Hi, I want to support client certifcate authentication for a URL loaded in WKWebView. Certificate is in the smartcard that is connected to iOS device through lightning port smart card reader. For USB-C type reader, iOS supports this out of the box. But for the lightning port reader, I thought of writing a CTK extension to access smartcard and read the certificate. I have a smart card sdk to access the smartcard. Could you please let me know which is the extension that should be used for this purpose. There are 2 types of extensions available in Xcode. Smartcard extension and Persistent Token extension. Which one should be used for this case? When I tried persistent token extension, it seems to hit sign function inside Tokensession class but with smartcard extension it is not getting called when I try to access the URL in WKWebView after certificate selection. Also the smartcard sdk has EAAccessory framework dependency. Is EAAccessory allowed to be used in CTK extension? https://developer.apple.com/forums/thread/111691?answerId=342707022 says EAAccessory is not working inside app extension. Thanks in advance.

Hello, I am creating CryptotokenKit persistent token extension for macOS using Xcode on Sonoma. The goal is to support external crypto provider over network (with API calls). I created a bare minimum app and a new target “Persistent Token Extension”. Before I go into specific implementation, I wanted to check if my extension/token initialises correctly. My understanding is that once the host app is started and the extension is registered by the OS, future queries for digital identities should check with it as well. I tried is accessing mTLS website with Safari and Firefox that require client certificates, as well running custom application using SecItemCopyMatching to query the keychain for identities. However, Token / TokenDriver seem to not initialize (logging never executes). Am I missing something here? pluginkit sees the extension: $ pluginkit -vvvvmi demo.TokenApp.TokenExt demo.TokenApp.TokenExt(1.0) Path = /Users/alexander/Library/Developer/Xcode/DerivedData/TokenApp-dzulesgoanwnacguirprimnipibk/Build/Intermediates.noindex/Previews/TokenApp/Products/Debug/TokenApp.app/Contents/PlugIns/TokenExt.appex UUID = 617526E8-987A-493F-A9E3-6295FF5AB00D Timestamp = 2024-01-19 13:13:35 +0000 SDK = com.apple.ctk-tokens Parent Bundle = /Users/alexander/Library/Developer/Xcode/DerivedData/TokenApp-dzulesgoanwnacguirprimnipibk/Build/Intermediates.noindex/Previews/TokenApp/Products/Debug/TokenApp.app Display Name = TokenExt Short Name = TokenExt Parent Name = TokenApp Platform = macOS Token.swift: import CryptoTokenKit import OSLog class Token: TKToken, TKTokenDelegate { private let log = Logger(subsystem: "demo.tokenapp", category: "Token"); func createSession(_ token: TKToken) throws -> TKTokenSession { log.log(level: .info, "Token.createSession") return TokenSession(token:self) } } TokenDriver.swift: import CryptoTokenKit import OSLog class TokenDriver: TKTokenDriver, TKTokenDriverDelegate { private let log = Logger(subsystem: "demo.tokenapp", category: "TokenDriver"); func tokenDriver(_ driver: TKTokenDriver, tokenFor configuration: TKToken.Configuration) throws -> TKToken { log.log(level: .info, "TokenDriver.tokenDriver") return Token(tokenDriver: self, instanceID: configuration.instanceID) } }

I need an OV certificate to code sign an Electron application. I was used to build in Jenkins the application oth for Windows and macOS using Electron-Forge (https://www.electronforge.io/guides/code-signing/code-signing-macos). To be more specific use XCode and Keychain to store the certificate. Sadly, new certificate industry requirements will force me to use Azure Key Vaults (or other cloud HSM alternatives) to store the certificate. I need to find a way to code-sign it for macOS from Azure Key Vaults or equivalent solutions. Thank you

Hi there, I could not find any previous post about this so I figured I should open one. It looks like the use of CryptoTokenKit modules (whether SmartCard or Persistent ones) is hindered on headless environments. This was observed on AWS backed macOS machines, and also on actual physical machines when using CI/CD tools with no GUI access. My first guess is that this is due to the fact that loading the CTK Extension relies on running the GUI CTK App, which is not possible in pure headless fashion. The bug report FB12135879 was filled in this regard. Any input on this would be appreciated. Thanks,

Please excuse my lack of understanding of what are probably fundamental concepts in iOS/iPadOS development but I have searched far and wide for documentation and haven't had much luck so far. I am not sure that what I want to do is even possible with an iPad iPadOS app. Goals: Develop a Swift iPadOS app that can digitally sign a file using a PIV SmartCard/Token (Personal Identity Verification Card): Insert a PIV SmartCard/Token (such as a Yubikey 5Ci) into the lightning port of an iPadOS device iPad (NOT MacOS) Interface with the SmartCard/Token to access the user's PIV certificate/signature and "use it" to sign a file Question 1: How to get the PIV Certificate from SmartCard/Token/Yubikey into iPadOS keychain?   * Do we need to get the PIV certificate into the iOS keychain? Is there another way to interact with a SmartCard directly?   * This should prompt the user for their PIN? Question 2: How to get our Swift app to hook into the event that the SmartCard/Token is inserted into the device and then interface with the user's certificate?   * When is the user prompted to enter their PIN for SmartCard/Token/Yubikey?   * Do we need to use CyrptoTokenKit to interface with a smartcard inserted into the lightning port of an iOS device?

General: Apple Platform Security support document Security Overview Cryptography: DevForums tags: Security, Apple CryptoKit Security framework documentation Apple CryptoKit framework documentation Common Crypto man pages — For the full list of pages, run: % man -k 3cc For more information about man pages, see Reading UNIX Manual Pages. On Cryptographic Key Formats DevForums post SecItem attributes for keys DevForums post CryptoCompatibility sample code Keychain: DevForums tags: Security Security > Keychain Items documentation TN3137 On Mac keychain APIs and implementations SecItem Fundamentals DevForums post SecItem Pitfalls and Best Practices DevForums post Investigating hard-to-reproduce keychain problems DevForums post Smart cards and other secure tokens: DevForums tag: CryptoTokenKit CryptoTokenKit framework documentation Mac-specific frameworks: DevForums tags: Security Foundation, Security Interface Security Foundation framework documentation Security Interface framework documentation Related: Networking Resources — This covers high-level network security, including HTTPS and TLS. Network Extension Resources — This covers low-level network security, including VPN and content filters. Code Signing Resources Notarisation Resources Trusted Execution Resources — This includes Gatekeeper. App Sandbox Resources Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"