<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>MacOsXTokend - OpenSC - Trac</title><style type="text/css">
           @import url(trac.css);
          </style></head><body><div class="wikipage">
    <div id="searchable"><h2>Overview</h2>
<p>
Mac OS X 10.4 has a native support for smart cards, called Tokend.
</p>
<p>
Native Mac applications (Safari browser, Mail client) will be able
to automatically use the keys on the card that are supported by
the Tokend.
</p>
<p>
There is an OpenSC tokend as part of OpenSC's sca package for Mac OS X.
It uses the OpenSC library (the PKCS15 layer, not the pkcs11 lib) and should therefore support the same cards.
It can be use together with other OpenSC lib/apps such as the pkcs11 lib for the Mozilla family of browsers and mail clients.
</p>
<p>
Currently supported are
</p>
<ul><li>Keychain Access (to view the contents of the smart card)
</li><li>Safari browser (SSL client authentication)
</li><li>Mail client (sign and decrypt emails) -- Note: the account's mail address must be present in the cert
</li></ul><p>
For more info:
</p>
<ul><li>Max OS X: [<a class="ext-link" title="http://developer.apple.com/documentation/MacOSX/Conceptual/OSX_Technology_Overview/" href="http://developer.apple.com/documentation/MacOSX/Conceptual/OSX_Technology_Overview/" shape="rect">http://developer.apple.com/documentation/MacOSX/Conceptual/OSX_Technology_Overview/</a>] (OSX_Technology_Overview.pdf)
</li><li>Mac OS X for UNIX Users: [<a class="ext-link" title="http://images.apple.com/macosx/pdf/MacOSX_UNIX_TB.pdf" href="http://images.apple.com/macosx/pdf/MacOSX_UNIX_TB.pdf" shape="rect">http://images.apple.com/macosx/pdf/MacOSX_UNIX_TB.pdf</a>]
</li><li>Apple-cdsa mailing list: [<a class="ext-link" title="http://lists.apple.com/mailman/listinfo/apple-cdsa" href="http://lists.apple.com/mailman/listinfo/apple-cdsa" shape="rect">http://lists.apple.com/mailman/listinfo/apple-cdsa</a>]
</li></ul><h2>How to build the OpenSC tokend</h2>
<p>
This is pretty complicated, most is based on the doc "Building Tokend Using the Darwin Build Scripts"
that can be requested on the apple-cdsa mailing list.
</p>
<p>
Make sure you have Mac OS 10.4.
</p>
<p>
If you want SVN (subversion): download and install fink [<a class="ext-link" title="http://fink.sourceforge.net/" href="http://fink.sourceforge.net/" shape="rect">http://fink.sourceforge.net/</a>]
and use fink to obtain svn: "sudo fink install svn-client" in a Terminal window.
</p>
<p>
1. download and install Xcode 2.2 or later from [<a class="ext-link" title="http://developer.apple.com/tools/" href="http://developer.apple.com/tools/" shape="rect">http://developer.apple.com/tools/</a>]
</p>
<p>
2. Download, build and install darwinbuild 0.7.2 or later from [<a class="ext-link" title="http://opendarwin.org/projects/darwinbuild/" href="http://opendarwin.org/projects/darwinbuild/" shape="rect">http://opendarwin.org/projects/darwinbuild/</a>]
</p>
<p>
3. Create a disk image to contain the build environment
</p>
<blockquote>
<p>
(This way your regular system won't be modified when all frameworks etc. are downloaded)
</p>
</blockquote>
<ul><li>hdiutil create -size 2g -type UDIF -fs HFSX -volname Builds -uid 0 -gid -0 -attach Builds.dmg
</li></ul><ul><li>Become root (su or sudo /bin/bash)
</li></ul><ul><li>vsdbutil -a /Volumes/Builds
</li></ul><blockquote>
<p>
(/Volumes/ is where all filesystems like disks, USB sticks and disk images are mounted)
</p>
</blockquote>
<blockquote>
<p>
Note: next time you start your Mac, you need to re-open the builds.dmg disk image again
before you can work with it: double-click on it in Finder or do "hdiutil attach Builds.dmg
in a Terminal window.
</p>
</blockquote>
<p>
4. Download and build the Tokend code from opendarwin
</p>
<blockquote>
<p>
This is done in a subdirectory of /Volumes/Builds/. It's name depends on the 10.4.x
version that you have. For example:
</p>
</blockquote>
<blockquote>
<blockquote>
<blockquote>
<p>
** For 10.4.2: Build8C46
</p>
</blockquote>
</blockquote>
</blockquote>
<blockquote>
<blockquote>
<blockquote>
<p>
** For 10.4.3: Build8F46
</p>
</blockquote>
</blockquote>
</blockquote>
<blockquote>
<blockquote>
<blockquote>
<p>
** For 10.4.4: Build8G32
</p>
</blockquote>
</blockquote>
</blockquote>
<blockquote>
<blockquote>
<blockquote>
<p>
** For 10.4.5: Build8H14
</p>
</blockquote>
</blockquote>
</blockquote>
<blockquote>
<p>
(See [<a class="ext-link" title="http://darwinsource.opendarwin.org/plists/" href="http://darwinsource.opendarwin.org/plists/" shape="rect">http://darwinsource.opendarwin.org/plists/</a>])
</p>
</blockquote>
<blockquote>
<p>
In what follows, we assume we are building on 10.4.3.
</p>
</blockquote>
<ul><li>cd /Volumes/Builds
</li></ul><ul><li>mkdir Build8F46
</li></ul><ul><li>cd Build8F46
</li></ul><ul><li>/usr/local/bin/darwinbuild -init 8F46
</li></ul><ul><li>Disable the i386 build (only ppc):
</li></ul><blockquote>
<blockquote>
<p>
/usr/local/bin/darwinxref -b 8A428 edit
</p>
</blockquote>
</blockquote>
<blockquote>
<blockquote>
<p>
This opens vi or vim (yes:-) where you have to remove 'i386' from RC_ARCHS (use the arrow keys to go to
'i386', then hit x to delete it, then use the ESC button to go back to normal mode and type :wq or :wq!)
</p>
</blockquote>
</blockquote>
<ul><li>/usr/local/bin/darwinbuild Tokend
</li></ul><blockquote>
<p>
This command will download the Tokend-11 code and all required libs,frameworks,...
and build the tokend's as Apple did. It will take a while.
</p>
</blockquote>
<blockquote>
<p>
You could try them (first backup the original ones):
</p>
</blockquote>
<blockquote>
<blockquote>
<p>
** mkdir /System/Library/Security/tokend/backups
</p>
</blockquote>
</blockquote>
<blockquote>
<blockquote>
<p>
** mv /System/Library/Security/tokend/* /System/Library/Security/tokend/backups
</p>
</blockquote>
</blockquote>
<blockquote>
<blockquote>
<p>
** sudo ditto BuildRoot/var/tmp/Tokend/Tokend-11.root / }
</p>
</blockquote>
</blockquote>
<blockquote>
<p>
The Tokend-11 sources are compressed in Sources/Tokend-11.tar.gz. If you would like
to modify them, e.g. to add logging, you can do the following:
</p>
</blockquote>
<blockquote>
<blockquote>
<p>
** extract them ("cd Sources" and "tar xfz Tokend-11.tar.gz");
</p>
</blockquote>
</blockquote>
<blockquote>
<blockquote>
<p>
** make them writable: chown -R &lt;yourusername&gt; Tokend-11
</p>
</blockquote>
</blockquote>
<blockquote>
<blockquote>
<p>
** then open the project with XCode ("open Tokend-11/Token.xcodproject") and change and save them;
</p>
</blockquote>
</blockquote>
<blockquote>
<blockquote>
<p>
** then run "/usr/local/bin/darwinbuild Tokend". Since the sources already exist, darwinbuild won't download them again but use the existing onces instead.
</p>
</blockquote>
</blockquote>
<blockquote>
<p>
NOTE: the building seems to go fail somehow sometimes. However, once the libtokend.a has been build, you are far enough.
So just check if the file "/Volumes/Builds/Build8F46/BuildRoot/private/var/tmp/Tokend/Tokend-11.obj/UninstalledProducts/libtokend.a" exists.
</p>
</blockquote>
<blockquote>
<p>
WARNING: don't run "/usr/local/bin/darwinbuild Tokend" again after you installed and
build the OpenSC sources (they will be overwritten)!
</p>
</blockquote>
<p>
5. Obtain and install sca.
</p>
<blockquote>
<p>
Download the installer from <a class="ext-link" title="http://www.opensc-project.org/sca/" href="http://www.opensc-project.org/sca/" shape="rect">http://www.opensc-project.org/sca/</a>,
or look at this site for info on how to get the sources and build it yourself
</p>
</blockquote>
<blockquote>
<p>
After installation, everything should be in /Library/OpenSC/.
</p>
</blockquote>
<p>
6. Obtain and build the OpenSC tokend code.
</p>
<blockquote>
<p>
This is part of sca, just search for the opensc.tokend/ directory.
</p>
</blockquote>
<blockquote>
<p>
Note: if you should use the OpenSC version was used for building sca.
E.g. if you used sca-0.1.8, you should use OpenSC 0.10.1.
And if you used the sca code from SVN, use the OpenSC code from SVN
</p>
</blockquote>
<ul><li>copy the contents of opensc.tokend/ to /Volumes/Builds/Build8F46/Sources/Tokend-11/
</li></ul><ul><li>cd /Volumes/Builds/Build8F46/Sources/Tokend-11/
</li></ul><blockquote>
<p>
Now you can build the OpenSC tokend, there's no need to be root anymore.
You can either build directly from the command prompt:
</p>
</blockquote>
<blockquote>
<blockquote>
<p>
** xcodebuild -configuration Deployment
</p>
</blockquote>
</blockquote>
<blockquote>
<p>
or from within Xcode:
</p>
</blockquote>
<blockquote>
<blockquote>
<p>
** "open Tokend.xcodeproject" or double-click on it in Finder
</p>
</blockquote>
</blockquote>
<blockquote>
<blockquote>
<p>
** Project -&gt; Set Activate Build Configuration -&gt; Deployment
</p>
</blockquote>
</blockquote>
<blockquote>
<blockquote>
<p>
** Build -&gt; Build
</p>
</blockquote>
</blockquote>
<blockquote>
<p>
NOTE: if the build fails with error "can't locate file for: -ltokend", this means that the libtoken.a
library has moved.
E.g. before Mac OS 10.4.5, the lib was located at
$(BuildRoot$/private/var/tmp/Tokend/Tokend-11.obj/UninstalledProducts/libtokend.a
but if you build with Mac OS 10.4.5 (build 8H14), it's located at
$(BuildRoot$/private/var/tmp/Tokend/Tokend-25868.obj/UninstalledProducts/libtokend.a
So you should do an "ls ../../BuildRoot/private/var/tmp/Tokend/" to find out the name of the
dir containing the libtokend.a; and modify the Tokend.xcodeproj/project.pbxproj accordingly
by means of a text editor (perhaps it's also possible to do so with Xcode).
</p>
</blockquote>
<blockquote>
<p>
The result should be an OpenSC.tokend bundle in build/Deployment/.
</p>
</blockquote>
<blockquote>
<p>
To 'deploy' it:
</p>
</blockquote>
<blockquote>
<blockquote>
<p>
sudo cp -r build/Deployment/OpenSC.tokend /System/Library/Security/tokend/OpenSC.tokend
</p>
</blockquote>
</blockquote>
<blockquote>
<p>
FYI: The Tokend-11/ directory is based on the one from opendarwin:
</p>
</blockquote>
<blockquote>
<blockquote>
<p>
** The BELPIC, CAC, <a class="missing" href="/opensc/wiki/MuscleCard" shape="rect">MuscleCard?</a> and Tokend targets/products were removed from the project
</p>
</blockquote>
</blockquote>
<blockquote>
<blockquote>
<p>
** The BELPIC, CAC and <a class="missing" href="/opensc/wiki/MuscleCard" shape="rect">MuscleCard?</a> directories were removed
</p>
</blockquote>
</blockquote>
<blockquote>
<blockquote>
<p>
** The cpp files (not the .h files) from the Tokend dir were removed
</p>
</blockquote>
</blockquote>
<blockquote>
<blockquote>
<blockquote>
<blockquote>
<p>
(it uses the libtokend.a lib that was made with /usr/local/bin/darwinbuild)
</p>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<blockquote>
<blockquote>
<p>
** The project has been modified to build with Xcode instead of with /usr/local/bin/darwinbuild
</p>
</blockquote>
</blockquote>
<blockquote>
<p>
The opensc.tokend dir contains an optional tokend.conf config file; see this file for more info.
</p>
</blockquote>
</div>
   </div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>