Hi,
Thanks for the input. We have already tested the flow using smart card-backed keys, and it has worked well when handling NSURLSession requests.
We are currently using the PKCS11 APIs available from a third-party SDK to handle smart card requests for a Remote Desktop solution, which involves cryptographic operations such as signing data and verifying PINs.
We would appreciate your assistance with the following:
Sign Data Without Sending an APDU Command:
Is there an existing PKCS11 API that allows us to sign data?
Retrieving Key/Certificate Attributes (CK_VALUE, CK_LABEL):
Can we retrieve attributes such as CK_VALUE (the key or certificate data) and CK_LABEL (the label associated with the key or certificate) for private/public keys or certificates? If so, could you provide the recommended API?
Obtaining Slot ID from the Smart Card:
We need to retrieve the slot ID associated with the smart card, as this ID represents the physical location of the card within the reader. Is there a method to obtain the slot ID for a specific smart card during cryptographic operations?
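An added example (not from this thread or the vendor SDK) showing how the three questions map onto standard PKCS#11 calls: the slot ID comes from C_GetSlotList/C_GetSlotInfo, objects are located by CKA_CLASS and CKA_LABEL and their attributes read with C_GetAttributeValue (the standard constants are CKA_LABEL and CKA_VALUE), and signing is C_SignInit/C_Sign with no hand-built APDU. It assumes the module's CK_FUNCTION_LIST has already been fetched and C_Initialize run, a vendor-supplied pkcs11.h, and an RSA key that supports CKM_SHA256_RSA_PKCS.

```objc
#include <stdio.h>
#include <string.h>
#include "pkcs11.h"   /* the vendor SDK's PKCS#11 header (assumed name/path) */

/* Signs `data` with the private key labelled `label` on the first present token.
 * `p11` is the CK_FUNCTION_LIST the module returned from C_GetFunctionList();
 * the caller has already run C_Initialize(). On success sig/sigLen are filled. */
static CK_RV SignWithLabel(CK_FUNCTION_LIST_PTR p11, const char *label,
                           CK_UTF8CHAR_PTR pin, CK_ULONG pinLen,
                           CK_BYTE_PTR data, CK_ULONG dataLen,
                           CK_BYTE_PTR sig, CK_ULONG_PTR sigLen) {
    /* Slot ID: only slots with a token present; slotDescription names the reader. */
    CK_SLOT_ID slots[8]; CK_ULONG nSlots = 8;
    CK_RV rv = p11->C_GetSlotList(CK_TRUE, slots, &nSlots);
    if (rv != CKR_OK) return rv;
    if (nSlots == 0) return CKR_TOKEN_NOT_PRESENT;
    CK_SLOT_INFO info;
    if ((rv = p11->C_GetSlotInfo(slots[0], &info)) != CKR_OK) return rv;
    printf("slot %lu in reader %.64s\n", (unsigned long)slots[0], info.slotDescription);
    CK_SESSION_HANDLE s;
    if ((rv = p11->C_OpenSession(slots[0], CKF_SERIAL_SESSION, NULL, NULL, &s)) != CKR_OK) return rv;
    /* PIN verification is C_Login; the module builds the APDUs. Wipe the PIN afterwards. */
    rv = p11->C_Login(s, CKU_USER, pin, pinLen);
    memset(pin, 0, pinLen);
    if (rv != CKR_OK) { p11->C_CloseSession(s); return rv; }
    /* Locate the key by CKA_CLASS + CKA_LABEL (use CKO_CERTIFICATE for certs;
     * CKA_ID is what ties a certificate object to its key object). */
    CK_OBJECT_CLASS cls = CKO_PRIVATE_KEY;
    CK_ATTRIBUTE tmpl[] = { { CKA_CLASS, &cls, sizeof cls },
                            { CKA_LABEL, (void *)label, (CK_ULONG)strlen(label) } };
    CK_OBJECT_HANDLE key = 0; CK_ULONG found = 0;
    if ((rv = p11->C_FindObjectsInit(s, tmpl, 2)) == CKR_OK) {
        rv = p11->C_FindObjects(s, &key, 1, &found);
        p11->C_FindObjectsFinal(s);
    }
    if (rv == CKR_OK && found == 0) rv = CKR_OBJECT_HANDLE_INVALID;
    /* Attributes use a two-call pattern (NULL pValue returns the size first).
     * CKA_VALUE of a private key is refused with CKR_ATTRIBUTE_SENSITIVE on a
     * sane token; only a certificate's CKA_VALUE (its DER) is readable. */
    if (rv == CKR_OK) {
        CK_ATTRIBUTE val = { CKA_VALUE, NULL, 0 };
        CK_RV probe = p11->C_GetAttributeValue(s, key, &val, 1);
        printf("CKA_VALUE on private key -> 0x%lx\n", (unsigned long)probe);
        CK_MECHANISM mech = { CKM_SHA256_RSA_PKCS, NULL, 0 };
        if ((rv = p11->C_SignInit(s, &mech, key)) == CKR_OK)
            rv = p11->C_Sign(s, data, dataLen, sig, sigLen); /* sigLen: in = buffer size, out = length */
    }
    p11->C_Logout(s); p11->C_CloseSession(s);
    return rv;
}
```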
Hi,
I’m currently working on an app that uses a third-party SDK to perform smart card authentication via PKCS#11 APIs. Specifically, the app interacts with the smart card to retrieve certificates, detect the card reader, and perform encryption and decryption operations on provided data.
I’m wondering if it's possible to replace the PKCS#11 APIs and the third-party SDK with Apple's CryptoTokenKit framework. Does CryptoTokenKit provide equivalent functionality for smart card authentication, certificate management, and encryption/decryption operations?
Additionally, I’ve come across the following CryptoTokenKit documentation:
CryptoTokenKit API - TKSmartCardSlotManager
Could you provide an example code or any guidance on how to implement this functionality using CryptoTokenKit, particularly for interacting with smart cards, managing certificates, and performing cryptographic operations?
Thank you for your assistance.
As per this documentation - https://developer.apple.com/documentation/security/ksecattraccessgrouptoken?language=objc
kSecAttrAccessGroupToken - Access to this group is granted by default and does not require an explicit entry in your app's Keychain Access Groups Entitlement.
If I try to fetch an item from the keychain by specifying this group, OSStatus is coming as -34018 - errSecMissingEntitlements. However, everything works fine if we have this com.apple.token entry in the entitlements file.
Can someone please provide a snippet to fetch tokens from the keychain by just specifying kSecAttrAccessGroupToken in the search query? Please refer to the attached screenshot -
I have tried to debug the issue using the **codesign -d --entitlements :-** command, but 'com.apple.token' is not listed in the keychain access groups keys -
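An added example, not from this thread, of the query the post asks about and of the CryptoTokenKit-backed signing path the earlier post asks about: it searches the keychain for identities in kSecAttrAccessGroupToken, returns the raw OSStatus so a -34018 is visible instead of being swallowed, and signs with one identity's private key without the key ever leaving the card. It assumes only the Security framework and a token already attached; whether the com.apple.token entitlement is needed is exactly what the status tells you.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>
/* Lists the identities (certificate + private key) that CryptoTokenKit tokens
 * publish into the keychain, i.e. items in kSecAttrAccessGroupToken. *status
 * receives the raw OSStatus so -34018 (errSecMissingEntitlements) can be told
 * apart from "no card inserted" (errSecItemNotFound). */
static NSArray<NSDictionary *> *TokenIdentities(OSStatus *status) {
    NSDictionary *query = @{
        (id)kSecClass:            (id)kSecClassIdentity,
        (id)kSecAttrAccessGroup:  (id)kSecAttrAccessGroupToken,
        (id)kSecMatchLimit:       (id)kSecMatchLimitAll,
        (id)kSecReturnAttributes: @YES,
        (id)kSecReturnRef:        @YES,
    };
    CFTypeRef result = NULL;
    OSStatus st = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status) *status = st;
    return st == errSecSuccess ? CFBridgingRelease(result) : @[];
}
/* Signs `data` with an identity's private key. The key stays on the token:
 * the Security framework forwards the operation to the card via CTK and the
 * card may prompt for its PIN. Returns nil and sets *error on failure. */
static NSData *SignWithIdentity(SecIdentityRef identity, NSData *data, NSError **error) {
    SecKeyRef key = NULL;
    OSStatus st = SecIdentityCopyPrivateKey(identity, &key);
    if (st != errSecSuccess) {
        if (error) *error = [NSError errorWithDomain:NSOSStatusErrorDomain code:st userInfo:nil];
        return nil;
    }
    CFErrorRef cfErr = NULL;
    CFDataRef sig = SecKeyCreateSignature(key, kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256, (__bridge CFDataRef)data, &cfErr);
    CFRelease(key);
    if (!sig && error) *error = CFBridgingRelease(cfErr);
    return sig ? CFBridgingRelease(sig) : nil;
}
int main(void) {
    @autoreleasepool {
        OSStatus st;
        NSArray *items = TokenIdentities(&st);
        NSLog(@"status %d, %lu token identities", (int)st, (unsigned long)items.count);
        for (NSDictionary *item in items)
            NSLog(@"label=%@ tokenID=%@", item[(id)kSecAttrLabel], item[(id)kSecAttrTokenID]);
        if (items.count == 0) return 0;
        NSError *err = nil;   /* "constructed sample" is made-up input for the demo */
        NSData *sig = SignWithIdentity((__bridge SecIdentityRef)items[0][(id)kSecValueRef],
                                       [@"constructed sample" dataUsingEncoding:NSUTF8StringEncoding], &err);
        NSLog(@"signature %lu bytes, error %@", (unsigned long)sig.length, err);
    }
    return 0;
}
```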
Thanks @Macho Man ***** Savage for the reply.
I have tried this option as well -
NSArray *unarchivedArray = [unArchiver decodeArrayOfObjectsOfClass:[TypeA class] forKey:NSKeyedArchiveRootObjectKey];
I got the same error.
"UserInfo={NSDebugDescription=value for key 'root' was of unexpected class 'Class B'. Allowed classes are '{NSMutable Array}"
**Which doesn't match. Why are you specifying all those classes (NSString, NSNumber, etc.) if the array only contains TypeA?** - As the above solution didn't work, I thought of specifying all the class property types in the classes set to check whether it works.
Please read my post here - https://developer.apple.com/forums/thread/734157.
Thanks.
**If the smart card supports PIV, the system’s PIV support kicks in. This comes in the form of a CTK appex, which gets you to the same end state.**
Does this mean that through CTK we can detect a PIV smart card through any reader (Lightning/USB/NFC) without any vendor intervention?
Thanks for the details.
**They might actively support third-party access — by publishing an interface spec, say — and that would allow you to create your own CTK appex.**
So a CTK extension app can't be implemented independently by any app that needs to detect smart card readers and fetch certificates from the smart card? This needs collaboration with smart card reader vendors who can provide an additional interface that allows the app to talk to the token?
Thanks for the details.
**The built-in infrastructure can work with the SE and with PIV hardware tokens. If your hardware token needs custom support, or you want to create a virtual token that’s not backed by directly connected hardware, you create a CTK appex.**
If we want to fetch the certificates from smart cards connected via Bluetooth or the Lightning port, do we have to write a CryptoTokenKit extension app? I see very limited documentation on how exactly CryptoTokenKit can detect the readers and fetch certificates from the smart card.
Can you please assist here? @eskimo
Hi,
I am trying to implement an app which performs cert-based authentication through a smart card. I have a few queries related to the same.
I have included com.apple.token in the keychain access group. I am able to fetch the certificates from the keychain using a YubiKey with a USB Type-C connector. But this is not working for the YubiKey with a Lightning connector. Does Apple support Lightning port readers?
What is the need for a CryptoTokenKit extension if we are able to list the certificates from the keychain just by adding com.apple.token to the entitlements file?