Unable to read certificates from PIV card

I'd been having problems using a Personal Identity Verification (PIV) card with my MacBook Pro laptop running OS X El Capitan (10.10.5). I need the system to be able to access certificates on the PIV card in order to be able to decrypt email from some individuals. I have an SCR331 card reader, which attaches to the system via a Universal Serial Bus (USB) port.


SCR331 PIV card reader

If I attached the PIV card reader, clicked on the Apple icon at the top left-hand corner of the screen, selected About This Mac, clicked on System Report, and then clicked on USB under Hardware, I could see that the system recognized the attached card reader. E.g., I saw "SCRx31 USB Smart Card Reader" for an SCR331 PIV card reader attached to the system via a USB port (SCR331 is the number printed on the underside of the device, which appears to be its model number; a part number of 904875 is listed there as well).

MacBook Pro SCRx31 attached

But the system didn't seem to be able to read the PIV card when I inserted it into the reader. The green LED on the reader is a solid green before I insert the card. Once I insert the card, it blinks green repeatedly. I thought a driver might be missing for the card reader.

At MilitaryCAC's Help Installing drivers / Firmware update / check Smart Card service for your CAC reader, I found the note below:

NOTE: We are hearing more and more Mac users having problems with the SCR-331 reader. A recommendation is to get a Mac compatible reader.

The page linked to by the link for "Mac compatible reader" mentioned that Identiv, formerly SCM Microsystems Inc., the manufacturer listed for the SCRx31 USB Smart Card Reader in the Mac's hardware list, is now the manufacturer of the SCR readers.


SCM Micro SCR331

So I visited Identiv's site at www.identiv.com. On the SCR331/SCR3310 Contact Smart Card Reader page, I found drivers available for download for Mac, Linux, and Windows systems. The part numbers listed on that page were 904334 and 905185, which didn't match the one I saw on the underside of the device, but I thought the Mac driver might still work, so I downloaded the uTrust_MAC_Driver.zip file. The version number for the software was v5.0.36 with a date of February 2017.

When I extracted the contents of the ZIP file, there were two files within it.

$ ls ~/Downloads/uTrust_MAC_Driver
scmccid_5.0.36_mac.pkg	uninstall.sh
$


When I double-clicked on the .pkg file to install the software, I saw the message below:

"scmccid_5.0.36_mac.pkg" can't be opened because it is from an unidentified developer.

Your security preferences allow installation of only apps from the Mac App Store and identified developers.

Firefox.app downloaded this file today at 2:58 PM.

I clicked on OK to close that window then right-clicked on the .pkg file and chose Open With. I then chose installer.app (default). That resulted in the following window opening:


"scmccid_5.0.36_mac.pkg" is from an unidentified developer. Are you sure you want to open it?

Opening "scmccid_5.0.36_mac.pkg" will always allow it to run on this Mac.

Firefox.app downloaded this file today at 2:58 PM.

I clicked on Open to proceed, which opened a "Welcome to the scmccid release driver version 5.0.36 installer" window.

scmccid release driver install welcome

I clicked on Continue to proceed. The ReadMe information that followed informed me that:

The installer will install the driver bundle(s) in the /usr/local/libexec/SmartCardServices/drivers directory. Symbolic link(s) will be created in /usr/local/pcsc/drivers and in /usr/libexec/SmartCardServices/drivers. The scmccid.ini file is copied to /usr/local/identiv/ini.

scmccid release driver ReadMe

The next screen presented the Software License Agreement. After I agreed to the Software License Agreement, the Installation Type screen that followed informed me that the installation would take 492 KB of space on the computer. There was a "Change Install Location" button, but I just clicked on the Install button to perform a standard installation of the software on the disk "Macintosh HD". I was then prompted to provide account credentials for an account with administrative privileges on the system. When I did so, the installation completed with the message "The installation was successful." I closed the window, then removed the PIV card from the reader and reinserted it. But the device went back to blinking green repeatedly when I reinserted the PIV card into it.

I still could not decrypt email from an individual who had sent me encrypted email previously that was in my inbox in Outlook, but which I couldn't read. However, there was a change. Before, I had seen a "smime.p7m" attachment instead of the text in the body of the message and had also seen a message that "This message can't be decrypted because your private key is not valid or is missing from this computer." Now, when I attempted to view email from him, I was informed that Microsoft Outlook.app wants to use my keychain and was prompted for my keychain password. I still saw the smime.p7m attachment rather than the text of his message, but the error message was now "The security of this message cannot be verified because of an error." And I could now log into a website that requires a login using the PIV card by entering my PIN for the PIV card when prompted to "enter the master password for the ActivID ActivClient 0."

Password-Required

And when I visited another work-related website that allows logins using either a username and password, RSA token authentication, or PIV authentication, I saw the message "You logged in with a smartcard or equivalent and have full access to authorized applications."

When I clicked on Firefox from the Firefox browser menu bar and selected Preferences, then Advanced, and then Security Devices from beneath Certificates, I could see the SCR331 card reader.


Firefox Advanced options

The PIV card reader was shown when I clicked on ActivID ActivClient 0 beneath ActivClient PKCS #11.

Firefox ActivID ActivClient 0

The serial number shown there was not the one on the bottom of the SCR331 reader.

PKCS #11 is one of the Public Key Cryptography Standards (PKCS). The PKCS #11 standard defines a platform-independent application programming interface (API), also known as Cryptoki, to cryptographic tokens such as hardware security modules (HSMs) and smart cards. An application that loads a vendor's PKCS #11 module, as Firefox does with the ActivClient module listed under Security Devices, talks to the card through that module rather than through the operating system's keychain, which is why the card can show up in Firefox even when other applications cannot yet use it. The PIV card is a contact-type smart card.

But I still was not able to decrypt all of the encrypted email in my inbox. I use Microsoft Outlook 2016, which is a component of Microsoft Office 2016, on the MacBook Pro laptop for email. Within Outlook, I clicked on Tools from the menu bar at the top of its window then selected Accounts. I then clicked on the Advanced button in the Accounts window. When I clicked on the security tab, I saw that no certificate was selected for digital signing, encryption, or certificate authentication.


Outlook 2016 Accounts Security

I clicked on the double-headed arrow buttons to the right of "encryption" and "certification" and selected a certificate from the list I saw available, but I still had the same problem with decrypting the email messages from certain individuals. Before installing the driver for the PIV card, I had been able to view encrypted email from some individuals in Outlook, but not others, and I still couldn't decrypt the email from the same individuals whose encrypted email I hadn't been able to view prior to installing the driver. I then found that I also couldn't view a PKI-encrypted email message from someone who had sent me the message the prior day, when I had been able to view it. I reset the certificate values in Outlook to "none selected" again, disconnected the PIV card reader, and restarted Outlook. I was then able to read his email message again. I found, though, that if I plugged the PIV card reader back into the system and then closed and reopened Outlook, I again could not decrypt his email.

I finally found the source of my problem when I returned to the office on Monday and inserted my PIV card into the card reader slot on the keyboard for my Windows desktop system. I received a message that my smart card was locked out. I got the lockout removed and was able to use the PIV card on the Windows system. I then plugged the SCR331 into the MacBook Pro laptop and attempted to read the encrypted email. I saw the message I had seen previously stating that Microsoft Outlook.app wants to use my keychain, prompting me to enter the keychain password. But this time, instead of entering my OS X keychain password as I had been doing previously, I entered the PIN associated with my PIV card. I was then able to read all of the encrypted email I had received, and I realized that, because I had entered the keychain password several times on the Mac system rather than entering the PIV card PIN, I had triggered a lockout of my PIV card.
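The lockout described above is enforced by the card itself, not by the Mac: each wrong value that the middleware passes to the card as a PIN decrements the card's retry counter, and once it reaches zero the correct PIN is refused until the card is unblocked. The following added example (it is not code from the original post, nor from ActivClient or Identiv) shows the two PIV APDUs involved, per NIST SP 800-73-4: SELECT of the PIV application and VERIFY of the PIV PIN. Sending VERIFY with no data asks the card how many tries remain without spending one, which is the check to make before typing anything into a prompt whose wording ("keychain password") does not match what it really expects. No reader is touched: FakePivCard is a constructed stand-in, and its 3-try limit is an assumption (the real limit is set by the card issuer).

```python
"""PIV PIN verification at the APDU level (NIST SP 800-73-4).

Added example, not from the original post. FakePivCard is a constructed
stand-in for a real reader and card so the sequence runs offline; the
3-try limit is an assumption, the real value is chosen by the issuer.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

PIV_AID = bytes.fromhex("A000000308000010000100")  # PIV Card Application AID
PIV_PIN_KEY_REF = 0x80                             # PIV Card Application PIN
SW_OK = (0x90, 0x00)
SW_BLOCKED = (0x69, 0x83)                          # authentication method blocked

Transmit = Callable[[bytes], Tuple[bytes, int, int]]  # -> (data, SW1, SW2)


def build_select_piv() -> bytes:
    """SELECT by AID: CLA=00 INS=A4 P1=04 P2=00 Lc AID."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(PIV_AID)]) + PIV_AID


def build_verify(pin: Optional[str]) -> bytes:
    """VERIFY the PIV PIN: CLA=00 INS=20 P1=00 P2=80 [Lc data].

    With pin=None no data is sent; the card then reports the remaining
    retry count (63 Cx) instead of consuming a try.
    """
    head = bytes([0x00, 0x20, 0x00, PIV_PIN_KEY_REF])
    if pin is None:
        return head
    if not (6 <= len(pin) <= 8 and pin.isdigit()):
        raise ValueError("PIV PIN must be 6 to 8 ASCII digits")
    data = pin.encode("ascii").ljust(8, b"\xff")  # right-padded with 0xFF to 8 bytes
    return head + bytes([len(data)]) + data


@dataclass
class VerifyResult:
    verified: bool
    retries_left: Optional[int]  # None when the card said nothing about retries
    blocked: bool


def parse_verify_sw(sw1: int, sw2: int) -> VerifyResult:
    """Interpret the status word returned for VERIFY."""
    if (sw1, sw2) == SW_OK:
        return VerifyResult(True, None, False)
    if sw1 == 0x63 and (sw2 & 0xF0) == 0xC0:   # 63 Cx: x tries remain
        left = sw2 & 0x0F
        return VerifyResult(False, left, left == 0)
    if (sw1, sw2) == SW_BLOCKED:
        return VerifyResult(False, 0, True)
    raise RuntimeError(f"unexpected status word {sw1:02X} {sw2:02X}")


def _expect_ok(resp: Tuple[bytes, int, int]) -> None:
    if resp[1:] != SW_OK:
        raise RuntimeError(f"SELECT failed: {resp[1]:02X} {resp[2]:02X}")


def pin_retries_remaining(transmit: Transmit) -> Optional[int]:
    """Ask for the retry counter without spending a try (None if already verified)."""
    _expect_ok(transmit(build_select_piv()))
    _, sw1, sw2 = transmit(build_verify(None))
    return parse_verify_sw(sw1, sw2).retries_left


def verify_pin(transmit: Transmit, pin: str) -> VerifyResult:
    """Present a PIN to the card. A wrong value costs one retry."""
    _expect_ok(transmit(build_select_piv()))
    _, sw1, sw2 = transmit(build_verify(pin))
    return parse_verify_sw(sw1, sw2)


class FakePivCard:
    """Constructed card model: retry counter, lockout, and session state."""

    def __init__(self, pin: str, max_retries: int = 3):
        self._pin = pin.encode("ascii").ljust(8, b"\xff")
        self.max_retries = max_retries
        self.retries = max_retries
        self.selected = False
        self.verified = False

    def transmit(self, apdu: bytes) -> Tuple[bytes, int, int]:
        ins, p2 = apdu[1], apdu[3]
        if ins == 0xA4:                                   # SELECT
            self.selected = apdu[5:] == PIV_AID
            return (b"", 0x90, 0x00) if self.selected else (b"", 0x6A, 0x82)
        if ins == 0x20 and p2 == PIV_PIN_KEY_REF:         # VERIFY
            if not self.selected:
                return b"", 0x69, 0x85                    # conditions not satisfied
            if self.retries == 0:
                return b"", 0x69, 0x83                    # blocked, even for the right PIN
            if len(apdu) == 4:                            # no data: report counter only
                return (b"", 0x90, 0x00) if self.verified else (b"", 0x63, 0xC0 | self.retries)
            if apdu[5:] == self._pin:
                self.verified, self.retries = True, self.max_retries
                return b"", 0x90, 0x00
            self.retries -= 1
            return b"", 0x63, 0xC0 | self.retries
        return b"", 0x6D, 0x00                            # INS not supported


if __name__ == "__main__":
    card = FakePivCard(pin="123456")
    print("tries left before typing anything:", pin_retries_remaining(card.transmit))
    for wrong in ("000000", "111111", "222222"):          # e.g. a keychain password sent as a PIN
        print("wrong value ->", verify_pin(card.transmit, wrong))
    print("correct PIN on a blocked card ->", verify_pin(card.transmit, "123456"))
```

Run against a real card, `transmit` would be the PC/SC transmit call of whatever smart card library is in use; the status-word handling is the same. The practical lesson is in the last line of output: after the retry counter hits zero the correct PIN is rejected with 69 83, and only the issuer's unblock procedure (the one performed on the Windows desktop above) restores it.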

Now, if I don't have the PIV card inserted in the reader, I will see the message "This message can't be decrypted because your private key is not valid or is missing from this computer." But if I insert the card and click on another encrypted message from the same person, I can read that second message, but still see the "this message can't be decrypted" message for the first email. But I can close Outlook and reopen it and then view all encrypted email from the person and from others without being prompted for a password.

References:

  1. Making Mozilla Firefox work with ActivClient, External Certificate Authority (ECA)