CryptoTokenKit

Good afternoon,

I have developed a persistent token extension with Xcode. I have loaded the certificates with the application inside the token. The system recognizes my token and the smart card is activated, but at no time when I try to authenticate on a website does it enter any function of the persistent token app (tokenSession, signData, etc.). I need to do the signature in an external HSM; I understood that it would fall within these functions when something needed to be done with a certificate that is inside the smart card.

Thanks greetings.

Replies

I have loaded the certificates with the application inside the token.

I presume you mean digital identities in the above. Publishing just a certificate won’t help you much (-:

For more background on this, see TLS for App Developers.

at no time when I try to authenticate on a website, does it enter any function of the persistent token app

There are a bunch of layers between browsing a web site in Safari and the system calling your token. I recommend that you try to isolate the problem by removing these layers.

To start, if you create a small test app that searches your token for a digital identity and then uses the key in that digital identity to sign some data, does that work?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Good morning,

I think I have not explained myself well, what I need to do exactly is:

  1. I need safari, chrome or any application to detect my certificate (without having the private key).

  2. When selecting that certificate for any operation, sign in an external hsm and return the signature.

I have programmed Windows CryptoAPI and PKCS#11 and I have not had any problem, since I give it the public part of the certificate and, when I go to do the signature, I sign in the HSM and return the signature.

I thought that with CryptoTokenKit I could do it, but I'm not sure anymore.

I think I have to create Smart Card Application Extension.

https://developer.apple.com/documentation/cryptotokenkit/authenticating_users_with_a_cryptographic_token?language=objc

But I'm not going to have a smart card reader or a token. As I said, you would need to create a virtual smart card with the public part of the certificate and then sign into the HSM.

I've tried everything and I can't find any tutorial or flowchart or order of execution either.

Let's see if you can guide me a little.

Thanks greetings

I thought that with CryptoTokenKit I could do it

Yeah, absolutely, I think the issue is one of terminology. Let’s see if we can sort that out…

Are you targeting iOS or macOS? The story is largely the same for both but I’d still appreciate knowing that bit of context.

I presume you’re working on the latest systems (iOS 15 or macOS 13). If you go back far enough, the story changes. Indeed, this is a case where the platform matters because, as you go back in history, the story diverges quite a bit.

CryptoTokenKit supports two different types of token:

  • Smart card tokens

  • Persistent tokens

A smart card token is backed by hardware; a persistent token may be entirely virtual.

A smart card token subclasses TKSmartCardToken. A persistent token subclasses TKToken directly.

The system’s built-in TLS stack, and hence Safari, will work with either.

For mTLS [1] to work the token must publish a digital identity. A digital identity is made up of a certificate and a private key. Both must be published by the token. The difference is that the token publishes the raw bytes of the certificate while it only publishes a placeholder for the private key. When someone goes to use the digital identity, the system will invoke the token to run the private key operation. It can then hand that work off to other hardware, pass it across the network to a signing service, or whatever.

In the case of a persistent token, the containing app is responsible for setting up this info. Specifically, the app creates a TKToken.Configuration value by calling addTokenConfiguration(for:) and then populates its keychainItems property with TKTokenKeychainCertificate and TKTokenKeychainKey pairs, the first with the certificate and the second with the private key info.

Finally, I want to reiterate this point from my previous response: Test this using a small test app rather than with Safari. There’s a lot of extra complexity between Safari and your token, and you want to get some confidence that your token is working before you deal with that extra complexity.

ps Please drop me a line via email (my address is in my signature), making sure to reference this thread.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Remember that I’m using terms from TLS for App Developers.
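Putting both halves of that advice together (the containing app publishing the certificate plus a key placeholder, and a small test app that signs through it), as an added Swift example that is not code from this thread or from Apple: the class ID, instance ID, label and objectIDs are hypothetical, the certificate is assumed to be EC P-256, and the extension's TKTokenSession delegate is assumed to be what forwards the sign request to the HSM.

```swift
import CryptoTokenKit
import Security
struct TokenSetupError: Error { let message: String }
enum HSMTokenPublisher {
    static let driverClassID = "com.example.hsmtoken"   // hypothetical; must match com.apple.ctk.class-id
    static let instanceID = "hsm-slot-1"                // hypothetical; handed to the extension's TKToken
    static let itemLabel = "HSM Signing Identity"       // hypothetical
    /// Publishes one digital identity: real certificate bytes plus a key placeholder. No key material
    /// is involved; the system routes every use of the key into the extension's TKTokenSession.
    static func publish(certDER: Data) throws {
        guard let cert = SecCertificateCreateWithData(nil, certDER as CFData) else {
            throw TokenSetupError(message: "certificate is not valid DER")
        }
        guard let driver = TKTokenDriver.Configuration.driverConfigurations[driverClassID] else {
            throw TokenSetupError(message: "token extension \(driverClassID) is not installed")
        }
        let config = driver.addTokenConfiguration(for: instanceID)
        // objectIDs are opaque to the system; the key's objectID comes back to the extension
        // in tokenSession(_:sign:keyObjectID:algorithm:), so it should identify the HSM key.
        guard let certItem = TKTokenKeychainCertificate(certificate: cert, objectID: "cert-1"),
              let keyItem = TKTokenKeychainKey(certificate: cert, objectID: "key-1") else {
            throw TokenSetupError(message: "could not build keychain items from the certificate")
        }
        certItem.label = itemLabel
        keyItem.label = itemLabel
        keyItem.canSign = true        // advertise only what the HSM will do (leave canDecrypt etc. false)
        config.keychainItems = [certItem, keyItem]
    }
    /// The small test Quinn suggests: find the published identity and sign with its key. If the
    /// extension's sign delegate is not reached from here, Safari will not reach it either.
    static func signTest(_ message: Data) throws -> Data {
        let query: [String: Any] = [kSecClass as String: kSecClassIdentity,
                                    kSecAttrLabel as String: itemLabel,
                                    kSecReturnRef as String: true]
        var ref: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &ref)
        guard status == errSecSuccess, let identity = ref else {
            throw TokenSetupError(message: "identity not found, OSStatus \(status)")
        }
        var key: SecKey?
        guard SecIdentityCopyPrivateKey(identity as! SecIdentity, &key) == errSecSuccess,
              let signingKey = key else { throw TokenSetupError(message: "no private key reference") }
        var err: Unmanaged<CFError>?
        // EC P-256 assumed; pick the SecKeyAlgorithm that matches the published key type.
        guard let sig = SecKeyCreateSignature(signingKey, .ecdsaSignatureMessageX962SHA256,
                                              message as CFData, &err) else {
            throw err!.takeRetainedValue()
        }
        return sig as Data
    }
}
```

If signTest succeeds, a breakpoint in the extension's sign delegate should have been hit; if it fails before that, the problem is in publishing rather than in Safari.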

  • Thank you very much for your answer, I'll tell you something in a few days when I'm on other things.
