CTK Authentication failed repeatedly

Hi there!

I am developing a PersistentToken Extension to work in iOS > 14.0. The goal is to bring digital certificates (personal identities to authenticate and digitally sign) to the iPhone from an external HSM.

I have created an iOS app that recovers certificates from the device and inserts them into the keychain:

  // Look up the token driver configuration and add a token configuration to it.
  let tokenDriverConfiguration = TKTokenDriver.Configuration.driverConfigurations[TokenConfigurationName]
  let tokenConfiguration:TKToken.Configuration! = tokenDriverConfiguration!.addTokenConfiguration(for: TokenName)
  let elems: NSMutableArray = []
  for (certid,certdata) in certs {
    // Publish the certificate as a token keychain item.
    let certificate:SecCertificate = CreateCert(str: certdata.b64)!
    let tokenKeychainCertificate:TKTokenKeychainCertificate! = TKTokenKeychainCertificate(certificate:certificate, objectID:certid)
    tokenKeychainCertificate.setName(name: certdata.descr)
    tokenKeychainCertificate.label=certdata.certname
    elems.add(tokenKeychainCertificate!)

    // Publish the matching key item, marked as usable for signing and decryption.
    let tokenKeychainKey:TKTokenKeychainKey! = TKTokenKeychainKey(certificate:certificate, objectID:certid)
    tokenKeychainKey.setName(name: certdata.descr)
    tokenKeychainKey.canSign = true
    tokenKeychainKey.label=certdata.certname
    tokenKeychainKey.isSuitableForLogin = true
    tokenKeychainKey.keyType = kSecAttrKeyTypeRSA as String
    tokenKeychainKey.canDecrypt = true
    tokenKeychainKey.canPerformKeyExchange = false
    elems.add(tokenKeychainKey!)
  }
  // Replace the token's keychain items with the list built above.
  tokenConfiguration.keychainItems = elems as! [TKTokenKeychainItem];
}

That presents the certificates to other applications.

I have also created the Persistent Token Extension, but when trying to use the certificates to authenticate (in a web page, for example), the breakpoints set in Xcode do not work.

I have set up a logger that works in the application, but there is no log output in the token section.

In the entitlements, I have this:

<plist version="1.0">
<dict>
	<key>keychain-access-groups</key>
	<array>
		<string>com.apple.token</string>
		<string>com.company.test.Token</string>
	</array>
</dict>
</plist>

When I try to debug with Safari, I get this error multiple times:

2022-08-12 13:14:50.616916+0200 MobileSafari[4092:8702247] [client] authentication failed repeatedly: tkid=com.company.test.Token:Token:Token, ac=<SecAccessControlRef: tkid(com.company.test.Token:Token);od(true);osgn(true)>, op=osgn

I have also read the post https://developer.apple.com/forums/thread/705433 where you tell Aekold to use a test app, but I cannot find any example or guide on the web about how to do it; maybe you can guide me.

Thanks for all!

Replies

Please drop me a line via email. My address is in my signature. Make sure to reference this thread, ’cause I get a lot of email |-:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi Quinn! (and all the community)

The issue may be solved as CTK cannot be "debugged" with Xcode, only with log.

Thanks for helping!

The issue may be solved as CTK cannot be "debugged" with Xcode, only with log.

My experience is that Xcode’s debugger works fine with CTK app extensions. However, I do recall a gotcha that I encountered the last time I played around with this. Pasted in below are some notes I took at the time.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"


I’ve seen problems with CryptoTokenKit and debugging myself. Here’s a typical sequence that causes the problem:

  1. In Xcode, I run the container app on a device for the first time.

  2. In the container app on the device, I set up my virtual token.

  3. I then run my test and it works.

  4. In Xcode, I stop the container app.

  5. I run the container app again. The configuration is still present but the test operation fails.

I found that I can work around this by attaching to and manually stopping the app extension. So:

  1. In Xcode, I run the container app on a device for the first time.

  2. In the container app on the device, I set up my virtual token.

  3. I then run my test and it works.

  4. In Xcode, I choose Debug > Attach to Process > MyCTKAppExtension.

  5. The Stop button now changes to a menu. I click it and stop the extension.

  6. I then click it again and stop the app.

  7. I run the container app again. The configuration is still present and the test now works as expected.

In short, manually stopping the CTK app extension seems to avoid the issue I’m seeing.

Please try this out and let me know if you see the same behaviour. If you do, file a bug about it and then post your bug number, just for the record.
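
The thread refers to a test app and a test operation without showing one. The following is an added example, not code from any post here or from Apple: a small Swift routine a container or test app could call to find the identities the token publishes and request a signature, so the extension's signing path runs on demand while you watch its logs or attach to it. The names `tokenIdentities`, `signWithToken`, `runTokenSignTest` and `TokenTestError` are hypothetical, the RSA PKCS#1 v1.5 SHA-256 algorithm is an assumption based on the RSA key type in the question, and the calling app is assumed to carry the `com.apple.token` keychain access group shown in the entitlements above.

```swift
import Foundation
import Security

// Added example: exercises a CryptoTokenKit token through the keychain API.
enum TokenTestError: Error {
    case keychain(OSStatus), noPrivateKey(OSStatus), unsupportedAlgorithm
}

/// Returns every identity (certificate + key) published by tokens.
func tokenIdentities() throws -> [SecIdentity] {
    let query: [String: Any] = [
        kSecClass as String: kSecClassIdentity,
        kSecAttrAccessGroup as String: kSecAttrAccessGroupToken, // token items only
        kSecMatchLimit as String: kSecMatchLimitAll,
        kSecReturnRef as String: true,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    if status == errSecItemNotFound { return [] }   // token not configured or not visible
    guard status == errSecSuccess else { throw TokenTestError.keychain(status) }
    guard let items = result as? [AnyObject] else { return [] }
    return items.map { $0 as! SecIdentity }
}

/// Asks the token behind `identity` to sign `message`.
func signWithToken(_ identity: SecIdentity, message: Data) throws -> Data {
    var key: SecKey?
    let status = SecIdentityCopyPrivateKey(identity, &key)
    guard status == errSecSuccess, let privateKey = key else {
        throw TokenTestError.noPrivateKey(status)
    }
    let algorithm = SecKeyAlgorithm.rsaSignatureMessagePKCS1v15SHA256 // assumed algorithm
    guard SecKeyIsAlgorithmSupported(privateKey, .sign, algorithm) else {
        throw TokenTestError.unsupportedAlgorithm
    }
    var error: Unmanaged<CFError>?
    guard let signature = SecKeyCreateSignature(privateKey, algorithm, message as CFData, &error) else {
        throw error!.takeRetainedValue() as Error    // surfaces the token's failure reason
    }
    return signature as Data
}

/// Call from a button handler in the test app; logs the outcome for each identity.
func runTokenSignTest() {
    do {
        let identities = try tokenIdentities()
        print("token identities found:", identities.count)
        for identity in identities {
            let signature = try signWithToken(identity, message: Data("ctk-test".utf8)) // constructed input
            print("signature bytes:", signature.count)
        }
    } catch { print("token test failed:", error) }
}
```

An empty identity list points at configuration or entitlements, while an error thrown from `signWithToken` points at the extension's session handling.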