General:
Apple Platform Security support document
Security Overview
Cryptography:
DevForums tags: Security, Apple CryptoKit
Security framework documentation
Apple CryptoKit framework documentation
Common Crypto man pages — For the full list of pages, run:
% man -k 3cc
For more information about man pages, see Reading UNIX Manual Pages.
On Cryptographic Key Formats DevForums post
SecItem attributes for keys DevForums post
CryptoCompatibility sample code
Keychain:
DevForums tags: Security
Security > Keychain Items documentation
TN3137 On Mac keychain APIs and implementations
SecItem Fundamentals DevForums post
SecItem Pitfalls and Best Practices DevForums post
Investigating hard-to-reproduce keychain problems DevForums post
Smart cards and other secure tokens:
DevForums tag: CryptoTokenKit
CryptoTokenKit framework documentation
Mac-specific frameworks:
DevForums tags: Security Foundation, Security Interface
Security Foundation framework documentation
Security Interface framework documentation
Related:
Networking Resources — This covers high-level network security, including HTTPS and TLS.
Network Extension Resources — This covers low-level network security, including VPN and content filters.
Code Signing Resources
Notarisation Resources
Trusted Execution Resources — This includes Gatekeeper.
App Sandbox Resources
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
CryptoTokenKit
Access security tokens and the cryptographic assets they store using CryptoTokenKit.
Posts under CryptoTokenKit tag
22 Posts
After macOS updates/reboots, the CryptoTokenKit extension doesn't get loaded automatically when the system boots back up. It needs another reboot to get the extension loaded and working.
After update:
% security list-smartcards
<No smart cards>
... and there is a crash of authorizationhosthelper.arm64 in the keychain layer:
Thread 2 Crashed:: Dispatch queue: com.apple.security.keychain-cache-queue
0 libdispatch.dylib 0x18e2e499c dispatch_channel_cancel + 12
1 Security 0x1914ccfd0 invocation function for block in Security::KeychainCore::StorageManager::tickleKeychain(Security::KeychainCore::KeychainImpl*) + 44
2 libdispatch.dylib 0x18e2ce3e8 _dispatch_client_callout + 20
3 libdispatch.dylib 0x18e2d18ec _dispatch_continuation_pop + 600
4 libdispatch.dylib 0x18e2e57f0 _dispatch_source_latch_and_call + 420
5 libdispatch.dylib 0x18e2e43b4 _dispatch_source_invoke + 832
6 libdispatch.dylib 0x18e2d5898 _dispatch_lane_serial_drain + 368
7 libdispatch.dylib 0x18e2d6544 _dispatch_lane_invoke + 380
8 libdispatch.dylib 0x18e2e12d0 _dispatch_root_queue_drain_deferred_wlh + 288
9 libdispatch.dylib 0x18e2e0b44 _dispatch_workloop_worker_thread + 404
10 libsystem_pthread.dylib 0x18e47b00c _pthread_wqthread + 288
11 libsystem_pthread.dylib 0x18e479d28 start_wqthread + 8
Opening the parent app bundle as a Login item does not help.
A reboot sometimes fixes it, but this happens frequently and causes a lot of enterprise endpoints to be unable to authenticate.
After reboot:
% security list-smartcards
com.foo.tech.mac-device-check.SecureEnclaveTokenExtension:700D6B7E8943B529569D9CC81AC6F930
Please provide and prioritize a permanent fix/workaround for this issue. We have already reported this issue with crash and sysdiagnose logs in FB13622281 earlier this year.
Hello,
We have an application which gets our HSM certificates via TKTokenWatcher; here is a snippet:
import CryptoTokenKit
import Security

let tokens = TKTokenWatcher()
for token in tokens.tokenIDs {
    // Use our HSM certs
    if token.contains("SPECIFIC_IDENTIFIER") {
        let tokenQuery = [kSecClass as String: kSecClassIdentity,
                          kSecAttrTokenID as String: token,
                          kSecAttrKeyType as String: kSecAttrKeyTypeRSA,
                          kSecReturnRef as String: true] as CFDictionary
        var item: CFTypeRef?
        let result = SecItemCopyMatching(tokenQuery, &item)
        if result == noErr {
            // ... use the identity returned in `item`
        }
    }
}
Normally, the result is all right, but a problem occurred when we added the "App Groups" entitlement. This application has to share some Defaults with another app, so they need to be in the same App Group.
So, when we added this App Group entitlement, the result from the code snippet is -34018, which according to OSStatus means errSecMissingEntitlement.
Does anybody know which entitlement has to be added so the app can be in the App Group and at the same time be able to get certificates?
Thank you.
I'm encountering an issue related to PCSC (PC/SC) smart card interactions on macOS 14 that I haven't experienced on earlier versions of macOS.
When sending an APDU command to generate a key pair on a smart card:
On macOS 12: The operation works as expected.
On macOS 14: The card responds with an error 66 02.
Are there any changes to the PC/SC implementation in macOS 14 that might affect smart card operations?
I recently discovered that CryptoTokenKit (TKSmartCard.transmit) throws an ObjC exception, and thus crashes a Swift app using TKSmartCard (absent an ObjC wrapper to handle the ObjC exception explicitly).
That was surprising, as there was no documentation indicating that TKSmartCard needs to be wrapped in ObjC instead of being used directly from Swift. (See https://developer.apple.com/documentation/cryptotokenkit/tksmartcard/1390161-transmit) The exception is an NSInternalInconsistencyException, which is thrown when certain code paths are executed in a certain sequence (which indeed leaves a TKSmartCard in an inconsistent state).
Is there a list of Frameworks that throw ObjC exceptions (and therefore need special handling by Swift when invoking methods/functions)?
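The session discipline TKSmartCard expects, as an added Swift example that is not the poster's code: a small synchronous wrapper that opens a session before any transmit call, ends the session on every exit path, and never transmits on a card whose session failed to open. It is written for a macOS command-line tool, uses the first slot reported by the slot manager, and sends a constructed PIV SELECT APDU (AID A0 00 00 03 08, NIST SP 800-73) as its sample command; the APDU, the error enum and the helper names are this example's own. In a sandboxed app, TKSmartCardSlotManager.default is nil unless the process holds the com.apple.security.smartcard entitlement, which is why the wrapper treats a nil manager as an error rather than a "no reader" condition.

```swift
// Added example (not the poster's code): keep TKSmartCard use in the order the
// API expects -- begin a session, transmit, end the session.
import CryptoTokenKit
import Foundation

enum CardError: Error {
    case noSlotManager                 // nil default manager: entitlement/sandbox problem
    case noSlot(String)
    case noCard(String)                // slot exists but makeSmartCard() returned nil
    case sessionRefused(Error?)
    case transmitFailed(Error?)
    case shortResponse                 // fewer than the two status-word bytes
}

/// Blocks the calling thread until a reply-block API answers.
/// Acceptable in a CLI; do not call this on the main thread of a GUI app.
func awaitReply<T>(_ start: (@escaping (T) -> Void) -> Void) -> T {
    let gate = DispatchSemaphore(value: 0)
    var value: T?
    start { value = $0; gate.signal() }
    gate.wait()
    return value!
}

/// Opens a session on the card in `slotName`, runs `body`, and always ends the session.
func withCardSession<R>(slotName: String, _ body: (TKSmartCard) throws -> R) throws -> R {
    guard let manager = TKSmartCardSlotManager.default else { throw CardError.noSlotManager }
    guard let slot = manager.slotNamed(slotName) else { throw CardError.noSlot(slotName) }
    guard let card = slot.makeSmartCard() else { throw CardError.noCard(slotName) }
    let (opened, error): (Bool, Error?) = awaitReply { reply in
        card.beginSession { ok, err in reply((ok, err)) }
    }
    guard opened else { throw CardError.sessionRefused(error) }
    defer { card.endSession() }        // released even if body throws
    return try body(card)
}

/// Sends one raw APDU inside an open session and splits the response into data + SW.
func transmit(_ card: TKSmartCard, _ apdu: Data) throws -> (data: Data, sw: UInt16) {
    let (response, error): (Data?, Error?) = awaitReply { reply in
        card.transmit(apdu) { data, err in reply((data, err)) }
    }
    guard let bytes = response else { throw CardError.transmitFailed(error) }
    guard bytes.count >= 2 else { throw CardError.shortResponse }
    let sw = bytes.suffix(2).reduce(UInt16(0)) { $0 << 8 | UInt16($1) }
    return (Data(bytes.dropLast(2)), sw)
}

// Constructed sample command: SELECT the PIV application (NIST SP 800-73 AID).
// Replace the AID with the one for your applet.
let selectPIV = Data([0x00, 0xA4, 0x04, 0x00, 0x05, 0xA0, 0x00, 0x00, 0x03, 0x08])

do {
    guard let slotName = TKSmartCardSlotManager.default?.slotNames.first else {
        throw CardError.noSlot("<no slots reported>")
    }
    let reply = try withCardSession(slotName: slotName) { card in
        try transmit(card, selectPIV)
    }
    // 0x9000 means success; anything else is the card's own status word.
    print(String(format: "SW=%04X, %d data bytes", reply.sw, reply.data.count))
} catch {
    print("card error: \(error)")
}
```

Everything that talks to the card goes through withCardSession, so the only way to call transmit is with a session that beginSession reported as open; the defer guarantees endSession runs whether the body returns or throws. A status word other than 0x9000 is returned to the caller as data, not turned into an exception, because it is the card's normal way of reporting conditions such as wrong PIN or unsupported instruction.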
I am using the CryptoTokenKit functionality to be able to perform validations on web pages that use digital certificates to ensure the user's identity, using the digital certificates included in the Spanish national electronic identity document.
I manage to use it correctly in most cases, but sometimes I get an error when trying to retrieve the previously created token. This error is fixed by restarting the phone.
I have created a Feedback Assistant report with number FB14095789.
Is it possible to get the process (name, executable location) that triggers CryptoTokenKit extension security operation, such as signData or decryptData?
We are developing smart card middleware for both Windows (minidriver) and macOS (CryptoTokenKit extension). We would like the possibility to configure various parts of our implementation based on the calling process. For example, we would like to cache the PIN code in memory for a particular amount of time that is different for a web browser and an email client.
On Windows it can be done, since the minidriver DLL is loaded into the calling application's process. By calling GetCurrentProcess() inside our minidriver, we can figure out what application is using it. On macOS, however, there is a single process that handles all requests from the apps using smart cards, so getting the current process info does not help. Is there a way to get the calling application somehow?
Hi Team,
I have developed a smartcard driver which is working fine when inserting a USB mouse. Here is the process I followed for the smartcard driver:
The smartcard driver (IFDHandler) has an Info.plist which contains vendor ID and product ID attributes.
I put the vendor ID and product ID of the USB mouse which is going to be connected to the device (Mac) in Info.plist, built the IFD driver and placed it at the path /usr/local/libexec/SmartCardServices/drivers/
Once I insert the USB mouse I get the smart card pairing notification on the Mac.
This scenario is working fine and I am able to achieve the following changes on the Mac device:
Getting the smart card notification for pairing on the Mac device
After pairing, the password field on the login screen changes to a PIN field
But I want the smartcard driver (IFDHandler) to be triggered via a Bluetooth connection from an iPhone or Android instead of via USB.
Is there any way to achieve this?
Reference for the USB smart card driver: https://github.com/frankmorgner/vsmartcard/blob/master/virtualsmartcard/src/ifd-vpcd/ifd-vpcd.c
I am trying to pass the smart card PIN from a custom auth plugin with the tag kAuthorizationEnvironmentPassword. I added pam_smartcard.so to the login stack (/etc/pam.d/login) but the changes do not take effect.
# login: auth account password session
auth sufficient pam_smartcard.so
auth optional pam_krb5.so use_kcminit
auth optional pam_ntlm.so try_first_pass
auth optional pam_mount.so try_first_pass
auth required pam_opendirectory.so try_first_pass
account required pam_nologin.so
account required pam_opendirectory.so
password required pam_opendirectory.so
session required pam_launchd.so
session required pam_uwtmp.so
session optional pam_mount.so
What could possibly be going wrong here? Also, is there an API to trigger authorization_ctk from a custom auth plugin to work with a smart card?
Hello All,
I am new to iOS development and would like to detect smart card readers connected to the USB-C port on iOS (16+) devices. The smart card reader is custom hardware and not MFi certified. So, as per my understanding, I cannot use ExternalAccessory.framework without MFi certification. Correct?
How else can I achieve this? Does TKSmartCardSlotManager work for this purpose (or is it only for NFC devices)? Is there any example of how to use this interface? I couldn't find any example to use as a starting point.
Thanks in advance.
Issue: The screen saver is not shown, and the user is not locked out after removing a smart card with a logged-in user.
I have tried setting tokenRemovalAction to 1, along with various other com.apple.security.smartcard defaults, and I have also tried setting "turn on screen saver when login token removed." None of this makes the screen lock on card removal.
Is this an issue with macOS 14, or is there a different setting/value that has to be set for this to work correctly?
I've developed a CryptoTokenKit extension using the Xcode template. I've successfully added the certificate and its corresponding private key to the keychain. However, when attempting to sign with this certificate, I need to call a command-line interface (CLI) that I've created.
The CLI is located at ~/Applications/mycli/cli_executable. My issue arises because the extension is sandboxed, prohibiting direct communication with the CLI. I attempted to remove the sandbox, but that didn't resolve the problem (the extension wasn't being registered without the app sandboxed). Additionally, the CLI relies on a database, so simply copying the file to the app container folder isn't a feasible solution (unless it's a symlink – I'm unsure if this is possible).
How can I effectively address this problem and enable communication between the sandboxed extension and my CLI (GoLang app)?
Thank you.
I am working on a macOS application written in Swift 5, where the user can log in using a smartcard. When the user inserts the smartcard and selects this way of authentication, we display the certificates on the card for the user to select. Once selected, the user enters the PIN and logs in.
I am able to show the certificates using the SecItemCopyMatching call mentioned in this answer. But along with the PIN, I need to send the following information to log in successfully:
Card's name -> for example, Identity Device (NIST SP 800-73 [PIV])
Crypto service provider's name -> for example, Microsoft Base Smart Card Crypto Provider
Container name -> in the format aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
Questions:
I want to understand how to get this information from the certificate present on the smartcard.
(not important) When I run the SecItemCopyMatching call, I get 8 objects in an array, but I know that there are only 2 certs on it. Currently, I cast it into a set and see just the 2 SecCertificate objects that I need. Is there a better solution to this?
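Both the App Groups / -34018 post and the "8 objects for 2 certs" post above come down to the same query: identities on a CryptoTokenKit token via SecItemCopyMatching. The following is an added Swift example, not code from either poster. It walks TKTokenWatcher's token IDs, asks for all identities on each matching token with both attributes and references returned, collapses repeated rows by kSecAttrPublicKeyHash (the example's assumption is that identity rows carry that certificate attribute; the SHA-1 of the public key is the same for the certificate and its private key, so it is a stable deduplication key), and turns the OSStatus into a readable message so -34018 shows up as errSecMissingEntitlement rather than a bare number. The substring "SPECIFIC_IDENTIFIER" and the struct/helper names are placeholders of this example.

```swift
// Added example (not from the posts): enumerate token identities, deduplicate
// them by public key hash, and report Keychain errors by name.
import CryptoTokenKit
import Foundation
import Security

struct TokenIdentity {
    let tokenID: String
    let label: String
    let publicKeyHash: Data          // kSecAttrPublicKeyHash, shared by cert and key
    let identity: SecIdentity
}

struct KeychainError: Error, CustomStringConvertible {
    let status: OSStatus
    var description: String {
        // SecCopyErrorMessageString is available on macOS; fall back to the raw code.
        let text = SecCopyErrorMessageString(status, nil) as String? ?? "unknown"
        return "SecItemCopyMatching failed: \(status) (\(text))"
    }
}

/// Returns one entry per distinct identity on every token whose ID contains `fragment`.
func identities(onTokensContaining fragment: String) throws -> [TokenIdentity] {
    var found: [TokenIdentity] = []
    var seen = Set<Data>()
    for tokenID in TKTokenWatcher().tokenIDs where tokenID.contains(fragment) {
        let query: [String: Any] = [
            kSecClass as String: kSecClassIdentity,
            kSecAttrTokenID as String: tokenID,
            kSecMatchLimit as String: kSecMatchLimitAll,   // all rows, not just the first
            kSecReturnAttributes as String: true,          // gives us label + pkhash
            kSecReturnRef as String: true,                 // gives us the SecIdentity
        ]
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        if status == errSecItemNotFound { continue }       // token present, nothing on it
        guard status == errSecSuccess else { throw KeychainError(status: status) }

        for row in (result as? [[String: Any]]) ?? [] {
            guard let hash = row[kSecAttrPublicKeyHash as String] as? Data,
                  seen.insert(hash).inserted,              // skip repeated rows for one key
                  let ref = row[kSecValueRef as String],
                  CFGetTypeID(ref as AnyObject) == SecIdentityGetTypeID()
            else { continue }
            let label = row[kSecAttrLabel as String] as? String ?? "<no label>"
            found.append(TokenIdentity(tokenID: tokenID, label: label,
                                       publicKeyHash: hash, identity: ref as! SecIdentity))
        }
    }
    return found
}

// Usage from a command-line tool.
do {
    for entry in try identities(onTokensContaining: "SPECIFIC_IDENTIFIER") {
        var cert: SecCertificate?
        SecIdentityCopyCertificate(entry.identity, &cert)
        let subject = cert.flatMap { SecCertificateCopySubjectSummary($0) as String? } ?? "?"
        let hex = entry.publicKeyHash.map { String(format: "%02x", $0) }.joined()
        print("\(entry.tokenID): \(entry.label) subject=\(subject) pkhash=\(hex)")
    }
} catch let error as KeychainError where error.status == errSecMissingEntitlement {
    // The query is well-formed; the process is not allowed to see the item.
    print("\(error): this process lacks an entitlement required to read the token's items")
} catch {
    print(error)
}
```

Distinguishing errSecItemNotFound from other statuses matters here: an empty token is not an error, while -34018 means the query would have matched but the caller is not entitled to the result, so retrying or changing the query attributes will not help. Deduplicating on the public key hash rather than on the SecCertificate object means two rows for the same key pair are merged even if they come back as distinct references.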
I have verified a PIN in a smart card and I'd like to delete this internal state of the card. Unfortunately, the card doesn't support this with a dedicated command, which is why I'd like to reset the card (cold/warm reset as described in PC/SC, for example).
The CryptoTokenKit documentation doesn't seem to have an API for that.
Does anyone have an idea how to implement this?
Note that if the smart card is not reset and does not support logout, then the card is permanently in an authenticated state, so the related keys can be misused by any other CTK session or even via the PC/SC interface.
Hello,
I am developing a smartcard CTK extension for macOS.
I have trouble with smartcard logon the first time after a reboot or a logout (e.g. when there is the text "Your password is required to enable Touch ID"). Trouble = I'm not asked for the PIN.
But from time to time after a logout (from whatever account), I can log in with the smartcard. After a lock screen I can always log in with the smartcard.
Is there an easy way to debug the logon process ?
Regards,
++dom
Hi, I want to support client certificate authentication for a URL loaded in WKWebView. The certificate is in a smartcard that is connected to the iOS device through a Lightning port smart card reader. For a USB-C type reader, iOS supports this out of the box. But for the Lightning port reader, I thought of writing a CTK extension to access the smartcard and read the certificate. I have a smart card SDK to access the smartcard. Could you please let me know which extension should be used for this purpose? There are 2 types of extensions available in Xcode: Smartcard extension and Persistent Token extension. Which one should be used for this case? When I tried the persistent token extension, it seems to hit the sign function inside the TokenSession class, but with the smartcard extension it is not getting called when I try to access the URL in WKWebView after certificate selection. Also, the smart card SDK has an EAAccessory framework dependency. Is EAAccessory allowed to be used in a CTK extension? https://developer.apple.com/forums/thread/111691?answerId=342707022 says EAAccessory is not working inside an app extension. Thanks in advance.
Hello,
I am creating a CryptoTokenKit persistent token extension for macOS using Xcode on Sonoma. The goal is to support an external crypto provider over the network (with API calls).
I created a bare minimum app and a new target "Persistent Token Extension". Before I go into the specific implementation, I wanted to check if my extension/token initialises correctly. My understanding is that once the host app is started and the extension is registered by the OS, future queries for digital identities should check with it as well.
What I tried is accessing mTLS websites with Safari and Firefox that require client certificates, as well as running a custom application using SecItemCopyMatching to query the keychain for identities.
However, Token / TokenDriver seem not to initialize (logging never executes). Am I missing something here?
pluginkit sees the extension:
$ pluginkit -vvvvmi demo.TokenApp.TokenExt
demo.TokenApp.TokenExt(1.0)
Path = /Users/alexander/Library/Developer/Xcode/DerivedData/TokenApp-dzulesgoanwnacguirprimnipibk/Build/Intermediates.noindex/Previews/TokenApp/Products/Debug/TokenApp.app/Contents/PlugIns/TokenExt.appex
UUID = 617526E8-987A-493F-A9E3-6295FF5AB00D
Timestamp = 2024-01-19 13:13:35 +0000
SDK = com.apple.ctk-tokens
Parent Bundle = /Users/alexander/Library/Developer/Xcode/DerivedData/TokenApp-dzulesgoanwnacguirprimnipibk/Build/Intermediates.noindex/Previews/TokenApp/Products/Debug/TokenApp.app
Display Name = TokenExt
Short Name = TokenExt
Parent Name = TokenApp
Platform = macOS
Token.swift:
import CryptoTokenKit
import OSLog
class Token: TKToken, TKTokenDelegate {
private let log = Logger(subsystem: "demo.tokenapp", category: "Token");
func createSession(_ token: TKToken) throws -> TKTokenSession {
log.log(level: .info, "Token.createSession")
return TokenSession(token:self)
}
}
TokenDriver.swift:
import CryptoTokenKit
import OSLog
class TokenDriver: TKTokenDriver, TKTokenDriverDelegate {
private let log = Logger(subsystem: "demo.tokenapp", category: "TokenDriver");
func tokenDriver(_ driver: TKTokenDriver, tokenFor configuration: TKToken.Configuration) throws -> TKToken {
log.log(level: .info, "TokenDriver.tokenDriver")
return Token(tokenDriver: self, instanceID: configuration.instanceID)
}
}
I am having trouble creating a CSR to renew a SecIdentity whose private SecKey is stored in slot 9d of a smartcard.
For slot 9a, I am able to accomplish this by way of SecKeyCreateSignature using CertificateSigningRequest from a gently-modified fork of swift-certificates/swift-crypto to sort out all the details.
But for the SecKey associated with slot 9d, the Security framework instantly returns an "algorithm not supported by the key" error when I call SecKeyCreateSignature, without even prompting for a PIN.
I believe the difference is that kSecAttrCanSign is true for slot 9a but false for slot 9d. The value makes some sense for day-to-day usage because this identity is usually not used for signing, but if we are to occasionally sign a CSR for this key an exception would need to be made.
Is there any way to basically force this exception with the Security framework? Again the actual private key material is not available so the only access as far as I'm aware is via the enumerated SecKey reference. Is there any way to SecKeyCreateWithData a secondary reference to the same underlying (but unexportable!) key but with allowed-usage attributes of my own choosing?
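One check a practitioner wants before calling SecKeyCreateSignature on a token-backed key, as an added Swift example that is not the poster's code: read the key reference's own attributes (kSecAttrCanSign) and ask SecKeyIsAlgorithmSupported, so a refusal is reported as "this key reference is flagged non-signing" or "wrong algorithm for this key" instead of a generic failure. The demo below runs against an ephemeral in-memory RSA key so it works without a smart card; for a token key the SecKey would instead come from SecIdentityCopyPrivateKey on the enumerated identity, and whether the token honours a signing request is still decided by the token extension, which this example cannot change. The enum, error type and the CSR-like sample bytes are this example's own.

```swift
// Added example (not the poster's code): inspect a SecKey's signing capability
// before SecKeyCreateSignature, then sign and verify with an ephemeral RSA key.
import Foundation
import Security

enum SigningCapability: Equatable {
    case ok
    case keyFlaggedNonSigning        // kSecAttrCanSign == false on this reference
    case algorithmUnsupported        // key type or size does not fit the algorithm
}

struct SigningError: Error {
    let capability: SigningCapability
    let underlying: Error?
}

/// Reports what the key reference itself says about signing with `algorithm`.
func signingCapability(of key: SecKey, for algorithm: SecKeyAlgorithm) -> SigningCapability {
    let attrs = SecKeyCopyAttributes(key) as? [String: Any] ?? [:]
    if let canSign = attrs[kSecAttrCanSign as String] as? Bool, canSign == false {
        return .keyFlaggedNonSigning
    }
    return SecKeyIsAlgorithmSupported(key, .sign, algorithm) ? .ok : .algorithmUnsupported
}

/// Signs `message` only after the capability check passes; surfaces the CFError otherwise.
func sign(_ message: Data, with key: SecKey, algorithm: SecKeyAlgorithm) throws -> Data {
    let capability = signingCapability(of: key, for: algorithm)
    guard capability == .ok else { throw SigningError(capability: capability, underlying: nil) }
    var cfError: Unmanaged<CFError>?
    guard let signature = SecKeyCreateSignature(key, algorithm, message as CFData, &cfError) else {
        throw SigningError(capability: .ok, underlying: cfError?.takeRetainedValue())
    }
    return signature as Data
}

func verify(_ signature: Data, over message: Data,
            with publicKey: SecKey, algorithm: SecKeyAlgorithm) -> Bool {
    var cfError: Unmanaged<CFError>?
    return SecKeyVerifySignature(publicKey, algorithm,
                                 message as CFData, signature as CFData, &cfError)
}

// Demo: a non-persistent 2048-bit RSA key, the algorithm a PKCS#10 CSR over an RSA
// key would typically use, and constructed to-be-signed bytes.
let algorithm: SecKeyAlgorithm = .rsaSignatureMessagePKCS1v15SHA256
let params: [String: Any] = [
    kSecAttrKeyType as String: kSecAttrKeyTypeRSA,
    kSecAttrKeySizeInBits as String: 2048,
]
var genError: Unmanaged<CFError>?
guard let privateKey = SecKeyCreateRandomKey(params as CFDictionary, &genError),
      let publicKey = SecKeyCopyPublicKey(privateKey) else {
    fatalError("key generation failed: \(String(describing: genError?.takeRetainedValue()))")
}
let tbs = Data("constructed CSR to-be-signed bytes".utf8)

do {
    let signature = try sign(tbs, with: privateKey, algorithm: algorithm)
    print("signature verifies:", verify(signature, over: tbs, with: publicKey, algorithm: algorithm))
    // Asking an RSA key for ECDSA is refused by the capability check, before any
    // PIN prompt or token round-trip would happen for a hardware-backed key.
    print("RSA key with ECDSA:", signingCapability(of: privateKey, for: .ecdsaSignatureMessageX962SHA256))
} catch let error as SigningError {
    print("refused: \(error.capability)", error.underlying.map { "(\($0))" } ?? "")
}
```

Checking kSecAttrCanSign on the reference returned for a token key tells you up front which of the two refusals you are looking at. SecKeyCreateWithData only accepts key material, so it cannot mint a second reference to a non-exportable token key with different usage flags; that makes the attribute on the enumerated reference the thing to inspect, not something to work around.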
I need an OV certificate to code sign an Electron application. I used to build the application in Jenkins, both for Windows and macOS, using Electron Forge (https://www.electronforge.io/guides/code-signing/code-signing-macos). To be more specific, I use Xcode and Keychain to store the certificate.
Sadly, new certificate industry requirements will force me to use Azure Key Vault (or other cloud HSM alternatives) to store the certificate.
I need to find a way to code sign it for macOS from Azure Key Vault or equivalent solutions.
Thank you
Hi there,
I could not find any previous post about this so I figured I should open one.
It looks like the use of CryptoTokenKit modules (whether SmartCard or Persistent ones) is hindered on headless environments. This was observed on AWS backed macOS machines, and also on actual physical machines when using CI/CD tools with no GUI access.
My first guess is that this is due to the fact that loading the CTK Extension relies on running the GUI CTK App, which is not possible in pure headless fashion.
The bug report FB12135879 was filed in this regard. Any input on this would be appreciated.
Thanks,