkeeler:
Should this work now with our client certificates support on macOS?
Comment 15•4 years ago
Yes.