Etoken

From Emre's Wiki

Revision as of 07:12, 28 May 2009 by 89.247.8.24 (Talk)


eToken and Mac OS

Using an Aladdin eToken Pro on Mac OS X (10.5.X) is not an easy task, as Aladdin obviously does not concentrate on software development for Mac.

I have done some tests with my eToken Pro 64 and got most of my preferred usage scenarios covered by combining the official Aladdin PKI software and software from the OpenSC Project.

This page describes the usage scenarios I have looked into and which software components and configuration were used.

Many thanks to Joao Pedro for providing help on combining OpenSC with Aladdin middleware! :)

Usage Scenarios

Feature | Description | Status
Local Login | You want to insert your token and enter a PIN to log in to your Mac locally | green
SSH Authentication | You want to use a key on your token to log in remotely to some other server via SSH | green
SSL Authentication | You want to use a certificate stored on the token to log in to remote websites that support client-side SSL authentication | yellow
Filevault Encryption | You want to use a key on your token to encrypt your home directory with Filevault | red
IPSec VPN Authentication | You want to use a certificate stored on the token to log in to a remote IPSec VPN concentrator | green
Credential Encryption Thunderbird & Firefox | You want to encrypt your credentials saved in Mozilla Thunderbird and Mozilla Firefox with a key on the token | green
Token Compatibility with Windows | You want to use your token on Mac and on Windows | red
Support for Keysize of 2048 | There are patches available that let you use keys with a size of 2048. However, I did not follow this path | yellow
Support for GPG | You want to use a key on your token to sign and decrypt mail with GPG | yellow
Support for S/Mime | You want to use a key on your token to sign and decrypt mail with S/Mime | yellow

Notes on Filevault Encryption

This one does not work. Strangely enough, Apple announced exactly this feature for Leopard in the "300+" feature list:

Enhanced Smart Card Capabilities: "Let your smart card do more. Now you can use a smart card to unlock FileVault volumes and your keychain, and configure your Mac to lock the screen when a smart card is removed."

Either a misunderstanding on my side or a blatant lie ;-)

Update: there has been mention lately that indeed some way exists to use a key on a token for FileVault: http://osdir.com/ml/apple-cdsa/2009-05/msg00027.html

I am currently *guessing* that this way might involve putting the master FileVault recovery key on a token. I'd love to test it :)

Notes on IPSec VPN

There are two IPSec VPN clients for Mac out there that I know of:

IPSecuritas does not support certificate based authentication to VPN endpoints.

VPNTracker seems to support certificate based authentication. A quick peek at the demo showed a configuration option for certificates. After inserting the token, the identities showed up as possible certificates. I guess this one works.

Notes on Credential Encryption for Mozilla

Generally this feature works, however I have noticed strange behaviour of Firefox since adding the pkcs11 library as a crypto engine: pages I visited were sometimes displayed only half (bottom part is empty) and the list of downloaded files was suddenly empty at some point.

Removing the library resolved all the issues so I guess usage of OpenSC with Mozilla software is not to be considered stable at this moment.

Notes on GPG Support

Presumably this feature works. I have not tested it but some documentation is available at http://www.rainerkeller.de/etoken.html.

If you get this working on a Mac, please drop me a line so I can add the info to the Wiki.

Better yet, add it yourself to the Wiki :)

Notes on S/Mime Support

I have no idea if this feature works. I thought it would be a good idea to list it though, for the sake of completeness.

If you have details on this, feel free to contact me and share your knowledge.

Generating a Certificate

This one assumes that you will be creating your certificate on some trusted system that is running Mac OS X. Of course you can use any other Unixoid OS that has the required tools available. Please be sure to adjust the paths when not using Mac OS X.

Preparing everything

mkdir ~/cert-stuff
cd ~/cert-stuff
mkdir demoCA
mkdir demoCA/certs
mkdir demoCA/crl
mkdir demoCA/private
mkdir demoCA/newcerts
touch demoCA/index.txt
echo 01 > demoCA/serial

Create CA Cert

/usr/bin/openssl req -new -x509 -newkey rsa:1024 -sha1 \
 -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem -days 3650

Create User Cert Request

/usr/bin/openssl req -new -newkey rsa:1024 -sha1 -keyout newkey.pem -out newreq.pem -days 3650

Sign Request

/usr/bin/openssl ca -md sha1 -policy policy_anything -out newcert.pem -infiles newreq.pem

Convert to P12

/usr/bin/openssl pkcs12 -in newcert.pem -inkey newkey.pem -certfile demoCA/cacert.pem -out newcert.p12 -export -name "My P12 File"

Installing Software

You need two software components:

  • Aladdin PKI Client for Mac version 4.55: this software comes in three flavours (full, limited and minimal). Minimal is just fine as we only need the USB recognition layer of the software. A new version 5.0 is announced for Q2 2009. I will adjust this Howto as soon as it is available.
  • OpenSC Mac OS X Installer SCA package: to make the command line binaries from this package easily available, you might want to add /Library/OpenSC/bin to your PATH variable in /etc/profile.

Further steps:

  • If it exists, remove the token cache with "sudo rm -rf /var/db/TokenCache/tokens"
  • Move the Aladdin PKI tokend out of the way, so it will not mess around "sudo mv /System/Library/Security/tokend/ETOKEND.tokend /to/some/place"
  • Reboot

Initializing the Token

Format the token to contain a PKCS15 data structure (as opposed to the Aladdin proprietary structure) and import your certs/keys.

Please note that you will lose any data on that token! You have been warned!

  • pkcs15-init -EC -P --label "eToken-Name" -a 01 --no-so-pin
  • pkcs15-init -S etoken.p12 -f PKCS12 --key-usage sign -a 01 (etoken.p12 being the P12 file you exported above) - Do not use option "--split-keys" or you might run into problems
  • See if you can list your key with "sc_auth hash"

Configuring Local Login

  • Associate the key on your token with a user account for login: sc_auth accept -u yourname -h yourhash

Log out, remove the token and insert it again.

You should be prompted for a PIN.

Configuring SSH Authentication

Credit where credit is due: the following information was taken from http://www.rocketnews.de/wiki/eTokenMac.

List your keys on the token and retrieve the ID of the key you want to use:

# pkcs15-tool -k

Private RSA Key [Private Key]
       Com. Flags  : 3
       Usage       : [0x20], unwrap
       Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
       ModLength   : 1024
       Key ref     : 16
       Native      : yes
       Path        : 3f005015
       Auth ID     : 01
       ID          : 45

Private RSA Key [Private Key]
       Com. Flags  : 3
       Usage       : [0xC], sign, signRecover
       Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
       ModLength   : 1024
       Key ref     : 17
       Native      : yes
       Path        : 3f005015
       Auth ID     : 01
       ID          : 45

The entry "ID" is the one we are looking for.

Extract it: pkcs15-tool --read-ssh-key 45 | grep ssh-rsa > sshpublic.key

Copy the key over to your server and append it to the appropriate file ("/home/you/.ssh/authorized_keys").

Login to your server with public key authentication: scssh -I 0 hostname
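The listing above shows two private keys that both carry ID 45, but only the second one has "sign" in its usage, and SSH public-key authentication needs a signing-capable key. The following is an added example (not code from this page or from OpenSC) that parses a constructed copy of that `pkcs15-tool -k` output, picks the key IDs that can sign, builds the extraction command from the page, and flags moduli below 2048 bits.

```python
from typing import Dict, List, Tuple

# Constructed sample: the pkcs15-tool -k listing shown on this page (two keys, both ID 45)
SAMPLE_LISTING = """\
Private RSA Key [Private Key]
       Com. Flags  : 3
       Usage       : [0x20], unwrap
       Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
       ModLength   : 1024
       Key ref     : 16
       Native      : yes
       Path        : 3f005015
       Auth ID     : 01
       ID          : 45

Private RSA Key [Private Key]
       Com. Flags  : 3
       Usage       : [0xC], sign, signRecover
       Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
       ModLength   : 1024
       Key ref     : 17
       Native      : yes
       Path        : 3f005015
       Auth ID     : 01
       ID          : 45
"""

def parse_pkcs15_keys(listing: str) -> List[Dict[str, str]]:
    """Split a `pkcs15-tool -k` listing into one dict of fields per key object."""
    keys: List[Dict[str, str]] = []
    current = None
    for line in listing.splitlines():
        if line.startswith("Private RSA Key"):       # header line starts a new key object
            current = {"type": line.strip()}
            keys.append(current)
        elif current is not None and line.startswith(" ") and ":" in line:
            field, _, value = line.partition(":")    # "Usage       : [0xC], sign" -> field/value
            current[field.strip()] = value.strip()
    return keys

def usage_flags(key: Dict[str, str]) -> List[str]:
    """'[0xC], sign, signRecover' -> ['sign', 'signRecover'] (drops the hex mask)."""
    parts = [p.strip() for p in key.get("Usage", "").split(",")]
    return [p for p in parts[1:] if p]

def ssh_key_candidates(listing: str) -> List[Tuple[str, str, int]]:
    """(ID, Key ref, ModLength) for every key whose usage permits signing."""
    return [(k["ID"], k["Key ref"], int(k["ModLength"]))
            for k in parse_pkcs15_keys(listing) if "sign" in usage_flags(k)]

def extraction_command(listing: str) -> str:
    """The page's --read-ssh-key pipeline, filled in with the first signing-capable ID."""
    key_id = ssh_key_candidates(listing)[0][0]
    return f"pkcs15-tool --read-ssh-key {key_id} | grep ssh-rsa > sshpublic.key"

def weak_modulus_keys(listing: str, minimum_bits: int = 2048) -> List[str]:
    """Key refs whose RSA modulus is shorter than minimum_bits (1024-bit keys on this token)."""
    return [k["Key ref"] for k in parse_pkcs15_keys(listing) if int(k["ModLength"]) < minimum_bits]
```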

Configuring Mozilla Software

You can add the OpenSC PKCS11 library to Mozilla Firefox and Mozilla Thunderbird as cryptographic provider (names of menu items might be wrong due to my translation - I am using the German version).

  • Mozilla Firefox:
    • Go to "Firefox" -> "Settings" -> "Extended" (?) -> "Encryption" (?) -> "Cryptography Modules" -> "Load"
    • Specify a name for the module
    • Specify /Library/OpenSC/lib/pkcs11/opensc-pkcs11.so as path to library
  • Mozilla Thunderbird:
    • Go to "Thunderbird" -> "Settings" -> "Extended" (?) -> "Encryption" (?) -> "Cryptography Modules" -> "Load"
    • Specify a name for the module
    • Specify /Library/OpenSC/lib/pkcs11/opensc-pkcs11.so as path to library

For Mozilla Firefox the path to the relevant settings windows should look like this:

image:mozilla_crypto.png

After having inserted the token, the list of crypto modules should look like this:

image:mozilla_crypto2.png

Further Reading

Here are some links that provide similar or further info on the subject: