Important!

Blog moved to https://blog.apdu.fr/

I moved my blog from https://ludovicrousseau.blogspot.com/ to https://blog.apdu.fr/ . Why? I wanted to move away from Blogger (owne...

Monday, October 14, 2019

macOS Catalina and smart cards status

macOS Catalina (macOS 10.15) is now available since 7th October, 2019.


API Differences between 10.14 and 10.15

The differences should be listed in the "What's New in macOS" developer page for macOS Catalina 10.15.

The changes for Mojave are still not yet available. So maybe the changes for Catalina will also not be listed. The latest macOS version listed is 10.13.

tokend

A tokend is a piece of software used to bridge a cryptographic device (like a smart card) and the CDSA (Common Data Security Architecture) architecture.

Since macOS Lion (10.7 in 2011) the CDSA/tokend technology is deprecated. See "Mac OS X Lion and tokend".

Tokend are now disabled by default in macOS Catalina. See the Apple page "Prepare for smart card changes in macOS Catalina":
macOS includes a modern architecture that supports smart cards. This architecture is based on the CryptoTokenKit framework, which supports authentication, encryption, and signing functions, plus MDM controls for managing smart cards within Enterprise environments. Starting with macOS Catalina, legacy smart card support that uses TokenD will be disabled by default.

It is still possible to enable support of tokend. See SmartCardServices-legacy(7) manpage:

sudo defaults write /Library/Preferences/com.apple.security.smartcard Legacy -bool true

My guess is that tokend support will be completely removed in the next major macOS version (10.16 released in 2020).
It is really time to move away from tokend and migrate to CryptoTokenKit.

PC/SC

Since Yosemite (macOS 10.10 in 2014) the PC/SC layer is no more a fork of pcsc-lite. So comparing versions with pcsc-lite is useless.

% cat /System/Library/Frameworks/PCSC.framework/Versions/A/Resources/version.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
 <key>BuildAliasOf</key>
 <string>CryptoTokenKit</string>
 <key>BuildVersion</key>
 <string>2</string>
 <key>CFBundleShortVersionString</key>
 <string>8.0</string>
 <key>CFBundleVersion</key>
 <string>1</string>
 <key>ProjectName</key>
 <string>SmartCardServices</string>
 <key>SourceVersion</key>
 <string>408011002000000</string>
</dict>
</plist>

The CFBundleShortVersionString is still 8.0 as for Mojave.
The SourceVersion changed from 281200021000000 to 408011002000000. But I have no idea what that means :-).

I know Apple made changes in the PC/SC layer in Catalina because I identified and reported a bug in PC/SC during the beta. The bug has been fixed.

Crypto Token Kit

CryptoTokenKit is the native smart card API since the complete rewrite in macOS Yosemite 10.10 (OS X Yosemite BETA and smart cards status).

% strings /System/Library/Frameworks/CryptoTokenKit.framework/CryptoTokenKit | grep BuildRoot
/BuildRoot/Library/Caches/com.apple.xbs/Sources/CryptoTokenKit/CryptoTokenKit-408.11.2/CryptoTokenKit/TKToken.m
/BuildRoot/Library/Caches/com.apple.xbs/Sources/CryptoTokenKit/CryptoTokenKit-408.11.2/CryptoTokenKit/TKSmartCard.m
/BuildRoot/Library/Caches/com.apple.xbs/Sources/CryptoTokenKit/CryptoTokenKit-408.11.2/CryptoTokenKit/TKTokenConfiguration.m
/BuildRoot/Library/Caches/com.apple.xbs/Sources/CryptoTokenKit/CryptoTokenKit-408.11.2/CryptoTokenKit/TKClientToken.m
/BuildRoot/Library/Caches/com.apple.xbs/Sources/CryptoTokenKit/CryptoTokenKit-408.11.2/CryptoTokenKit/TKTokenKeychainItem.m
/BuildRoot/Library/Caches/com.apple.xbs/Sources/CryptoTokenKit/CryptoTokenKit-408.11.2/CryptoTokenKit/TKTokenConnection.m
/BuildRoot/Library/Caches/com.apple.xbs/Sources/CryptoTokenKit/CryptoTokenKit-408.11.2/CryptoTokenKit/TKTokenSession.m
/BuildRoot/Library/Caches/com.apple.xbs/Sources/CryptoTokenKit_Client/CryptoTokenKit-408.11.2/ctkclient/ctkclient.m

In Catalina CryptoTokenKit source code is at version 408.11.2.
It was at version 281.200.21 in Mojave 10.14.0, 281.1.1 in High Sierra 10.13.0 and 281.50.22 in High Sierra 10.13.6.

Since the source code is not available I can't write much more than that.

CCID


% grep -A 1 CFBundleShortVersionString /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/Info.plist
 <key>CFBundleShortVersionString</key>
 <string>1.4.31</string>

Apple updated the CCID driver from version 1.4.27 in Mojave to 1.4.31 in Catalina.

Version 1.4.31 is the latest version available. I released this version on August 10th 2019.

Conclusion

The smart card integration changed in macOS Catalina.

I may write about more specific details in other articles.