Error errSecItemNotFound retrieving smart card certs (SecItemCopyMatching)

Hi. I'm dealing with an issue trying to retrieve SmartCard certificates from the app. I'm getting status -25300 (errSecItemNotFound) for SecItemCopyMatching when the smartcard is connected. The FW Security and SecurityInterfaces are added to the project. This is the code:

OSStatus nStatus;
static const void* kKeys[] = {
    kSecClass, kSecMatchLimit, kSecReturnRef, kSecAttrCanSign
};
static const void* kValues[] = {
    kSecClassIdentity, kSecMatchLimitAll, kCFBooleanTrue, kCFBooleanTrue
};

osxObject<CFDictionaryRef> query(CFDictionaryCreate(
                                            kCFAllocatorDefault, kKeys, kValues, 4,
                                            &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks));
// Initialise the out-parameter so it is never read uninitialised on failure.
CFArrayRef result = NULL;
OSStatus status = SecItemCopyMatching(query.get(), (CFTypeRef *)&result);

// status retrieved is -25300

Why might the status be -25300 even when the smart card is configured and connected? Thanks

Is this smart card supported by the system out of the box? Or does it require you to have an app with a CryptoTokenKit app extension installed? Or possibly some other software installed?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

No, this doesn't require having an app with a CryptoTokenKit app extension installed or any software installed. The strange thing is that the same code running in a separate test application retrieves the cert properly. In both cases (the actual app and the test app) Security and SecurityInterface FWs are added to the Xcode project and both are notarized.

In the console app when the cert is retrieved these logs are printed out:

debug 22:55:37.310517+0530 ctkd Platform rule matched
debug 22:55:37.310595+0530 ctkd Request from: '(null)' to access '' was granted

When the cert is not retrieved using the same code in the app nothing is printed out for ctkd. Is it possible that some permissions are affecting this? Thanks

I’m not sure what’s going on with your tests but…

I have a YubiKey with two PIV digital identities installed on it. I connected it to my Mac (not paired for authentication, just plugged in) and ran this code in a tiny test app:

var copyResult: CFTypeRef? = nil
let err = SecItemCopyMatching([
    kSecClass: kSecClassIdentity,
    kSecUseDataProtectionKeychain: true,
    kSecMatchLimit: kSecMatchLimitAll,
    kSecReturnRef: true,
] as NSDictionary, &copyResult)
guard err == errSecSuccess else {
    print("no match")
    return
}
let identities = copyResult! as! [SecIdentity]

The identities array now contains the two identities from my YubiKey.

I suspect the key thing is kSecUseDataProtectionKeychain. Accessing model smart card credentials requires that you go through the data protection keychain. If you’re unfamiliar with that term, see On Mac Keychains.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
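Added example, not part of the thread and not Apple's or either poster's code: a small diagnostic that runs the identity query from the answer above twice, once without and once with kSecUseDataProtectionKeychain, and prints the status and matches for each so the two keychains can be compared on the affected machine. The helper names copyIdentities and describe are hypothetical, and it is an assumption that kSecAttrTokenID appears in the returned attributes for token-backed items.

```swift
import Foundation
import Security

/// Hypothetical helper: runs the identity query, optionally through the data
/// protection keychain, and returns the status plus one dictionary per match.
func copyIdentities(useDataProtectionKeychain: Bool) -> (OSStatus, [[String: Any]]) {
    var query: [String: Any] = [
        kSecClass as String: kSecClassIdentity,
        kSecMatchLimit as String: kSecMatchLimitAll,
        kSecReturnRef as String: true,
        kSecReturnAttributes as String: true,
    ]
    if useDataProtectionKeychain {
        query[kSecUseDataProtectionKeychain as String] = true
    }
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let items = result as? [[String: Any]] else {
        return (status, [])
    }
    return (status, items)
}

/// Hypothetical helper: certificate subject plus token ID for one match.
func describe(_ item: [String: Any]) -> String {
    // Assumption: token-backed items (such as smart card identities) carry
    // kSecAttrTokenID in their attributes; other items do not.
    let token = item[kSecAttrTokenID as String] as? String ?? "(no token ID)"
    var subject = "(no certificate)"
    if let ref = item[kSecValueRef as String] {
        let identity = ref as! SecIdentity
        var cert: SecCertificate?
        if SecIdentityCopyCertificate(identity, &cert) == errSecSuccess, let cert = cert {
            subject = SecCertificateCopySubjectSummary(cert) as String? ?? subject
        }
    }
    return "\(subject)  token: \(token)"
}

for useDP in [false, true] {
    let (status, items) = copyIdentities(useDataProtectionKeychain: useDP)
    let message = SecCopyErrorMessageString(status, nil) as String? ?? "unknown"
    print("kSecUseDataProtectionKeychain=\(useDP): status \(status) (\(message)), \(items.count) match(es)")
    items.forEach { print("  " + describe($0)) }
}
```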
