Cryptokit pivtoken does not translate card certificates to keychain items
| Field | Value | Field | Value |
|---|---|---|---|
| Originator: | John.E.Lamb | | |
| Number: | rdar://31506336 | Date Originated: | 07-Apr-2017 |
| Status: | Open | Resolved: | |
| Product: | macOS | Product Version: | 10.12.4 |
| Classification: | Bug/Request | Reproducible: | Yes |
Summary: The previous method of using smart cards on OS X via tokens (either via smartcardservices or OpenSC) would translate smart card certificates into keychain items. This allowed applications such as Microsoft Outlook (2011/2016), Cisco AnyConnect VPN, and Adobe Acrobat to access the certificates on the card for email signing/encryption, VPN login, and PDF signing.

Steps to Reproduce:
1. Set up a Mac with OS X 10.12.4.
2. Configure an /etc/Smartcardconfig.plist appropriate for your directory service and card configuration.
3. Connect a supported smart card reader and insert a card.

Expected Results:
1. Smart card account login should function at loginwindow.app.
2. Login to card-aware websites via Safari.app should work.
3. A keychain corresponding to the smart card should appear in Keychain Access.app.
4. Authentication should function in AnyConnect, and email encryption should function in Outlook 2016.

Actual Results:
1. Smart card login DOES work at loginwindow.app (thank you, that's awesome).
2. Login to card-aware websites via Safari.app DOES work (thank you, that's awesome).
3. No keychain corresponding to the smart card appears in Keychain Access.app.
4. Due to #3, no certificates are available to AnyConnect or Outlook 2016.

Version: 10.12.4/16E195

Notes: Thank you for considering this bug report/feature request. I understand that "the right way" for our vendors to handle the change to cryptokit is to update their apps to utilize this new method (and I anticipate at least Microsoft will, as they've been good about keeping up with OS changes recently). However, I might ask that it be considered to provide the expected behavior in the interim. It appears at https://developer.apple.com/reference/cryptotokenkit/tktokenkeychaincertificate that the keychain translation is included in cryptokit but not currently implemented in pivtoken, so it may be possible to implement this without needing to fall back to pcscd/CDSA?

This request, while coming from an individual developer account, is intended for support of [Redacted], of which there are approximately 5000-8000 at [Redacted] alone.

Configuration: macOS 10.12.4 bound properly to Active Directory. Smart cards verified to function by installing OpenSC (then uninstalling OpenSC for the test).
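A quick terminal check for the condition described under Actual Results, added here as a diagnostic that is not part of this radar: it compares the CryptoTokenKit tokens the OS sees against the S/MIME identities a keychain-based app such as Outlook would find, and reports a verdict. It assumes macOS 10.12.4 or later, that `security list-smartcards` prints one `com.apple.pivtoken:<id>` line per token, and that `security find-identity -v -p smime` prints one numbered `<sha1> "<name>"` line per identity; on a machine without the `security` tool it runs against a constructed sample instead.

```shell
#!/bin/sh
# Added diagnostic (not from the radar): is the PIV card visible as a
# CryptoTokenKit token, and does the keychain API expose any identity from it?
# Output formats of `security list-smartcards` and `security find-identity`
# are assumptions (see lead-in); adjust the patterns if your build differs.

# Pure text function: takes the two command outputs, prints a verdict.
classify_card_visibility() {
    tokens="$1"      # output of: security list-smartcards
    identities="$2"  # output of: security find-identity -v -p smime
    ntok=$(printf '%s\n' "$tokens" | grep -c '^com\.apple\.pivtoken:' || true)
    nid=$(printf '%s\n' "$identities" \
          | grep -Ec '^ *[0-9]+\) [0-9A-Fa-f]{40} ' || true)
    if [ "$ntok" -eq 0 ]; then
        echo "no-token"            # reader/card not seen by CryptoTokenKit at all
    elif [ "$nid" -eq 0 ]; then
        echo "token-no-identity"   # the condition this radar reports
    else
        echo "token-identity:$nid" # keychain-based apps can see the card's certs
    fi
}

# Live check on macOS; elsewhere fall back to a constructed sample that
# reproduces the radar's Actual Results (token present, no identity visible).
run_check() {
    if command -v security >/dev/null 2>&1; then
        t=$(security list-smartcards 2>/dev/null || true)
        i=$(security find-identity -v -p smime 2>/dev/null || true)
    else
        t='com.apple.pivtoken:0123456789ABCDEF0123456789ABCDEF'   # constructed
        i='     0 identities found'                               # constructed
    fi
    classify_card_visibility "$t" "$i"
}
run_check
```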