cryptotokenkit

What problem does it solve?

CryptoTokenKit simplifies accessing and managing hardware-backed cryptographic keys and certificates so applications can perform signing, decryption, and authentication using smart cards and USB/NFC tokens without leaking secrets or mismanaging sessions. It clarifies platform availability and differences between macOS token driver extensions and client-side token access on macOS/iOS.

Core Features & Use Cases

• Token driver extensions (macOS): Build TKSmartCardTokenDriver/TKToken-backed extensions that expose token keys and certificates to the system and populate keychain items with proper objectIDs and capabilities.
• Smart card communication & APDU handling: Open secure sessions, send APDU commands, handle chained responses, and interpret status words safely.
• Token sessions & authentication: Implement TKTokenSession/TKTokenSessionDelegate, PIN and secure PIN flows, and algorithm capability checks to avoid unsupported operations.
• Keychain & system integration: Query token-backed items using kSecAttrTokenID, use persistent refs, and handle errSecItemNotFound when tokens are removed.
• Use case: A macOS smart card authentication extension that reads PIV certificates, enforces PIN verification via secure PIN interactions, and exposes signing keys to the system for login and SSO flows.

Quick Start

Use CryptoTokenKit to detect present tokens with TKTokenWatcher, verify tokenIDs, and obtain a SecKey via kSecAttrTokenID before performing cryptographic operations.