OS X El Capitan and smart cards status
El Capitan (OS X 10.11) is now out since 30th September, 2015.
As I did with the previous major versions of Mac OS X Yosemite, Mavericks, Mountain Lion (and Lion) I will list changes in El Capitan regarding the smart card world.
API Differences between 10.10 and 10.11
The differences are listed in the developer page OS X El Capitan v10.11. The page only document big changes. The smart card changes are not listed there :-)A complete list of API changes is at OS X v10.11 API Diffs. Regarding the smart card world we have:
The CryptoTokenKit API has changed. Some methods have been modified, some methods have been added.
I note two sets of new methods:
TKSmartCardPIN*
and TKSmartCardUserInteractionFor*
. It looks like Apple wants to provide a nice User eXperience regarding PIN management.I hope Apple will provide more documentation than the .h header file and some code samples.
I will try to rebuild my Crypto Token Kit Objective-C and Swift examples on El Capitan to check if they still work.
PC/SC
Since Yosemite (10.10) the PC/SC layer is no more a fork of pcsc-lite. So comparing versions with pcsc-lite is useless.$ cat /System/Library/Frameworks/PCSC.framework/Versions/A/Resources/version.plist <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>BuildAliasOf</key> <string>CryptoTokenKit</string> <key>BuildVersion</key> <string>13</string> <key>CFBundleShortVersionString</key> <string>8.0</string> <key>CFBundleVersion</key> <string>1</string> <key>ProjectName</key> <string>SmartCardServices</string> <key>SourceVersion</key> <string>79001001000000</string> </dict> </plist>
The BuildVersion changed from 1 on Yosemite to 13 on El Capitan, and SourceVersion changed from 22020004000000 to 79001001000000. I have no idea what the SourceVersion "number" is.
It looks like Apple made 12 builds of the PC/SC framework since Yosemite 10.10.
Bugs fixed
- SCardGetAttrib
- SCardTransmit (pioSendPci not checked)
- SCardGetStatusChange blocks forever
- OS X Yosemite bug: SCardConnect blocks in SCARD_SHARE_SHARED mode
I updated my blog article OS X Yosemite and smart cards: known bugs.
Maybe new bugs will be found on El Capitan. But I have not yet found any after just a few hours of tests.
CCID driver
Driver version 1.4.14.No change since Yosemite.
$ grep -A 1 CFBundleShortVersionString /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/Info.plist <key>CFBundleShortVersionString</key> <string>1.4.14</string>
New driver location
The System Integrity Protection (SIP) introduced in El Capitan impose that custom PC/SC drivers are now installed in /usr/local/libexec/SmartCardServices/drivers/.Only the CCID driver provided by Apple is still in /usr/libexec/SmartCardServices/drivers/.
Tokend
Because of SIP, the tokend needs to be installed in /Library/Security/tokend/ now instead of /System/Library/Security/tokend/.The tokend and CDSA are still usable. I just fixed the PKCS11.tokend so that it looks for PKCS#11 libraries in /usr/local/lib/pkcs11/ if /usr/lib/pkcs11/ does not exist (as it is the case on El Capitan because of SIP again).
Conclusion
Most of the remaining PC/SC bugs fixed.tokend still usable.
Some new Crypto Token Kit methods.