Getting OpenSCToken

OpenSCToken ("Use OpenSC in CryptoTokenKit") by Frank Morgner is a CryptoTokenKit plugin that works with OpenSC.

Fetch OpenSCToken-1.1.dmg, open the .dmg image and copy the application OpenSCTokenApp.app into your /Applications/ directory.
You need to start the OpenSCTokenApp application at least once so that the CryptoTokenKit plugin provided by the application gets registered. The application itself does nothing, and you can quit it right away.

OpenSCToken Comparison with OpenSC.tokend

From the project website:

  • OpenSCToken supports multiple certificates, keys and PINs
  • OpenSCToken has proper support for PIN pad on reader or token
  • OpenSCToken offers easy login with smart card and automatically unlocks the login keychain
  • Tokens are not visible in Keychain Access any more (use sc_auth/security from command line instead)
  • Most non-Apple applications do not yet support CryptoTokenKit. If OpenSCToken is used together with OpenSC.tokend, your token will appear twice in Safari and other Apple-apps.

Check OpenSCToken installation

To check whether the plugin is installed you can use the pluginkit command-line tool.

Before installation:

$ pluginkit -vv -m -p com.apple.ctk-tokens
     com.apple.CryptoTokenKit.setoken(1.0)
             Path = /System/Library/Frameworks/CryptoTokenKit.framework/PlugIns/setoken.appex
             UUID = 4D0E5BB3-D45E-42A1-A0AE-24E0D71A6149
        Timestamp = 2018-07-12 16:37:44 +0000
              SDK = com.apple.ctk-tokens
     Display Name = Secure Enclave Private Key Storage
       Short Name = setoken

     com.apple.CryptoTokenKit.pivtoken(1.0)
             Path = /System/Library/Frameworks/CryptoTokenKit.framework/PlugIns/pivtoken.appex
             UUID = A0B7E31C-443B-4B89-9D57-98D6A3736B86
        Timestamp = 2018-07-12 16:37:44 +0000
              SDK = com.apple.ctk-tokens
     Display Name = Personal Identity Verification token driver
       Short Name = pivtoken
 (2 plug-ins)


After installation:

$ pluginkit -vv -m -p com.apple.ctk-tokens
     org.opensc-project.mac.opensctoken.OpenSCTokenApp.OpenSCToken(1.0)
             Path = /Applications/OpenSCTokenApp.app/Contents/PlugIns/OpenSCToken.appex
             UUID = 327C0A2C-4A43-4BB6-B858-73594115DCFA
        Timestamp = 2018-09-09 14:58:30 +0000
              SDK = com.apple.ctk-tokens
    Parent Bundle = /Applications/OpenSCTokenApp.app
     Display Name = OpenSC token driver
       Short Name = OpenSCToken
      Parent Name = OpenSCTokenApp

     com.apple.CryptoTokenKit.pivtoken(1.0)
             Path = /System/Library/Frameworks/CryptoTokenKit.framework/PlugIns/pivtoken.appex
             UUID = A0B7E31C-443B-4B89-9D57-98D6A3736B86
        Timestamp = 2018-07-12 16:37:44 +0000
              SDK = com.apple.ctk-tokens
     Display Name = Personal Identity Verification token driver
       Short Name = pivtoken

     com.apple.CryptoTokenKit.setoken(1.0)
             Path = /System/Library/Frameworks/CryptoTokenKit.framework/PlugIns/setoken.appex
             UUID = 4D0E5BB3-D45E-42A1-A0AE-24E0D71A6149
        Timestamp = 2018-07-12 16:37:44 +0000
              SDK = com.apple.ctk-tokens
     Display Name = Secure Enclave Private Key Storage
       Short Name = setoken

 (3 plug-ins)


This more verbose output tells you where on disk the plugin is located.
To remove/uninstall the plugin, simply delete the application that contains/provides it.
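The pluginkit listing above can be checked by a script rather than by eye. The following shell script is an added example, not part of this FAQ or of the OpenSCToken project: it parses the verbose `pluginkit -vv -m -p com.apple.ctk-tokens` output into "bundle id / path" pairs and reports whether the OpenSCToken plugin is registered and where it lives. It assumes the output layout shown above (an indented "bundle.id(version)" line followed by a "Path = ..." line); the embedded sample is a constructed copy of the post-installation output so the parser also runs on a machine without pluginkit.

```shell
#!/bin/sh
# Added example (not from the OpenSCToken project or this FAQ): parse the
# verbose pluginkit listing and check whether a CryptoTokenKit plugin is registered.

# Bundle id of the OpenSCToken plugin as shown by pluginkit on this page.
OPENSC_PLUGIN_ID="org.opensc-project.mac.opensctoken.OpenSCTokenApp.OpenSCToken"

# Constructed sample: a trimmed copy of the post-installation pluginkit output,
# used when pluginkit is not available (i.e. when not running on macOS).
SAMPLE_PLUGINKIT_OUTPUT='     org.opensc-project.mac.opensctoken.OpenSCTokenApp.OpenSCToken(1.0)
             Path = /Applications/OpenSCTokenApp.app/Contents/PlugIns/OpenSCToken.appex
             UUID = 327C0A2C-4A43-4BB6-B858-73594115DCFA
               SDK = com.apple.ctk-tokens
     Parent Bundle = /Applications/OpenSCTokenApp.app
      Display Name = OpenSC token driver

     com.apple.CryptoTokenKit.pivtoken(1.0)
             Path = /System/Library/Frameworks/CryptoTokenKit.framework/PlugIns/pivtoken.appex
               SDK = com.apple.ctk-tokens

 (2 plug-ins)'

# stdin: pluginkit -vv output.  stdout: one "bundle-id<TAB>path" line per plugin.
ctk_parse_plugins() {
    awk '
        # A plugin record starts with an indented "bundle.id(version)" line.
        /^[[:space:]]*[A-Za-z0-9._-]+\([0-9.]+\)[[:space:]]*$/ {
            id = $1; sub(/\(.*\)$/, "", id); next
        }
        # The "Path = ..." line that follows belongs to the current record.
        /^[[:space:]]*Path = / && id != "" {
            sub(/^[[:space:]]*Path = /, ""); printf "%s\t%s\n", id, $0; id = ""
        }'
}

# Print the on-disk path of plugin $1 from the listing on stdin; exit 1 if it is absent.
ctk_plugin_path() {
    ctk_parse_plugins | awk -F '\t' -v want="$1" '$1 == want { print $2; found = 1 } END { exit !found }'
}

# Live listing on macOS, the constructed sample elsewhere.
ctk_listing() {
    if command -v pluginkit >/dev/null 2>&1; then
        pluginkit -vv -m -p com.apple.ctk-tokens
    else
        printf '%s\n' "$SAMPLE_PLUGINKIT_OUTPUT"
    fi
}

if path=$(ctk_listing | ctk_plugin_path "$OPENSC_PLUGIN_ID"); then
    echo "OpenSCToken plugin registered at: $path"
else
    echo "OpenSCToken plugin is NOT registered (start OpenSCTokenApp.app once)"
fi
```

Because the path comes straight from pluginkit, the same check also tells you which application to delete when you want to uninstall the plugin.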

List inserted token / Smart Cards

If your smart card is supported by one of the installed CryptoTokenKit plugins, you will see it in the output of the command "security list-smartcards".

$ security list-smartcards
org.opensc-project.mac.opensctoken.OpenSCTokenApp.OpenSCToken:3015061316010310

Displaying the Smart Card content

There are different ways to display the content of the card.

system_profiler SPSmartCardsDataType

$ system_profiler SPSmartCardsDataType
SmartCards:

    Readers:

      #01: certgate AirID AID21918200007 via BLE (ATR:<3bd21802 ..... ......>)

    Reader Drivers:

      #01: org.debian.alioth.pcsclite.smartcardccid:1.4.27 (/usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle)
      #02: com.certgate.macos.ifd-airid-ble:0.1.0 (/usr/local/libexec/SmartCardServices/drivers/ifd-airid-ble.bundle)
      #03: com.certgate.macos.airid.smartcardccid:1.4.30 (/usr/local/libexec/SmartCardServices/drivers/ifd-airid-ccid.bundle)

    Tokend Drivers:

      #01: com.apple.tokend.opensc:1.0 (/Library/Security/tokend/OpenSC.tokend)

    SmartCard Drivers:

      #01: org.opensc-project.mac.opensctoken.OpenSCTokenApp.OpenSCToken:1.1 (/Applications/OpenSCTokenApp.app/Contents/PlugIns/OpenSCToken.appex)
      #02: com.apple.CryptoTokenKit.pivtoken:1.0 (/System/Library/Frameworks/CryptoTokenKit.framework/PlugIns/pivtoken.appex)

    Available SmartCards (keychain):

        org.opensc-project.mac.opensctoken.OpenSCTokenApp.OpenSCToken:16910E24C8C6071028:

          #01: Kind: private RSA 2048-bit, Certificate: <20105e07 9019fdcc 8c1e4208 ded27e52 e327f56d>, Usage: Sign Decrypt Unwrap
Valid from: 2019-06-25 13:15:49 +0000 to: 2020-06-25 13:15:49 +0000, SSL trust: NO, X509 trust: YES

-----BEGIN CERTIFICATE-----
MIIGFzCCBP+gAwIBA .....
-----END CERTIFICATE-----


    Available SmartCards (token):

        org.opensc-project.mac.opensctoken.OpenSCTokenApp.OpenSCToken:16910E24C8C6071028:

          #01: Kind: private RSA 2048-bit, Certificate: <20105e07 9019fdcc 8c1e4208 ded27e52 e327f56d>, Usage: Sign Decrypt Unwrap
Valid from: 2019-06-25 13:15:49 +0000 to: 2020-06-25 13:15:49 +0000, SSL trust: NO, X509 trust: YES

-----BEGIN CERTIFICATE-----
MIIGFzCCBP+gAwIBA .....
-----END CERTIFICATE-----


Pairing an AirID via Bluetooth for the first time (BLE Pairing)

To be able to use an AirID device for the first time, it needs to be paired via macOS System Bluetooth.

Bluetooth pairing will be initiated after selecting your AirID in AirID Central software from the list "Scan for new AirID".

After the AirID has been selected you should see a pop-up dialog window like the one below:

After confirming by pushing the "Connection/Verbinden" button it looks similar to

Pairing a card to a user account (CTK Pairing)

After inserting the card you should see a dialog window like the one below.

Click on "Pair" to associate the card's private key with the user account.

You will need to enter your account password:

Now enter your user account password


Then enter the card PIN code:

And the user account again:

Finally, the pairing of your certificate to your user account id is done.

Using an untrusted Certification Authority

Note that you can pair a card certificate to a user even if the certificate is not trusted. In my case the certificate is issued and signed by CAcert. This Certification Authority is not trusted by macOS (you can see that in the Keychain Access screenshot), but you can still use the untrusted certificate to log in.

Check CTK pairing

You can now check that your account is paired to the card:

$ sc_auth list
Hash: 0B1BEA814EE563AAD70C33D5C7F82472AB26C4C8


Unpairing a user / certificate from CTK

You can unpair a user with:

$ sc_auth unpair -u <userid> -h <hash>

Then check again which certificates are paired to your user id:

$ sc_auth list


You will get the pairing dialog again after removing and inserting the card again. So it is easy to play with the pairing process.
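Since `sc_auth list` reports the hashes paired to the account, the two sections above (checking the pairing and unpairing) can be turned into a small audit: compare the paired hashes against the ones you expect and report anything extra or missing. The following shell script is an added example, not part of this FAQ or of the OpenSCToken project. It assumes the one-hash-per-line "Hash: ..." format shown above; the allowlist and the second hash in the sample are constructed, and the script only prints the `sc_auth unpair` command for an unexpected pairing rather than running it.

```shell
#!/bin/sh
# Added example (not from the OpenSCToken project or this FAQ): audit the certificate
# hashes paired to a user account against an allowlist of expected hashes.  Dry run:
# nothing is unpaired, the script only prints what it found.

# Constructed sample of `sc_auth list` output: the hash shown on this page plus a
# made-up second hash standing in for a pairing that should not be there.
SAMPLE_SC_AUTH_LIST='Hash: 0B1BEA814EE563AAD70C33D5C7F82472AB26C4C8
Hash: 1111111111111111111111111111111111111111'

# Hashes this account is expected to be paired with (constructed allowlist,
# whitespace separated).
EXPECTED_HASHES='0B1BEA814EE563AAD70C33D5C7F82472AB26C4C8'

# stdin: sc_auth list output.  stdout: the hex hashes, one per line, upper-cased.
sc_auth_hashes() {
    awk '/^Hash:[[:space:]]*[0-9A-Fa-f]+[[:space:]]*$/ { print toupper($2) }'
}

# Print hashes present in the listing on stdin that are not in the allowlist $1.
unexpected_pairings() {
    allow=" $(printf '%s' "$1" | tr '\n' ' ') "
    sc_auth_hashes | while IFS= read -r h; do
        case "$allow" in
            *" $h "*) ;;                 # expected hash, nothing to report
            *) printf '%s\n' "$h" ;;
        esac
    done
}

# Print hashes from the allowlist $1 that are missing from the listing on stdin.
missing_pairings() {
    seen=" $(sc_auth_hashes | tr '\n' ' ') "
    for h in $1; do
        case "$seen" in
            *" $h "*) ;;                 # paired as expected
            *) printf '%s\n' "$h" ;;
        esac
    done
}

# Live listing on macOS, the constructed sample elsewhere.
sc_auth_listing() {
    if command -v sc_auth >/dev/null 2>&1; then
        sc_auth list
    else
        printf '%s\n' "$SAMPLE_SC_AUTH_LIST"
    fi
}

user=${USER:-unknown}
sc_auth_listing | unexpected_pairings "$EXPECTED_HASHES" | while IFS= read -r h; do
    echo "unexpected pairing $h; to remove it run: sc_auth unpair -u $user -h $h"
done
sc_auth_listing | missing_pairings "$EXPECTED_HASHES" | while IFS= read -r h; do
    echo "expected pairing $h is missing; insert the card and pair it again"
done
```

Run this after pairing to record the hash you expect, and again whenever a user reports a login problem: an extra hash points at a pairing you did not make, a missing one means the card was unpaired (or the dialog was dismissed with "Do not show again", see below).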

CTK Pairing dialog status

Show Status of CTK pairing

You can display the status of the CTK pairing by issuing

$ sc_auth pairing_ui -s status
SmartCard Pairing dialog is enabled.

Disable CTK pairing

If you click on "Do not show again" in the pairing dialog box, the dialog will not be displayed again.

You can also disable the pairing dialog from the command line using:

$ sc_auth pairing_ui -s disable
SmartCard Pairing dialog is disabled.

Enable CTK pairing

You can re-enable the pairing dialog using:

$ sc_auth pairing_ui -s enable


