Using KeyChain items from CryptoTokenKit

Hi,


I'm writing a CryptoTokenKit extension (similar to the sample available in the CTK documentation).

In this extension I'm trying to use SecKeyCreateSignature or SecKeyCreateDecryptedData using private keys I get using SecItemCopyMatching.


However, the crypto operations fail with error -25308:

CSSM Exception: -2147415840 CSSMERR_CSP_NO_USER_INTERACTION (errKCInteractionNotAllowed / errSecInteractionNotAllowed / Interaction is not allowed with the Security Server)


The same code runs fine from the host App.


Are there Sec API limitations in CTK?


I've seen some posts in the forum about application whitelisting using provisioning profiles but I don't understand which keys should be used.

Here is one of the posts I refer to: https://forums.developer.apple.com/thread/128767


Any help is welcome,


Regards,


Jerome T

Answered by DTS Engineer in 416382022

I don’t think this is coming from the CryptoTokenKit side but rather the keychain side. As a general rule we only allow biometrics to present UI from an app context. I’ve worked with other developers who’ve hit this limitation, most notably those doing NetworkExtension providers.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

errSecInteractionNotAllowed usually means that the system is trying to present UI and can’t because of the context in which the code is running. Do your crypto operations present UI? For example, biometrics?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Yes, effectively it occurs during operations that rely on the private key, typically displaying authentication dialogs.

It succeeds with both Touch ID and the user password.


I had in mind that CTK plugins can do UI; should TKTokenAuthOperation be the only place where UI occurs?

Is UI limited to default dialogs (e.g. TKTokenPasswordAuthOperation)?


Regards,


Jerome T


Effectively, I tried using LocalAuthentication from a TKTokenAuthOperation and it runs fine.

I can get an authenticated context (at least for decrypt and key exchange operations; strangely, it fails for signing).


I cannot go further then, because LocalAuthentication doesn't seem usable as a pre-authentication for SecKeyCreateSignature or SecKeyCreateDecryptedData.
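
The two points made above (Quinn's explanation that -25308 means securityd wanted to present UI and the calling context is not allowed to, and the note just above about obtaining an evaluated LAContext inside a TKTokenAuthOperation) can be made explicit in code. The following is an added example written for this page; it is not code from the thread or from Apple's CTK sample. It fetches a private key while passing an LAContext whose interactionNotAllowed flag is set (the route newer SDKs recommend over kSecUseAuthenticationUIFail), optionally reuses a context the caller has already evaluated, and turns errSecInteractionNotAllowed into a distinct result both at lookup time and at signing time, where many ACLs are actually enforced. The application tag, the EC signature algorithm and the helper names are assumptions.

```swift
import Foundation
import Security
import LocalAuthentication

/// Outcome of a keychain lookup or private-key operation attempted from a context
/// (such as a CryptoTokenKit extension) that is not allowed to present UI.
enum NoUIOutcome<T> {
    case ok(T)
    /// errSecInteractionNotAllowed (-25308): the item's ACL wants to prompt the user
    /// (password or Touch ID) and this context cannot show that prompt.
    case interactionRequired
    case notFound
    case failed(NSError)
}

/// Map a raw Security framework status onto NoUIOutcome.
func classify<T>(_ status: OSStatus, _ value: T?) -> NoUIOutcome<T> {
    switch status {
    case errSecSuccess where value != nil: return .ok(value!)
    case errSecInteractionNotAllowed:      return .interactionRequired
    case errSecItemNotFound:               return .notFound
    default: return .failed(NSError(domain: NSOSStatusErrorDomain, code: Int(status)))
    }
}

/// Look up a private key by application tag without letting securityd prompt.
/// `context` may be an LAContext that was already evaluated (for example inside a
/// TKTokenAuthOperation); when nil, a fresh context with interactionNotAllowed set
/// is used, so an ACL that needs UI fails with -25308 instead of trying to prompt.
func copyPrivateKey(tag: String, context: LAContext? = nil) -> NoUIOutcome<SecKey> {
    let ctx = context ?? {
        let c = LAContext()
        c.interactionNotAllowed = true
        return c
    }()
    let query: [CFString: Any] = [
        kSecClass: kSecClassKey,
        kSecAttrKeyClass: kSecAttrKeyClassPrivate,
        kSecAttrApplicationTag: Data(tag.utf8),   // assumed tag convention
        kSecReturnRef: true,
        kSecMatchLimit: kSecMatchLimitOne,
        kSecUseAuthenticationContext: ctx,
    ]
    var ref: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &ref)
    return classify(status, ref.map { $0 as! SecKey })
}

/// Sign `message`, translating a -25308 that surfaces at use time: for many ACLs the
/// prompt is not triggered by fetching the reference but by the first private-key operation.
func sign(_ message: Data, with key: SecKey,
          algorithm: SecKeyAlgorithm = .ecdsaSignatureMessageX962SHA256) -> NoUIOutcome<Data> {
    guard SecKeyIsAlgorithmSupported(key, .sign, algorithm) else {
        return .failed(NSError(domain: NSOSStatusErrorDomain, code: Int(errSecParam)))
    }
    var cfError: Unmanaged<CFError>?
    if let sig = SecKeyCreateSignature(key, algorithm, message as CFData, &cfError) {
        return .ok(sig as Data)
    }
    // SecKey* calls report OSStatus codes through a CFError in NSOSStatusErrorDomain.
    let err = cfError!.takeRetainedValue() as Error as NSError
    if err.domain == NSOSStatusErrorDomain {
        return classify(OSStatus(truncatingIfNeeded: err.code), nil as Data?)
    }
    return .failed(err)
}

// Usage. The tag is hypothetical; use whatever tag the host app stored the key under.
let tag = "com.example.ctk.demo-key"
switch copyPrivateKey(tag: tag) {
case .ok(let key):
    switch sign(Data("hello".utf8), with: key) {
    case .ok(let sig):         print("signature: \(sig.count) bytes")
    case .interactionRequired: print("-25308 at signing time: the ACL needs the user; only an app context can prompt")
    case .notFound:            break
    case .failed(let e):       print("signing failed: \(e)")
    }
case .interactionRequired: print("-25308 at lookup time: cannot be satisfied from an extension")
case .notFound:            print("no private key tagged \(tag)")
case .failed(let e):       print("lookup failed: \(e)")
}
```

Two caveats. kSecUseAuthenticationContext and the mapping above apply to the data protection keychain; the CSSM Exception lines quoted later in this thread come from the legacy file-based keychain, where the process-wide equivalent switch is SecKeychainSetUserInteractionAllowed(false) and an extension has no way to satisfy an ACL that insists on a prompt. And whether a context evaluated inside a TKTokenAuthOperation satisfies a given key's ACL is exactly what the post above reports as operation-dependent (decrypt and key exchange yes, signing no); the code makes that failure visible and distinguishable, it does not prevent it.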

Hello Jerome T:
I noticed that you are doing some research about the CryptoTokenKit plugin (smart card extension). And you mentioned "using a generic Token" to implement the extension and "loading the extension by invoking the Keychain from the host App". What I want to do is to implement an extension (inheriting from TKToken) in software (maybe based on openssl+p12), but I cannot find more information or samples about that. I tried to remove the "com.apple.ctk.aid" and customize the "com.apple.ctk.token-type", but I don't know how to load the extension by invoking the keychain. Can you give me some help or tell me where I can find some sample code? Thank you very much!

Best Regards
cd
I have hit the same problem; apparently when the TokenExtension is trying to read values from the Keychain it fails with CSSMERR_CSP_NO_USER_INTERACTION.

Logs:
2021-03-11 23:06:50.865217+0530 0x96754 Activity 0x750db 10567 0 TokenExtension: (Security) SecItemCopyMatching
2021-03-11 23:06:50.865297+0530 0x96754 Activity 0x750dc 10567 0 TokenExtension: (Security) SecItemCopyMatching_ios
2021-03-11 23:06:50.871820+0530 0x96754 Default 0x750db 10567 0 TokenExtension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147415840 CSSMERR_CSP_NO_USER_INTERACTION
2021-03-11 23:06:50.871872+0530 0x96754 Default 0x750db 10567 0 TokenExtension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147415840 CSSMERR_CSP_NO_USER_INTERACTION
2021-03-11 23:06:50.871908+0530 0x96754 Default 0x750db 10567 0 TokenExtension: (Security) [com.apple.securityd:integrity] caught CssmError: -2147415840 CSSMERR_CSP_NO_USER_INTERACTION
2021-03-11 23:06:50.872014+0530 0x96754 Default 0x750db 10567 0 TokenExtension: (Security) [com.apple.securityd:integrity] error while checking integrity, denying access: CSSM Exception: -2147415840 CSSMERR_CSP_NO_USER_INTERACTION

Can you help me here?
Hi Eskimo, can you please help me with the issue I am facing with CryptoTokenKit? I have also raised a TSI case but no reply as of now.

Regards,
Anshuman

I have also raised TSI case but no reply as of now.

Cool. That will have been routed to my colleague who supports CryptoTokenKit. I expect he’ll be in touch soon. If you don’t hear back within three business days — which is our expected response time per the DTS page on the developer web site — feel free to drop me a line via email (my address is in my signature).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"