CryptoTokenKit Network Cryptographic Tokens

Hello,

It is mentioned in the CryptoTokenKit documentation:

You use the CryptoTokenKit framework to easily access cryptographic tokens. Tokens are physical devices built in to the system, located on attached hardware (like a smart card), or accessible through a network connection.

However, it looks like there is a lack of documentation with a simple example of how to access a network token.

I have certificates in an HSM (hardware security module), which is accessible over the network, and I'd like to access the certificates on the HSM from my Mac.

Does anybody know where to start with the implementation?

Thank you.

There are two parts to this:

  • Integrating the HSM token with your Mac

  • Accessing its credentials from your code

For the first part, you need a CryptoTokenKit (CTK) app extension that acts as a driver for your HSM. Normally that’d be created by the HSM vendor. Presumably that’s not you, so you should ask your HSM vendor if they have CTK support.

If they don’t have CTK support but they do publish their network protocol, you could implement your own CTK app extension. This is a bunch of work, but there’s nothing stopping you.

Once you have the CTK app and you’ve configured it to publish your HSM’s credentials to the system, it’s time to use those credentials from your code. You do this in two steps:

  1. Call the SecItem API to find the credential. Typically you want to sign or encrypt something, so the credential is a digital identity (SecIdentity) or private key (SecKey).

  2. Use standard Security framework APIs to do your crypto operations. For example, if you have a digital identity you might call:

    • SecIdentityCopyCertificate to get its certificate

    • SecIdentityCopyPrivateKey to get its private key

    and then SecKeyCreateSignature to sign with that private key.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
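The two steps above as a Swift example added to this thread (not Quinn's code and not Apple sample code): it assumes the CTK extension has already published an identity to the system under a hypothetical label, signs a message with its private key, and then verifies the signature against the public key in the identity's certificate as a sanity check that the token signed with the key it advertises.

```swift
import Foundation
import Security
/// Looks up the identity the CTK extension published under `label` (a hypothetical
/// value), signs `message` with its private key, and checks the result against the
/// public key in the identity's certificate before handing the signature back.
func signWithTokenIdentity(label: String, message: Data) throws -> Data {
    // Step 1: SecItem lookup for a digital identity (SecIdentity) by label.
    let query: [String: Any] = [
        kSecClass as String: kSecClassIdentity,
        kSecAttrLabel as String: label,
        kSecMatchLimit as String: kSecMatchLimitOne,
        kSecReturnRef as String: true,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let found = item,
          CFGetTypeID(found) == SecIdentityGetTypeID() else {
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(status), userInfo: nil)
    }
    let identity = found as! SecIdentity
    // Step 2a: split the identity into its certificate and private key.
    var certificate: SecCertificate?
    var privateKey: SecKey?
    guard SecIdentityCopyCertificate(identity, &certificate) == errSecSuccess,
          SecIdentityCopyPrivateKey(identity, &privateKey) == errSecSuccess,
          let cert = certificate, let key = privateKey else {
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(errSecInternalError), userInfo: nil)
    }
    // Pick a signing algorithm the token's key actually supports (EC first, then RSA).
    let candidates: [SecKeyAlgorithm] = [.ecdsaSignatureMessageX962SHA256,
                                         .rsaSignatureMessagePKCS1v15SHA256]
    guard let algorithm = candidates.first(where: { SecKeyIsAlgorithmSupported(key, .sign, $0) }) else {
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(errSecUnsupportedAlgorithm), userInfo: nil)
    }
    // Step 2b: SecKeyCreateSignature; for a CTK-backed key the signing runs in the extension.
    var cfError: Unmanaged<CFError>?
    guard let signature = SecKeyCreateSignature(key, algorithm, message as CFData, &cfError) as Data? else {
        throw cfError!.takeRetainedValue() as Error
    }
    // Sanity check: a verify failure means the token signed with a key that does not match its certificate.
    guard let publicKey = SecCertificateCopyKey(cert),
          SecKeyVerifySignature(publicKey, algorithm, message as CFData, signature as CFData, &cfError) else {
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(errSecVerifyFailed), userInfo: nil)
    }
    return signature
}
// Constructed usage: the label and message are placeholders for this example.
let signature = try signWithTokenIdentity(label: "hsm-signing-identity", message: Data("audit record 42".utf8))
```

If the lookup fails with errSecItemNotFound, the CTK extension has not published the identity (or not under that label); check the extension's configuration before debugging the signing code.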
