CryptoTokenKit Network Cryptographic Tokens

Hello,

It is mentioned in CryptoTokenKit documentation:

You use the CryptoTokenKit framework to easily access cryptographic tokens. Tokens are physical devices built in to the system, located on attached hardware (like a smart card), or accessible through a network connection.

However, it looks like there is a lack of documentation with a simple example of how to access a network token.

I have certificates in an HSM (hardware security module) that is accessible over the network, and I'd like to access the certificates on the HSM from my Mac.

Does anybody know where to start with the implementation?

Thank you.

Replies

There are two parts to this:

  • Integrating the HSM token with your Mac

  • Accessing its credentials from your code


For the first part, you need a CryptoTokenKit (CTK) app extension that acts as a driver for your HSM. Normally that’d be created by the HSM vendor. Presumably that’s not you, so you should ask your HSM vendor if they have CTK support.

If they don’t have CTK support but they do publish their network protocol, you could implement your own CTK app extension. This is a bunch of work, but there’s nothing stopping you.


Once you have the CTK app and you’ve configured it to publish your HSM’s credentials to the system, it’s time to use those credentials from your code. You do this in two steps:

  1. Call the SecItem API to find the credential. Typically you want to sign or encrypt something, so the credential is a digital identity (SecIdentity) or private key (SecKey).

  2. Use standard Security framework APIs to do your crypto operations. For example, if you have a digital identity you might call:

    • SecIdentityCopyCertificate to get its certificate

    • SecIdentityCopyPrivateKey to get its private key

    and then SecKeyCreateSignature to sign with that private key.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
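The two steps above, written out as an added Swift example (not code from the thread or from Apple): it looks up the identity with SecItem, takes its private key, signs with SecKeyCreateSignature, and verifies the result against the certificate's public key. It assumes the CTK extension has published an ECDSA P-256 identity and that `subject` is a placeholder substring of the certificate's subject name.

```swift
import Foundation
import Security

struct HSMSigningError: Error { let message: String }

/// Step 1: find the identity the CTK extension published for the HSM.
/// `subject` is a placeholder substring of the certificate subject name.
func findHSMIdentity(subject: String) throws -> SecIdentity {
    let query: [CFString: Any] = [
        kSecClass: kSecClassIdentity,
        kSecMatchSubjectContains: subject,
        kSecMatchLimit: kSecMatchLimitOne,
        kSecReturnRef: true,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let identity = item else {
        throw HSMSigningError(message: "SecItemCopyMatching failed: \(status)")
    }
    return identity as! SecIdentity
}

/// Step 2: get the private key from the identity and sign with it. The key
/// material stays on the HSM; the CTK extension forwards the operation.
func signWithHSM(identity: SecIdentity, data: Data) throws -> Data {
    var key: SecKey?
    guard SecIdentityCopyPrivateKey(identity, &key) == errSecSuccess, let privateKey = key else {
        throw HSMSigningError(message: "no private key reference for identity")
    }
    let algorithm: SecKeyAlgorithm = .ecdsaSignatureMessageX962SHA256  // assumed P-256 key
    guard SecKeyIsAlgorithmSupported(privateKey, .sign, algorithm) else {
        throw HSMSigningError(message: "token does not support \(algorithm)")
    }
    var error: Unmanaged<CFError>?
    guard let sig = SecKeyCreateSignature(privateKey, algorithm, data as CFData, &error) else {
        throw HSMSigningError(message: error.map { "\($0.takeRetainedValue())" } ?? "unknown error")
    }
    return sig as Data
}

/// Check the signature against the public key in the identity's certificate.
func verifyWithHSMCertificate(identity: SecIdentity, data: Data, signature: Data) -> Bool {
    var cert: SecCertificate?
    guard SecIdentityCopyCertificate(identity, &cert) == errSecSuccess,
          let publicKey = cert.flatMap(SecCertificateCopyKey) else { return false }
    var error: Unmanaged<CFError>?
    return SecKeyVerifySignature(publicKey, .ecdsaSignatureMessageX962SHA256,
                                 data as CFData, signature as CFData, &error)
}
```

If the token requires a PIN for signing, SecKeyCreateSignature is where the CTK extension's authentication prompt is triggered, so the call may block until the user responds.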

  • Hi,

    Thank you for the reply. I was able to create a CTK extension for HSM tokens. I have one last problem.

    Apple documentation says that if we throw an error with error code "TKError.Code.authenticationNeeded.rawValue", it will trigger user authentication (in tokenSession for data signing). However, the password window does not appear. I found out that I have to set TKTokenOperationConstraint. Where should I set it? Thank you.

  • Thank you, I was able to create a CTK extension and display my HSM certificates. However, I am unable to get the PIN window displayed when I try to sign something with my HSM certificate. The documentation says: responding with TKErrorCodeAuthenticationNeeded will trigger user authentication after which the current operation will be re-attempted. I respond with this code, and still nothing. TKTokenOperationConstraint is also mentioned. How do I set that? Thank you.
