NAME
KeychainToken, /Library/KeychainToken/keychain_token.dylib
SYNOPSIS
This is the Keychain PKCS#11 Token "driver". Use it with applications
that cannot interact with Keychain but can interact with PKCS#11 devices
(e.g. Mozilla products)
DESCRIPTION
Apple provides a wonderful API for accessing cryptographic functions and
tokens (Smartcards, softcerts, etc) but it does not provide a way to
access these functions via PKCS#11 anymore. This is an attempt to rectify
this in as sane a way as possible. In its first release only the minimal
ammount of PKCS#11 will be implemented to allow basic operation with
Mozilla products, as that suits my needs best. However, future releases
may include additional functionality.
When using the KeychainToken driver, by default all keychains shown in
the Keychain Access application will be visible in different slots, up
to the maximum slots (10). Since this is often not desireable,
KeychainToken can be configured with a properties list file (plist)
found in ~/Library/Preferences/com.apple.KeychainToken.plist . You can
create three different Array entries, titled:
* whitelist
* blacklist
* greylist
In each of these array entries, create simple string entries with the
path name of the keychain you want in the particular list. Some keychains
will show a path that is not on the filesystem (for example, DoD CAC's
show just the serial number of the CAC), and Directory Services shows up
with an empty path. Below is a description of each list.
/whitelist/
When the whitelist is defined at all, all keychains not in the whitelist
or greylist will not show up at all. The blacklist will be ignored.
/blacklist/
When the whitelist is not defined, the blacklist is a list of keychains
you do not wish to appear as PKCS#11 tokens.
/greylist/
Some keychains cannot be logged into from the PKCS#11 interface. The
System keychain is such an example. Adding keychains to will cause the
KeychainToken driver to make a best attempt to tell accessing applications
that these keychains are to be treated as read-only devices that cannnot
be logged into. This is only a best attempt, and some applications may
prompt for a pin to log in. Keychains in the greylist will never use any
login attempt on the actual keychain (to prevent accidental locking)
Examples of preferences setup (name:type:value):
Root:Dictionary:(2 items)
whitelist:Array:(2 items)
Item 1:String:/Users/joe/Library/Keychains/mytoken.keychain
Item 2:String:CAC-1234-5678-9012-3456
greylist:Array:(1 item)
Item 1:String:/Users/joe/Library/Keychains/login.keychain
Root:Dictionary:(2 items)
greylist:Array:(1 item)
Item 1:String:/Users/joe/Library/Keychains/login.Keychain
blacklist:Array:(3 items)
Item 1:String:(empty string)
Item 2:String:/Library/Keychains/System.keychain
Item 3:String/Users/joe/Library/Keychains/expired_token.keychain
Future versions of KeychainToken may provide a graphical tool to configure these preferences.