cryptotokenkit.pivtoken : Error during signing operation

Based on the documentation provided in the link below, I was trying to access the PIV token smart card using Keychain services.

https://developer.apple.com/documentation/cryptotokenkit/using_cryptographic_assets_stored_on_a_smart_card?language=objc

I am currently trying to use the built-in smart card driver com.apple.CryptoTokenKit.pivtoken:1.0 for PIV smart cards.

I am able to access the identity using the code below, as mentioned in the link above.

```objc
// Look up the identity that the PIV token driver exposes in the keychain.
SecIdentityRef identityRef = NULL;
NSDictionary *getquery = @{ (id)kSecClass: (id)kSecClassIdentity,
                            (id)kSecAttrTokenID: @"<PIV token ID>",
                            (id)kSecReturnRef: @YES,
                          };

OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)getquery,
                                      (CFTypeRef *)&identityRef);
```


I am also able to successfully obtain the certificate and private key handle from the identity using SecIdentityCopyCertificate and SecIdentityCopyPrivateKey without errors.

However, while trying to use the private key handle for a signing operation with SecSignTransformCreate, the following error is observed:


The operation couldn’t be completed. (Internal CSSM error error -25304 - Internal error #ffff9d28 at SignTransform_block_invoke /BuildRoot/Library/Caches/com.apple.xbs/Sources/Security/Security-58286.70.7/OSX/libsecurity_transform/lib/SecSignVerifyTransform.c:411

This error occurs on invoking SecSignTransformCreate with the private key handle obtained in the previous step.

Any idea why this error is observed for the PIV token?

Is this the right way to access a PIV token using the built-in pluginkit com.apple.CryptoTokenKit.pivtoken:1.0, or should we use other APIs?

Replies

For those reading along at home, ncel asked this question via another channel and I’ll respond there. Hopefully, one of us will remember to post a summary on this thread when we’re done (-:

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
(s. 718652974)

Just in case someone needs the answer:

Instead of the old SecSignTransformCreate approach, use the new SecKeyCreateSignature method.
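As an added example (not code from this thread), here is the SecKeyCreateSignature path the answer refers to, including the algorithm-support check a practitioner would want before handing the operation to the card; the token ID, the helper name and the RSA PKCS#1 v1.5 / SHA-256 algorithm are assumptions.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Sign `message` with the private key of the identity stored on the PIV token
// identified by `tokenID`. Returns nil and fills `outError` on failure.
// Helper name and token ID are assumptions for this example.
static NSData *SignWithPIVToken(NSString *tokenID, NSData *message, NSError **outError) {
    NSDictionary *query = @{ (id)kSecClass: (id)kSecClassIdentity,
                             (id)kSecAttrTokenID: tokenID,
                             (id)kSecReturnRef: @YES };
    SecIdentityRef identity = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query,
                                          (CFTypeRef *)&identity);
    if (status != errSecSuccess || identity == NULL) {
        if (outError) *outError = [NSError errorWithDomain:NSOSStatusErrorDomain
                                                      code:status userInfo:nil];
        return nil;
    }
    SecKeyRef privateKey = NULL;
    status = SecIdentityCopyPrivateKey(identity, &privateKey);
    CFRelease(identity);
    if (status != errSecSuccess || privateKey == NULL) {
        if (outError) *outError = [NSError errorWithDomain:NSOSStatusErrorDomain
                                                      code:status userInfo:nil];
        return nil;
    }
    // Token-backed keys support only what the card implements; ask first instead
    // of discovering it through an opaque error. PIV keys are commonly RSA, so
    // PKCS#1 v1.5 over a SHA-256 digest of the message is assumed here.
    SecKeyAlgorithm algorithm = kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256;
    if (!SecKeyIsAlgorithmSupported(privateKey, kSecKeyOperationTypeSign, algorithm)) {
        CFRelease(privateKey);
        if (outError) *outError = [NSError errorWithDomain:NSOSStatusErrorDomain
                                                      code:errSecParam userInfo:nil];
        return nil;
    }
    // SecKeyCreateSignature hands the operation to the CryptoTokenKit driver,
    // which prompts for the card PIN when the token requires it.
    CFErrorRef cfError = NULL;
    CFDataRef signature = SecKeyCreateSignature(privateKey, algorithm,
                                                (__bridge CFDataRef)message, &cfError);
    CFRelease(privateKey);
    if (signature == NULL) {
        if (outError) *outError = CFBridgingRelease(cfError);
        return nil;
    }
    return CFBridgingRelease(signature);
}
```

To check the result, obtain the public key with SecKeyCopyPublicKey on the same private key handle and call SecKeyVerifySignature with the same algorithm and message.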