Reply to Network token with CryptoTokenKit
Hi,

With multiple tests I figured that:
com.apple.ctk.token-type can include any identifier (e.g. 'token')
com.apple.ctk.aid can be avoided if the token isn't a smartcard

Most of the CryptoTokenKit sample code is fine when using a generic Token (not inheriting from the SmartCard variants). This includes loading the extension by invoking the Keychain from the host App, using TKConfigurationData to fetch context from the host, or replying to TKTokenSession callbacks.

However TKTokenKeychainContents seems to be missing if the TKToken doesn't inherit from TKSmartCardToken. token.keychainContents remains nil, forbidding use of [keychainContents fillWithItems:]. This is a blocking point to perform crypto operations that usually rely on [keychainContents keyForObjectID].

Any idea on why keychainContents remains nil?

Regards,
Jerome T
Apr ’20
Reply to Using KeyChain items from CryptoTokenKit
Yes, effectively it occurs during operations that rely on the private key, typically displaying authentication dialogs. It succeeds with both TouchID or the user password.

I had in mind that CTK plugins can do UI; should TKTokenAuthOperation be the only place where UI occurs? Is UI limited to default dialogs (e.g. TKTokenPasswordAuthOperation)?

Regards,
Jerome T
Apr ’20
Reply to Using KeyChain items from CryptoTokenKit
Effectively I tried using LocalAuthentication from a TKTokenAuthOperation and it runs fine. I can get an authenticated context (at least for decrypt and key exchange operations - strangely it fails for signing). I cannot go further, then, because LocalAuthentication doesn't seem usable as a pre-authentication for SecKeyCreateSignature or SecKeyCreateDecryptedData.
Apr ’20
Reply to Sharing NSUserDefaults between XPCService, Network Extension and container app
Hi Quinn, I confirm this is a System Extension (content filter used as a Firewall). OSSystemExtensionErrorValidationFailed disappears if the bundle ID and AppGroup are synchronized. It's not yet clear to me if the 'group.' prefix needs to be used for the AppGroup. Looking at the Group Containers folder, some apps use the prefix and some others do not (including Apple's).

Based on your explanation, I moved the XPC Service from daemon to agent so that it runs in the user context. However KVO observation isn't triggered between the container app and the XPC Service. Yet defaults values are up-to-date if I use XPC communication as a notification.
Mar ’22
Reply to Using SCNetworkReachability from XPC Service
I used the default SCNetworkReachabilityScheduleWithRunLoop from the main source code during launch. As the service is based on a MachService name, the resume method returns and I did set up a main run loop. I also tried postponing SCNetworkReachabilityScheduleWithRunLoop using GCD (dispatch to the main queue) and both solutions are running fine. I'll try SCNetworkReachabilitySetDispatchQueue as well to see potential benefits.
Mar ’22
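As an added example (not code from the thread above, and not Apple's sample code), here is a minimal Swift watcher that uses SCNetworkReachabilitySetDispatchQueue instead of SCNetworkReachabilityScheduleWithRunLoop. That is the variant worth using from an XPC service or daemon that never services a run loop, since delivery then depends only on the private dispatch queue the service owns. The class name, queue label and probe host are assumptions.

```swift
import Foundation
import SystemConfiguration

/// Reachability watcher for a process that may not pump the main run loop,
/// e.g. an XPC service that only runs its NSXPCListener.
/// Added example; not code from the thread above.
final class ReachabilityWatcher {
    private let target: SCNetworkReachability
    private let handler: (SCNetworkReachabilityFlags) -> Void
    // Private serial queue the SystemConfiguration callback is delivered on
    // (the label is an assumption).
    private let queue = DispatchQueue(label: "example.reachability")

    init?(host: String, onChange: @escaping (SCNetworkReachabilityFlags) -> Void) {
        guard let ref = SCNetworkReachabilityCreateWithName(nil, host) else { return nil }
        target = ref
        handler = onChange

        // Pass `self` unretained; deinit unschedules the callback before the
        // object is freed, so the raw pointer never dangles.
        var context = SCNetworkReachabilityContext(
            version: 0,
            info: Unmanaged.passUnretained(self).toOpaque(),
            retain: nil, release: nil, copyDescription: nil)

        let callout: SCNetworkReachabilityCallBack = { _, flags, info in
            guard let info = info else { return }
            Unmanaged<ReachabilityWatcher>.fromOpaque(info)
                .takeUnretainedValue().handler(flags)
        }

        // Scheduling on a dispatch queue replaces ScheduleWithRunLoop: no run
        // loop needs to be serviced by this process for callbacks to arrive.
        guard SCNetworkReachabilitySetCallback(target, callout, &context),
              SCNetworkReachabilitySetDispatchQueue(target, queue) else {
            return nil
        }
    }

    /// Synchronous snapshot; the callback only fires on changes, so read the
    /// initial state explicitly.
    func currentFlags() -> SCNetworkReachabilityFlags? {
        var flags = SCNetworkReachabilityFlags()
        return SCNetworkReachabilityGetFlags(target, &flags) ? flags : nil
    }

    deinit {
        // Unschedule before the object goes away; a late callback would
        // otherwise dereference a freed pointer.
        SCNetworkReachabilitySetDispatchQueue(target, nil)
    }
}

/// Interpret the flag set: "reachable" here means a path exists without first
/// having to bring up a connection (e.g. dial-up or VPN on demand).
func isReachable(_ flags: SCNetworkReachabilityFlags) -> Bool {
    flags.contains(.reachable) && !flags.contains(.connectionRequired)
}

// Usage from the service's main.swift: keep the watcher alive for the
// service lifetime, then block in the listener as usual. The host is an
// assumption for the example.
let watcher = ReachabilityWatcher(host: "captive.apple.com") { flags in
    NSLog("reachability changed: reachable=\(isReachable(flags)) flags=\(flags.rawValue)")
}
if let flags = watcher?.currentFlags() {
    NSLog("initial reachability: \(isReachable(flags))")
}
// listener.resume()
// dispatchMain()
```

Two practical points: the callback runs on the private queue, so hop to whatever queue owns the service's state before mutating it; and reachability flags are a hint about routing, not proof that a given destination will answer, so a firewall or filter extension should treat them as an input to a decision rather than as the decision itself.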
Reply to Captive portal from Network Filtering Extension (Mac)
Hi, an update on this topic. Using SNI via handleOutboundDataFromFlow fails because nearly all traffic is encrypted and no headers or metadata can be fetched for that purpose.

I tried as a B-plan to replicate the captive.apple.com behaviour to detect redirects and allow them. This is a tricky job because the Firewall rules need to be updated live to follow redirects, but on paper (i.e. simulating with Safari) it works.

However in captive-portal tests I face another problem: the Captive Portal Assistant seems to block all traffic outside of its own session (not sure how this is done). For example Safari or curl won't get a response while the CPA is opened, as they do under the same SSID if the CPA is closed. In some way this could be a helpful solution for my use-case if I was able to confirm that a CPA session is ongoing. CNCopySupportedInterfaces seems to be dedicated to that and is available on Mac. However it always returns null. I know that some (obsolete) CN APIs require some specific entitlements on iOS but I've found nothing about Mac requirements.

Any hint?
Apr ’22