2362 Views 7 Replies
      Latest reply on Jul 30, 2019 1:51 AM by michaelang12345
      ElenaS Level 1 Level 1 (10 points)
      ElenaS Jul 12, 2018 11:10 PM

        As documentation states

        "Tokens are physical devices that can be built in to the system, located on attached hardware (like a smart card), or accessible through a network connection"

        We'd like to make token that would acquire TKTokenKeychainContents(certificates) through network(without smart card reader).

        What's would be the best approach for this ?

        What should we set for com.apple.ctk.token-type in Info.plist ?

        The only possible value i found is "smartcard".

        I have not found any documentation regarding other options.

        The only extension target that Xcode gives is "Smart Card Token Extension"

        • Re: Network token with CryptoTokenKit
          ElenaS Level 1 Level 1 (10 points)
          ElenaS Sep 20, 2018 11:59 AM (in response to ElenaS)

          Seems like nobody has an idea.

          Are there any source files we could analyze ?

            • Re: Network token with CryptoTokenKit
              pjruiz Level 1 Level 1 (0 points)
              pjruiz Oct 18, 2018 7:18 AM (in response to ElenaS)

              Did you get any notice about this thread?

              I am thinking to do something similar, but I could not find any documentation or basic example to do that.


              Thanks!!

              • Re: Network token with CryptoTokenKit
                gmolnar2008 Level 1 Level 1 (0 points)
                gmolnar2008 Nov 21, 2018 1:22 AM (in response to ElenaS)

                I have a similar problem.

                I want to use a smartphone as key storage device and implement a key storage provider as an app extension using CryptoTokenKit.

                The only difference to a smartcard is, that there is no plug-in detection in my case, and no automatic identity storing in keychain.

                Up to now, I didn't find any description how could I activate my app extension to start its work in case of missing token plug-in.

                This activation would store the token identity in keychain via TKTokenChainContents.

                Maybe the CryptoTokenKit API is not flexible enough.

              • Re: Network token with CryptoTokenKit
                eskimo Apple Staff Apple Staff (11,655 points)
                eskimo Sep 21, 2018 1:15 AM (in response to ElenaS)

                I don’t know enough about CryptoTokenKit to tell you whether this idea is feasible.  My recommendation is that you open a DTS tech support incident and talk to our CryptoTokenKit expert.

                Share and Enjoy

                Quinn “The Eskimo!”
                Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                let myEmail = "eskimo" + "1" + "@apple.com"

                • Re: Network token with CryptoTokenKit
                  michaelang12345 Level 1 Level 1 (10 points)
                  michaelang12345 Jul 30, 2019 1:51 AM (in response to ElenaS)

                  Basically it should be possible, when looking at the CryptoTokenKit framework included in xcode 11, they have implemented _TKClientTokenServerPortName, this should give you a hint where to go from this.

                   

                  One possible solution is to read the reference data from your certificate and keys from the server into the so called user keychain database, located in your ~Library/Keychains and once they are there they are automatically recognized by safari for doing web authentication or smartcard logon or just any other application.

                   

                  Below is a snippet where you can find the available functionalities inside ctk;

                   

                  --- !tapi-tbd-v3

                  archs:           [ x86_64 ]

                  uuids:           [ 'x86_64: 6F9BF731-FACA-3161-B1C7-22B11942FCFA', 'x86_64: 6F9BF731-FACA-3161-B1C7-22B11942FCFA' ]

                  platform:        zippered

                  install-name:    '/System/Library/Frameworks/CryptoTokenKit.framework/Versions/A/CryptoTokenKit'

                  exports:       

                    - archs:           [ x86_64 ]

                      symbols:         [ _TKClientTokenServerPortName, _TKEntitlementSlotType, _TKErrorDomain,

                                         _TKNotifyNameFirstSlot, _TKProtocolSlotClientName, _TKProtocolSlotRegistryName,

                                         _TKProtocolTokenPairingNotificationName, _TKProtocolWatcherClientName,

                                         _TKRegisterOptionRemoveObjects, _TKSlotTypeSmartCard, _TKSmartCardSessionEndPolicyKey,

                                         _TKSmartCardSessionProtocol, _TKSmartCardSessionSensitive,

                                         _TKSmartCardSlotATR, _TKSmartCardSlotMaxInputLength, _TKSmartCardSlotMaxOutputLength,

                                         _TKSmartCardSlotPowerStateKey, _TKSmartCardSlotPreviousStateKey,

                                         _TKSmartCardSlotSecurePINChangeSupportedKey, _TKSmartCardSlotSecurePINVerificationSupportedKey,

                                         _TKSmartCardSlotShareStateKey, _TKSmartCardSlotStateKey, _TKTokenClassDriverApplicationIDKey,

                                         _TKTokenClassDriverClassIDKey, _TKTokenClassDriverClassNameKey,

                                         _TKTokenConfigurationProtocolName, _TKTokenTypeKey, _TKTokenWatcherServerStartedNotification,

                                         _TKTransportSlotName, _TKUnderlyingAKSErrorKey ]

                      objc-classes:    [ TKBERTLVRecord, TKClientToken, TKClientTokenAdvertisedItem,

                                         TKClientTokenObject, TKClientTokenSession, TKCompactTLVRecord,

                                         TKSharedResource, TKSharedResourceSlot, TKSimpleTLVRecord,

                                         TKSmartCard, TKSmartCardATR, TKSmartCardATRInterfaceGroup,

                                         TKSmartCardPINFormat, TKSmartCardSlot, TKSmartCardSlotEngine,

                                         TKSmartCardSlotManager, TKSmartCardSlotScreen, TKSmartCardToken,

                                         TKSmartCardTokenDriver, TKSmartCardTokenSession, TKSmartCardUserInteraction,

                                         TKSmartCardUserInteractionForConfirmation, TKSmartCardUserInteractionForPINOperation,

                                         TKSmartCardUserInteractionForSecurePINChange, TKSmartCardUserInteractionForSecurePINVerification,

                                         TKSmartCardUserInteractionForStringEntry, TKTLVRecord, TKToken,

                                         TKTokenAuthOperation, TKTokenBaseContext, TKTokenConfiguration,

                                         TKTokenConfigurationTransaction, TKTokenDriver, TKTokenDriverConfiguration,

                                         TKTokenID, TKTokenKeyAlgorithm, TKTokenKeyExchangeParameters,

                                         TKTokenKeychainCertificate, TKTokenKeychainContents, TKTokenKeychainItem,

                                         TKTokenKeychainKey, TKTokenPasswordAuthOperation, TKTokenSession,

                                         TKTokenSmartCardPINAuthOperation, TKTokenWatcher ]

                  Good luck

                  Michael Ang