CryptoTokenKit


Access security tokens and the cryptographic assets they store using CryptoTokenKit.


Posts under CryptoTokenKit tag


Mac OS 11.4 Token Sign not working

I'm having a problem accessing a site where I need to use a certificate for identification. I used some examples to type the PIN but none works. I checked an instruction to register a module in Firefox as a security device, but it doesn't work. It worked on macOS 10.15, but now, when adding the security device, the slot does not appear in Firefox. Thanks.

How to list keychains "created" by persistent extension

Hello, I'm investigating the use of a persistent extension to expose certificates and keys to applications. I am investigating on macOS and iOS but I am currently testing on macOS. I'm able to list the exposed certificate. I thought I could restrict the search to my particular token with kSecAttrTokenID (and the ID I provided to addTokenConfiguration(for:), e.g. the string "COMPANY-macOS-pext"), but it doesn't work. So I tried to list all the tokens available from my app, using the following code adapted from SecurityTool:

    static func listAllKeychains() {
        listKeychains(ofType: SecPreferencesDomain.user)
        listKeychains(ofType: SecPreferencesDomain.system)
        listKeychains(ofType: SecPreferencesDomain.common)
        listKeychains(ofType: SecPreferencesDomain.dynamic)
    }

    static func listKeychains(ofType type: SecPreferencesDomain) {
        var searchList: CFArray?
        let status = SecKeychainCopyDomainSearchList(type, &searchList)
        if status != errSecSuccess {
            logger.debug("error getting Keychains list : \(status).")
            return
        }
        guard let keychains = searchList as? [SecKeychain] else {
            logger.debug("Error on retrieved keychains")
            return
        }
        for keychain in keychains {
            // SecKeychainGetPath fills pName with a NUL-terminated C string
            var pName = Array(repeating: 0 as Int8, count: 1024)
            var pLength = UInt32(pName.count)
            let oStatus = SecKeychainGetPath(keychain, &pLength, &pName)
            if oStatus == errSecSuccess {
                // Take the bytes up to the terminating NUL instead of
                // bit-casting the whole 1024-byte buffer into the string.
                let pathBytes = pName.prefix { $0 != 0 }.map { UInt8(bitPattern: $0) }
                let name = String(decoding: pathBytes, as: UTF8.self)
                logger.debug("Keychain \(keychain.hashValue) : \(name)")
            } else {
                logger.debug("Error getting pathname of keychain \(keychain.hashValue)")
            }
        }
    }

I just get the user keychain and the system keychain. Am I missing something here? How can I list the keychain provided by the extension? Is it possible to restrict a search to the items provided by my extension? Regards, ++dom

Asked by dom_.

Can Persistent token extension Provide Service only to specific applications.

As I see it, it's not possible to provide a prompt for the application password or to have any kind of UI apart from biometrics in the persistent token extension, per this thread: https://developer.apple.com/forums/thread/131694?answerId=416382022#416382022. Is there a way to get the details of the consumer application requesting service from the persistent token extension? Is there a way to whitelist applications so that only those applications can access the service from the extension? Also, can we block the use of keys hosted by a managed app from an unmanaged app?

Unknown CryptoTokenKit error encountered during SecKeyCreateSignature() with Secure Enclave private key

Hello. We have encountered a failure that we haven't seen before regarding the use of Secure Enclave private keys and creating cryptographic signatures. We've used this code on thousands of iOS devices (from iOS 11.2 to iOS 14.6) without issue, and recently saw an error that we were not able to find documentation for. We are hoping to find out more details about the failure so that we can avoid it in the future.

Steps to Reproduce

1. On an iPhone 11 Pro running iOS 14.4.2, generate a private key in the Secure Enclave via SecKeyCreateRandomKey() with the following parameters:

    [
        kSecAttrTokenID: kSecAttrTokenIDSecureEnclave,
        kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits: 256,
        kSecPrivateKeyAttrs: [
            kSecAttrAccessControl: SecAccessControlCreateWithFlags(
                kCFAllocatorDefault,
                kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
                [.touchIDAny, .privateKeyUsage],
                nil
            )!,
            kSecAttrIsPermanent: true
        ],
        kSecAttrApplicationLabel: "unique label" // a customer identifier
    ]

   (Note that the app is using a deployment target of iOS 11.2, thus the use of .touchIDAny.)

2. Fetch the aforementioned key with SecItemCopyMatching(…) with the following parameters:

    [
        kSecClass: kSecClassKey,
        kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits: 256,
        kSecReturnRef: true,
        kSecUseOperationPrompt: "Verify your identity",
        kSecAttrApplicationLabel: "unique label" // a customer identifier
    ]

3. Create a signature of a CFData with the key from step #2:

    var error: Unmanaged<CFError>?
    let signature = SecKeyCreateSignature(key, .ecdsaSignatureMessageX962SHA256, data, &error)

Expected Result

The customer is prompted for Face ID, passes, and SecKeyCreateSignature(…) successfully returns a signature. Note that this method successfully works for us on thousands of devices, from iOS 11.2 to iOS 14.6.

Actual Result

In a rare isolated case, we are seeing the SecItemCopyMatching(…) succeed and then the SecKeyCreateSignature(…) call fails to display the Face ID prompt. Instead, SecKeyCreateSignature(…) immediately fails and populates an error with the following information:

    domain: CryptoTokenKit
    code: -3
    localizedDescription: The operation couldn’t be completed. (CryptoTokenKit error -3.)
    description: "<sepk:p256 kid=1214c04d05261ee3>: unable to sign digest" UserInfo={NSDebugDescription=<sepk:p256 kid=1214c04d05261ee3>: unable to sign digest, AKSError=-536362999}

On this particular iPhone 11 Pro device, the customer did not have any issues with this code around 6 months prior to the failure. The customer has more recently encountered the failure, and we have confirmed the device fails to create signatures 100% of the time with the above error. We have asked the customer to reboot the device to no avail, and we have confirmed that Face ID does indeed successfully work on the device's lock screen. The failure still continues.

Additional Notes

We are not able to find any information about this specific failure in the documentation or through additional research on the web. We were able to deduce that CryptoTokenKit error -3 maps to TKErrorCodeCorruptedData. In the documentation of TKErrorCodeCorruptedData, it is unclear whether the corruption refers to the private key or to the dataToSign parameter of SecKeyCreateSignature(). Do you have any insight into why/when this error is returned, and how we might avoid it in the future? Thank you.

Asked by spindel.

Token extension hangs on its own call while signing using P12 certificate /key

In my token extension, when I get a call to sign,

    - (nullable NSData *)tokenSession:(TKTokenSession *)session signData:(NSData *)dataToSign

and I call the SecKeyCreateSignature() function to get the signature, it again calls the above tokenSession function and hangs there. I am dealing with a P12 certificate/key for signing. I am stuck here and need some clues to proceed. See the code stack Sample of TokenExtension.txt.

Asked by staziz.

getting access to a certificate stored in a smartcard

Hi, we have some code in our Xcode project that needs to access the keychain's certificates to use them. We use the SecItemCopyMatching method to get a list of SecCertificate like this:

    var query = [String: Any]()
    query[String(kSecClass)] = kSecClassCertificate
    query[String(kSecMatchLimit)] = kSecMatchLimitAll
    var result: AnyObject?
    let status = SecItemCopyMatching(query as CFDictionary, &result)

and we are now having trouble making this work with smartcards. We use a Gemalto smartcard that contains a certificate. In our terminal application, when we use "security list-smartcard", we get a line with its ID:

    com.gemalto.Gemalto-Smart-Card-Token.PKCS11-Token:XXXXXXXXXXXXXXXX

The thing is, in our code, the certificate stored in the smartcard isn't retrieved by our current query. We tried to do a more specific query like this:

    let getquery: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrTokenID as String: "com.gemalto.Gemalto-Smart-Card-Token.PKCS11-Token:XXXXXXXXXXXXXXXX",
        kSecReturnPersistentRef as String: true
    ]

but it seems we can't get access to it; the results are nil. We believed at first that it was because we didn't add the entitlement "com.apple.security.smartcard" to our project, but we get the same result after enabling it. Can somebody give us some leads about getting a SecCertificate that can be used to sign from a smartcard? Thank you.

Asked by Brosini.

How to implement a CryptoTokenKit extension by inheriting from TKToken?

Hi everyone, is there some sample code or information about implementing a CryptoTokenKit extension by inheriting from TKToken and loading the extension in the host app? I want to implement an extension in software, but I don't know how to do this. Can anyone give me some help? Thanks very much! Best Regards, cd

Asked by c_d_.

Creating signature with the private key from PKCS12 certificate in Token extension.

I want to create a signature with the private key from a PKCS12 certificate in a Smart Card Token extension (macOS). I am importing the certificate through the SecPKCS12Import() API in my app, which also adds the key to the keychain. Later, when I try to pair the identity with the user, it hangs on calling the SecKeyIsAlgorithmSupported() API. The trace from Activity Monitor Sample shows this (see the attached Activity Monitor Sample). Please suggest where I am going wrong, or whether I am following the whole process correctly. I tried to find some samples but couldn't.

Asked by staziz.

How to enable tokend in OS X Big Sur?

In OS X Catalina we were able to enable tokend using this command line:

    sudo defaults write /Library/Preferences/com.apple.security.smartcard Legacy -bool true

Do you know if there is a way to enable it in Big Sur, or do the processes need to be changed to use the CryptoTokenKit framework?

Asked by jluna.

TKSmartCardSlotManager iOS

Hi, I'm trying to send commands to an external smart card reader connected to my iOS device. The first step is to get the corresponding smart card slot via TKSmartCardSlotManager. I've added the com.apple.security.smartcard entitlement but still get nil when trying to access the manager object. The console logs an error "The connection to service on pid 0 named com.apple.ctkd.slot-client was invalidated". Has anyone successfully tried this on iOS?
Asked by oschaefer.

Using KeyChain items from CryptoTokenKit

Hi, I'm writing a CryptoTokenKit extension (similar to the sample available in the CTK documentation). In this extension I'm trying to use SecKeyCreateSignature or SecKeyCreateDecryptedData using private keys I get using SecItemCopyMatching. However, the crypto operations fail with error -25308: CSSM Exception: -2147415840 CSSMERR_CSP_NO_USER_INTERACTION (errKCInteractionNotAllowed / errSecInteractionNotAllowed / Interaction is not allowed with the Security Server). The same code runs fine from the host app. Are there Sec API limitations in CTK? I've seen some posts in the forum about application whitelisting using provisioning profiles, but I don't understand which keys should be used. Here is one of the posts I refer to: https://forums.developer.apple.com/thread/128767 Any help is welcome. Regards, Jerome T

Application with TokenDriver fails to update if smartcard is in card-reader

We have a smartcard management application that installs a TokenDriver on macOS. The application is published in the Mac App Store. When we published a newer version, the Mac App Store proposed to users that they update the application. We have discovered that the application will not update if the TokenDriver is running, i.e., if there is a smartcard inserted in the connected card reader (PC/SC). Does anyone know a workaround? Code-Level Support - Ask Feedback Assistant. Feedback Assistant - No Response!

Asked by ArocStar.

How can I change SmartCardServices configuration on Big Sur?

I am developing a Java app that integrates with a SmartCard reader. One of the features that I am trying to implement is reading/setting the terminal (card reader) configuration without a tag being present on the reader. This can be done by sending so-called escape codes. But to enable these escape codes we need to enable them in the driver. In the case of macOS this will be SmartCardServices, and the file that I should edit is:

    /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/Info.plist

I need to set the ifdDriverOptions property to 0x0001. This procedure was described in this helpful GitHub comment: https://github.com/pokusew/nfc-pcsc/issues/13 I tried to follow the other instructions provided there, but I hit the wall with a read-only file system error. I wonder if there is an idiomatic way to change these settings. Why is this important? Sending a new configuration via an escape command is the only way to un-brick a terminal that was (by mistake) wrongly configured.

Asked by 0xmarcin.

Shared defaults between macOS App and Extension

Hi all, TL;DR; All of a sudden we can no longer use shared defaults between a macOS app and an extension. We've got a CTK extension that we are working on for macOS, and we have hit a bit of a stumbling block right in the middle of development. We are a bit atypical as the extension is sandboxed like normal, but the container app isn't. We have a common defaults suite name that we use to hold a few bits of data that both the .app and .appex need. All of a sudden, this data sharing has stopped working. The docs for UserDefaults say that extensions on macOS are exempt from requiring an app group for shared preferences and this has been our experience so far. Now though it doesn't seem to be the case. The extension is refusing to read the shared domain and making its own copy of the settings inside of its sandbox. If I jump into the debugger in the extension I can see that it can't read the shared domain. This is currently baffling us as it has been working just fine throughout development and beta testing. I had the thought that it could be that some change now requires an app group, but the previous builds continue to work fine. I've requested an app group from our dev ops team so that I can try that and see if things improve. Has anyone else run into something like this? Most of the search results on the web are about iOS appex sharing of defaults. Since that is significantly different than macOS I thought I would ask here. Thanks, Josh
Asked by NoMAD-Dev.

TLS certificate authentication using my CryptoTokenKit plugin

I have written a CTK plugin for iOS, and Safari can now authenticate with web sites that require client authentication (CertificateRequest/CertificateVerify). However, a WKWebView in my own app never accesses my CTK plugin for authentication. I need WKWebView TLS to be able to use my CTK just like Safari does. Is there a solution for this?

Asked by pwn.