Token authentication Problem on Mac OS Sonoma

Hi,

I use a Nitrokey as a PKCS#11 device with Viscosity. The token works without any issue in a Debian 11 VM on UTM.
The token worked flawlessly until I updated my M1 MacBook Pro from Ventura to Sonoma.

When using Viscosity, a dialog comes up saying that the card was not detected. I tried opensc-tool to get more info on this.

When I am using the token from the command line I get this:

xxx@rocketeer:~ $ opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Nitrokey Nitrokey Pro
xxx@rocketeer:~ $ opensc-tool --list-algorithms
Using reader with a card: Nitrokey Nitrokey Pro
Failed to connect to card: Unresponsive card (correctly inserted?)
xxx@rocketeer:~ $ 

With pkcs11-tool I get this:
xxx@rocketeer:~ $ pkcs11-tool -O
error: PKCS11 function C_GetSlotInfo failed: rv = CKR_DEVICE_ERROR (0x30)
Aborting.
xxx@rocketeer:~ $

When I issue the same commands in the Linux VM the token works as expected:

root@bullseye:/home/local# opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Nitrokey Nitrokey Pro (000000000000000000009961) 00 00
root@bullseye:/home/local# opensc-tool --list-algorithms
Using reader with a card: Nitrokey Nitrokey Pro (000000000000000000009961) 00 00
Algorithm: rsa
Key length: 2048
Flags: onboard key generation padding ( pkcs1 ) hashes ( none )

Algorithm: rsa
Key length: 2048
Flags: onboard key generation padding ( pkcs1 ) hashes ( none )

Algorithm: rsa
Key length: 2048
Flags: onboard key generation padding ( pkcs1 ) hashes ( none )

root@bullseye:/home/local#

Is there anything I can do to make it work?

Hi matsimoto,

It looks likely to be a bug in Sonoma, but it could also be an OpenSC issue. You can find some information over at:
https://github.com/OpenSC/OpenSC/issues/2887
https://developer.apple.com/forums/thread/732091

Sadly it sounds likely you’ll need to wait for an updated version of Sonoma or an updated version of OpenSC.

In the meantime, if macOS natively recognises your token you can use Viscosity’s “System Identity” feature instead. This allows you to use a token or smart card without needing a PKCS#11 driver. To use this, duplicate your connection in Viscosity (or create a new one), edit it, and set the Authentication Type to “SSL/TLS Client (System Identity)”. Then click the small “+” button in the System Identity section and see whether macOS lists the certificate on your token. If it does, select it, Save the changes, and try connecting.

Cheers,
James

Hi James,

Unfortunately the Nitrokey is not recognized.
I will wait … hopefully the update will come soon.

Thanks for the information.

Ciao
matsimoto
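
The opensc-tool outputs in the first post show the reader being listed with a card present while the connection to the card fails. As an added example (not code from the thread participants or from OpenSC), this shell function classifies that output to tell which stage is failing; the names classify_token and probe_token and the state labels are hypothetical.

```shell
#!/bin/sh
# Added example: classify the stage at which token access fails, using the
# text printed by `opensc-tool -l` and `opensc-tool --list-algorithms`.

# Constructed samples, abridged from the outputs posted in the thread.
SONOMA_LIST='# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Nitrokey Nitrokey Pro'
SONOMA_ALGS='Using reader with a card: Nitrokey Nitrokey Pro
Failed to connect to card: Unresponsive card (correctly inserted?)'
LINUX_LIST='# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Nitrokey Nitrokey Pro (000000000000000000009961) 00 00'
LINUX_ALGS='Using reader with a card: Nitrokey Nitrokey Pro (000000000000000000009961) 00 00
Algorithm: rsa
Key length: 2048'

# classify_token LIST_OUTPUT ALGS_OUTPUT  (hypothetical helper name)
# Prints: no-reader | no-card | card-unresponsive | ok | unknown
classify_token() {
    list=$1
    algs=$2
    # Reader rows start with a numeric index; header and comment lines do not.
    rows=$(printf '%s\n' "$list" | grep -E '^[0-9]+[[:space:]]' || true)
    if [ -z "$rows" ]; then
        echo no-reader
        return 0
    fi
    # The second column is the "Card" flag; "Yes" means a card is present.
    if ! printf '%s\n' "$rows" | awk '$2 == "Yes" { f = 1 } END { exit !f }'; then
        echo no-card
        return 0
    fi
    # The reader and card are visible to PC/SC; now check the connect step.
    case $algs in
        *"Failed to connect to card"*) echo card-unresponsive ;;
        *"Algorithm:"*)                echo ok ;;
        *)                             echo unknown ;;
    esac
}

# probe_token: run the real tools, if installed, and classify their output.
probe_token() {
    command -v opensc-tool >/dev/null 2>&1 || return 2
    classify_token "$(opensc-tool -l 2>&1)" "$(opensc-tool --list-algorithms 2>&1)"
}

echo "Sonoma sample: $(classify_token "$SONOMA_LIST" "$SONOMA_ALGS")"
echo "Linux sample:  $(classify_token "$LINUX_LIST" "$LINUX_ALGS")"
```

A result of card-unresponsive means reader enumeration works and the failure is at the card connect step, which is the symptom posted for Sonoma.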