Mixed RSA / EC certificate chain

Can CTKToken framework handle mixed RSA / EC certificate chains?

When using a CTKToken implementation to use certificates on a smartcard, the CTK Framework comes with strange "supportsOperation" requests when the certificate contains an RSA key but is signed by the EC key of the parent certificate. It basically asks if the CTKToken implementation can sign using some ECC algorithms while using an RSA key. (No RSA algorithms are checked, so in the end no supported algorithm is found.)

The CTK function that is being called is (BOOL)tokenSession:(TKTokenSession *)session supportsOperation:(TKTokenOperation)operation usingKey:(TKTokenObjectID)keyObjectID algorithm:(TKTokenKeyAlgorithm *)algorithm. Debugging shows that keyItem.keyType isEqual:(id)kSecAttrKeyTypeRSA, but the framework only asks if we support some EC algorithm.

When using a PKCS#11 implementation instead of a CTKToken implementation with the same card, we are able to create a digital signature with Acrobat Reader; with the CTKToken we are not able to.

We expected the CTK Framework to ask us if we can sign with the RSA key while using some RSA algorithms. This behaviour is followed when using a certificate with an RSA key that is signed by a parent certificate with an RSA key.

This has been tested while using Belgian eID test cards with a mixed RSA/EC keychain. https://github.com/Fedict/eid-mw/blob/master/cardcomm/ctkToken/BEIDToken/TokenSession.m
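The following is an added illustration of the delegate method discussed above; it is not the eid-mw BEIDToken code and not Apple's. It answers tokenSession:supportsOperation:usingKey:algorithm: from the key type stored in the token's keychain contents, so that a request for an ECDSA algorithm on an RSA key (the mismatch described in the question) is refused explicitly and logged, instead of falling through as "nothing supported" with no trace. The class name ExampleTokenSession and the lists of algorithms the card is assumed to perform are assumptions for the example; the variable name keyItem is taken from the question.

```objective-c
// Added example (not the BEIDToken implementation): decide supportsOperation
// from the key type of the referenced keychain item and log RSA/EC mismatches.
#import <CryptoTokenKit/CryptoTokenKit.h>
#import <os/log.h>

@interface ExampleTokenSession : TKSmartCardTokenSession <TKTokenSessionDelegate>  // hypothetical class
@end

@implementation ExampleTokenSession

- (BOOL)tokenSession:(TKTokenSession *)session
   supportsOperation:(TKTokenOperation)operation
            usingKey:(TKTokenObjectID)keyObjectID
           algorithm:(TKTokenKeyAlgorithm *)algorithm {
    // This example token only produces signatures.
    if (operation != TKTokenOperationSignData) {
        return NO;
    }

    // Look up the key item that was registered in the token's keychain contents.
    NSError *error = nil;
    TKTokenKeychainKey *keyItem = [session.token.keychainContents keyForObjectID:keyObjectID error:&error];
    if (keyItem == nil || !keyItem.canSign) {
        os_log_error(OS_LOG_DEFAULT, "supportsOperation: no signing key for objectID %{public}@ (%{public}@)",
                     keyObjectID, error);
        return NO;
    }

    BOOL isRSA = [keyItem.keyType isEqual:(id)kSecAttrKeyTypeRSA];
    BOOL isEC  = [keyItem.keyType isEqual:(id)kSecAttrKeyTypeECSECPrimeRandom];

    // Assumed capabilities of the card for this example. supportsAlgorithm: also
    // matches message-level variants that the framework reduces to these digest algorithms.
    BOOL rsaAlgorithm =
        [algorithm supportsAlgorithm:kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256] ||
        [algorithm supportsAlgorithm:kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384] ||
        [algorithm supportsAlgorithm:kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512];
    BOOL ecAlgorithm =
        [algorithm supportsAlgorithm:kSecKeyAlgorithmECDSASignatureDigestX962SHA256] ||
        [algorithm supportsAlgorithm:kSecKeyAlgorithmECDSASignatureDigestX962SHA384];

    // The situation from the question: an EC algorithm asked for an RSA key (or vice versa).
    // Refuse it and make the mismatch visible in Console rather than silently returning NO.
    if ((isRSA && ecAlgorithm) || (isEC && rsaAlgorithm)) {
        os_log_error(OS_LOG_DEFAULT,
                     "supportsOperation: key %{public}@ has type %{public}@ but an algorithm for the other key type was requested",
                     keyObjectID, keyItem.keyType);
        return NO;
    }

    return (isRSA && rsaAlgorithm) || (isEC && ecAlgorithm);
}

@end
```

The method cannot change which algorithms the framework asks about; its value here is that the key-type check and the log line let you confirm from the system log which algorithm the framework actually queried for each key, which is the evidence needed to separate a framework behaviour from a bug in the token extension.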