OpenSCToken: Use OpenSC in CryptoTokenKit by Frank Morgner is a CryptoTokenKit plugin that works with OpenSC.
Fetch OpenSCToken-1.1.dmg, open the .dmg image, and copy the application OpenSCTokenApp.app into your /Applications/ directory.
You need to start the OpenSCTokenApp application at least once to register the CryptoTokenKit plugin provided by the application. The application itself does nothing, so you can quit it right away.
OpenSCToken Comparison with OpenSC.tokend
From the project website:
- OpenSCToken supports multiple certificates, keys and PINs
- OpenSCToken has proper support for PIN pad on reader or token
- OpenSCToken offers easy login with smart card and automatically unlocks the login keychain
- Tokens are not visible in Keychain Access any more (use sc_auth/security from command line instead)
- Most non-Apple applications do not yet support CryptoTokenKit. If OpenSCToken is used together with OpenSC.tokend, your token will appear twice in Safari and other Apple-apps.
Check OpenSCToken installation
To check if the plugin is installed you can use the pluginkit command line tool.
This more verbose output allows you to know where on disk the plugin is found.
To remove/uninstall the plugin you just have to delete the application containing/providing the plugin.
List inserted token / Smart Cards
If your smart card is supported by one of the installed CryptoTokenKit plugins, you will see it using the command "security list-smartcards".
Displaying the Smart Card content
There are different ways to display the content of the card.
Pairing an AirID via Bluetooth for the first time (BLE Pairing)
To be able to use an AirID device for the first time, it needs to be paired via macOS System Bluetooth. This process happens automatically after configuring the serial number for the AirID, updating /etc/reader.conf and rebooting the system.
After the serial number configuration is done and the macOS PC/SC daemon picks up the changes, you should see a dialog window like the one below
After confirming by pushing the "Connection/Verbinden" button it looks similar to
Pairing a card to a user account (CTK Pairing)
Now enter your user account password
Then enter the card PIN code:
And the user account again:
Finally the pairing of your certificate to your user account id is done
Using an untrusted Certification Authority
Note that you can pair a card certificate to a user even if the certificate is not trusted. In my case the certificate is issued and signed by CAcert. This Certification Authority is not trusted by macOS (you can see that in the Keychain Access screenshot) but you can still use the untrusted certificate to log in.
Check CTK pairing
You can now check that your account is paired to the card
Unpairing a user / Certificate from CTK
You can unpair a user
Check again paired certificates to your user id
You will get the pairing dialog again after removing and inserting the card again. So it is easy to play with the pairing process.
CTK Pairing dialog status
Show Status of CTK pairing
You can display the status of the CTK pairing by issuing
Disable CTK pairing
If you click on "Do not show again" in the pairing dialog box, the dialog will not be displayed again.
You can check the pairing dialog status using:
Enable CTK pairing
You can re-enable the pairing dialog using:
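The read-only checks described on this page (plugin registration, inserted tokens, certificates paired to a user, pairing dialog status) combined into one script. This is an added example, not code from the original page or from the OpenSCToken project. The function names are hypothetical, and the output patterns it matches (an extension line containing "OpenSCToken", a "Hash:" prefix, the words enabled/disabled) are assumptions to verify on your macOS version.

```shell
#!/bin/sh
# Added example: read-only health check for OpenSCToken and CTK pairing (macOS).
# Parsing patterns are assumptions about tool output; adjust them if yours differs.

# Succeeds if a CryptoTokenKit extension whose id contains "OpenSCToken" is registered.
ctk_plugin_registered() {
    pluginkit -m -p com.apple.ctk-tokens 2>/dev/null | grep -qi 'opensctoken'
}

# Prints the number of tokens macOS sees (assumed "<token id>:<serial>" per line).
ctk_token_count() {
    security list-smartcards 2>/dev/null | grep -c '^[^ ]*:' || true
}

# Prints the certificate hashes paired with user $1, one per line.
ctk_paired_hashes() {
    sc_auth list -u "$1" 2>/dev/null | sed -n 's/^Hash:[[:space:]]*//p'
}

# Prints enabled, disabled or unknown for the pairing dialog.
ctk_pairing_ui_state() {
    case "$(sc_auth pairing_ui -s status 2>/dev/null)" in
        *disabled*) echo disabled ;;
        *enabled*)  echo enabled ;;
        *)          echo unknown ;;
    esac
}

# Prints a summary; returns 0 only if the plugin is registered, a token is
# present and the user has at least one paired certificate.
ctk_check() {
    user=${1:-$(id -un)}; rc=0
    if ctk_plugin_registered; then echo "plugin:  registered"
    else echo "plugin:  not registered (start OpenSCTokenApp once)"; rc=1; fi
    tokens=$(ctk_token_count)
    echo "tokens:  $tokens"
    [ "$tokens" -gt 0 ] || rc=1
    hashes=$(ctk_paired_hashes "$user")
    if [ -n "$hashes" ]; then echo "paired:  $user -> $hashes"
    else echo "paired:  none for $user"; rc=1; fi
    echo "dialog:  $(ctk_pairing_ui_state)"
    return $rc
}

# Run the summary only on macOS, where these tools exist.
if [ "$(uname -s)" = "Darwin" ]; then ctk_check "$@"; fi
```

Because certificates from an untrusted CA can still be paired, reviewing the hashes reported for each account is a useful audit step.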