Network token with CryptoTokenKit

As the documentation states:

"Tokens are physical devices that can be built in to the system, located on attached hardware (like a smart card), or accessible through a network connection"

We'd like to make a token that would acquire TKTokenKeychainContents (certificates) through the network (without a smart card reader).

What would be the best approach for this?

What should we set for com.apple.ctk.token-type in Info.plist?

The only possible value I found is "smartcard".

I have not found any documentation regarding other options.

The only extension target that Xcode gives is "Smart Card Token Extension"

Replies

Seems like nobody has an idea.

Are there any source files we could analyze?

I don’t know enough about CryptoTokenKit to tell you whether this idea is feasible. My recommendation is that you open a DTS tech support incident and talk to our CryptoTokenKit expert.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Did you get any notice about this thread?
I am thinking of doing something similar, but I could not find any documentation or a basic example of how to do that.

Thanks!!

We did open a DTS TSI three weeks ago, but sadly no answer so far.

We'll keep this thread updated.

I have a similar problem.

I want to use a smartphone as a key storage device and implement a key storage provider as an app extension using CryptoTokenKit.

The only difference from a smartcard is that there is no plug-in detection in my case, and no automatic identity storing in the keychain.

Up to now, I haven't found any description of how I could activate my app extension to start its work in the case of a missing token plug-in.

This activation would store the token identity in the keychain via TKTokenKeychainContents.

Maybe the CryptoTokenKit API is not flexible enough.

Opened DTS right after your post.

Case ID: 699988558


No response yet.

I tried to get some estimates, but I was told there are none.

And as a user you're unable to track the status of a DTS case.

Please involve someone who could help.

Basically it should be possible. Looking at the CryptoTokenKit framework included in Xcode 11, they have implemented _TKClientTokenServerPortName; this should give you a hint where to go from here.


One possible solution is to read the reference data for your certificate and keys from the server into the so-called user keychain database, located in ~/Library/Keychains; once they are there, they are automatically recognized by Safari for doing web authentication or smartcard logon, or by just any other application.


Below is a snippet where you can find the available functionality inside CTK:


--- !tapi-tbd-v3
archs:           [ x86_64 ]
uuids:           [ 'x86_64: 6F9BF731-FACA-3161-B1C7-22B11942FCFA', 'x86_64: 6F9BF731-FACA-3161-B1C7-22B11942FCFA' ]
platform:        zippered
install-name:    '/System/Library/Frameworks/CryptoTokenKit.framework/Versions/A/CryptoTokenKit'
exports:
  - archs:           [ x86_64 ]
    symbols:         [ _TKClientTokenServerPortName, _TKEntitlementSlotType, _TKErrorDomain,
                       _TKNotifyNameFirstSlot, _TKProtocolSlotClientName, _TKProtocolSlotRegistryName,
                       _TKProtocolTokenPairingNotificationName, _TKProtocolWatcherClientName,
                       _TKRegisterOptionRemoveObjects, _TKSlotTypeSmartCard, _TKSmartCardSessionEndPolicyKey,
                       _TKSmartCardSessionProtocol, _TKSmartCardSessionSensitive,
                       _TKSmartCardSlotATR, _TKSmartCardSlotMaxInputLength, _TKSmartCardSlotMaxOutputLength,
                       _TKSmartCardSlotPowerStateKey, _TKSmartCardSlotPreviousStateKey,
                       _TKSmartCardSlotSecurePINChangeSupportedKey, _TKSmartCardSlotSecurePINVerificationSupportedKey,
                       _TKSmartCardSlotShareStateKey, _TKSmartCardSlotStateKey, _TKTokenClassDriverApplicationIDKey,
                       _TKTokenClassDriverClassIDKey, _TKTokenClassDriverClassNameKey,
                       _TKTokenConfigurationProtocolName, _TKTokenTypeKey, _TKTokenWatcherServerStartedNotification,
                       _TKTransportSlotName, _TKUnderlyingAKSErrorKey ]
    objc-classes:    [ TKBERTLVRecord, TKClientToken, TKClientTokenAdvertisedItem,
                       TKClientTokenObject, TKClientTokenSession, TKCompactTLVRecord,
                       TKSharedResource, TKSharedResourceSlot, TKSimpleTLVRecord,
                       TKSmartCard, TKSmartCardATR, TKSmartCardATRInterfaceGroup,
                       TKSmartCardPINFormat, TKSmartCardSlot, TKSmartCardSlotEngine,
                       TKSmartCardSlotManager, TKSmartCardSlotScreen, TKSmartCardToken,
                       TKSmartCardTokenDriver, TKSmartCardTokenSession, TKSmartCardUserInteraction,
                       TKSmartCardUserInteractionForConfirmation, TKSmartCardUserInteractionForPINOperation,
                       TKSmartCardUserInteractionForSecurePINChange, TKSmartCardUserInteractionForSecurePINVerification,
                       TKSmartCardUserInteractionForStringEntry, TKTLVRecord, TKToken,
                       TKTokenAuthOperation, TKTokenBaseContext, TKTokenConfiguration,
                       TKTokenConfigurationTransaction, TKTokenDriver, TKTokenDriverConfiguration,
                       TKTokenID, TKTokenKeyAlgorithm, TKTokenKeyExchangeParameters,
                       TKTokenKeychainCertificate, TKTokenKeychainContents, TKTokenKeychainItem,
                       TKTokenKeychainKey, TKTokenPasswordAuthOperation, TKTokenSession,
                       TKTokenSmartCardPINAuthOperation, TKTokenWatcher ]

Good luck

Michael Ang

Some update?


I'm trying to do the same thing, but I don't know exactly how.


MichaelLang, where did you find that reference with those methods? I have downloaded Xcode 11, but I can't find those methods.

Where did you find this function, "_TKClientTokenServerPortName"???

I have Xcode 11 and it does not have this inside of it.

Some update on this? Very interested in using CTK with network tokens!

Nothing.

Nobody from Apple responded to my DTS.

Hi,


With multiple tests I figured out that:

com.apple.ctk.token-type can include any identifier (e.g. 'token')

com.apple.ctk.aid can be omitted if the token isn't a smartcard


Most of the CryptoTokenKit sample code is fine when using a generic Token (not inheriting from the SmartCard variants). This includes loading the extension by invoking the Keychain from the host app, using TKConfigurationData to fetch context from the host, or replying to TKTokenSession callbacks.


However, TKTokenKeychainContents seems to be missing if the TKToken doesn't inherit from TKSmartCardToken. token.keychainContents remains nil, forbidding use of [keychainContents fillWithItems:]. This is a blocking point for performing crypto operations that usually rely on [keychainContents keyForObjectID].


Any idea on why keychainContents remains nil ?


Regards,


Jerome T
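As an added example (not from Jerome's or any other post in this thread), here is what the NSExtension entry of a token extension's Info.plist looks like when it follows the two findings above: a token-type that is not "smartcard" and no com.apple.ctk.aid array at all. The NSExtensionPointIdentifier and com.apple.ctk.class-id entries are assumed to be the ones Xcode's Smart Card Token Extension template generates, so compare against a freshly generated Info.plist; the token-type string and the NetworkTokenDriver class name are this example's own choices.

```xml
<key>NSExtension</key>
<dict>
    <key>NSExtensionPointIdentifier</key>
    <string>com.apple.ctk.token</string>
    <!-- Principal class: the TKTokenDriver subclass that creates tokens (example name). -->
    <key>NSExtensionPrincipalClass</key>
    <string>$(PRODUCT_MODULE_NAME).NetworkTokenDriver</string>
    <key>NSExtensionAttributes</key>
    <dict>
        <!-- Driver class ID; a host app registering TKTokenDriver.Configuration
             looks the driver up by exactly this string. -->
        <key>com.apple.ctk.class-id</key>
        <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
        <!-- Any identifier works here; "smartcard" is only one of the possible values. -->
        <key>com.apple.ctk.token-type</key>
        <string>network</string>
        <!-- No com.apple.ctk.aid: that key lists smart card applet AIDs, which a
             network-backed token does not have. -->
    </dict>
</dict>
```

The class-id value is the one contract between the extension and its host app: if the host's driverConfigurations lookup uses a different string, the extension is never loaded, which is easy to mistake for the keychainContents problem described above.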

How exactly did you load the extension by invoking the Keychain from host App?

Is anyone able to implement this, or have any idea how to implement it for a network-based soft token repository? I am trying to see if I can write one using a software-based implementation.

Has anyone from Apple replied to anyone's query above or via TSI?

I am trying to see if I can write one using a software-based implementation.

Modern systems support hardware-less CryptoTokenKit (CTK) extensions. I don’t support this technology myself, but DTS’s CTK specialist regularly answers questions about this.

By “modern” I mean “if TKTokenDriverConfiguration is available”, with the caveat that it didn’t start working on the Mac until 10.15.4.

I’m not aware of any Apple sample code for this but there are some third-party options [1].

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

[1] <bitbucket.org/twocanoes/gate-secure-enclave-token-management/>
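As an added example (not code from any post here, from Apple, or from the linked project), this is the shape a hardware-less token takes on the "modern" systems Quinn refers to: the host app registers a TKTokenDriver.Configuration whose keychain items are derived from a certificate it obtained elsewhere (the network fetch itself is left out), and the extension's driver, token and session serve that configuration, forwarding signing requests to a remote service because the private key never exists locally. Everything about the service is hypothetical: the class ID, the service URL, the /auth and /sign endpoints, the "key:n"/"cert:n" object-ID convention and the bearer-credential exchange are this example's own choices. It also assumes, as Xcode's Smart Card Token Extension template does, that the driver, token and session act as their own delegates by conforming to the delegate protocols, and that driverConfigurations is queried from the app that embeds the extension.

```swift
import Foundation
import CryptoTokenKit
import Security

// ===== Host app side (the app that embeds the extension; macOS 10.15.4+) =====
// Assumptions: driverClassID matches com.apple.ctk.class-id in the extension's
// Info.plist; the service URL and its /auth and /sign endpoints are hypothetical.
let driverClassID: TKTokenDriver.ClassID = "com.example.networktoken"
let serviceURL = "https://token.example.invalid"
let signAlgorithm: SecKeyAlgorithm = .rsaSignatureDigestPKCS1v15SHA256

/// Registers one network-backed identity: the private key stays on the server, so only a key reference reaches the keychain.
func registerNetworkToken(instanceID: TKToken.InstanceID, certificateDER: Data) throws {
    // Reject anything that is not valid DER before it reaches the keychain.
    guard let cert = SecCertificateCreateWithData(nil, certificateDER as CFData) else { throw TKError(.corruptedData) }
    // nil here means the extension is not installed or the class ID does not match.
    guard let driverConfig = TKTokenDriver.Configuration.driverConfigurations[driverClassID] else { throw TKError(.tokenNotFound) }
    // Object IDs are this example's own convention: "key:<n>" pairs with "cert:<n>".
    guard let certItem = TKTokenKeychainCertificate(certificate: cert, objectID: "cert:1"),
          let keyItem = TKTokenKeychainKey(certificate: cert, objectID: "key:1") else { throw TKError(.badParameter) }
    keyItem.canSign = true
    // Demand an auth operation (implemented in the extension) before each signature.
    keyItem.constraints = [NSNumber(value: TKTokenOperation.signData.rawValue): "password"]
    let tokenConfig = driverConfig.addTokenConfiguration(for: instanceID)
    tokenConfig.configurationData = Data(serviceURL.utf8)  // handed to the extension
    tokenConfig.keychainItems = [certItem, keyItem]         // system publishes the identity
}

// ===== Extension side (NSExtensionPrincipalClass = <Module>.NetworkTokenDriver) =====
final class NetworkTokenDriver: TKTokenDriver, TKTokenDriverDelegate {
    func tokenDriver(_ driver: TKTokenDriver, tokenFor configuration: TKToken.Configuration) throws -> TKToken {
        return NetworkToken(tokenDriver: driver, configuration: configuration)
    }
}

final class NetworkToken: TKToken, TKTokenDelegate {
    let configuration: TKToken.Configuration
    init(tokenDriver: TKTokenDriver, configuration: TKToken.Configuration) {
        self.configuration = configuration
        super.init(tokenDriver: tokenDriver, instanceID: configuration.instanceID)
    }
    func createSession(_ token: TKToken) throws -> TKTokenSession { NetworkTokenSession(token: self) }
    /// Certificate registered next to a key object ID (host-side naming convention).
    func certificate(forKey keyObjectID: Any) -> SecCertificate? {
        let certID = "\(keyObjectID)".replacingOccurrences(of: "key:", with: "cert:")
        let item = configuration.keychainItems.compactMap { $0 as? TKTokenKeychainCertificate }
            .first { "\($0.objectID)" == certID }
        return item.flatMap { SecCertificateCreateWithData(nil, $0.data as CFData) }
    }
    /// Synchronous POST to the hypothetical service; CTK delegate callbacks are synchronous.
    func post(_ path: String, body: Data, bearer: String?) throws -> Data {
        let base = String(decoding: configuration.configurationData ?? Data(), as: UTF8.self)
        guard let url = URL(string: base + path), url.scheme == "https" else { throw TKError(.badParameter) }
        var request = URLRequest(url: url)
        request.httpMethod = "POST"; request.httpBody = body
        if let bearer = bearer { request.setValue("Bearer \(bearer)", forHTTPHeaderField: "Authorization") }
        var result: Result<Data, Error> = .failure(TKError(.communicationError))
        let done = DispatchSemaphore(value: 0)
        URLSession.shared.dataTask(with: request) { data, response, error in
            if let data = data, (response as? HTTPURLResponse)?.statusCode == 200 { result = .success(data) }
            else if let error = error { result = .failure(error) }
            done.signal()
        }.resume()
        done.wait()
        return try result.get()
    }
}

/// Trades the user's password for a short-lived service credential; the password itself is not retained.
final class NetworkAuthOperation: TKTokenPasswordAuthOperation {
    unowned let session: NetworkTokenSession
    init(session: NetworkTokenSession) { self.session = session; super.init() }
    override func finish() throws {
        guard let password = password, !password.isEmpty else { throw TKError(.authenticationFailed) }
        let reply = try (session.token as! NetworkToken).post("/auth", body: Data(password.utf8), bearer: nil)
        session.credential = String(decoding: reply, as: UTF8.self)
    }
}

final class NetworkTokenSession: TKTokenSession, TKTokenSessionDelegate {
    var credential: String?
    func tokenSession(_ session: TKTokenSession, beginAuthFor operation: TKTokenOperation, constraint: Any) throws -> TKTokenAuthOperation {
        return NetworkAuthOperation(session: self)
    }
    func tokenSession(_ session: TKTokenSession, supports operation: TKTokenOperation, keyObjectID: Any, algorithm: TKTokenKeyAlgorithm) -> Bool {
        return operation == .signData && algorithm.isAlgorithm(signAlgorithm)  // advertise only what is implemented
    }
    func tokenSession(_ session: TKTokenSession, sign dataToSign: Data, keyObjectID: Any, algorithm: TKTokenKeyAlgorithm) throws -> Data {
        guard algorithm.isAlgorithm(signAlgorithm) else { throw TKError(.notImplemented) }
        guard let credential = credential else { throw TKError(.authenticationNeeded) }
        let token = session.token as! NetworkToken
        let signature = try token.post("/sign/\(keyObjectID)", body: dataToSign, bearer: credential)
        // Never trust the service blindly: verify against the certificate registered for this key.
        guard let cert = token.certificate(forKey: keyObjectID), let publicKey = SecCertificateCopyKey(cert),
              SecKeyVerifySignature(publicKey, signAlgorithm, dataToSign as CFData, signature as CFData, nil) else {
            throw TKError(.corruptedData)
        }
        return signature
    }
}
```

Two design choices matter more than the rest. The key item carries a constraint on signData, so the system drives beginAuthFor before every signature and the remote key cannot be used silently by any process that can reach the keychain; the auth operation exchanges the password for a service credential instead of keeping the password in the extension. And the session verifies each returned signature against the certificate that was registered for the key, so a compromised or misconfigured signing service cannot hand the caller a signature made with some other key. The synchronous semaphore around URLSession is only acceptable because the callback runs on a background queue; with a custom session whose delegate queue is the calling queue it would deadlock.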