Getting data from SmartCard certificates

I am working on a macOS application written in Swift 5, where the user can log in using a smartcard. When the user inserts the smartcard and selects this way of authentication, we display the certificates on the card for the user to select. Once one is selected, the user enters the PIN and logs in.

I am able to show the certificates using the SecItemCopyMatching call mentioned in this answer. But along with the PIN, I need to send the following information for successfully logging in.

  1. Card's name -> for example, Identity Device (NIST SP 800-73 [PIV])
  2. Crypto service provider's name -> for example, Microsoft Base Smart Card Crypto Provider
  3. Container name -> in the format aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee

Questions:

  • I want to understand how to get this information from the certificate present on the smartcard.
  • (not important) When I run the SecItemCopyMatching call, I get 8 objects in an array but I know that there are only 2 certs on it. Currently, I cast it into a set and see just 2 SecCertificate objects that I need. Is there a better solution to this?
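
As an added example (not code from the post or from Apple), here is one way to run the SecItemCopyMatching query against the token access group, ask for the keychain attributes alongside each certificate reference, and drop the duplicate entries by comparing DER encodings. The `SmartCardCertificate` struct is an assumption for illustration; the attributes it carries (token ID, label) are what the macOS keychain reports for a token item, whereas a CSP name and a key container GUID are Windows CryptoAPI concepts that the keychain does not have attributes for.

```swift
import Foundation
import Security

/// A certificate found on an inserted smart card, together with the
/// attributes the keychain reports for it (hypothetical struct, not an Apple type).
struct SmartCardCertificate {
    let certificate: SecCertificate
    let tokenID: String?        // kSecAttrTokenID: identifies the token (card) holding the item
    let label: String?          // kSecAttrLabel: keychain label, usually derived from the subject
    let subjectSummary: String? // human-readable subject, for the picker UI
    let serialNumber: Data?     // DER-encoded serial number
}

/// Queries the token access group for certificates and reports each distinct
/// certificate once, even when the keychain lists the same DER several times.
func smartCardCertificates() -> [SmartCardCertificate] {
    let query: [CFString: Any] = [
        kSecClass: kSecClassCertificate,
        kSecAttrAccessGroup: kSecAttrAccessGroupToken, // only items backed by a token
        kSecMatchLimit: kSecMatchLimitAll,
        kSecReturnRef: true,                           // SecCertificate in kSecValueRef
        kSecReturnAttributes: true,                    // one dictionary per item
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let items = result as? [[String: Any]] else {
        return []
    }

    var seenDER = Set<Data>()
    var found: [SmartCardCertificate] = []
    for attrs in items {
        // Verify the reference really is a certificate before casting it.
        guard let ref = attrs[kSecValueRef as String],
              CFGetTypeID(ref as CFTypeRef) == SecCertificateGetTypeID() else { continue }
        let cert = ref as! SecCertificate
        let der = SecCertificateCopyData(cert) as Data
        guard seenDER.insert(der).inserted else { continue } // duplicate keychain entry
        found.append(SmartCardCertificate(
            certificate: cert,
            tokenID: attrs[kSecAttrTokenID as String] as? String,
            label: attrs[kSecAttrLabel as String] as? String,
            subjectSummary: SecCertificateCopySubjectSummary(cert) as String?,
            serialNumber: SecCertificateCopySerialNumberData(cert, nil) as Data?
        ))
    }
    return found
}
```

Deduplicating on the DER bytes rather than on the object reference is what removes the extra entries, since each keychain entry comes back as its own SecCertificate object.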

Replies

But along with the PIN, I need to send the following information for successfully logging in.

I’m not sure I understand that. The smart card PIN is used to ‘unlock’ the card, not to log in, so I can’t see any situation where you’d get the PIN and use it for logging in to a service.

A smart card typically stores a digital identity, which is comprised of a certificate and a private key that matches the public key in that certificate. Assuming that, it sounds like you just want to get info from the certificate and then:

  • Pass that info on to the service as part of the log-in process.

  • Additionally, perform a crypto operation with the private key, like signing some data, which requires the user to enter the PIN.

Is that correct?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Pass that info on to the service as part of the log-in process.

Yes, all the information that I need help with and mentioned above is to pass on to a service that does the actual authentication/login. Having said that, I see that the card name (1) comes from the smart card, and the CSP name and container name (2 & 3) come from the certificate.