CryptoTokenKit not working on Ventura

Hello,

We already submitted a feedback through the assistant about that, but I'm not sure we will ever get an answer, and it might be interesting for other people as well.

On MacOS Ventura, It seems like applications using the KeyChain services are unable to see certificates provided by CryptoTokenKit smart card token drivers.

In order to reproduce, you need a CryptotokenKit smart card driver appex working under Big Sur or Monterey. Install the same appex on Ventura. You'll see that Safari does not see the certificates provided by the appex, and cannot perform SSL/TLS client authentications with them. Similar symptoms can be seen with other apps (Chrome, mail clients, or even custom apps that directly use the Keychain API: token instances cannot be obtained from the app).

We tested with both our own CryptoTokenKit driver (a TKSmartCard driver, which worked well with all previous MacOS versions), and the CryptoTokenKit driver from another company (Yubico). Both work on older MacOS, but not on Ventura.

Has something changed in the security framework between Monterey and Ventura? Do we need to change something in our CryptoTokenKit, or is it a bug from MacOS? If it's a bug, is Apple aware of it, and will it be fixed? This is a functionality that is largely used in enterprise environments.

We already submitted a feedback through the assistant about that

What was the bug number?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi, thank you for your interest in this. I was kinda hoping you would hop in...

The feedback ticket is FB11675669 (https://feedbackassistant.apple.com/feedback/11675669).

For information, the CryptokTokenKit is still called successfully when the card is inserted, and we can return some certificates when the smart card content is queried, but it is never called later when an application tries to make use of KeyChain APIs. All the calls we see are successfull, and seem to return the correct information, but it just goes blank at some point.

The feedback ticket is FB11675669

Thanks.

At this point I think it’s best that you work this issue as a bug report. The team should be in touch soon with a request for more info.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I am very much looking forward to updates on this topic. Several thousands of our users can't upgrade to Ventura due to inability to authenticate. In our case it's both web applications and Citrix Workspace that are subject to the issue.

Keep up the good work!

Several thousands of our users can't upgrade to Ventura due to inability to authenticate. In our case it's both web applications and Citrix Workspace that are subject to the issue.

Are you discussing this issue with idopte via a side channel? If not, how are you sure that this is the same issue?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

No, we had no contact with this person. However, I have no doubt that, if he is using smart cards for his auth, and it used to work and not working anymore with Ventura, it is the same problem: basically, CryptoTokenKit smart card drivers don't work at all anymore, so it is easy to diagnose. By the way, I had no response from the feedback I sent through the assistant. This is becoming critical now that Ventura is out. Is there any way to push this, either from my side or your side? Thank you.

Hello, is there any update on this issue? I have the same problem, already update to Ventura and I am not able to use Card certificate with secure VPN.

As far as I know there is no systematic problem with CryptoTokenKit app extensions on macOS 13. This thread seems to have two audiences:

  • Folks developing CryptoTokenKit app extensions

  • Folks using a CryptoTokenKit app extension developed by someone else

If you’re in the second group, I recommend that you raise this issue with the CryptoTokenKit app extension’s vendor.

If you’re in the first group:

  • If you’ve debugged this issue and believe it’s a problem with macOS itself, feel free to file a bug about that. Be prepared to provide evidence to back up your claim. At a minimum, you must include a sysdiagnose log. Ideally you’d include a small test project that works on macOS 12 and fails on macOS 13

  • If you need help with debugging this, open a DTS tech support incident and we can pick things up in that context.

If you do file a bug, please post the number here, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi,

I can confirm this as well. We use a custom CTK-plugin (CryptoTokenKit), which works in Monterey, but not in Ventura.

The issue seems be related to that the plugin doesn't show up as a smartcard reader, why that doesn't happen I can not answer. I can just point to the differences, works in Monterey but not in Ventura.

This is how one can confirm,

Monterey,

$ > security list-smartcard 
com.***.***.ctk.sctoken:*** <-- CTK-Plugin, shows up when smartcard is inserted.

$ > system_profiler SPSmartCardsDataType 
xx 
Avalable SmarCards (keychain):
com.apple.setoken:
com.apple.setoken:aks:
com.***.***.ctk.sctoken:***:
< --- My certificate ---> 

Avalable SmarCards (token): 
com.apple.setoken:
com.apple.setoken:aks: 
< --- My certificate --->

Now, same in Ventura,

$ > security list-smartcard 
No smart card found. <-- CTK-Plugin, doesn't show up as smart card. Even though the smart card is inserted.

$ > system_profiler SPSmartCardsDataType 
xx 
Avalable SmarCards (keychain):
com.apple.setoken:
com.apple.setoken:aks:
com.***.***.ctk.sctoken:***:
< --- NO certificate --->

Avalable SmarCards (token): 
com.apple.setoken:
com.apple.setoken:aks: 
< --- My certificate

Note how the smartcard is found, and the certificate is in the keychain when running Monterey, but not when running Ventura.

This will effect anyone trying to use smartcard with a custom CTK-Plugin.

Clearly something has changed, either you need to fix it, or you have to tell the developers how to fix it on their side.

Please escalate this matter.

Hi,

I can confirm this as well. We use a custom CTK-plugin (CryptoTokenKit), which works in Monterey, but not in Ventura. The issue seems be related to that the plugin doesn't show up as a smartcard reader, why that doesn't happen I can not answer. I can just point to the differences, works in Monterey but not in Ventura.

I experience the same issues as @sigh and @MP_23

Under Ventura (13.1) the security list-smartcard command returns No smart card found. even though the smart card reader is listed under System Information > Hardware > USB.

Connecting the smart card reader to a secondary computer running Monterey 12.6.1 and running security list-smartcard command returns information about the card that's inserted.

I experience the same issues... In Ventura (13.1) the security list-smartcard command returns No smart card found. even though the smart card reader is listed under System Information > Hardware > USB.

Where is the response and answers from Apple?

Best regards,

Where is the response and answers from Apple?

See my earlier post.

Speaking generally, it’d help if folks on this thread were clear about which group they fall in to. This is Apple Developer Forums, where the focus is developer issues. If you’re developing a CTK app extension (the first group per my previous) I’m happy to help out with that. However, if you’re using another developer’s CTK app extension (the second group), then DevForums is not the right place for you. Rather, my specific advice is that you contact the CTK app extension’s vendor. Alternatively, if you want to share your experiences, I recommend Apple Support Communities, run by Apple Support.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I'm a CTK developer, and I've observed this on Ventura. We have coded a persistent token extension, works very well on Monterey. On Ventura, the token will show up in System Information, but will not show any associated certificate or key. I enabled smart card logging, and I see this from ctkahp in the Console:

debug	17:11:05.481626-0800	ctkahp	AHP delegate sending event for ctkahp [2609], SmartCard removed, hints {
    0 =     (
        myusername
    );
    2 =     (
        "com.myorg.myapp.myTokenExtension:BA584D9A-239F-4324-9A45-7FC66CEDB705"
    );
}

Then I see the smart card is inserted again, then removed, then inserted.

Ultimately, and even if the smart card is inserted, the cert and keys are not shown in System Information. Only option then is to kill ctkd and ctkahp, and I hate it.

You wrote:

We have coded a persistent token extension

but also:

Ultimately, and even if the smart card is inserted

This seems contradictory, in that a persistent token isn’t a smart card. Are you subclassing TKTokenDriver or TKSmartCardTokenDriver?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

CryptoTokenKit not working on Ventura
 
 
Q