CryptoTokenKit

RSS for tag

Access security tokens and the cryptographic assets they store using CryptoTokenKit.

Posts under CryptoTokenKit tag

26 Posts
Sort by:

Post

Replies

Boosts

Views

Activity

Security Resources
General: Apple Platform Security support document Security Overview Cryptography: DevForums tags: Security, Apple CryptoKit Security framework documentation Apple CryptoKit framework documentation Common Crypto man pages — For the full list of pages, run: % man -k 3cc For more information about man pages, see Reading UNIX Manual Pages. On Cryptographic Key Formats DevForums post SecItem attributes for keys DevForums post CryptoCompatibility sample code Keychain: DevForums tags: Security Security > Keychain Items documentation TN3137 On Mac keychain APIs and implementations SecItem Fundamentals DevForums post SecItem Pitfalls and Best Practices DevForums post Investigating hard-to-reproduce keychain problems DevForums post Smart cards and other secure tokens: DevForums tag: CryptoTokenKit CryptoTokenKit framework documentation Mac-specific frameworks: DevForums tags: Security Foundation, Security Interface Security Foundation framework documentation Security Interface framework documentation Related: Networking Resources — This covers high-level network security, including HTTPS and TLS. Network Extension Resources — This covers low-level network security, including VPN and content filters. Code Signing Resources Notarisation Resources Trusted Execution Resources — This includes Gatekeeper. App Sandbox Resources Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"
0
0
2.5k
Mar ’24
slot refused to allocate exclusive session for the card
I try to send apdu command via smartcard with Cryptotokenkit on IOS application but got some error in debug log [smartcard] slot refused to allocate exclusive session for the card "error domain=cryptotokenkit code=-2 "(null)"" for my code please see below code // connect to the card mngr?.getSlot(withName: slotName, reply: { (slot:TKSmartCardSlot?) in let card = slot?.makeSmartCard() if card != nil { // begin session card?.beginSession{ ( success:Bool,error:Error?) in if success { // Send 1st APDU card?.send(ins: 0x84, p1: 0x00, p2: 0x00,le:8){ (data:Data?,sw:UInt16,error:Error?) in if error != nil { print("sendIns error:",error!) }else{ print("Response:",data!,String(sw,radix: 16)) //String(format: "%02X", data! as CVarArg) } } }else{ print("Session error:",error!) } } }else{ print("No card found") } }) So i'm not sure what i do wrong on this
1
0
206
1w
slot refused to allocate exclusive session for the card
Hi Guys I try to use smart card reader with my ipad project and after trying to make init session with the card got error from cryptotokenkit Message from debug log : [smartcard] slot refused to allocate exclusive session for the card "Session error: Error Domain=CryptoTokenKit Code=-2 "(null)"" // connect to the card mngr?.getSlot(withName: slotName, reply: { (slot:TKSmartCardSlot?) in let card = slot?.makeSmartCard() if card != nil { // begin session card?.beginSession{ ( success:Bool,error:Error?) in if success { // Send 1st APDU card?.send(ins: 0x84, p1: 0x00, p2: 0x00,le:8){ (data:Data?,sw:UInt16,error:Error?) in if error != nil { print("sendIns error:",error!) }else{ print("Response:",data!,String(sw,radix: 16)) //String(format: "%02X", data! as CVarArg) } } }else{ print("Session error:",error!) } } }else{ print("No card found") } })
1
0
106
1w
CryptoTokenKit framework usage
Hi, I’m currently working on an app that uses a third-party SDK to perform smart card authentication via PKCS#11 APIs. Specifically, the app interacts with the smart card to retrieve certificates, detect the card reader, and perform encryption and decryption operations on provided data. I’m wondering if it's possible to replace the PKCS#11 APIs and the third-party SDK with Apple's CryptoTokenKit framework. Does CryptoTokenKit provide equivalent functionality for smart card authentication, certificate management, and encryption/decryption operations? Additionally, I’ve come across the following CryptoTokenKit documentation: CryptoTokenKit API - TKSmartCardSlotManager Could you provide an example code or any guidance on how to implement this functionality using CryptoTokenKit, particularly for interacting with smart cards, managing certificates, and performing cryptographic operations? Thank you for your assistance.
3
0
223
1w
CryptoTokenKit accessible through a network
Hi, team. I am exploring and learning about CryptoTokenKit's capabilities. I would like to understand better what it means when the documentation says hardware tokens can be accessible through a network. How would that work? Is there an example? Is there more documentation about it available? What is the flow? Do we make a regular network request to fetch the keys, then create a Certificate or Password object, then store it with the regular persistence extension of CTK? So, it would be like using CryptoKit and the keychain but using hardware's security layer?
4
0
241
3w
Use of Auth-plugin and certificate-based persistent token for User login
I'm currently exploring Apple's Auth-Plugin extension and have modified the authdb to log in to a Mac device without using the default login password. Specifically,I am replacing builtin:authenticate,privileged with a custom privileged mechanism that authenticates the user and grants desktop access based on our custom logic. However, this approach does not unlock the user's Keychain. Since I'm bypassing the login password, the Keychain remains locked. I'm considering whether a certificate-based persistent token could be used to unlock the Keychain. Is this approach recommended, or is there a more suitable solution, such as using CryptoTokenKit or another available API?
1
0
343
Sep ’24
[FB13622281]Sonoma: On any OS update, CryptoTokenKit extension doesn't get loaded automatically at login
On macOS OS updates/reboot, CryptoTokenKit extension doesn't get loaded automatically when the system boots back. It needs another reboot to get the extension loaded and working. After update: % security list-smartcards <No smart cards> .. and there is a crash for authorizationhosthelper.arm64 in keychain layer Thread 2 Crashed:: Dispatch queue: com.apple.security.keychain-cache-queue 0 libdispatch.dylib 0x18e2e499c dispatch_channel_cancel + 12 1 Security 0x1914ccfd0 invocation function for block in Security::KeychainCore::StorageManager::tickleKeychain(Security::KeychainCore::KeychainImpl*) + 44 2 libdispatch.dylib 0x18e2ce3e8 _dispatch_client_callout + 20 3 libdispatch.dylib 0x18e2d18ec _dispatch_continuation_pop + 600 4 libdispatch.dylib 0x18e2e57f0 _dispatch_source_latch_and_call + 420 5 libdispatch.dylib 0x18e2e43b4 _dispatch_source_invoke + 832 6 libdispatch.dylib 0x18e2d5898 _dispatch_lane_serial_drain + 368 7 libdispatch.dylib 0x18e2d6544 _dispatch_lane_invoke + 380 8 libdispatch.dylib 0x18e2e12d0 _dispatch_root_queue_drain_deferred_wlh + 288 9 libdispatch.dylib 0x18e2e0b44 _dispatch_workloop_worker_thread + 404 10 libsystem_pthread.dylib 0x18e47b00c _pthread_wqthread + 288 11 libsystem_pthread.dylib 0x18e479d28 start_wqthread + 8 Opening the parent app bundle as a Login item does not help. A reboot sometimes fixes it but this happens frequently and causes lot of enterprise endpoints not able to authenticate. After reboot: % security list-smartcards com.foo.tech.mac-device-check.SecureEnclaveTokenExtension:700D6B7E8943B529569D9CC81AC6F930 Please provide and prioritize a permanent fix/workaround for this issue. We have already reported this issue with crash and sysdiagnose logs in FB13622281 earlier this year.
1
0
464
Aug ’24
Unable to get certificates via TKTokenWatcher
Hello, We have an application which gets our HSM certificates via TKTokenWatcher, there is a snippet: let tokens = TKTokenWatcher() for token in tokens.tokenIDs { // Use our HSM certs if token.contains("SPECIFIC_IDENTIFIER") { let tokenQuery = [kSecClass as String: kSecClassIdentity, kSecAttrTokenID as String: token, kSecAttrKeyType as String: kSecAttrKeyTypeRSA, kSecReturnRef as String: true] as CFDictionary var item: CFTypeRef? let result = SecItemCopyMatching(tokenQuery as CFDictionary, &item) if result == noErr.... Normally, result is all right, but problem occurred when we added "App Groups" entitlement. This application has to share some Defaults with other app, so they need to be in the same App Group. So, when we added this App Group entitlement, result from the code snippet is -34018, which according to OSStatus means errSecMissingEntitlement. Does anybody know, which entitlement has to be added, so app can be in the App Group, and at the same time it is able to get certificates? Thank you.
0
1
476
Aug ’24
Smart Card Command Fails on macOS 14
I'm encountering an issue related to PCSC (PC/SC) smart card interactions on macOS 14 that I haven't experienced on earlier versions of macOS. When sending an APDU command to generate a key pair on a smart card: On macOS 12: The operation works as expected. On macOS 14: The card responds with an error 66 02. Are there any any changes to PCSC implementation in macOS 14 that might affect smart card operations?
1
0
338
Jul ’24
Documentation of Frameworks that throw ObjC Exceptions?
I recently discovered that CryptokenKit (TKSmartCard.transmit) throws an ObjC exception, and thus crashes a Swift app using TKSmartCard (absent an ObjC wrapper to handle the Objc exception explicitly). That was surprising, as there was no documentation indicating that TKSmartCard needs to be wrapped in ObjC instead being used directly from Swift. (See https://developer.apple.com/documentation/cryptotokenkit/tksmartcard/1390161-transmit) - the exception is a NSInternalInconsistencyException, which is thrown when certain codepaths are executed in a certain sequence (which indeed, leaves a TKSmartCard in an inconsistent state). Is there a list of Frameworks that throw ObjC exceptions (and therefore need special handling by Swift when invoking methods/functions)?
3
0
518
Jul ’24
In somecases it´s not possible to use generated CriptoTokenKit
I am using the CryptoTokenKit functionality to be able to perform validations on web pages that use digital certificates to ensure the user's identity, using the digital certificates included in the Spanish national electronic identity document. I manage to use it correctly in most cases, but sometimes I get an error when trying to retrieve the previously created token. This error is fixed by restarting the phone. I had create the Feedback Assistant with number FB14095789.
1
0
462
Jul ’24
Get calling applications from CryptoTokenKit extension
Is it possible to get the process (name, executable location) that triggers CryptoTokenKit extension security operation, such as signData or decryptData? We are developing smart card middleware, for both Windows (minidriver) and macOS (CryptoTokenKit extension). We would like the possibility to configure various parts of our implementation based on the calling process. For example, we would like to cache PIN code in memory for particular amount of time, that is different for web browser and email client. On Windows it can be done, since minidriver dll is loaded into the calling application process. By calling GetCurrentProcess() inside our minidriver, we can figure out what application is using it. On macOS, however, there is a single process that handles all requests from the apps, using smart cards. So getting current process info does not help. Is there a way to get calling application somehow?
1
0
462
May ’24
smartcard driver(IFDHandler) to be trigger via bluetooth connection from iPhone or android instead via USB
Hi Team, I have developed a smartcard driver which is working fine when inserting USB mouse, So here is the process I followed for smartcard driver: Smartcard driver(IFdHandler) has info.plist which contains vendor Id and product ID attributes Mentioned vendor Id and product ID of USB mouse which one is going to be connected to device(Mac) in info.plist, Build the IFDdriver and replace it to path - /usr/local/libexec/SmartCardServices/drivers/ Once Inserting USB mouse I am getting smart card pairing notification on Mac This scenario is working fine and able to achieve following changes on Mac device - Getting Smart card notification for pairing on Mac device After Pairing , Password field on Login Screen changes to PIN field But I want smartcard driver(IFDHandler) to be trigger via bluetooth connection from iPhone or android instead via USB Is there any way to achieve This? Reference for USB driver smart card driver - https://github.com/frankmorgner/vsmartcard/blob/master/virtualsmartcard/src/ifd-vpcd/ifd-vpcd.c
1
0
473
May ’24
smartcard driver(IFDHandler) to be trigger via bluetooth connection from iPhone or android instead via USB
Hi Team, I have developed a smartcard driver which is working fine when inserting USB mouse, So here is the process I followed for smartcard driver Smartcard driver(IFdHandler) has info.plist which contains vendor Id and product ID attributes Mentioned vendor Id and product ID of USB mouse which one is going to be connected to device(Mac) in info.plist, Build the IFDdriver and replace it to path - /usr/local/libexec/SmartCardServices/drivers/ Once Inserting USB mouse I am getting smart card pairing notification on Mac This scenario is working fine and able to achieve following changes on Mac device - Getting Smart card notification for pairing on Mac device After Pairing , Password field on Login Screen changes to PIN field But I want smartcard driver(IFDHandler) to be trigger via bluetooth connection from iPhone or android instead via USB Is there any way to achieve This? Reference for USB driver smart card driver - https://github.com/frankmorgner/vsmartcard/blob/master/virtualsmartcard/src/ifd-vpcd/ifd-vpcd.c
3
0
535
May ’24
login service in \etc\pam.d\login not getting executed
I am trying to pass smart card PIN from a custom auth plugin with tag kAuthorizationEnvironmentPassword. I added pam_smartcard.so to login stack (\etc\pam.d\login) but the changes do not take place. # login: auth account password session auth sufficient pam_smartcard.so auth optional pam_krb5.so use_kcminit auth optional pam_ntlm.so try_first_pass auth optional pam_mount.so try_first_pass auth required pam_opendirectory.so try_first_pass account required pam_nologin.so account required pam_opendirectory.so password required pam_opendirectory.so session required pam_launchd.so session required pam_uwtmp.so session optional pam_mount.so What could possible be going wrong in this ? Also is there an API to trigger authorization_ctk from a custom auth plugin to work with smart card ?
4
0
804
May ’24
How to communicate with smart card readers conncetd to USB-C port in iOS?
Hello All, I am new to iOS development and would like to detect the smart card readers connected to USB-C port on iOS (16+) devices. The smart card reader is a custom hardware and not MFi certified. So as per my understanding, I cannot use ExternalAccessory.framework without MFi certification. Correct? How else can I achieve this? Does TKSmartCardSlotManager works for this purpose (or is it only for NFC devices?)? Is there any example for how to use this interface? I couldn't find any example for this as a starting point... Thanks in advance.
4
0
1.2k
Jun ’24
Lock Screen on Token Removal Does Not Work on MacOS14
Issue: The screen saver is not shown, and the user is not locked after removing a smart card with a logged in user. I have tried setting tokenRemovalAction to 1, along with various other com.apple.security.smartcard defaults, and I have also tried setting "turn on screen saver when login token removed." None of this makes the screen locked on card removal. Is this an issue with MacOS14 or is there a different setting/value that has to be set for this to work correctly?
2
0
645
Mar ’24
CryptoTokenKit extension calling an external command
I've developed a crypto token kit extension using the Xcode template. I've successfully added the certificate and its corresponding private key to the keychain. However, when attempting to sign with this certificate, I need to call a command-line interface (CLI) that I've created. The CLI is located at ~/Applications/mycli/cli_executable. My issue arises because the extension is sandboxed, prohibiting direct communication with the CLI. I attempted to remove the sandbox, but that didn't resolve the problem (the extension wasn't being registered without the app sandboxed). Additionally, the CLI relies on a database, so simply copying the file to the app container folder isn't a feasible solution (unless it's a symlink – I'm unsure if this is possible). How can I effectively address this problem and enable communication between the sandboxed extension and my CLI (GoLang app)? Thank you.
2
0
696
Mar ’24
Getting data from SmartCard certificates
I am working on a macOS application written on Swift 5, where the user can login using a smartcard. When user enters the smartcard and selects this way of authentication, we display the certificates on the card for the user to select. Once selected, the user enters the PIN and logs in. I am able to show the certificates using the SecItemCopyMatching call mentioned in this answer. But along with the PIN, I need to send the following information for successfully logging in. Card's name -> for example, Identity Device (NIST SP 800-73 [PIV]) Crypto service provider's name -> for example, Microsoft Base Smart Card Crypto Provider Container name -> in the format aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee Questions: I want to understand how to get this information from the certificate present on the smartcard. (not important) When I run the SecItemCopyMatching call, I get 8 objects in an array but I know that there are only 2 certs on it. Currently, I cast it into a set and see just 2 SecCertificate objects that I need. Is there a better solution to this?
2
0
681
Mar ’24
How to reset a smart card in CTK?
I have verified a PIN in a smart card and I'd like to delete this internal state of the card. Unfortunately, the card doesn't support this with a dedicated command, which is why I'd like to reset the card (cold/warm reset as described in PC/SC, for example). The CryptoTokenKit documentation doesn't seem to have an API for that. Does anyone have an idea how to implement this? Note, that if the smart card is not reset and does not support logout, then the card is permanently in an authenticated state so that related keys can be misused by any other CTK session or even via the PC/SC interface.
0
0
627
Feb ’24
SmartCard logon
Hello, I am developing a smartcard CTK extension for macOS. I have trouble to smartcard logon the first time after a reboot or a logout (e.g. when there is the text "Your password is required to enable touch id"). Trouble = I'm not asked for the PIN. But time to time after a logout (from whatever account), I can login with the smartcard. After a lockscreen I can always login with the smartcard. Is there an easy way to debug the logon process ? Regards, ++dom
6
0
993
Jun ’24