{"id":17271548,"url":"https://github.com/frankmorgner/opensctoken","last_synced_at":"2025-04-14T08:22:42.221Z","repository":{"id":29151000,"uuid":"107414968","full_name":"frankmorgner/OpenSCToken","owner":"frankmorgner","description":"Use OpenSC in macOS CryptoTokenKit.","archived":false,"fork":false,"pushed_at":"2024-02-01T15:39:48.000Z","size":85,"stargazers_count":76,"open_issues_count":3,"forks_count":14,"subscribers_count":10,"default_branch":"master","last_synced_at":"2025-03-27T22:01:47.464Z","etag":null,"topics":["macos","opensc","security","smartcard"],"latest_commit_sha":null,"homepage":"","language":"Objective-C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/frankmorgner.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2017-10-18T13:52:06.000Z","updated_at":"2024-11-08T22:28:47.000Z","dependencies_parsed_at":"2024-02-01T17:38:55.364Z","dependency_job_id":null,"html_url":"https://github.com/frankmorgner/OpenSCToken","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/frankmorgner%2FOpenSCToken","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/frankmorgner%2FOpenSCToken/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/frankmorgner%2FOpenSCToken/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/frankmorgner%2FOpenSCToken/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/frankmorgner","download_url":"https://codeload.
github.com/frankmorgner/OpenSCToken/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248844213,"owners_count":21170534,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["macos","opensc","security","smartcard"],"created_at":"2024-10-15T08:45:08.209Z","updated_at":"2025-04-14T08:22:42.184Z","avatar_url":"https://github.com/frankmorgner.png","language":"Objective-C","readme":"# OpenSCToken: Use OpenSC in CryptoTokenKit\n\nCryptoTokenKit is Apple's take on programmatic access to smart cards and other tokens. It provides both low-level access to tokens (comparable with PC/SC) and high-level access for system-wide integration of a token (comparable with Windows Smart Card Minidriver).\n\nFor further information about smart cards in macOS please read the following resources:\n\n- [Apple's guide on smart card integration](https://support.apple.com/guide/deployment/depd0b888248) (open the table of contents to access the pages on smart card logon, FileVault usage and more extended options)\n- [`man 8 security`](http://www.manpagez.com/man/1/security/)\n- [`man 8 sc_auth`](http://www.manpagez.com/man/8/sc_auth/)\n- [`man 8 SmartCardServices`](http://www.manpagez.com/man/7/SmartCardServices/)\n\nOpenSCToken aims at providing the existing functionality of OpenSC through CryptoTokenKit.\n\n## Quickstart\n\n1. Download [the latest release of OpenSCToken](https://github.com/frankmorgner/OpenSCToken/releases/latest)\n2. Open the image (`.dmg` file) and drag *OpenSCTokenApp* to your *Applications*\n3. 
Launching *OpenSCTokenApp* shows an empty application and registers the token driver.\n\nNow you're ready to use the smart card even if the application is not running (as long as your card is supported by OpenSC).\n\n### Useful Commands\n\n- Show location of the registered OpenSCToken\n```\npluginkit -v -m -D -i org.opensc-project.mac.opensctoken.OpenSCTokenApp.OpenSCToken\n```\n- List available smart cards and paired/unpaired identities:\n```\nsc_auth identities\n```\n- Pair a smart card with your account:\n```\nsc_auth pair ${HASH}\n```\n- Remove paired smart card from your account:\n```\nsc_auth unpair ${HASH}\n```\n- Disable dialog for pairing a smart card with the current account:\n```\nsc_auth pairing_ui -s disable\n```\n- Disable macOS' built-in token driver for the PIV card (Yubikey) to use OpenSC instead:\n```\nsudo defaults write /Library/Preferences/com.apple.security.smartcard DisabledTokens -array com.apple.CryptoTokenKit.pivtoken\n```\n- Enable macOS' built-in token driver for the PIV card (Yubikey):\n```\nsudo defaults delete /Library/Preferences/com.apple.security.smartcard DisabledTokens\n```\n- Unregister OpenSCToken\n```\npluginkit -r -i org.opensc-project.mac.opensctoken.OpenSCTokenApp.OpenSCToken\n```\n\n## Comparison with [OpenSC.tokend](https://github.com/OpenSC/OpenSC.tokend)\n\n- [x] OpenSCToken supports multiple certificates, keys and PINs\n- [x] OpenSCToken has proper support for PIN pad on reader or token\n- [x] OpenSCToken offers easy login with smart card and automatically unlocks the *login keychain*\n- [ ] Tokens are not visible in *Keychain Access* anymore (use `sc_auth`/`security` from command line instead)\n\n## Building OpenSCToken\n\nRequirements:\n\n- Xcode 8.0 or later; macOS 10.12 SDK or later\n- help2man, gengetopt\n- Code signing credentials\n\n```\n# Install dependencies\nbrew install help2man\nbrew install gengetopt\nbrew install automake \n\n# Checkout OpenSCToken\ngit clone 
http://github.com/frankmorgner/OpenSCToken.git\n\n# Checkout and build all dependencies (i.e. OpenSSL, OpenPACE and OpenSC)\ncd OpenSCToken\n./bootstrap\n\n# Now build OpenSCTokenApp\nxcodebuild -target OpenSCTokenApp -configuration Release -project OpenSCTokenApp.xcodeproj install DSTROOT=${PWD}/build\n```\n\nOnce all dependencies are built, the project can be executed and debugged from Xcode. Running the application adds OpenSCToken to the system's plug-in registry. After inserting a token, attach to the process `OpenSCToken` for debugging with Xcode.\n\n## Running OpenSCToken\n\nOpenSCToken requires macOS 10.12 or later. For registering the token driver, you have two options:\n\n1. Run *OpenSCTokenApp* or execute `pluginkit -a /Applications/Utilities/OpenSCTokenApp.app/Contents/PlugIns/OpenSCToken.appex`:\nRegisters OpenSC in the PlugInKit subsystem for the current user. Your token will be **available after login**. Note that database clean-ups may eventually remove the plug-in.\n\n2. Run *OpenSCTokenApp* as SecurityAgent `sudo -u _securityagent /Applications/Utilities/OpenSCTokenApp.app/Contents/MacOS/OpenSCTokenApp` or execute `sudo -u _securityagent pluginkit -a /Applications/Utilities/OpenSCTokenApp.app/Contents/PlugIns/OpenSCToken.appex`:\nRegisters OpenSC globally. Your token **will always be available**.\n\n## Configuring OpenSCToken\n\nOpenSCToken supports all configuration options from OpenSC. However, you need to make sure that files to be read or written are available from the token driver's sandbox.\n\nFor example, `opensc.conf`, which is read by OpenSC, is available in `/Applications/Utilities/OpenSCTokenApp.app/Contents/PlugIns/OpenSCToken.appex/Contents/Resources`. When using configuration options that need to write a file (e.g. `debug_file` or `file_cache_dir`), you need to make sure this is done in the token driver's `Documents` directory (e.g. 
something like `~/Library/Containers/org.opensc-project.mac.opensctoken.OpenSCTokenApp.OpenSCToken/Data/Documents`). For your convenience, these locations are written to the system log when OpenSCToken is started with a smart card. Use the following commands to view the log:\n\n```\nsudo log config --mode \"private_data:on\"\nlog stream --predicate 'senderImagePath contains[cd] \"OpenSCToken\"'\n```\n\nOn macOS Catalina and later, the mode \"private_data:on\" is not available anymore and instead you need to [create and import a logging profile](https://superuser.com/a/1532052).\n\n## Test Results\n\nTested applications:\n\n- [x] Login to macOS\n- [x] Unlock screen saver\n- [x] Unlock *login keychain*\n- [x] Safari, Chrome, Firefox (TLS client authentication)\n- [x] Unlock *sudo*\n\nTested Mechanisms:\n\n- [x] `kSecKeyAlgorithmRSASignatureRaw`\n- [ ] `kSecKeyAlgorithmRSAEncryptionRaw`\n- [ ] `kSecKeyAlgorithmECDSASignatureRFC4754`\n- [ ] `kSecKeyAlgorithmECDSASignatureDigestX962`\n- [x] `kSecKeyAlgorithmECDSASignatureDigestX962SHA1`\n- [x] `kSecKeyAlgorithmECDSASignatureDigestX962SHA224`\n- [x] `kSecKeyAlgorithmECDSASignatureDigestX962SHA256`\n- [x] `kSecKeyAlgorithmECDSASignatureDigestX962SHA384`\n- [x] `kSecKeyAlgorithmECDSASignatureDigestX962SHA512`\n\nThe unchecked mechanisms are implemented, but currently untested.\n\n---\n\nCopyright (C) 2017-2019 Frank Morgner \u003cfrankmorgner@gmail.com\u003e\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffrankmorgner%2Fopensctoken","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffrankmorgner%2Fopensctoken","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffrankmorgner%2Fopensctoken/lists"}