CryptoTokenKit

Access security tokens and the cryptographic assets they store using CryptoTokenKit.

Posts under CryptoTokenKit tag

92 Posts

How to make a smartcard always available?
Under the CryptoTokenKit framework in macOS Big Sur, which command should I use to make a smartcard "Persistent Token" always available? I tried the following command, but I am getting a connection interrupted error:

    sudo -u _securityagent pluginkit -a /Applications/SmartCardApp.app/Contents/PlugIns/CssToken.appex

Is there another way to do it?
Replies: 1 | Boosts: 0 | Views: 917 | Activity: Dec ’21
CryptoTokenKit - PIN Caching on Smart Cards
Curious if anyone has any insight into the caching behavior of Smart Card PINs, and if there are options available to always prompt for the PIN. An example of the current challenge is that users can authenticate to an application using their smart card and entering their PIN; however, it appears the PIN is cached until the user logs out of their laptop or restarts. Any insight into modifying this behavior or suggested solutions is greatly appreciated. Thank you. CD
Replies: 0 | Boosts: 0 | Views: 612 | Activity: Dec ’21
ProductID and VendorID (ICCD)
We are a company that produces SmartCard readers and cryptographic tokens. When we started testing our devices on macOS, we realized that it is necessary to add our products to the macOS ICCD driver, so that the operating system will recognize our devices natively. We believe there is a list with information about manufacturers (name, VendorID, ProductID) and we would like to add data from our company so that our devices are recognized as trusted by the macOS operating system. If anyone knows the correct process for this, please let us know.
Replies: 1 | Boosts: 0 | Views: 889 | Activity: Nov ’21
How to list keychains "created" by persistent extension
Hello, I'm investigating the use of a persistent extension to expose certificates and keys to applications. I am investigating on macOS and iOS, but I am currently testing on macOS. I'm able to list the exposed certificate. I thought I could restrict the search to my particular token with kSecAttrTokenID (and the ID I provided to addTokenConfiguration(for:), e.g. the string "COMPANY-macOS-pext"), but it doesn't work. So I tried to list all the tokens available from my app, using the following code adapted from SecurityTool:

    import Foundation
    import Security
    import os

    // The poster's `logger` is not shown in the original post; one is declared
    // here (assumed subsystem/category) so the listing compiles on its own.
    private let logger = Logger(subsystem: "COMPANY-macOS-pext", category: "keychains")

    enum KeychainLister {
        static func listAllKeychains() {
            listKeychains(ofType: .user)
            listKeychains(ofType: .system)
            listKeychains(ofType: .common)
            listKeychains(ofType: .dynamic)
        }

        static func listKeychains(ofType type: SecPreferencesDomain) {
            var searchList: CFArray?
            let status = SecKeychainCopyDomainSearchList(type, &searchList)
            if status != errSecSuccess {
                logger.debug("error getting Keychains list : \(status).")
                return
            }
            guard let keychains = searchList as? [SecKeychain] else {
                logger.debug("Error on retrieved keychains")
                return
            }
            for keychain in keychains {
                // SecKeychainGetPath fills a caller-supplied buffer and writes the
                // actual path length back into pLength.
                var pName = [CChar](repeating: 0, count: 1024)
                var pLength = UInt32(pName.count)
                let oStatus = SecKeychainGetPath(keychain, &pLength, &pName)
                if oStatus == errSecSuccess {
                    // Only the first pLength bytes are the path; the rest is zero padding.
                    let bytes = pName.prefix(Int(pLength)).map { UInt8(bitPattern: $0) }
                    let name = String(bytes: bytes, encoding: .utf8) ?? "Unable to get string"
                    logger.debug("Keychain \(keychain.hashValue) : \(name)")
                } else {
                    logger.debug("Error getting pathname of keychain \(keychain.hashValue)")
                }
            }
        }
    }

I just get the user keychain and the system keychain. Am I missing something here? How can I list the keychain provided by the extension?
Is it possible to restrict a search to the items provided by my extension? Regards, ++dom
Replies: 1 | Boosts: 0 | Views: 1.4k | Activity: Sep ’21
CryptoKit TOTP Fails in Swift Package
I am trying to use the HMAC function in a Swift package, but it does not work; it only works in standard view controller style packages.

    let hash = HMAC<Insecure.SHA1>.authenticationCode(for: counterData, using: SymmetricKey(data: secret))

Replies: 2 | Boosts: 0 | Views: 928 | Activity: Sep ’21
Best practices for porting existing software to the Secure Enclave keystore
Hi, I was reading Storing Keys in the Secure Enclave and was thinking, "that's great if you're writing new code from scratch, or updating an iOS-only code base...", but how do people integrate this functionality into well-worn packages, such as Openssl? What's the best practice for representing the Secure Enclave keystore in software? Is it closest to an HSM (hardware security module)? Or to a PKCS11 crypto-token like a smart card? Or maybe it's sufficiently unlike anything else. We have some management scripting that uses Openssl and I'd like to be able to make it "just work" with the Secure Enclave keystore, but don't see any guidance on how best to do that. What is the developer community's collective experience and wisdom here? Thanks, -Philip
Replies: 1 | Boosts: 0 | Views: 1.2k | Activity: Aug ’21
Mac OS 11.4 Token Sign not working
I'm having a problem accessing a site where I need to use a certificate for identification. I used some examples to type the PIN, but none works. I checked an instruction to register a module in Firefox as a security device, but it doesn't work; it worked on macOS 10.15, but now, when adding the security device, the slot does not appear in Firefox. Thanks
Replies: 1 | Boosts: 0 | Views: 935 | Activity: Jul ’21
Can Persistent token extension Provide Service only to specific applications.
As I see, it's not possible to provide a prompt for the application password or have any kind of UI apart from biometrics in the persistent token extension, from here: https://developer.apple.com/forums/thread/131694?answerId=416382022#416382022. Is there a way to get the details of the consumer application requesting service from the Persistent token extension? Is there a way to whitelist applications so that only those applications can access the service from the extension? Also, can we block the use of keys hosted by a managed app from an unmanaged app?
Replies: 0 | Boosts: 0 | Views: 690 | Activity: Jul ’21
Token extension hangs on its own call while signing using P12 certificate /key
In my token extension, when I get a call to sign:

    - (nullable NSData *)tokenSession:(TKTokenSession *)session signData:(NSData *)dataToSign

and I call the SecKeyCreateSignature() function to get the signature, it again calls the above tokenSession method and hangs there. I am dealing with a P12 certificate/key for signing. I am stuck here and need some clues to proceed. See the attached code stack: Sample of TokenExtension.txt
Replies: 0 | Boosts: 0 | Views: 689 | Activity: Jul ’21
getting access to a certificate stored in a smartcard
Hi, we have some code in our Xcode project that needs to access the keychain's certificates to use them. We use the SecItemCopyMatching method to get a list of SecCertificate like this:

    import Security

    var query = [String: Any]()
    query[String(kSecClass)] = kSecClassCertificate
    query[String(kSecMatchLimit)] = kSecMatchLimitAll
    var result: AnyObject?
    let status = SecItemCopyMatching(query as CFDictionary, &result)

and we are now having trouble making this work with smartcards. We use a Gemalto smartcard that contains a certificate. In our terminal application, when we use "security list-smartcard", we get a line with its ID:

    com.gemalto.Gemalto-Smart-Card-Token.PKCS11-Token:XXXXXXXXXXXXXXXX

The thing is, in our code, the certificate stored in the smartcard isn't retrieved by our current query. We tried to do a more specific query like this:

    let getquery: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrTokenID as String: "com.gemalto.Gemalto-Smart-Card-Token.PKCS11-Token:XXXXXXXXXXXXXXXX",
        kSecReturnPersistentRef as String: true
    ]

but it seems we can't get access to it; the results are nil. We believed at first that it was because we didn't add the entitlement "com.apple.security.smartcard" to our project, but we get the same result after enabling it. Can somebody give us some leads about getting a SecCertificate that can be used to sign from a smartcard? Thank you.
Replies: 9 | Boosts: 0 | Views: 2.2k | Activity: Jul ’21
How to implement a CryptoTokenKit extension by inheriting from TKToken?
Hi, everyone. Is there some sample code or information about implementing a CryptoTokenKit extension by inheriting from TKToken and loading the extension in the host app? I want to implement an extension in software, but I don't know how to do this. Can anyone give me some help? Thanks very much! Best Regards, cd
Replies: 1 | Boosts: 0 | Views: 757 | Activity: Jun ’21
Creating signature with the private key from PKCS12 certificate in Token extension.
I want to create a signature with the private key from a PKCS12 certificate in a Smart Card Token extension (Mac OS). I am importing the certificate through the SecPKCS12Import() API in my app, which also adds the key to the keychain. Later, when I try to pair the identity with the user, it hangs on calling the SecKeyIsAlgorithmSupported() API. The trace from Activity Monitor Sample shows this (attachment: Activity Monitor Sample). Please suggest where I am going wrong, or whether I am following the whole process correctly. I tried to find some samples but couldn't.
Replies: 1 | Boosts: 0 | Views: 963 | Activity: Jun ’21