CryptoTokenKit not working on Ventura

Hello,

We already submitted a feedback through the assistant about that, but I'm not sure we will ever get an answer, and it might be interesting for other people as well.

On macOS Ventura, it seems like applications using the Keychain services are unable to see certificates provided by CryptoTokenKit smart card token drivers.

In order to reproduce, you need a CryptoTokenKit smart card driver appex working under Big Sur or Monterey. Install the same appex on Ventura. You'll see that Safari does not see the certificates provided by the appex, and cannot perform SSL/TLS client authentication with them. Similar symptoms can be seen with other apps (Chrome, mail clients, or even custom apps that directly use the Keychain API: token instances cannot be obtained from the app).

We tested with both our own CryptoTokenKit driver (a TKSmartCard driver, which worked well with all previous macOS versions), and the CryptoTokenKit driver from another company (Yubico). Both work on older macOS, but not on Ventura.

Has something changed in the security framework between Monterey and Ventura? Do we need to change something in our CryptoTokenKit driver, or is it a bug in macOS? If it's a bug, is Apple aware of it, and will it be fixed? This is a functionality that is largely used in enterprise environments.

Posted by idopte (not yet marked as solved)
4.3k views

Replies

Hello,

We have encountered a similar issue where the CTK extension was not working on Ventura, despite it functioning on older macOS versions. Upon investigation, we discovered that the problem was caused by the main application bundle, CTKApp (.app), which included the CTK extension (.appex), having an incorrect bundle identifier.

The bundle identifier for CTKApp was set as: com.MyCompany.MyApp

and the bundle identifier for the CTK extension was set as: com.MyCompany.CTKApp.CTK

To fix this issue, we needed to adjust the bundle identifiers as follows:

CTKApp - com.MyCompany.CTKApp

CTK extension - com.MyCompany.CTKApp.CTK

However, it's worth noting that the correct bundle identifier to use should be based on your provisioning profile. For instance, if your profile is configured differently, you might need to use different identifiers instead. For example:

CTKApp - com.MyCompany.MyApp

CTK extension - com.MyCompany.MyApp.CTK

So it's important to check your provisioning profile and use the appropriate bundle identifiers for your specific configuration.

After making these changes to the bundle identifiers, the CTK extension started working as expected.

It appears that older macOS versions were more tolerant of mismatched bundle identifiers, but it seems that this is no longer the case with newer versions.

> It appears that older macOS versions were more tolerant of mismatched bundle identifiers

Indeed. Since we introduced app extensions back in the 2014 OS releases it’s always been a requirement that an appex’s bundle ID be an immediate ‘child’ of its container app. Xcode even complains if you get this wrong. I was super surprised to hear that this used to work prior to macOS 13.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
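The rule Quinn states above (the appex bundle ID must be an immediate child of the container app's bundle ID) is easy to check mechanically before shipping a CryptoTokenKit extension. The script below is an added example, not code from this thread or from Apple: it reads `CFBundleIdentifier` from two Info.plist documents and reports whether the extension ID is exactly the app ID plus one additional dot-separated component. The two plists are constructed inline (using the identifiers from the thread's failing case) so it runs offline; `check_bundle_dir` is a hypothetical helper that applies the same check to a real `.app` on disk by walking `Contents/PlugIns/*.appex`.

```python
"""Check that an app extension's CFBundleIdentifier is an immediate child
of its container app's CFBundleIdentifier.

Added example, not from the forum thread or from Apple. The Info.plist
documents below are constructed so the script runs offline; on a real
machine you would read MyApp.app/Contents/Info.plist and
MyApp.app/Contents/PlugIns/<name>.appex/Contents/Info.plist instead.
"""
import plistlib
from pathlib import Path

# Constructed Info.plist for the container app (the thread's failing setup).
APP_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.MyCompany.MyApp</string>
  <key>CFBundlePackageType</key>
  <string>APPL</string>
</dict>
</plist>
"""

# Constructed Info.plist for the CTK extension (the thread's failing setup).
APPEX_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.MyCompany.CTKApp.CTK</string>
  <key>CFBundlePackageType</key>
  <string>XPC!</string>
</dict>
</plist>
"""


def bundle_id(plist_bytes: bytes) -> str:
    """Return CFBundleIdentifier from a serialized Info.plist (XML or binary)."""
    return plistlib.loads(plist_bytes)["CFBundleIdentifier"]


def check_appex_parent(app_id: str, appex_id: str) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only when appex_id == app_id + '.' + <one component>."""
    prefix = app_id + "."
    if not appex_id.startswith(prefix):
        return False, f"{appex_id!r} is not under container {app_id!r}"
    child = appex_id[len(prefix):]
    if not child:
        return False, f"{appex_id!r} has no component after the container ID"
    if "." in child:
        # e.g. com.X.App.Sub.CTK under com.X.App: a grandchild, not an immediate child
        return False, f"{appex_id!r} is nested more than one level below {app_id!r}"
    return True, f"{appex_id!r} is an immediate child of {app_id!r}"


def check_bundle_dir(app_dir: Path) -> list[tuple[str, bool, str]]:
    """Hypothetical helper: check every PlugIns/*.appex inside an .app on disk."""
    app_id = bundle_id((app_dir / "Contents" / "Info.plist").read_bytes())
    results = []
    for appex in sorted((app_dir / "Contents" / "PlugIns").glob("*.appex")):
        appex_id = bundle_id((appex / "Contents" / "Info.plist").read_bytes())
        ok, why = check_appex_parent(app_id, appex_id)
        results.append((appex.name, ok, why))
    return results


if __name__ == "__main__":
    # The thread's failing pair, then the two corrected pairs from the reply.
    pairs = [
        (bundle_id(APP_PLIST), bundle_id(APPEX_PLIST)),
        ("com.MyCompany.CTKApp", "com.MyCompany.CTKApp.CTK"),
        ("com.MyCompany.MyApp", "com.MyCompany.MyApp.CTK"),
    ]
    for app, ext in pairs:
        ok, why = check_appex_parent(app, ext)
        print("OK  " if ok else "FAIL", why)
```

Run it as-is to see the thread's original pair fail and both corrected pairs pass; on a build machine, point `check_bundle_dir` at the built `.app` as a post-build step so a mismatch is caught before the extension reaches a Ventura host.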

This was our problem indeed. Although not conformant to the Apple specs, it used to work, and it hasn't since Ventura. Thanks Eskimo for the help on that.