Friday, October 2, 2015

OS X El Capitan and smart cards status

El Capitan (OS X 10.11) is now out since 30th September, 2015.

As I did with the previous major versions of Mac OS X Yosemite, Mavericks, Mountain Lion (and Lion) I will list changes in El Capitan regarding the smart card world.


API Differences between 10.10 and 10.11

The differences are listed in the developer page OS X El Capitan v10.11. The page only document big changes. The smart card changes are not listed there :-)

A complete list of API changes is at OS X v10.11 API Diffs. Regarding the smart card world we have:
The CryptoTokenKit API has changed. Some methods have been modified, some methods have been added.

I note two sets of new methods: TKSmartCardPIN* and TKSmartCardUserInteractionFor*. It looks like Apple wants to provide a nice User eXperience regarding PIN management.

I hope Apple will provide more documentation than the .h header file and some code samples.
I will try to rebuild my Crypto Token Kit Objective-C and Swift examples on El Capitan to check if they still work.

PC/SC

Since Yosemite (10.10) the PC/SC layer is no more a fork of pcsc-lite. So comparing versions with pcsc-lite is useless.

$ cat /System/Library/Frameworks/PCSC.framework/Versions/A/Resources/version.plist 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
 <key>BuildAliasOf</key>
 <string>CryptoTokenKit</string>
 <key>BuildVersion</key>
 <string>13</string>
 <key>CFBundleShortVersionString</key>
 <string>8.0</string>
 <key>CFBundleVersion</key>
 <string>1</string>
 <key>ProjectName</key>
 <string>SmartCardServices</string>
 <key>SourceVersion</key>
 <string>79001001000000</string>
</dict>
</plist>


The BuildVersion changed from 1 on Yosemite to 13 on El Capitan, and SourceVersion changed from 22020004000000 to 79001001000000. I have no idea what the SourceVersion "number" is.

It looks like Apple made 12 builds of the PC/SC framework since Yosemite 10.10.

Bugs fixed

At least one bug remains: PC/SC functions crash after a fork(2). But this bug may be hard to fix.

I updated my blog article OS X Yosemite and smart cards: known bugs.

Maybe new bugs will be found on El Capitan. But I have not yet found any after just a few hours of tests.

CCID driver

Driver version 1.4.14.
No change since Yosemite.

$ grep -A 1 CFBundleShortVersionString /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/Info.plist
 <key>CFBundleShortVersionString</key>
 <string>1.4.14</string>

New driver location

The System Integrity Protection (SIP) introduced in El Capitan impose that custom PC/SC drivers are now installed in /usr/local/libexec/SmartCardServices/drivers/.

Only the CCID driver provided by Apple is still in /usr/libexec/SmartCardServices/drivers/.

Tokend

Because of SIP, the tokend needs to be installed in /Library/Security/tokend/ now instead of /System/Library/Security/tokend/.

The tokend and CDSA are still usable. I just fixed the PKCS11.tokend so that it looks for PKCS#11 libraries in /usr/local/lib/pkcs11/ if /usr/lib/pkcs11/ does not exist (as it is the case on El Capitan because of SIP again).

Conclusion

Most of the remaining PC/SC bugs fixed.
tokend still usable.
Some new Crypto Token Kit methods.