
Friday, August 26, 2011

Mac OS X Lion and tokend

This article is not very technical. This is part of my view of the tokend situation.

It follows the two previous articles about Lion: Mac OS X Lion and smart cards status and Mac OS X Lion and OpenSSL.

Tokend

A tokend is a piece of software that bridges a cryptographic device (like a smart card) and CDSA (Common Data Security Architecture). CDSA and tokend are now deprecated by Apple: [Fed-Talk] [Announcement] OS X Lion - Smart Card Services (emphasis is mine):
" The foundational components for Smart Card Services in OS X have been based on an architecture (CDSA) that has been deprecated in the released version of OS X Lion.

This indicates CDSA's use and support has stopped and will be removed completely in a future release of OS X.

Any solution for OS X still leveraging the deprecated CDSA can continue to function for now, but the CDSA infrastructure would no longer receive enhancements or bug fixes.

CDSA will no longer ship in future releases of OS X. "
This email is written by Shawn Geddis, Security Consulting Engineer. Shawn works at Apple.

Tokend from Apple

So in Mac OS X 10.7 Lion no tokend is provided any more. The directory /System/Library/Security/tokend/ is empty on a fresh Lion installation.

Tokend from other sources

In the same email Shawn gives some options to replace the tokend no longer provided by Apple:

  • Open Source Options (from "Apple")

    The source code of the tokend provided by Apple (in Tiger, Leopard and Snow Leopard) was already available as Free Software from the Smart Card Services project. It is now the official source to get them.
  • Open Source Options (from the rest of the world)

    The OpenSC project provides a tokend to be used with OpenSC. The tokend is included in the installer for Mac OS X.
  • Commercial Options

    Commercial tokend from third parties should still be available and usable on Lion.

Since installing a tokend from source code is not a trivial task, "Apple" provides an installer. It is not really Apple that provides the installer but the Smart Card Services project. So bugs should be reported to the project bug tracker.

Note that these tokend are (still) signed by Apple:
$ codesign --display --verbose=4 /System/Library/Security/tokend/CACNG.tokend
Executable=/System/Library/Security/tokend/CACNG.tokend/Contents/MacOS/CACNG
Identifier=com.apple.tokend.cacng
Format=bundle with Mach-O universal (i386 ppc7400 x86_64)
CodeDirectory v=20100 size=1351 flags=0x0(none) hashes=61+3 location=embedded
Hash type=sha1 size=20
CDHash=b41a98c192eb5196353926288ff208b5d2415a3e
Signature size=4064
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist entries=9
Sealed Resources rules=10 files=6
Internal requirements count=1 size=148
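The signer matters when you inventory what is installed: a Smart Card Services tokend carries Apple's own "Software Signing" chain, while a third-party tokend (OpenSC, a commercial vendor) is signed by someone else, and an unsigned bundle produces no Authority lines at all. Note that every chain issued by Apple ends in "Apple Root CA", so checking the root alone does not tell you who signed the bundle; the whole chain has to be compared. The script below is an added example, not code from the blog or the Smart Card Services project. It classifies a bundle from the `codesign --display --verbose=4` report (which codesign writes to stderr, hence the `2>&1`). The CACNG sample is the output shown above; the third-party and unsigned samples are constructed for the demonstration, and the vendor names in them are placeholders. The path /Library/Security/tokend as the location of third-party tokend bundles is an assumption.

```shell
#!/bin/sh
# Added example: classify the signer of a tokend bundle from codesign's report.

# Apple's first-party chain, as seen on the CACNG.tokend report above.
APPLE_CHAIN='Software Signing,Apple Code Signing Certification Authority,Apple Root CA'

# Sample 1: the report shown in the post (Apple-signed CACNG.tokend).
CACNG_SAMPLE='Executable=/System/Library/Security/tokend/CACNG.tokend/Contents/MacOS/CACNG
Identifier=com.apple.tokend.cacng
Format=bundle with Mach-O universal (i386 ppc7400 x86_64)
CodeDirectory v=20100 size=1351 flags=0x0(none) hashes=61+3 location=embedded
Hash type=sha1 size=20
CDHash=b41a98c192eb5196353926288ff208b5d2415a3e
Signature size=4064
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist entries=9
Sealed Resources rules=10 files=6
Internal requirements count=1 size=148'

# Sample 2 (constructed): a hypothetical third-party tokend whose chain still
# roots in Apple Root CA, which is why the root alone is not a useful check.
THIRD_PARTY_SAMPLE='Executable=/Library/Security/tokend/Example.tokend/Contents/MacOS/Example
Identifier=org.example.tokend.example
Format=bundle with Mach-O thin (i386)
Authority=Example Vendor Tokend Signing (PLACEHOLDER)
Authority=Example Vendor Certification Authority (PLACEHOLDER)
Authority=Apple Root CA'

# Sample 3 (constructed): codesign's message for a bundle with no signature.
UNSIGNED_SAMPLE='/Library/Security/tokend/Unsigned.tokend: code object is not signed at all'

# Print the Authority= values of a report (stdin) in order, comma-separated.
authority_chain() {
    awk -F= '/^Authority=/ { chain = (chain == "" ? $2 : chain "," $2) } END { print chain }'
}

# Print the Identifier= value of a report (stdin).
identifier_of() {
    sed -n 's/^Identifier=//p'
}

# Classify a report (stdin) as apple, third-party, unsigned or unknown.
classify_signer() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'not signed at all'; then
        echo unsigned
        return 0
    fi
    chain=$(printf '%s\n' "$out" | authority_chain)
    if [ "$chain" = "$APPLE_CHAIN" ]; then
        echo apple
    elif [ -n "$chain" ]; then
        echo third-party
    else
        echo unknown
    fi
}

# Real-world usage (macOS only): list every installed tokend and its signer class.
# Both directories are assumptions about where tokend bundles live.
audit_tokend_dirs() {
    for d in /System/Library/Security/tokend /Library/Security/tokend; do
        for b in "$d"/*.tokend; do
            [ -e "$b" ] || continue
            printf '%s\t%s\n' "$b" "$(codesign --display --verbose=4 "$b" 2>&1 | classify_signer)"
        done
    done
}

# Offline demonstration on the embedded samples.
for s in CACNG_SAMPLE THIRD_PARTY_SAMPLE UNSIGNED_SAMPLE; do
    eval "report=\$$s"
    printf '%s\t%s\n' "$s" "$(printf '%s\n' "$report" | classify_signer)"
done
```

Run `audit_tokend_dirs` on a Lion machine to see which installed tokend bundles are Apple-signed, third-party or unsigned; a bundle that classifies as unsigned or carries a chain you do not recognise deserves a closer look before the card it handles is trusted for login or signing.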

Smart Card Services project

This project was started by Shawn Geddis in January 2009. The members of the project are listed on this page.

I was invited to join the team to work on the pcsc-lite and CCID parts. These parts are still provided by Apple in Lion.

I am not an Apple employee, so I know none of Apple's secret plans. For example I do not know why Lion provides the CCID driver version 1.3.11 and not a more recent version (the latest is 1.4.4). See Mac OS X Lion and smart cards status for more information.

You can see from the project bug tracker that a lot of bugs are open and some are quite old now (like this one requesting help about a tokend for Mac OS X 10.4 Tiger on a G4 processor). It is hard to get people working for free on a project. So if Apple does not invest some manpower into fixing bugs and answering bug reports, the bugs will not be fixed.

After tokend

I guess Apple is working on something to replace tokend once CDSA is removed. But I have no idea what it will be.

Conclusion

My interpretation is that Apple is doing with tokend what they also do with Java and Flash: they let other people/companies provide and maintain the software.

[update] Added an "Open Source Options (from the rest of the world)" item.