How to sign data with a smart card using CryptoTokenKit?

Hi all,

I have tried to use the CryptoTokenKit library to use my private key in a smart card to sign data.
I can find the smart card's tokenId by using the CryptoTokenKit class, but I don't know how to list all items in the smart card and use the private key in the smart card to sign data.
And I have tried using the command-line interface "security".
  • I can list smartcards by command: security list-smartcard

  • I can list all items in smartcard by command: security export-smartcard OR command: system_profiler SPSmartCardsDataType

But I don't know how to use the private key in the smart card to sign data with the "security" command-line interface.
It is very difficult to find documentation about interacting with smart cards on macOS, so please help me!
Can you share documentation on how to find items in a smart card and use the private key to sign data?
Thanks all!

Replies

If I understand you correctly, you’re not implementing a smart card but just trying to use one that’s already integrated into the system. If so, CryptoTokenKit is not the droid you’re looking for. On Apple platforms smart cards show up in the keychain. You can use keychain APIs to find the key, getting back a SecKey object. You can then sign data using SecKeyCreateSignature.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

Hi,

I can sign data from the command line:
security cms -S -Z "cert subject key id" -i Desktop/input.txt -o Desktop/output.txt -k com.gemalto.Gemalto-Smart-Card-Token.PKCS11-Token:028a7356

The result of the command line is a CMS signed message, but I only need to sign a hash.
Do you have any command line to sign a hash?

Do you have any command line to sign a hash?

Not that I’m aware of (well, you have openssl but that’s unlikely to work with token-based keys).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
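As an added example (not Quinn's, Apple's or the original poster's code), here is the keychain route Quinn describes, done in Swift, combined with what the follow-up asked the command line for: signing a precomputed hash rather than producing a CMS envelope. It assumes one signing key on the first token reported by TKTokenWatcher; the query returns the first matching key, so a card holding several keys needs an extra attribute such as kSecAttrApplicationLabel to pick one. The PIN prompt is handled by the system when the key is used; nothing here reads or stores the PIN. The algorithm is chosen from the key type, so it goes slightly beyond the thread's RSA-only case by also handling an EC key on the card.

```swift
import Foundation
import Security
import CryptoTokenKit
import CryptoKit

// Added example (not Apple's or the thread's own code): locate a smart card's
// private key through the keychain, sign a precomputed SHA-256 digest with it,
// and verify the signature with the matching public key.

enum TokenSignError: Error {
    case noToken
    case keyNotFound(OSStatus)
    case unsupportedKeyType
    case signing(Error)
}

/// First token ID currently visible to CryptoTokenKit, e.g. the
/// "com.gemalto...:028a7356" string used with `security cms -k` in the thread.
func firstTokenID() throws -> String {
    guard let id = TKTokenWatcher().tokenIDs.first else { throw TokenSignError.noToken }
    return id
}

/// Finds a private key that lives on the given token via the keychain.
/// No PIN handling is done here; the system prompts for it when the key is used.
func privateKey(onToken tokenID: String) throws -> SecKey {
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrKeyClass as String: kSecAttrKeyClassPrivate,
        kSecAttrTokenID as String: tokenID,
        kSecReturnRef as String: true,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let item = item else { throw TokenSignError.keyNotFound(status) }
    return item as! SecKey
}

/// Picks a "digest" algorithm, i.e. one that takes an already-hashed input,
/// based on whether the card key is RSA or EC.
func digestAlgorithm(for key: SecKey) -> SecKeyAlgorithm? {
    guard let attrs = SecKeyCopyAttributes(key) as? [String: Any],
          let type = attrs[kSecAttrKeyType as String] as? String else { return nil }
    switch type {
    case (kSecAttrKeyTypeRSA as String): return .rsaSignatureDigestPKCS1v15SHA256
    case (kSecAttrKeyTypeECSECPrimeRandom as String): return .ecdsaSignatureDigestX962SHA256
    default: return nil
    }
}

/// Signs a 32-byte SHA-256 digest; the card does the private-key operation.
func signDigest(_ digest: Data, with key: SecKey) throws -> Data {
    guard let algorithm = digestAlgorithm(for: key),
          SecKeyIsAlgorithmSupported(key, .sign, algorithm) else { throw TokenSignError.unsupportedKeyType }
    var error: Unmanaged<CFError>?
    guard let sig = SecKeyCreateSignature(key, algorithm, digest as CFData, &error) else {
        throw TokenSignError.signing(error!.takeRetainedValue() as Error)
    }
    return sig as Data
}

/// Verifies with the public half, so the caller can confirm the card produced a valid signature.
func verifyDigest(_ digest: Data, signature: Data, with privateKey: SecKey) -> Bool {
    guard let publicKey = SecKeyCopyPublicKey(privateKey),
          let algorithm = digestAlgorithm(for: privateKey) else { return false }
    var error: Unmanaged<CFError>?
    return SecKeyVerifySignature(publicKey, algorithm, digest as CFData, signature as CFData, &error)
}

// Constructed input: hash a sample message, sign the hash, verify the result.
do {
    let message = Data("constructed sample message".utf8)
    let digest = Data(SHA256.hash(data: message))
    let key = try privateKey(onToken: try firstTokenID())
    let signature = try signDigest(digest, with: key)
    print("signature bytes:", signature.count,
          "valid:", verifyDigest(digest, signature: signature, with: key))
} catch {
    print("failed:", error)
}
```

The "Digest" algorithms expect the caller's hash as input; if you hand them the raw message instead, you get a signature over the wrong bytes, and a verifier that hashes the message itself will reject it. The "Message" variants (for example .rsaSignatureMessagePKCS1v15SHA256) hash for you and are the safer choice when you do have the full message.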

Hi, I would like to open this topic again and ask about private key export.

If I have a local certificate with a private key in the Mac Keychain, I am able to export the private key with the SecItemExport method.

However, now I have a USB token, which requires a PIN, with a certificate and private key, and I want to export the private key from this USB token.

I used TKTokenWatcher.tokenIDs to get the name of my token, which can be used in a query to get the private key.

How should I proceed? How can I export the private key from a USB token with PIN security?

Thank you :)

How can I export the private key from a USB token with PIN security?

I don’t think you can. That’s kinda the point of having a hardware token. The hardware allows you to use the private key on the token while guaranteeing that it never leaves the token.

There may be some hardware-specific ways of doing this, but I’m pretty sure there’s no standard API for this. Oh, and the Secure Enclave, which acts like a hardware token, certainly has no way to do this.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
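To see Quinn's point in code, here is an added example (not from the thread or Apple) that asks the system for the external representation of a hardware-backed private key and of its public half. It uses a Secure Enclave key, which Quinn names as behaving like a hardware token, because that runs on any Mac with a Secure Enclave and needs no card; a smart-card SecKey obtained from a keychain query with kSecAttrTokenID goes through the same report function. The expectation that the private-key export is refused is an assumption about the token or enclave implementation, which the code reports rather than hard-codes; the public key exports normally and is the only half another system should ever receive. Running it may require a signed binary, and the key is created as non-permanent so nothing is left in the keychain.

```swift
import Foundation
import Security

// Added example (not from the thread or Apple): check what can and cannot be
// exported from a hardware-backed key pair. Assumes a Mac with a Secure Enclave.

struct ExportReport {
    let privateKeyExported: Bool      // expected false for a hardware-backed key
    let privateKeyError: String?      // the system's reason, if it refused
    let publicKeyBytes: Int           // size of the exported public key, 0 if unavailable
}

/// Creates a throwaway P-256 key whose private half lives in the Secure Enclave.
/// kSecAttrIsPermanent is false, so the key is not stored in the keychain.
func makeSecureEnclaveKey() throws -> SecKey {
    var error: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(nil,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly, .privateKeyUsage, &error) else {
        throw error!.takeRetainedValue() as Error
    }
    let attrs: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: false,
            kSecAttrAccessControl as String: access,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attrs as CFDictionary, &error) else {
        throw error!.takeRetainedValue() as Error
    }
    return key
}

/// Attempts to export the private key (should be refused) and the public key (should work).
/// Works the same way for a smart-card SecKey fetched through the keychain.
func exportReport(for privateKey: SecKey) -> ExportReport {
    var error: Unmanaged<CFError>?
    let privateData = SecKeyCopyExternalRepresentation(privateKey, &error) as Data?
    let reason = error.map { ($0.takeRetainedValue() as Error).localizedDescription }

    var publicBytes = 0
    if let publicKey = SecKeyCopyPublicKey(privateKey),
       let publicData = SecKeyCopyExternalRepresentation(publicKey, nil) as Data? {
        publicBytes = publicData.count   // X9.63 for EC, PKCS#1 for RSA
    }
    return ExportReport(privateKeyExported: privateData != nil,
                        privateKeyError: reason,
                        publicKeyBytes: publicBytes)
}

do {
    let report = exportReport(for: try makeSecureEnclaveKey())
    print("private key exported:", report.privateKeyExported,
          "| reason:", report.privateKeyError ?? "none",
          "| public key bytes:", report.publicKeyBytes)
} catch {
    print("could not create Secure Enclave key:", error)
}
```

If the private-key export ever succeeds for a key that is supposed to be hardware-bound, that is the finding to chase: either the key was never on the token to begin with, or the token driver is exporting material it should not.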