Post

Replies

Boosts

Views

Activity

Reply to Can't generate keypair through SecKeyCreateRandomKey() on macOS Sequoia - internal error
We had to use sudo to be able to store the corresponding certificate and its keys in the system keychain for MDM access. Since the certificate is for the device, login keychain was not suitable. I guess this is using legacy keychain. The code works if I use kSecUseDataProtectionKeychain as true in the attributes parameter which is using modern iOS style keychain. I wish the error is message from the API is clear whats not supported / incorrect. I have attached sysdiagnose to the FB15634465.
2w
Reply to [FB13622281]Sonoma: On any OS update, CryptoTokenKit extension doesn't get loaded automatically at login
Hello Quinn (from Apple DTS), if you are reading this please help with in resolving this crash in authorizationhosthelper.arm64 in Security::KeychainCore::StorageManager::tickleKeychain(Security::KeychainCore::KeychainImpl*) + 44 . We are already following the CryptoTokenKit best practices as per https://developer.apple.com/documentation/cryptotokenkit/authenticating_users_with_a_cryptographic_token#2937138 to launch the extension.
Aug ’24
Reply to CryptoTokenKit persistent token extension + SSH PKCS#11 authentication doesn't work
Edit: certificate is nil above i.e let tokenKey = TKTokenKeychainKey(certificate: nil, objectID: tag). I manually set all other properties as per the headerdocs. More debug info : % pluginkit -m -p com.apple.ctk-tokens    com.apple.CryptoTokenKit.pivtoken(1.0)    com.foo.mac-device-check.SecureEnclaveTokenExtension(1.0)  % sudo security smartcards token -e com.foo.mac-device-check.SecureEnclaveTokenExtension Token is already enabled. Still no luck with pkcs11_register_provider: /usr/lib/ssh-keychain.dylib.
Jan ’23