CryptoTokenKit accessible through a network

Question

Created Oct ’24

Replies 4

Boosts 0

Participants 3

Hi, team. I am exploring and learning about CryptoTokenKit's capabilities. I would like to understand better what it means when the documentation says hardware tokens can be accessible through a network.

How would that work? Is there an example? Is there more documentation about it available?

What is the flow? Do we make a regular network request to fetch the keys, then create a Certificate or Password object, then store it with the regular persistence extension of CTK? So, it would be like using CryptoKit and the keychain but using hardware's security layer?

Boost

Answer 1

DTS Engineer OP

Apple

Oct ’24

Recommended

A typical workflow runs like this:

The container app for your CTK appex (CryptoTokenKit app extension) creates credentials (certificates and private key stubs, which together form a digital identity) for the virtual token.
These appear in the keychain, in a special keychain access group (kSecAttrAccessGroupToken).
All apps have access to that keychain access group, subject to user approval.
An app on the system, like Safari, looks in the keychain for appropriate digital identities. It finds the identities from step 1.
When it goes to use the identity — in this case, let’s imagine it tries to sign a digest — the system launches your CTK appex.
And passes it a signing request.
Your appex in then responsible for that signature operation. It can use internal resources for this, or talk to a directly connected hardware accessory, or reach across the network. It’s up to you.
Once it’s done, it returns the signature to the system, which returns it to the signing app.

If you want to build an app that using a token-based credential, that’s something I’ve discussed a bunch here on DevForums. See this post and this post. You can test this code with, say, a YubiKey.

If you want to build a CTK appex, reply back here and I’ll try to dig up some references.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

mruiznavejas OP

Oct ’24

Hi, Quinn. Thanks for replying.

I have tested fetching credentials from a YubiKey already. In this case I am trying to understand the use case of "fetching a hardware token" from the network.

0

Answer 3

mruiznavejas OP

Oct ’24

Also, now that you mention the CTK appex, Please share with me the docs you have.

What is the difference between using the extension versus just using the built-in methods for storing credentials?

0

Answer 4

DTS Engineer OP

Apple

Oct ’24

Please share with me the docs you have.

The official docs are here: CryptoTokenKit. Before we go further than that, I wanna understand make sure I understand your requirements…

What is the difference between using the extension versus just using the built-in methods for storing credentials?

A CTK appex makes the credentials available via the keychain for all apps. If you were to talk to your HSM directly, or over the network, then only your app would have access to those credentials. So, yeah, whether you want to create a CTK appex very much depends on whether the first goal is important to you.

For example, if you build a CTK appex then your customers could sign code using a digital identity vended by your appex. I talk more about that setup in Signing code with a hardware-based code-signing identity. That specific example using the built-in PIV CTK appex to talk to the YubiKey, but the same general process works for third-party CTK appexes.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

1