
Private keys and smart card stuck in security after token removed

Open tstevens opened this issue 4 years ago • 4 comments

I'm having an unusual issue where, after a token is removed, or even after OpenSC is uninstalled and the machine restarted, the security command still lists private keys for the removed token, and it still shows up as a smart card in list-smartcards. Any idea what could be causing this or how to solve it?

tstevens avatar Feb 19 '21 16:02 tstevens

My situation seems to be identical to the problem described in OpenSC/OpenSC#1862.

I have reinstalled/uninstalled opensc and disabled/enabled the OpenSCToken using security and nothing seems to remove this cached token reference.

@frankmorgner Any ideas what could be going on? I'm even ok with clearing out caches etc if you know places I should be trying to reset.

tstevens avatar Feb 26 '21 03:02 tstevens

I'm not sure.

After uninstallation the process for the token driver may still be running, because it's loaded into memory. In this case you could manually kill the process or reboot.

Does it cause any problems to have the token in the smartcard list?

frankmorgner avatar Feb 26 '21 10:02 frankmorgner

I've restarted multiple times, there are no OpenSC-related processes running, and it looks like all of the OpenSC-related pieces have been cleaned up from what I can see. I also ran the commands you listed in the OpenSC issue I mentioned above and it looks like the driver was already deleted from pluginkit.

system_profiler SPSmartCardsDataType no longer lists the drivers and doesn't show any details about the token. It seems like for some reason the private keys are getting cached and stuck in the Apple plumbing. I don't have any token paired with sc_auth, so I don't think it will be lingering for a reason like that. The security command seems to be the only location where I can see the token & keys still listed, but I'm unsure if they are still hanging about and being returned by the CTK APIs themselves.

The only issue I've noticed is that signing documents in Adobe Reader seems wonky. I believe it used to work with the CryptoTokenKit APIs, but I'm not sure if it's because of these stuck private keys or an unrelated Adobe Reader update that things aren't working right. I can work around it by using a PKCS#11 module, so it's not a huge deal.

tstevens avatar Feb 26 '21 18:02 tstevens

Saw other posts mentioning the issue only went away if they created a new user account, which made me believe it was tied to something within the user's directory. I decided to grep the ~/Library directory for the stuck token id. As a result I found a keychain DB that still had references to it. Once I removed those references within the tables, the security command no longer returns the stuck token from list-smartcards or export-smartcard.

Now for the fix. Beware, this could break your keychain, so do so at your own risk and back up the keychain files before attempting. Hopefully this can help anyone who happens to encounter the same issue.

1. Obtain the stuck token id from `security list-smartcards`. It will be something like this: `org.opensc-project.mac.opensctoken.OpenSCTokenApp.OpenSCToken:5A3030315357335536345A4755574344`

2. Find the DB with the stuck token:

   ```
   $ cd ~/Library/Keychains/
   $ grep -ri 'stuck token id from above'
   ```

3. Get the result. In my case `~/Library/Keychains/{SOME UUID}/keychain-2.db`. Ignore the db-wal matches.

4. Clear the token from the DB:

   ```
   $ cd ~/Library/Keychains/{SOME UUID}/
   $ sqlite3 keychain-2.db   # or whatever db file grep returned the reference in
   sqlite> delete from cert where tkid='stuck token id from above';
   sqlite> delete from keys where tkid='stuck token id from above';
   sqlite> .quit
   ```

Now your security commands shouldn't return old stale disconnected tokens. No idea why these references got left around in the keychain but this at least clears them out.

tstevens avatar Mar 22 '21 21:03 tstevens
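As an added example that is not part of this thread, the same cleanup as a guarded shell script: it validates the token id before splicing it into SQL, counts the stale rows first, backs up each keychain DB, and runs both deletes in one transaction. It assumes macOS with `security` and `sqlite3` on PATH and the `~/Library/Keychains` layout described above; the validation, counting and backup steps are additions of this example.

```shell
#!/bin/sh
# Added example (not from the issue thread): guarded version of the
# keychain-2.db cleanup. Assumes macOS with sqlite3 on PATH.
set -eu

# Token ids look like "org.opensc-project...OpenSCToken:<hex serial>".
# Accept only that character set so the id can be placed in SQL safely.
validate_token_id() {
    case "$1" in
        ''|*[!A-Za-z0-9._:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read-only query: how many cert/keys rows still reference the token.
count_refs_sql() {
    printf "SELECT (SELECT count(*) FROM cert WHERE tkid='%s') + (SELECT count(*) FROM keys WHERE tkid='%s');\n" "$1" "$1"
}

# The two deletes from the thread, wrapped in one transaction so a
# partial failure leaves the DB unchanged.
build_sql() {
    printf "BEGIN;\nDELETE FROM cert WHERE tkid='%s';\nDELETE FROM keys WHERE tkid='%s';\nCOMMIT;\n" "$1" "$1"
}

# Keychain DBs that still mention the token; skip -wal/-shm journal files.
find_dbs() {
    grep -rl -- "$1" "$HOME/Library/Keychains" 2>/dev/null | grep -v -e '-wal$' -e '-shm$' || true
}

main() {
    tkid=$1
    validate_token_id "$tkid" || { echo "refusing unexpected token id: $tkid" >&2; exit 2; }
    find_dbs "$tkid" | while IFS= read -r db; do
        n=$(sqlite3 "$db" "$(count_refs_sql "$tkid")")
        echo "$db: $n stale rows"
        [ "$n" -gt 0 ] || continue
        cp -p "$db" "$db.bak.$(date +%s)"   # back up before deleting anything
        build_sql "$tkid" | sqlite3 "$db"
    done
}

# Usage: sh cleanup.sh '<token id from security list-smartcards>'
if [ $# -gt 0 ]; then main "$1"; fi
```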