CryptoTokenKit

Access security tokens and the cryptographic assets they store using CryptoTokenKit.

CryptoTokenKit Documentation

Posts under CryptoTokenKit tag

25 Posts
Post not yet marked as solved. 18 Replies, 2k Views.
Hello,

We already submitted feedback through the assistant about that, but I'm not sure we will ever get an answer, and it might be interesting for other people as well.

On macOS Ventura, it seems that applications using the Keychain services are unable to see certificates provided by CryptoTokenKit smart card token drivers. To reproduce, you need a CryptoTokenKit smart card driver appex working under Big Sur or Monterey. Install the same appex on Ventura. You'll see that Safari does not see the certificates provided by the appex, and cannot perform SSL/TLS client authentication with them. Similar symptoms can be seen with other apps (Chrome, mail clients, or even custom apps that directly use the Keychain API: token instances cannot be obtained from the app).

We tested with both our own CryptoTokenKit driver (a TKSmartCard driver, which worked well with all previous macOS versions) and the CryptoTokenKit driver from another company (Yubico). Both work on older macOS, but not on Ventura.

Has something changed in the Security framework between Monterey and Ventura? Do we need to change something in our CryptoTokenKit driver, or is it a bug in macOS? If it's a bug, is Apple aware of it, and will it be fixed? This functionality is largely used in enterprise environments.
Posted by idopte.
Post not yet marked as solved. 1 Reply, 148 Views.
Hello,

I recently wanted to change the GUI of the TKTokenSmartCardPINAuthOperation to use my own GUI. From the documentation available on the Apple website, nothing tells me that it's forbidden to create your own TKTokenAuthOperation in order to log in on a card: https://developer.apple.com/documentation/cryptotokenkit/tktokenauthoperation

I thought that making a class inherit from TKTokenAuthOperation, where I could create my own workflow and GUI, would help. Unfortunately, as soon as we exit the init() function (and the calling function, tokenSession(_:beginAuthFor:constraint:)), the operation I was doing (in my case a signature) starts all over again, without waiting for the end of the authentication.

I would love to use this solution since the workflow of a signature inside the tokenSession(_:sign:) function is non-blocking; therefore, if I want to display my own PIN dialog, since the one provided does not enable facial recognition or bio template acquisition.

TL;DR:

    class MyAuth: TKTokenAuthOperation {
        override init() {
            super.init() // required before self can be captured in the closure below
            Display_My_PINDialog(completionHandler: { pin in
                self.finish()
            })
        }
    }

does not work.
Posted by leocity.
Post not yet marked as solved. 0 Replies, 243 Views.
Hello,

I'm an iOS and macOS developer. It is unclear to me whether the "Smart Card Token Extension" on iOS can address a smart card using NFC, CCID, or both. Please tell us what the current status is.

When creating the extension, you can provision an AID. What is this information used for? Can't I use multiple applications (hence multiple AIDs, let's say one normal and one for qualified signature) on the smart card with the same scext? It is worth asking these questions before diving into useless coding.

Regards, ++dom
Posted by dom_.
Post marked as solved. 2 Replies, 297 Views.
Please excuse my lack of understanding of what are probably fundamental concepts in iOS/iPadOS development, but I have searched far and wide for documentation and haven't had much luck so far. I am not sure that what I want to do is even possible with an iPadOS app.

Goals: Develop a Swift iPadOS app that can digitally sign a file using a PIV SmartCard/Token (Personal Identity Verification Card):
  * Insert a PIV SmartCard/Token (such as a YubiKey 5Ci) into the Lightning port of an iPadOS device (NOT macOS)
  * Interface with the SmartCard/Token to access the user's PIV certificate/signature and "use it" to sign a file

Question 1: How to get the PIV certificate from the SmartCard/Token/YubiKey into the iPadOS keychain?
  * Do we need to get the PIV certificate into the iOS keychain? Is there another way to interact with a SmartCard directly?
  * Should this prompt the user for their PIN?

Question 2: How to get our Swift app to hook into the event that the SmartCard/Token is inserted into the device and then interface with the user's certificate?
  * When is the user prompted to enter their PIN for the SmartCard/Token/YubiKey?
  * Do we need to use CryptoTokenKit to interface with a smart card inserted into the Lightning port of an iOS device?
Post not yet marked as solved. 0 Replies, 1.1k Views.
General:
  Apple Platform Security support document
  Security Overview

Cryptography:
  DevForums tags: Security, Apple CryptoKit
  Security framework documentation
  Apple CryptoKit framework documentation
  Common Crypto man pages — For the full list of pages, run:
    % man -k 3cc
  For more information about man pages, see Reading UNIX Manual Pages.
  On Cryptographic Key Formats DevForums post
  SecItem attributes for keys DevForums post
  CryptoCompatibility sample code

Keychain:
  DevForums tags: Security
  Security > Keychain Items documentation
  TN3137 On Mac keychain APIs and implementations
  SecItem Fundamentals DevForums post
  SecItem Pitfalls and Best Practices DevForums post

Smart cards and other secure tokens:
  DevForums tag: CryptoTokenKit
  CryptoTokenKit framework documentation

Mac-specific frameworks:
  DevForums tags: Security Foundation, Security Interface
  Security Foundation framework documentation
  Security Interface framework documentation

Related:
  Networking Resources — This covers high-level network security, including HTTPS and TLS.
  Network Extension Resources — This covers low-level network security, including VPN and content filters.
  Code Signing Resources
  Notarisation Resources
  Trusted Execution Resources — This includes Gatekeeper.
  App Sandbox Resources

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Posted by eskimo.
Post marked as solved. 3 Replies, 756 Views.
I am working on a token extension on iOS. The Apple documentation says that if we throw an error with error code TKError.Code.authenticationNeeded.rawValue, it will trigger user authentication. In my TKTokenSessionDelegate class, in the sign(dataToSign) function, I am throwing this error, but my extension is not showing the authentication screen. Any idea what I am missing?
Posted by mjza.
Post not yet marked as solved. 1 Reply, 751 Views.
I'm writing an application which uses a custom right to require that a user authenticate as an admin to access a specific part of my app, and I'm struggling with cases where smart card usage is enforced.

The simplest way is to use a custom right, but the dialog presented to the user gives no feedback that a smart card is required should they try to authenticate with a password when the token isn't connected (i.e. a YubiKey, for example, isn't plugged in to the USB bus). Instead, in this case, the authentication dialog simply wobbles as though they hadn't entered the correct password. It looks like the same is true of default macOS dialogs too, such as unlocking a preference pane.

I've looked around the API docs to see if there's any other way I can do this, but I don't seem to find any API methods that explicitly state I want the user to authenticate with a PIV token. Do I need to use CryptoTokenKit to send raw APDU commands to a connected token to achieve this? I was hoping I could use LAContext from LocalAuthentication to do this, as it supports watch/fingerprint auth, but again I couldn't see any obvious sign of support for smart cards.
Post not yet marked as solved. 1 Reply, 624 Views.
Hello everyone. iOS 16 added the ability to connect USB devices. TKSmartCard works well with just a fast command, but if it takes more than 600 ms, TKSmartCard.transmit fails with communication error -2. Is there a workaround, or am I using it wrong? Usage looks like this:

    import CryptoTokenKit

    func foo() {
        guard let manager = TKSmartCardSlotManager.default else { return }
        let names = manager.slotNames
        let smartCards = names.compactMap { manager.slotNamed($0) }
            .filter { $0.state == .validCard }
            .compactMap { $0.makeSmartCard() }
        guard let card = smartCards.first else { return }
        let apdu = Data([/* command that lasts longer than 600 ms */])
        Task {
            do {
                guard try await card.beginSession() else {
                    print("beginSession failed")
                    return
                }
                let res = try await card.transmit(apdu)
                print(res.map { String(format: "0x%02X", $0) }.joined(separator: ", "))
            } catch {
                print(error)
            }
        }
    }
Posted by kamenov.
Post not yet marked as solved. 1 Reply, 287 Views.
Hello,

It is mentioned in the CryptoTokenKit documentation: "You use the CryptoTokenKit framework to easily access cryptographic tokens. Tokens are physical devices built in to the system, located on attached hardware (like a smart card), or accessible through a network connection."

However, it looks like there is a lack of documentation with a simple example of how to access a network token. I have certificates in an HSM (hardware security module), which is accessible on the network, and I'd like to access the certificates on the HSM on my Mac. Does anybody know where to start with the implementation? Thank you.
Posted by OShv.
Post marked as solved. 1 Reply, 340 Views.
Hi! I want to open the containing app from a CTK extension because I need to ask for parameters related to the signature operation. The beginAuthFor: method is not enough, because I need more input than just the password. I can do this on macOS with NSWorkspace.shared.open(url), but on iOS UIApplication.shared.open "is unavailable in application extensions for iOS". Any suggestions?
Posted by sultgalu.
Post not yet marked as solved. 3 Replies, 520 Views.
I am building a CryptoTokenKit based persistent token extension where:
  * the private key is generated in the Secure Enclave (the idea is not to store the private key on disk)
  * a CSR is sent to a server
  * a signed OpenSSH cert is received and is on disk along with the public key, i.e. id_foo-cert.pub, id_foo.pub
  * the private key ref is stored in the token driver

    // Mac keychain can't store OpenSSH certificate so set as nil
    let tokenKey = TKTokenKeychainKey(certificate: certificate, objectID: tag)
    ....
    // Add to the keychain for future access by SSH
    tokenConfig.keychainItems.append(tokenKey)

My extension is loaded:

    % system_profiler SPSmartCardsDataType
    SmartCards:
      Readers:
      Reader Drivers:
        #01: fr.apdu.ccid.smartcardccid:1.5.0 (/usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle)
      SmartCard Drivers:
        #01: com.apple.CryptoTokenKit.pivtoken:1.0 (/System/Library/Frameworks/CryptoTokenKit.framework/PlugIns/pivtoken.appex)
        #02: com.foo.mac-device-check.SecureEnclaveTokenExtension:1.0 (/Applications/mac_device_check.app/Contents/PlugIns/SecureEnclaveTokenExtension.appex)
      Available SmartCards (keychain):
        com.apple.setoken:
        com.apple.setoken:aks:
        com.foo.mac-device-check.SecureEnclaveTokenExtension:700D6B7E8943B529569D9CC81AC6F930:
          #01: Kind: private ECDSA 256-bit, Certificate: no, Usage: Sign Derive  Valid from: N/A to: N/A, SSL trust: N/A, X509 trust: N/A
      Available SmartCards (token):
        com.apple.setoken:
        com.apple.setoken:aks:
        com.foo.mac-device-check.SecureEnclaveTokenExtension:700D6B7E8943B529569D9CC81AC6F930:
          #01: Kind: private ECDSA 256-bit, Certificate: no, Usage: Sign Derive  Valid from: N/A to: N/A, SSL trust: N/A, X509 trust: N/A
    % security list-smartcard
    No smartcards found.

When I SSH to a remote with the ssh_config below, it doesn't load the CTK app extension at all:

    Host test
      HostName abc.foo.com
      User foo_user
      AddKeysToAgent yes
      UseKeychain yes
      CertificateFile ~/.ssh_certificates/id_foo-cert.pub
      PKCS11Provider /usr/lib/ssh-keychain.dylib

Debug logs:

    debug1: Connecting to abc.foo.com port 22.
    debug1: Connection established.
    debug1: provider /usr/lib/ssh-keychain.dylib: manufacturerID <Apple, Inc.> cryptokiVersion 2.20 libraryDescription <Keychain emulation PKCS#11 API> libraryVersion 0.0
    debug1: pkcs11_register_provider: provider /usr/lib/ssh-keychain.dylib returned no slots
    debug1: Next authentication method: publickey
    debug1: Offering public key: /Users/local/.ssh_certificates/id_foo-cert.pub ECDSA-CERT SHA256:c4uVaMJpVaAWg8gtAxMHtJIpNnZ67P/G9Dw2wx44Kgs explicit
    debug2: we sent a publickey packet, wait for reply
    debug1: Server accepts key: /Users/local/.ssh_certificates/id_foo-cert.pub ECDSA-CERT SHA256:c4uVaMJpVaAWg8gtAxMHtJIpNnZ67P/G9Dw2wx44Kgs explicit
    debug1: sign_and_send_pubkey: no separate private key for certificate "/Users/local/.ssh_certificates/id_foo-cert.pub"
    debug2: Passphrase not found in the keychain.
    Load key "/Users/local/.ssh_certificates/id_foo-cert.pub": invalid format

Since pkcs11 returned no slots, the private key ref cannot be accessed for signing. I have tested this on Monterey 12.5 and Ventura 13.1 with the same failure.

Does anyone know if the pkcs11 provider can launch a CTK app extension? Is there anything wrong in my code/config? Is there any sample settings/code for a persistent token extension handling SSH keys? Any help is highly appreciated.
Post not yet marked as solved. 0 Replies, 1.4k Views.
Hello, I came on this forum to ask if there were any other developers or teams currently working on the Swift-based blockchain protocol for Apple to make "Dapples"? I was hoping that someone would guide me in the right direction as far as exporting my Solidity-based smart contract application into Swift / into Xcode. I cannot find out how to connect Solidity and Xcode to make Dapps, and I was wondering if anyone was working on making the official smart contract for Swift iOS?

Thank you,
Dylan Kawalec
DYLANKAWALEC@GMAIL.COM
9284990093
Post marked as solved. 1 Reply, 456 Views.
A call to endSession() after the smart card was physically removed from the device leads to an application crash:

    terminating with uncaught exception of type NSException
    *** Terminating app due to uncaught exception 'NSInternalInconsistencyException', reason: 'bad endSession'

I think you could reproduce this with any smart card:

    card.beginSession { [unowned self] isStarted, err in
        card.transmit(apdu) { [unowned self] response, err in
            card.endSession() // <- set breakpoint here
        }
    }

Steps to reproduce:
  - start the application
  - set the breakpoint
  - remove the device
  - continue
Posted by kamenov.
Post not yet marked as solved. 2 Replies, 1.6k Views.
Hi, I'm trying to send commands to an external smart card reader connected to my iOS device. The first step is to get the corresponding smart card slot via TKSmartCardSlotManager. I've added the com.apple.security.smartcard entitlement but still get nil when trying to access the manager object. The console logs an error: "The connection to service on pid 0 named com.apple.ctkd.slot-client was invalidated". Has anyone successfully tried this on iOS?
Posted by oschaefer.
Post not yet marked as solved. 9 Replies, 3.9k Views.
Hi all, when accessing a USB device on the Mac OS X platform, "App Sandbox" = YES and "com.apple.security.device.usb" = YES must be added to the entitlements file. How do I implement USB access on the iOS platform?
Post not yet marked as solved. 1 Reply, 1.5k Views.
I am developing a Java app that integrates with a SmartCard reader. One of the features that I am trying to implement is reading/setting the terminal (card reader) configuration without a tag being present on the reader. This can be done by sending so-called escape codes. But to enable these escape codes, we need to enable them in the driver. In the case of macOS this will be SmartCardServices, and the file that I should edit is:

    /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/Info.plist

I need to set the ifdDriverOptions property to 0x0001. This procedure was described in this helpful GitHub comment: https://github.com/pokusew/nfc-pcsc/issues/13

I tried to follow the other instructions provided there, but I hit the wall with a read-only file system error. I wonder if there is an idiomatic way to change these settings.

Why is this important? Sending a new configuration via an escape command is the only way to un-brick a terminal that was (by mistake) wrongly configured.
Posted by 0xmarcin.
Post not yet marked as solved. 5 Replies, 1.7k Views.
Hi all,

I have tried to use the CryptoTokenKit library to use the private key in my smart card to sign data. I can find the smart card's tokenId by using the CryptoTokenKit classes, but I don't know how to list all items in the smart card and use the private key in the smart card to sign data.

I have also tried the command line interface "security". I can list smart cards with the command:

    security list-smartcard

I can list all items in a smart card with the command:

    security export-smartcard

or the command:

    system_profiler SPSmartCardsDataType

BUT I don't know how to use the private key in the smart card to sign data with the command line interface "security".

It is very difficult to find documentation about interacting with smart cards on macOS, so please help me! Can you share documentation on finding items in a smart card and using the private key to sign data? Thanks all!
Posted by tuantag.
Post not yet marked as solved. 3 Replies, 910 Views.
Hi there! I am developing a PersistentToken extension to work on iOS > 14.0. The goal is to bring digital certificates (personal identities to authenticate and digitally sign) to the iPhone from an external HSM. I have created an iOS app that recovers certificates from the device and inserts them into the keychain:

    let tokenDriverConfiguration = TKTokenDriver.Configuration.driverConfigurations[TokenConfigurationName]
    let tokenConfiguration: TKToken.Configuration! = tokenDriverConfiguration!.addTokenConfiguration(for: TokenName)
    let elems: NSMutableArray = []
    for (certid, certdata) in certs {
        let certificate: SecCertificate = CreateCert(str: certdata.b64)!
        let tokenKeychainCertificate: TKTokenKeychainCertificate! = TKTokenKeychainCertificate(certificate: certificate, objectID: certid)
        tokenKeychainCertificate.setName(name: certdata.descr)
        tokenKeychainCertificate.label = certdata.certname
        elems.add(tokenKeychainCertificate!)

        let tokenKeychainKey: TKTokenKeychainKey! = TKTokenKeychainKey(certificate: certificate, objectID: certid)
        tokenKeychainKey.setName(name: certdata.descr)
        tokenKeychainKey.canSign = true
        tokenKeychainKey.label = certdata.certname
        tokenKeychainKey.isSuitableForLogin = true
        tokenKeychainKey.keyType = kSecAttrKeyTypeRSA as String
        tokenKeychainKey.canDecrypt = true
        tokenKeychainKey.canPerformKeyExchange = false
        elems.add(tokenKeychainKey!)
    }
    tokenConfiguration.keychainItems = elems as! [TKTokenKeychainItem]

That presents the certificates to other applications. I have also created the Persistent Token extension, but when trying to use the certificates to authenticate (in a webpage, for example), the breakpoints set in Xcode do not work. I have set a logger that works in the application, but there is no log in the token section.

In the entitlements, I have this:

    <dict>
        <key>keychain-access-groups</key>
        <array>
            <string>com.apple.token</string>
            <string>com.company.test.Token</string>
        </array>
    </dict>
    </plist>

When I try to debug with Safari, I get this error multiple times:

    2022-08-12 13:14:50.616916+0200 MobileSafari[4092:8702247] [client] authentication failed repeatedly: tkid=com.company.test.Token:Token:Token, ac=<SecAccessControlRef: tkid(com.company.test.Token:Token);od(true);osgn(true)>, op=osgn

I have also read the post https://developer.apple.com/forums/thread/705433 where you tell Aekold to use a test app, but I cannot find any example or guide on the web about how to do it. Maybe you can guide me. Thanks for all!
Posted by Ivnosys.
Post not yet marked as solved. 3 Replies, 623 Views.
Good morning,

I have a problem when packaging the application: the CTK (CryptoTokenKit) extension is not detected by the system. If I compile in debug, it works perfectly. What could be happening?

Thanks, greetings
Posted by Aekold.
Post not yet marked as solved. 0 Replies, 665 Views.
Can the CTKToken framework handle mixed RSA / EC certificate chains?

When using a CTKToken implementation to use certificates on a smart card, the CTK framework comes with strange "supportsOperation" requests when the certificate contains an RSA key but is signed by the EC key of the parent certificate. It basically asks if the CTKToken implementation can sign using some ECC algorithms while using an RSA key. (No RSA algorithms are checked, so in the end no supported algorithm is found.)

The CTK function that is being called:

    - (BOOL)tokenSession:(TKTokenSession *)session
           supportsOperation:(TKTokenOperation)operation
                    usingKey:(TKTokenObjectID)keyObjectID
                   algorithm:(TKTokenKeyAlgorithm *)algorithm {

During debugging this shows that [keyItem.keyType isEqual:(id)kSecAttrKeyTypeRSA] holds, but it only asks if we support some EC algorithm.

When using a PKCS#11 implementation instead of a CTKToken implementation with the same card, we are able to create a digital signature with Acrobat Reader; with the CTKToken we are not able to. We expected the CTK framework to ask us if we can sign with the RSA key while using some RSA algorithms. This behaviour is followed when using a certificate with an RSA key that is signed by a parent certificate with an RSA key.

This has been tested while using Belgian eID test cards with a mixed RSA/EC keychain: https://github.com/Fedict/eid-mw/blob/master/cardcomm/ctkToken/BEIDToken/TokenSession.m