CryptoTokenKit not working on Ventura

Hello,

We already submitted a feedback through the assistant about that, but I'm not sure we will ever get an answer, and it might be interesting for other people as well.

On macOS Ventura, it seems like applications using the Keychain services are unable to see certificates provided by CryptoTokenKit smart card token drivers.

In order to reproduce, you need a CryptoTokenKit smart card driver appex working under Big Sur or Monterey. Install the same appex on Ventura. You'll see that Safari does not see the certificates provided by the appex, and cannot perform SSL/TLS client authentication with them. Similar symptoms can be seen with other apps (Chrome, mail clients, or even custom apps that directly use the Keychain API: token instances cannot be obtained from the app).

We tested with both our own CryptoTokenKit driver (a TKSmartCard driver, which worked well with all previous macOS versions), and the CryptoTokenKit driver from another company (Yubico). Both work on older macOS, but not on Ventura.

Has something changed in the security framework between Monterey and Ventura? Do we need to change something in our CryptoTokenKit driver, or is it a bug in macOS? If it's a bug, is Apple aware of it, and will it be fixed? This is functionality that is widely used in enterprise environments.

> We already submitted a feedback through the assistant about that

What was the bug number?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi, thank you for your interest in this. I was kinda hoping you would hop in...

The feedback ticket is FB11675669 (https://feedbackassistant.apple.com/feedback/11675669).

For information, the CryptoTokenKit extension is still called successfully when the card is inserted, and we can return some certificates when the smart card content is queried, but it is never called later when an application tries to make use of Keychain APIs. All the calls we see are successful, and seem to return the correct information, but it just goes blank at some point.

> The feedback ticket is FB11675669

Thanks.

At this point I think it’s best that you work this issue as a bug report. The team should be in touch soon with a request for more info.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I am very much looking forward to updates on this topic. Several thousands of our users can't upgrade to Ventura due to inability to authenticate. In our case it's both web applications and Citrix Workspace that are subject to the issue.

Keep up the good work!

> Several thousands of our users can't upgrade to Ventura due to inability to authenticate. In our case it's both web applications and Citrix Workspace that are subject to the issue.

Are you discussing this issue with idopte via a side channel? If not, how are you sure that this is the same issue?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

No, we had no contact with this person. However, I have no doubt that, if he is using smart cards for his auth, and it used to work and is not working anymore with Ventura, it is the same problem: basically, CryptoTokenKit smart card drivers don't work at all anymore, so it is easy to diagnose. By the way, I had no response to the feedback I sent through the assistant. This is becoming critical now that Ventura is out. Is there any way to push this, either from my side or your side? Thank you.

Hello, is there any update on this issue? I have the same problem: I have already updated to Ventura and I am not able to use the card certificate with our secure VPN.

As far as I know there is no systematic problem with CryptoTokenKit app extensions on macOS 13. This thread seems to have two audiences:

  • Folks developing CryptoTokenKit app extensions

  • Folks using a CryptoTokenKit app extension developed by someone else

If you’re in the second group, I recommend that you raise this issue with the CryptoTokenKit app extension’s vendor.

If you’re in the first group:

  • If you’ve debugged this issue and believe it’s a problem with macOS itself, feel free to file a bug about that. Be prepared to provide evidence to back up your claim. At a minimum, you must include a sysdiagnose log. Ideally you’d include a small test project that works on macOS 12 and fails on macOS 13

  • If you need help with debugging this, open a DTS tech support incident and we can pick things up in that context.

If you do file a bug, please post the number here, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi,

I can confirm this as well. We use a custom CTK-plugin (CryptoTokenKit), which works in Monterey, but not in Ventura.

The issue seems to be related to the plugin not showing up as a smartcard reader; why that happens I cannot answer. I can just point to the differences: it works in Monterey but not in Ventura.

This is how one can confirm,

Monterey,

$ > security list-smartcard 
com.***.***.ctk.sctoken:*** <-- CTK-Plugin, shows up when smartcard is inserted.

$ > system_profiler SPSmartCardsDataType 
xx 
Avalable SmarCards (keychain):
com.apple.setoken:
com.apple.setoken:aks:
com.***.***.ctk.sctoken:***:
< --- My certificate ---> 

Avalable SmarCards (token): 
com.apple.setoken:
com.apple.setoken:aks: 
< --- My certificate --->

Now, same in Ventura,

$ > security list-smartcard 
No smart card found. <-- CTK-Plugin, doesn't show up as smart card. Even though the smart card is inserted.

$ > system_profiler SPSmartCardsDataType 
xx 
Avalable SmarCards (keychain):
com.apple.setoken:
com.apple.setoken:aks:
com.***.***.ctk.sctoken:***:
< --- NO certificate --->

Avalable SmarCards (token): 
com.apple.setoken:
com.apple.setoken:aks: 
< --- My certificate

Note how the smartcard is found, and the certificate is in the keychain when running Monterey, but not when running Ventura.

This will affect anyone trying to use a smartcard with a custom CTK-Plugin.

Clearly something has changed, either you need to fix it, or you have to tell the developers how to fix it on their side.

Please escalate this matter.

> I can confirm this as well. We use a custom CTK-plugin (CryptoTokenKit), which works in Monterey, but not in Ventura. The issue seems to be related to the plugin not showing up as a smartcard reader; why that happens I cannot answer. I can just point to the differences: it works in Monterey but not in Ventura.

I experience the same issues as @sigh and @MP_23

Under Ventura (13.1) the security list-smartcard command returns No smart card found. even though the smart card reader is listed under System Information > Hardware > USB.

Connecting the smart card reader to a secondary computer running Monterey 12.6.1 and running security list-smartcard command returns information about the card that's inserted.

> I experience the same issues... In Ventura (13.1) the security list-smartcard command returns No smart card found. even though the smart card reader is listed under System Information > Hardware > USB.

Where is the response and answers from Apple?

Best regards,

> Where is the response and answers from Apple?

See my earlier post.

Speaking generally, it’d help if folks on this thread were clear about which group they fall in to. This is Apple Developer Forums, where the focus is developer issues. If you’re developing a CTK app extension (the first group per my previous) I’m happy to help out with that. However, if you’re using another developer’s CTK app extension (the second group), then DevForums is not the right place for you. Rather, my specific advice is that you contact the CTK app extension’s vendor. Alternatively, if you want to share your experiences, I recommend Apple Support Communities, run by Apple Support.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I'm a CTK developer, and I've observed this on Ventura. We have coded a persistent token extension, works very well on Monterey. On Ventura, the token will show up in System Information, but will not show any associated certificate or key. I enabled smart card logging, and I see this from ctkahp in the Console:

debug	17:11:05.481626-0800	ctkahp	AHP delegate sending event for ctkahp [2609], SmartCard removed, hints {
    0 =     (
        myusername
    );
    2 =     (
        "com.myorg.myapp.myTokenExtension:BA584D9A-239F-4324-9A45-7FC66CEDB705"
    );
}

Then I see the smart card is inserted again, then removed, then inserted.

Ultimately, and even if the smart card is inserted, the cert and keys are not shown in System Information. Only option then is to kill ctkd and ctkahp, and I hate it.

You wrote:

> We have coded a persistent token extension

but also:

> Ultimately, and even if the smart card is inserted

This seems contradictory, in that a persistent token isn’t a smart card. Are you subclassing TKTokenDriver or TKSmartCardTokenDriver?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hello,

We have encountered a similar issue where the CTK extension was not working on Ventura, despite it functioning on older macOS versions. Upon investigation, we discovered that the problem was caused by the main application bundle CTKApp (.app) which included the CTK extension (.appex) having an incorrect bundle identifier.

The bundle identifier for CTKApp was set as: com.MyCompany.MyApp

and the bundle identifier for the CTK extension was set as: com.MyCompany.CTKApp.CTK

To fix this issue, we needed to adjust the bundle identifiers as follows:

CTKApp - com.MyCompany.CTKApp

CTK extension - com.MyCompany.CTKApp.CTK

However, it's worth noting that the correct bundle identifier to use should be based on your provisioning profile. For instance, if your profile is configured differently, you might need to use different identifiers instead. For example:

CTKApp - com.MyCompany.MyApp

CTK extension - com.MyCompany.MyApp.CTK

So it's important to check your provisioning profile and use the appropriate bundle identifiers for your specific configuration.

After making these changes to the bundle identifiers, the CTK extension started working as expected.

It appears that older macOS versions were more tolerant of mismatched bundle identifiers, but it seems that this is no longer the case with newer versions.

> It appears that older macOS versions were more tolerant of mismatched bundle identifiers

Indeed. Since we introduced app extensions back in the 2014 OS releases it’s always been a requirement that an appex’s bundle ID be an immediate ‘child’ of its container app. Xcode even complains if you get this wrong. I was super surprised to hear that this used to work prior to macOS 13.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
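The rule stated above (an appex's bundle ID must be an immediate child of its container app's bundle ID) is easy to check mechanically before shipping, which is cheaper than discovering the mismatch on a new OS release. The following script is an added example written for this thread, not code from Apple or from any poster; it reads CFBundleIdentifier out of Info.plist data with the standard plistlib module, applies the immediate-child rule, and reports the result. The two Info.plist fragments are constructed here to mirror the wrong and corrected layouts described in the post above; the check_app_bundle helper and its Contents/PlugIns path layout are assumptions about a typical .app on disk rather than something the thread shows.

```python
import plistlib
from pathlib import Path

# Constructed Info.plist data (not from the thread) modelling the two layouts
# described above: the mismatched one that broke on macOS 13 and the fixed one.
BAD_APP_PLIST = plistlib.dumps({"CFBundleIdentifier": "com.MyCompany.MyApp"})
BAD_APPEX_PLIST = plistlib.dumps({"CFBundleIdentifier": "com.MyCompany.CTKApp.CTK"})
GOOD_APP_PLIST = plistlib.dumps({"CFBundleIdentifier": "com.MyCompany.CTKApp"})
GOOD_APPEX_PLIST = plistlib.dumps({"CFBundleIdentifier": "com.MyCompany.CTKApp.CTK"})


def bundle_id(plist_bytes: bytes) -> str:
    """Return the CFBundleIdentifier stored in Info.plist data (XML or binary)."""
    return plistlib.loads(plist_bytes)["CFBundleIdentifier"]


def is_immediate_child(container_id: str, appex_id: str) -> bool:
    """True only if appex_id is container_id plus exactly one extra dot-separated label.

    "com.MyCompany.CTKApp" / "com.MyCompany.CTKApp.CTK"   -> True
    "com.MyCompany.MyApp"  / "com.MyCompany.CTKApp.CTK"   -> False (different parent)
    "com.MyCompany.MyApp"  / "com.MyCompany.MyApp.a.b"    -> False (grandchild, not child)
    "com.MyCompany.MyApp"  / "com.MyCompany.MyAppX.CTK"   -> False (prefix, not a label)
    """
    prefix = container_id + "."
    if not appex_id.startswith(prefix):
        return False
    tail = appex_id[len(prefix):]
    return bool(tail) and "." not in tail


def check_pair(app_plist: bytes, appex_plist: bytes) -> tuple:
    """Check one container/appex pair; returns (ok, container_id, appex_id)."""
    container = bundle_id(app_plist)
    appex = bundle_id(appex_plist)
    return is_immediate_child(container, appex), container, appex


def check_app_bundle(app_path: str) -> list:
    """Assumed on-disk layout: <App>.app/Contents/Info.plist and
    <App>.app/Contents/PlugIns/<Ext>.appex/Contents/Info.plist.
    Returns one (ok, container_id, appex_id) tuple per appex found."""
    root = Path(app_path)
    app_plist = (root / "Contents" / "Info.plist").read_bytes()
    results = []
    for appex in sorted((root / "Contents" / "PlugIns").glob("*.appex")):
        appex_plist = (appex / "Contents" / "Info.plist").read_bytes()
        results.append(check_pair(app_plist, appex_plist))
    return results


def report(ok: bool, container: str, appex: str) -> str:
    verdict = "OK" if ok else "MISMATCH: appex ID must be <container ID>.<one label>"
    return f"{container} -> {appex}: {verdict}"


if __name__ == "__main__":
    print(report(*check_pair(BAD_APP_PLIST, BAD_APPEX_PLIST)))
    print(report(*check_pair(GOOD_APP_PLIST, GOOD_APPEX_PLIST)))
```

Run it as a script to see the two constructed layouts judged, or call check_app_bundle on a built .app to audit every embedded appex at once; a false result for a CTK extension is the first thing to rule out before attributing missing token certificates to the OS.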

This was our problem indeed. Although not conformant to the Apple specs, it used to work, and it wouldn't since Ventura. Thanks Eskimo for the help on that.
