I thought that with CryptoTokenKit I could do it
Yeah, absolutely, I think the issue is one of terminology. Let’s see if we can sort that out…
Are you targeting iOS or macOS? The story is largely the same for both but I’d still appreciate knowing that bit of context.
I presume you’re working on the latest systems (iOS 15 or macOS 13). If you go back far enough, the story changes. Indeed, this is a case where the platform matters because, as you go back in history, the story diverges quite a bit.
CryptoTokenKit supports two different types of token:
- Smart card tokens
- Persistent tokens
A smart card token is backed by hardware; a persistent token may be entirely virtual.
A smart card token subclasses TKSmartCardToken. A persistent token subclasses TKToken directly.
The system’s built-in TLS stack, and hence Safari, will work with either.
For mTLS [1] to work the token must publish a digital identity. A digital identity is made up of a certificate and a private key. Both must be published by the token. The difference is that the token publishes the raw bytes of the certificate while it only publishes a placeholder for the private key. When someone goes to use the digital identity, the system will invoke the token to run the private key operation. It can then hand that work off to other hardware, pass it across the network to a signing service, or whatever.
In the case of a persistent token, the containing app is responsible for setting up this info. Specifically, the app creates a TKToken.Configuration value by calling addTokenConfiguration(for:) and then populates its keychainItems property with TKTokenKeychainCertificate and TKTokenKeychainKey pairs, the first with the certificate and the second with the private key info.
Finally, I want to reiterate this point from my previous response: Test this using a small test app rather than with Safari. There’s a lot of extra complexity between Safari and your token, and you want to get some confidence that your token is working before you deal with that extra complexity.
ps Please drop me a line via email (my address is in my signature), making sure to reference this thread.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] Remember that I’m using terms from TLS for App Developers.
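The host-app configuration step described in the post above, as an added example that is not part of the original thread and not Apple sample code. It assumes a hypothetical driver class ID of "com.example.MyTokenDriver" (which would have to match the com.apple.ctk.class-id key in the token extension's Info.plist), a DER-encoded leaf certificate supplied by the caller, and constructed object IDs that the token extension later uses to pick the key to sign with. Note that no private key bytes appear anywhere in keychainItems; the TKTokenKeychainKey is only the placeholder the post describes, and the actual signing happens in the extension.

```swift
import CryptoTokenKit
import Security

// Added example, not from the original post. The class ID is hypothetical and
// must match the com.apple.ctk.class-id entry in the token extension's Info.plist.
let driverClassID: TKTokenDriver.ClassID = "com.example.MyTokenDriver"

enum PersistentTokenSetupError: Error {
    case driverNotFound(TKTokenDriver.ClassID)
    case invalidCertificate
    case keychainItemCreationFailed
}

/// Registers one persistent token instance that publishes a single digital
/// identity: the certificate's raw bytes plus a placeholder for its private key.
/// - Parameters:
///   - tokenInstanceID: identifies this token among others the driver manages.
///   - certificateDER: the leaf certificate, DER encoded.
///   - configurationData: optional private data the extension needs to reach the
///     real key (for example, an opaque handle for a remote signing service).
///     It is handed to the extension only and is not visible to keychain clients.
@discardableResult
func registerPersistentToken(tokenInstanceID: TKToken.InstanceID,
                             certificateDER: Data,
                             configurationData: Data? = nil) throws -> TKToken.Configuration {
    // Only drivers bundled in this app's own token extension appear here.
    guard let driverConfig = TKTokenDriver.Configuration.driverConfigurations[driverClassID] else {
        throw PersistentTokenSetupError.driverNotFound(driverClassID)
    }

    // Parse the DER bytes; the key attributes (type, size, public key hash) are
    // derived from the certificate's SubjectPublicKeyInfo by the framework.
    guard let certificate = SecCertificateCreateWithData(nil, certificateDER as CFData) else {
        throw PersistentTokenSetupError.invalidCertificate
    }

    // Object IDs are opaque to the system. The extension receives them back in
    // tokenSession(_:sign:keyObjectID:algorithm:) and uses them to select the key.
    // These values are constructed for the example.
    let certificateObjectID = "identity-1.cert"
    let privateKeyObjectID = "identity-1.key"

    guard let certItem = TKTokenKeychainCertificate(certificate: certificate, objectID: certificateObjectID),
          let keyItem = TKTokenKeychainKey(certificate: certificate, objectID: privateKeyObjectID) else {
        throw PersistentTokenSetupError.keychainItemCreationFailed
    }
    certItem.label = "Example mTLS Client Certificate"
    keyItem.label = "Example mTLS Client Key"

    // Advertise only what the token can actually do. A key used solely for TLS
    // client authentication should not claim decryption or login capability.
    keyItem.canSign = true
    keyItem.canDecrypt = false
    keyItem.canPerformKeyExchange = false
    keyItem.isSuitableForLogin = false

    // Create (or replace) the configuration for this token instance and publish
    // the certificate / private-key-placeholder pair.
    let tokenConfig = driverConfig.addTokenConfiguration(for: tokenInstanceID)
    tokenConfig.keychainItems = [certItem, keyItem]
    tokenConfig.configurationData = configurationData
    return tokenConfig
}

/// Removes a token instance registered above, for example when the user signs out,
/// so the identity stops being offered to TLS clients.
func unregisterPersistentToken(tokenInstanceID: TKToken.InstanceID) {
    TKTokenDriver.Configuration.driverConfigurations[driverClassID]?
        .removeTokenConfiguration(for: tokenInstanceID)
}
```

After this runs, a small test app can confirm the identity is visible with a SecItemCopyMatching query for kSecClassIdentity before Safari is involved, which is the staged approach the post recommends; the extension's TKTokenSession subclass still has to implement the signing callback for the private key operation to succeed.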