HID Crescendo Mac OSX User Manual

Crescendo Integration Guide
MAC OS X
47A3-904, A.0
1 Introduction
1.1 Apple Keychain Services
Keychain Services provides secure storage of passwords, keys, certificates, and notes for one or
more users. A user can unlock a keychain with a single password, and any Keychain Services–
aware application can then use that keychain to store and retrieve passwords.
Using Keychain Services is the preferred means to work with hardware tokens on MAC OS X v10.4
and later. To support this, MAC OS X v10.4 and later implement the TokenD interface, which allows
smart card developers to make their cards appear as keychains.
1.1.1 Use of PKCS #11
PKCS #11 cannot be used in all cases or applications, because:
- Apple® does not provide any integration for PKCS #11-based applications.
- PKCS #11 requires the user to specify a PKCS #11 library to be dynamically loaded for the token
  in question. For example, in order to be able to use a token supported by SafeSign Identity
  Client in Mozilla Navigator, you need to install the SafeSign IC PKCS #11 Library as a security
  device in Mozilla (and in every other application you want to use a SafeSign IC token with).
1.1.2 TokenD
TokenD is a component added to the security architecture from MAC OS X 10.4 (Tiger) onwards to
handle hardware tokens. An OpenDarwin project is available to let anyone define (program) their
own TokenD.
1.2 TokenLounge
TokenLounge is the TokenD implementation for the MAC OS X Keychain.
It can be found (like any other TokenD implementation) in: System/Library/Security/Tokend:
Figure 1: Tokend packages: SafeSign.tokend
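Because every bundle in that directory sits between the Keychain and the smart card, it is worth checking what is installed there and who can modify it. The following is an added example, not part of the HID manual: a POSIX shell check that inventories the .tokend bundles in a directory and flags any that lack an Info.plist or contain group- or world-writable files. The function names and the sample tree are constructed for illustration, and the standard MAC OS X bundle layout (Contents/Info.plist, Contents/MacOS/) is assumed.

```shell
#!/bin/sh
# audit_tokend_dir DIR  (hypothetical helper name)
# Prints "<bundle>\t<status>" for each *.tokend bundle in DIR.
# Returns 0 if every bundle is ok, 1 if any bundle has a finding,
# 2 if DIR does not exist.
audit_tokend_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    findings=0
    for bundle in "$dir"/*.tokend; do
        [ -d "$bundle" ] || continue      # glob matched nothing, or not a bundle
        name=$(basename "$bundle")
        status=ok
        if [ ! -f "$bundle/Contents/Info.plist" ]; then
            # Assumed standard bundle layout: a bundle without its
            # property list is incomplete or has been tampered with.
            status=missing-Info.plist
        elif [ -n "$(find "$bundle" ! -type l \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]; then
            # A file or directory writable by group or other lets a
            # non-root account replace code that handles token keys.
            status=group-or-world-writable
        fi
        [ "$status" = ok ] || findings=$((findings + 1))
        printf '%s\t%s\n' "$name" "$status"
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample tree standing in for the real directory, so the
# check can be exercised on any machine. Prints the path it created.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/Good.tokend/Contents/MacOS" \
             "$d/Loose.tokend/Contents/MacOS" \
             "$d/Bare.tokend"
    : > "$d/Good.tokend/Contents/Info.plist"
    : > "$d/Loose.tokend/Contents/Info.plist"
    : > "$d/Loose.tokend/Contents/MacOS/Loose"
    chmod -R go-w "$d"
    chmod 666 "$d/Loose.tokend/Contents/MacOS/Loose"   # deliberately weak
    echo "$d"
}

# When given a directory argument, audit it.
if [ $# -gt 0 ]; then
    audit_tokend_dir "$1"
fi
```

On a real system, pass the directory named above as an absolute path; a non-zero exit status means at least one bundle needs a closer look.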
March 23, 2009