CryptoTokenKit

CryptoTokenKit is a module for macOS used to add smart card (or similar) support to macOS applications. The CryptoTokenKit module replaces the older Tokend module which is deprecated by Apple.

The CryptoTokenKit module focuses only on application use, never on administration of tokens. The typical usage is to register the certificates, the corresponding private keys, and the access requirement (PIN) when a smart card is inserted. The calling application checks what is registered when a certificate is required, and tries to use it.

Applications

The CryptoTokenKit module is only used by macOS applications, for example Apple Mail and Apple Safari. It is not possible to tell what is implemented by macOS and what parts are handled by each application, because the behavior differs between applications. The CryptoTokenKit module only gives information about certificates, information strings, and error messages. It never caches the PIN or shows any dialogs.

The CryptoTokenKit module gives information about certificates, information strings, and error messages to the caller, and it executes PIN verification or key operations whenever the caller requests them. It never shows any dialogs, but it does remember the PIN verification status, since CryptoTokenKit runs as a separate process. The caller is always unknown to the CryptoTokenKit module: Apple macOS calls the module on behalf of the original application, for example Apple Mail or Apple Safari. The CryptoTokenKit module tells the caller when a PIN is required, for example on the first use of a private key. Multiple uses are also possible unless the private key has single use enabled, that is, a non-repudiation key. The caller may cache the PIN, and the caller is responsible for showing the PIN dialog.

Ask Apple for more information about caching policies for CryptoTokenKit. They are not part of the public documentation, but the important point is that we cannot control them.

CryptoTokenKit gives information ⇒ The macOS application chooses what is displayed

Keychain Access

The main macOS application for cryptographic tokens and certificates is Keychain Access. Therefore, it is a bit confusing that Apple has decided not to present information from CryptoTokenKit modules in that application. Instead you must start Terminal and behave like a traditional Linux guru, see the Terminal section.

Terminal

The Terminal is used to show information from CryptoTokenKit modules.

Check for installed CryptoTokenKit modules

Synopsis

pluginkit -m -p com.apple.ctk-tokens

Output

secmakers-Mac:~$ pluginkit -m -p com.apple.ctk-tokens
     com.apple.CryptoTokenKit.pivtoken(1.0)
     com.apple.CryptoTokenKit.setoken(1.0)
     com.secmaker.netid.ctk.sctoken(1.0)

Check for inserted smart cards

Synopsis

security list-smartcards

Output

secmakers-Mac:~$ security list-smartcards
com.secmaker.netid.ctk.sctoken:9752269885705648365

Show information of all inserted smart cards — all info

Synopsis

security export-smartcard

Output

$ security export-smartcard

==== private key #1
	crtr : 0
	esiz : 0
	decr : 1
	persistref : <>
	atag : ""
	kcls : 1
	agrp : "com.apple.token"
	pdmn : "dk"
	bsiz : 2 048
	type : 42
	klbl : <01 d0 f0 0a 42 64 d5 7e 54 32 74 83 5d 0e 9d 73 93 19 04 a5>
	edat : 2001-01-01 00:00:00 +0000
	sign : 1
	mdat : 2021-07-02 11:51:03 +0000
	drve : 0
	labl : "Anna Sahlström (SecUDTest Sub CA v2)/Instant IP10 (identification)"
	sync : 0
	musr : <>
	sha1 : <80 40 d7 4c 39 b8 37 64 0a 5a 1a 21 15 76 4f 2e 7c 82 d7 28>
	cdat : 2021-07-02 11:51:03 +0000
	tkid : "com.secmaker.netid.ctk.sctoken:9752288595719137738"
	sdat : 2001-01-01 00:00:00 +0000
	tomb : 0
	priv : 1
	accc : constraints: {
			od : "PIN1",
			osgn : "PIN1"
		}
		protection: {
			tkid : "com.secmaker.netid.ctk.sctoken:9752288595719137738"
		}
	unwp : 1
====

==== private key #2
	crtr : 0
	esiz : 0
	decr : 0
	persistref : <>
	atag : ""
	kcls : 1
	agrp : "com.apple.token"
	pdmn : "dk"
	bsiz : 2 048
	type : 42
	klbl : <a3 79 82 0b ec 88 f4 f2 d1 40 3f 3d 3c 6c ed 57 f5 af 4a ba>
	edat : 2001-01-01 00:00:00 +0000
	sign : 1
	mdat : 2021-07-02 11:51:03 +0000
	drve : 0
	labl : "Anna Sahlström (SecUDTest Sub CA v2)/Instant IP10 (signature)"
	sync : 0
	musr : <>
	sha1 : <da 9e 67 42 95 29 2e c2 59 0c 91 cf 6b 27 ba 71 58 5b 97 3c>
	cdat : 2021-07-02 11:51:03 +0000
	tkid : "com.secmaker.netid.ctk.sctoken:9752288595719137738"
	sdat : 2001-01-01 00:00:00 +0000
	tomb : 0
	priv : 1
	accc : constraints: {
			osgn : "PIN2"
		}
		protection: {
			tkid : "com.secmaker.netid.ctk.sctoken:9752288595719137738"
		}
	unwp : 0
====

==== identity #1
	class : "idnt"
	slnr : <3d 00 00 06 bf 01 af 7f 28 d0 0d 28 0a 00 02 00 00 06 bf>
	certdata : <CFData 0x12c011c00 [0x1fb7c88c0]>{length = 1941, capacity = 1941, bytes = 0x3082079130820579a00302010202133d ... 60e7bfc1458e8bf0}
	certtkid : "com.secmaker.netid.ctk.sctoken:9752288595719137738"
	priv : 1
	ctyp : 3
	mdat : 2021-07-02 11:51:03 +0000
	sdat : 2001-01-01 00:00:00 +0000
	bsiz : 2 048
	type : 42
	sha1 : <45 3a 00 44 6b fa 36 e0 ce 31 06 af 9a c1 cf be 3e 4e 31 fd>
	pkhh : <01 d0 f0 0a 42 64 d5 7e 54 32 74 83 5d 0e 9d 73 93 19 04 a5>
	cdat : 2021-07-02 11:51:03 +0000
	skid : <01 d0 f0 0a 42 64 d5 7e 54 32 74 83 5d 0e 9d 73 93 19 04 a5>
	tomb : 0
	UUID : "678A40EA-86D5-4032-9B49-77B46C8455B7"
	persistref : <>
	accc : constraints: {
			od : "PIN1",
			osgn : "PIN1"
		}
		protection: {
			tkid : "com.secmaker.netid.ctk.sctoken:9752288595719137738"
		}
	sync : 0
	tkid : "com.secmaker.netid.ctk.sctoken:9752288595719137738"
	pdmn : "dk"
	musr : <>
	subj : <31 15 30 13 06 03 55 04 05 13 0c 31 39 38 38 30 38 31 35 37 35 32 36 31 0b 30 09 06 03 55 04 06 13 02 53 45 31 0c 30 0a 06 03 55 04 0a 13 03 4c 41 42 31 18 30 16 06 03 55 04 03 0c 0f 41 6e 6e 61 20 53 61 68 6c 73 74 72 c3 b6 6d>
	sign : 1
	esiz : 0
	decr : 1
	atag : ""
	edat : 2001-01-01 00:00:00 +0000
	klbl : <01 d0 f0 0a 42 64 d5 7e 54 32 74 83 5d 0e 9d 73 93 19 04 a5>
	crtr : 0
	unwp : 1
	issr : <31 13 30 11 06 0a 09 92 26 89 93 f2 2c 64 01 19 16 03 63 6f 6d 31 19 30 17 06 0a 09 92 26 89 93 f2 2c 64 01 19 16 09 73 65 63 75 64 74 65 73 74 31 1c 30 1a 06 03 55 04 03 13 13 53 45 43 55 44 54 45 53 54 20 53 55 42 20 43 41 20 56 32>
	cenc : 3
	kcls : 1
	agrp : "com.apple.token"
	labl : "Anna Sahlström (SecUDTest Sub CA v2)/Instant IP10 (identification)"
	drve : 0
====

==== identity #2
	class : "idnt"
	slnr : <3d 00 00 06 be 71 e8 03 0e 74 4c 51 1e 00 02 00 00 06 be>
	certdata : <CFData 0x12c01e800 [0x1fb7c88c0]>{length = 1914, capacity = 1914, bytes = 0x308207763082055ea00302010202133d ... a62596ed16e93d60}
	certtkid : "com.secmaker.netid.ctk.sctoken:9752288595719137738"
	priv : 1
	ctyp : 3
	mdat : 2021-07-02 11:51:03 +0000
	sdat : 2001-01-01 00:00:00 +0000
	bsiz : 2 048
	type : 42
	sha1 : <a4 3b 3f 77 5e 7f 0a 49 d8 55 f3 17 dd 12 4e 57 d5 cf dc f4>
	pkhh : <a3 79 82 0b ec 88 f4 f2 d1 40 3f 3d 3c 6c ed 57 f5 af 4a ba>
	cdat : 2021-07-02 11:51:03 +0000
	skid : <a3 79 82 0b ec 88 f4 f2 d1 40 3f 3d 3c 6c ed 57 f5 af 4a ba>
	tomb : 0
	UUID : "0BFB125D-D5D4-43E9-9877-EB45B32C89CA"
	persistref : <>
	accc : constraints: {
			osgn : "PIN2"
		}
		protection: {
			tkid : "com.secmaker.netid.ctk.sctoken:9752288595719137738"
		}
	sync : 0
	tkid : "com.secmaker.netid.ctk.sctoken:9752288595719137738"
	pdmn : "dk"
	musr : <>
	subj : <31 15 30 13 06 03 55 04 05 13 0c 31 39 38 38 30 38 31 35 37 35 32 36 31 0b 30 09 06 03 55 04 06 13 02 53 45 31 0e 30 0c 06 03 55 04 07 13 05 4e 41 43 4b 41 31 0c 30 0a 06 03 55 04 0a 13 03 4c 41 42 31 18 30 16 06 03 55 04 03 0c 0f 41 6e 6e 61 20 53 61 68 6c 73 74 72 c3 b6 6d>
	sign : 1
	esiz : 0
	decr : 0
	atag : ""
	edat : 2001-01-01 00:00:00 +0000
	klbl : <a3 79 82 0b ec 88 f4 f2 d1 40 3f 3d 3c 6c ed 57 f5 af 4a ba>
	crtr : 0
	unwp : 0
	issr : <31 13 30 11 06 0a 09 92 26 89 93 f2 2c 64 01 19 16 03 63 6f 6d 31 19 30 17 06 0a 09 92 26 89 93 f2 2c 64 01 19 16 09 73 65 63 75 64 74 65 73 74 31 1c 30 1a 06 03 55 04 03 13 13 53 45 43 55 44 54 45 53 54 20 53 55 42 20 43 41 20 56 32>
	cenc : 3
	kcls : 1
	agrp : "com.apple.token"
	labl : "Anna Sahlström (SecUDTest Sub CA v2)/Instant IP10 (signature)"
	drve : 0
====

==== certificate #1
	class : "cert"
	subj : <31 15 30 13 06 03 55 04 05 13 0c 31 39 38 38 30 38 31 35 37 35 32 36 31 0b 30 09 06 03 55 04 06 13 02 53 45 31 0e 30 0c 06 03 55 04 07 13 05 4e 41 43 4b 41 31 0c 30 0a 06 03 55 04 0a 13 03 4c 41 42 31 18 30 16 06 03 55 04 03 0c 0f 41 6e 6e 61 20 53 61 68 6c 73 74 72 c3 b6 6d>
	cenc : 3
	ctyp : 3
	pkhh : <a3 79 82 0b ec 88 f4 f2 d1 40 3f 3d 3c 6c ed 57 f5 af 4a ba>
	persistref : <>
	agrp : "com.apple.token"
	pdmn : "dk"
	labl : "Anna Sahlström (SecUDTest Sub CA v2)/Instant IP10 (signature)"
	UUID : "0BFB125D-D5D4-43E9-9877-EB45B32C89CA"
	mdat : 2021-07-02 11:51:03 +0000
	slnr : <3d 00 00 06 be 71 e8 03 0e 74 4c 51 1e 00 02 00 00 06 be>
	sync : 0
	sha1 : <a4 3b 3f 77 5e 7f 0a 49 d8 55 f3 17 dd 12 4e 57 d5 cf dc f4>
	tkid : "com.secmaker.netid.ctk.sctoken:9752288595719137738"
	musr : <>
	cdat : 2021-07-02 11:51:03 +0000
	tomb : 0
	skid : <a3 79 82 0b ec 88 f4 f2 d1 40 3f 3d 3c 6c ed 57 f5 af 4a ba>
	issr : <31 13 30 11 06 0a 09 92 26 89 93 f2 2c 64 01 19 16 03 63 6f 6d 31 19 30 17 06 0a 09 92 26 89 93 f2 2c 64 01 19 16 09 73 65 63 75 64 74 65 73 74 31 1c 30 1a 06 03 55 04 03 13 13 53 45 43 55 44 54 45 53 54 20 53 55 42 20 43 41 20 56 32>
	accc : constraints: {
			ord : true
		}
		protection: {
			tkid : "com.secmaker.netid.ctk.sctoken:9752288595719137738"
		}
====

==== certificate #2
	class : "cert"
	subj : <31 15 30 13 06 03 55 04 05 13 0c 31 39 38 38 30 38 31 35 37 35 32 36 31 0b 30 09 06 03 55 04 06 13 02 53 45 31 0c 30 0a 06 03 55 04 0a 13 03 4c 41 42 31 18 30 16 06 03 55 04 03 0c 0f 41 6e 6e 61 20 53 61 68 6c 73 74 72 c3 b6 6d>
	cenc : 3
	ctyp : 3
	pkhh : <01 d0 f0 0a 42 64 d5 7e 54 32 74 83 5d 0e 9d 73 93 19 04 a5>
	persistref : <>
	agrp : "com.apple.token"
	pdmn : "dk"
	labl : "Anna Sahlström (SecUDTest Sub CA v2)/Instant IP10 (identification)"
	UUID : "678A40EA-86D5-4032-9B49-77B46C8455B7"
	mdat : 2021-07-02 11:51:03 +0000
	slnr : <3d 00 00 06 bf 01 af 7f 28 d0 0d 28 0a 00 02 00 00 06 bf>
	sync : 0
	sha1 : <45 3a 00 44 6b fa 36 e0 ce 31 06 af 9a c1 cf be 3e 4e 31 fd>
	tkid : "com.secmaker.netid.ctk.sctoken:9752288595719137738"
	musr : <>
	cdat : 2021-07-02 11:51:03 +0000
	tomb : 0
	skid : <01 d0 f0 0a 42 64 d5 7e 54 32 74 83 5d 0e 9d 73 93 19 04 a5>
	issr : <31 13 30 11 06 0a 09 92 26 89 93 f2 2c 64 01 19 16 03 63 6f 6d 31 19 30 17 06 0a 09 92 26 89 93 f2 2c 64 01 19 16 09 73 65 63 75 64 74 65 73 74 31 1c 30 1a 06 03 55 04 03 13 13 53 45 43 55 44 54 45 53 54 20 53 55 42 20 43 41 20 56 32>
	accc : constraints: {
			ord : true
		}
		protection: {
			tkid : "com.secmaker.netid.ctk.sctoken:9752288595719137738"
		}
====

The information above can be difficult to read, but it contains everything an application needs to know about the certificates, private keys, and PINs.
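As an added example (not code from SecMaker or Apple), the following shell function summarizes the private key records of the output above with awk: for each key it prints which operations are allowed (sign, decr, unwp) and which PIN the accc constraints require, which is the part an application looks at when it decides whether a key can be used and whether a PIN dialog is needed. The sample input is a constructed, shortened copy in the same record format as the page's output; on a Mac the live output of security export-smartcard can be piped in instead.

```sh
#!/bin/sh
# Added example: summarize private key records from `security export-smartcard`.
# The sample below is constructed (shortened from the page's record format).

SAMPLE_EXPORT=$(cat <<'EOF'
==== private key #1
	decr : 1
	sign : 1
	labl : "Anna Sahlström (SecUDTest Sub CA v2)/Instant IP10 (identification)"
	accc : constraints: {
			od : "PIN1",
			osgn : "PIN1"
		}
		protection: {
			tkid : "com.secmaker.netid.ctk.sctoken:9752288595719137738"
		}
	unwp : 1
====

==== private key #2
	decr : 0
	sign : 1
	labl : "Anna Sahlström (SecUDTest Sub CA v2)/Instant IP10 (signature)"
	accc : constraints: {
			osgn : "PIN2"
		}
		protection: {
			tkid : "com.secmaker.netid.ctk.sctoken:9752288595719137738"
		}
	unwp : 0
====

==== certificate #1
	class : "cert"
	labl : "ignored: not a private key record"
====
EOF
)

# Reads export-smartcard output on stdin and prints one line per private key:
# allowed operations (sign/decr/unwp) and the PIN named in the accc constraints.
summarize_keys() {
  awk '
    /^==== private key #/ { n = $4; inrec = 1; label = ""; sign = 0; decr = 0; unwp = 0; pin = ""; next }
    inrec && /^[ \t]*====$/ {
      printf "private key %s: sign=%s decr=%s unwp=%s pin=%s label=%s\n", n, sign, decr, unwp, (pin == "" ? "none" : pin), label
      inrec = 0; next
    }
    !inrec { next }                                  # skip identities and certificates
    /^[ \t]*labl :/ { sub(/^[^"]*"/, ""); sub(/"[ \t]*$/, ""); label = $0 }
    /^[ \t]*sign :/ { sign = $3 }
    /^[ \t]*decr :/ { decr = $3 }
    /^[ \t]*unwp :/ { unwp = $3 }
    /accc : constraints:/ { incons = 1; next }       # constraints block starts
    incons && /^[ \t]*}/ { incons = 0 }              # and ends at the first "}"
    incons && /"PIN[0-9]+"/ {
      # the same PIN may be listed for several operations (od, osgn); record it once
      match($0, /"PIN[0-9]+"/); p = substr($0, RSTART + 1, RLENGTH - 2)
      if (index(pin, p) == 0) pin = (pin == "" ? p : pin "," p)
    }
  '
}

# Runs the summary over the constructed sample.
demo() { printf '%s\n' "$SAMPLE_EXPORT" | summarize_keys; }

# On a Mac with a card inserted, use the live output instead:
#   security export-smartcard | summarize_keys
demo
```

The summary makes the two keys' policies visible at a glance: the identification key allows sign, decrypt and unwrap under PIN1, while the signature key allows only signing under PIN2, matching the accc constraints in the records above.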

Show information of all inserted smart cards — simple view #1

This command shows information that is easier to read and understand, and it also covers the older Tokend modules.

Synopsis

system_profiler SPSmartCardsDataType

Output

$ system_profiler SPSmartCardsDataType

SmartCards:

    Readers:

      #01: OMNIKEY AG 3121 USB (ATR:{length = 20, bytes = 0x3b7f96000080318065b084534e0f1202f0829000})

    Reader Drivers:

      #01: org.debian.alioth.pcsclite.smartcardccid:1.4.32 (/usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle)

    SmartCard Drivers:

      #01: com.secmaker.netid.ctk.sctoken:1.0.2 (/Applications/Net iD.app/Contents/PlugIns/CryptoTokenKit.appex)
      #02: com.apple.CryptoTokenKit.pivtoken:1.0 (/System/Library/Frameworks/CryptoTokenKit.framework/PlugIns/pivtoken.appex)

    Available SmartCards (keychain):

        com.apple.setoken:

        com.apple.setoken:aks:

        com.secmaker.netid.ctk.sctoken:9752288595719137738:

          #01: Kind: private RSA 2048-bit, Certificate: {length = 20, bytes = 0xa379820bec88f4f2d1403f3d3c6ced57f5af4aba}, Usage: Sign
Valid from: 2021-07-02 09:31:40 +0000 to: 2026-07-01 09:31:40 +0000, SSL trust: NO, X509 trust: YES

-----BEGIN CERTIFICATE-----
MIIHdjCCBV6gAwIBAgITPQAABr5x6AMOdExRHgACAAAGvjANBgkqhkiG9w0BAQsFADBOMRMwEQYKCZImiZPyLGQBGRYDY29tMRkwFwYKCZImiZPyLGQBGRYJc2VjdWR0ZXN0MRwwGgYDVQQDExNTZWNVRFRlc3QgU3ViIENBIHYyMB4XDTIxMDcwMjA5MzE0MFoXDTI2MDcwMTA5MzE0MFowXDEVMBMGA1UEBRMMMTk4ODA4MTU3NTI2MQswCQYDVQQGEwJTRTEOMAwGA1UEBxMFTmFja2ExDDAKBgNVBAoTA0xhYjEYMBYGA1UEAwwPQW5uYSBTYWhsc3Ryw7ZtMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1prvoaYXX96571K2B0F2oA+LUiTW8G5c02hmHKYStZ7nGm6YJULVQ0v+qlPuKxHf3e9V1Df5pvz6zU8JATGCyDXba+8DDxI9f835MH2U9jkxp30ZJF9zHKCcWowFPF1BSNbzWKIT9VDPmc/WpwYpe2nB9+PGevMCbdz2WRjIrym9AixqKnxOAaoIShf/cptmJ+5FDB3gq3leHvs/fl9986BXnY9Kr3cwM4NZQi+hIZPqQyzuWBGHGnPNjiEg6d+QoDlVZBwk1lRLaozd5Vb6Sijta1u4OE8hyKzisD8/kah3DryB0U3YUO8lDkQA4qOjb3d4stoDWLjTe3E9H33YOwIDAQABo4IDPTCCAzkwDgYDVR0PAQH/BAQDAgZAMB0GA1UdDgQWBBSjeYIL7Ij08tFAPz08bO1X9a9KujAfBgNVHSMEGDAWgBTjCa1bLjLJMF5/U0nBCttDNfjn4TCCASMGA1UdHwSCARowggEWMIIBEqCCAQ6gggEKhoHIbGRhcDovLy9DTj1TZWNVRFRlc3QlMjBTdWIlMjBDQSUyMHYyKDIpLENOPXN1LWNhc3J2MDEsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9c2VjdWR0ZXN0LERDPWNvbT9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnSGPWh0dHA6Ly9jcmwuc2VjdWR0ZXN0LmNvbS9DRFAvU2VjVURUZXN0JTIwU3ViJTIwQ0ElMjB2MigyKS5jcmwwggEzBggrBgEFBQcBAQSCASUwggEhMIG6BggrBgEFBQcwAoaBrWxkYXA6Ly8vQ049U2VjVURUZXN0JTIwU3ViJTIwQ0ElMjB2MixDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1zZWN1ZHRlc3QsREM9Y29tP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MGIGCCsGAQUFBzAChlZodHRwOi8vY3JsLnNlY3VkdGVzdC5jb20vQ0RQL3N1LWNhc3J2MDEuc2VjdWR0ZXN0LmNvbV9TZWNVRFRlc3QlMjBTdWIlMjBDQSUyMHYyKDIpLmNydDA9BgkrBgEEAYI3FQcEMDAuBiYrBgEEAYI3FQiBzMcqgq/sHYeNlziFtNMuxL1bgVKGu9Ifhq6aPgIBZAIBCDAVBgNVHSUEDjAMBgorBgEEAYI3CgMMMB0GCSsGAQQBgjcVCgQQMA4wDAYKKwYBBAGCNwoDDDAUBgNVHSAEDTALMAkGByqFcEoIAwMwDQYJKoZIhvcNAQELBQADggIBAKOKeHuXPchHHaubV4ctro+jj13rt9I7xPvMHoptB3GIDPVPr9wjZrzjhdSrs5x6d/IiLnrfMscF8jlCxOqM2ffVu04hvQE1ZlayEHlrp1Skvc805uLQTMbyByxJil4edZ7k
QNOxljjPGovZ8XhCqz48yKRrTaNCbVT6q6RrtErTZltVR0YUcOKyD83QJsaEY/9s+b6tvyQ2a2Baj1OBW3lNwZ2YLC+9VmIK87Y0OnkSNqfPnVPaYNfcx3MxaZJOqiKRGs4w/9OCrk+HAFu30CObi7pEbrGIYDx34N39qHYthxO2nWRzqIDfkuckFLDwr0XzdttkpkLmwVQjxvrDXWm/KSUdUmpZ5BZNBDQaBC+R6yMqeCWKi1rDl0gRPM29RtZvQVzyTNTyOBdGuxfkaC6EXmqeUnYfCIgZtLFKDdto/U3CYWssbN2fUdzEUxYNfrKyJTyQLXS8kN5DdyagUNMaGKB8zLzaSY06aQRMxoFXmJoWQs/jH8gUgTWS7noPcm2bADcGnxZvCerm3J0OhgQS8s8zOkRjMRK5dNvUU0nusAYhvb5dDz4hmb+2+sfecw0px8QqdFP4+EUugzaJlw+RyIZ6iCQJntMHBsZ+EdDo7axrx85m0PGLId7+dks8w+ykNXUpFx4J5JZ77mJtVZNsfkC1ZJTR1KYllu0W6T1g
-----END CERTIFICATE-----

          #02: Kind: private RSA 2048-bit, Certificate: {length = 20, bytes = 0x01d0f00a4264d57e543274835d0e9d73931904a5}, Usage: Sign Decrypt Unwrap
Valid from: 2021-07-02 09:31:41 +0000 to: 2026-07-01 09:31:41 +0000, SSL trust: NO, X509 trust: YES

-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----


    Available SmartCards (token):

        com.apple.setoken:

        com.apple.setoken:aks:

        com.secmaker.netid.ctk.sctoken:9752288595719137738:

          #01: Kind: private RSA 2048-bit, Certificate: {length = 20, bytes = 0xa379820bec88f4f2d1403f3d3c6ced57f5af4aba}, Usage: Sign
Valid from: 2021-07-02 09:31:40 +0000 to: 2026-07-01 09:31:40 +0000, SSL trust: NO, X509 trust: YES

-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----

          #02: Kind: private RSA 2048-bit, Certificate: {length = 20, bytes = 0x01d0f00a4264d57e543274835d0e9d73931904a5}, Usage: Sign Decrypt Unwrap
Valid from: 2021-07-02 09:31:41 +0000 to: 2026-07-01 09:31:41 +0000, SSL trust: NO, X509 trust: YES

-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----

Show information of all inserted smart cards — simple view #2

It is possible to get the same information shown in Show information of all inserted smart cards — simple view #1 by using the following procedure.

  1. Click the Apple icon, and then click About This Mac.

  2. On the Overview tab click System Report.

  3. In the menu to the left, go to Software > SmartCards.

Troubleshooting

The most important information above is the certificate row containing information about trust:

Valid from: 2015-04-27 12:01:55 +0000 to: 2020-04-23 21:58:00 +0000, SSL trust: YES, X509 trust: YES
SSL trust: YES

Certificate trusted for Apple Safari.

X509 trust: YES

Certificate trusted for all other purposes, for example Apple Mail.

Information available ⇒ Applications may work
Information missing ⇒ Applications will not work

The note above may look like a strange comment, but it is the simple truth. macOS handles all smart card readers, and the CryptoTokenKit module is called by macOS when a smart card is inserted. The information above is registered by the CryptoTokenKit module, but that part is simple and will basically never fail, so missing information means that macOS has a problem. Unfortunately this means that you need to ask Apple why.

Strategy

  • Smart card successfully detected ⇒ Ask SecMaker about problems

    Example 1. Smart card successfully detected
    secmakers-Mac:~ secmaker$ security list-smartcards
    com.secmaker.netid.ctk.sctoken:9752269885705648365

  • Smart card not found ⇒ Ask Apple about problems

    Example 2. Smart card not found
    secmakers-Mac:~ secmaker$ security list-smartcards
    No smartcards found.
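The strategy above, turned into two small shell checks as an added example (not SecMaker's or Apple's code). Both read command output from stdin so they can be run here against constructed samples that follow the page's terminal output; the function names and verdict messages are this example's own.

```sh
#!/bin/sh
# Added example: triage helpers for the strategy described above.
# Both functions read command output on stdin; the samples below are constructed.

# Verdict from `security list-smartcards` output. No card detected points at the
# reader/driver layer that macOS owns (ask Apple); a detected card means the
# reader works and remaining problems belong to the token module (ask SecMaker).
triage_list_smartcards() {
  out=$(cat)
  case "$out" in
    *"No smartcards found."*)
      echo "no smart card detected: macOS reader/driver layer, ask Apple" ;;
    *)
      # token ids look like <module id>:<card serial>
      n=$(printf '%s\n' "$out" | grep -c '^[A-Za-z0-9.]*:[0-9][0-9]*$') || true
      if [ "$n" -gt 0 ]; then
        echo "$n smart card(s) detected: problems are in the token module, ask SecMaker"
      else
        echo "unrecognized output, inspect manually"
      fi ;;
  esac
}

# Reads the "Valid from ..." rows of `system_profiler SPSmartCardsDataType` and
# maps the two trust flags to the applications the page attributes them to.
# No such row at all is the "information missing" case from the note above.
trust_from_profiler() {
  found=0
  while IFS= read -r line; do
    case "$line" in
      *"SSL trust:"*"X509 trust:"*)
        found=1
        ssl=$(printf '%s\n' "$line" | sed -n 's/.*SSL trust: \([A-Z]*\).*/\1/p')
        x509=$(printf '%s\n' "$line" | sed -n 's/.*X509 trust: \([A-Z]*\).*/\1/p')
        echo "Safari (SSL trust): $ssl; Mail and others (X509 trust): $x509" ;;
    esac
  done
  [ "$found" -eq 1 ] || echo "no certificate trust rows: information missing, applications will not work, ask Apple"
}

# Constructed samples in the format of the page's terminal output.
SAMPLE_FOUND='com.secmaker.netid.ctk.sctoken:9752269885705648365'
SAMPLE_NONE='No smartcards found.'
SAMPLE_PROFILER='          #01: Kind: private RSA 2048-bit, Certificate: {length = 20, bytes = 0xa379820bec88f4f2d1403f3d3c6ced57f5af4aba}, Usage: Sign
Valid from: 2021-07-02 09:31:40 +0000 to: 2026-07-01 09:31:40 +0000, SSL trust: NO, X509 trust: YES'

printf '%s\n' "$SAMPLE_FOUND" | triage_list_smartcards
printf '%s\n' "$SAMPLE_NONE" | triage_list_smartcards
printf '%s\n' "$SAMPLE_PROFILER" | trust_from_profiler
printf '%s\n' '#01: Kind: private RSA 2048-bit' | trust_from_profiler

# On a Mac, run the checks on the live commands:
#   security list-smartcards 2>&1 | triage_list_smartcards
#   system_profiler SPSmartCardsDataType | trust_from_profiler
```

For the sample certificate the second check reports SSL trust NO and X509 trust YES, which following the page's explanation means Apple Mail can use it while Apple Safari will not.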

Trace

The CryptoTokenKit module must run in a sandboxed environment. This is a macOS requirement and cannot be ignored. As a result, this module cannot communicate with other parts of the Client, such as single sign-on. It uses its own configuration and cannot read anything outside of the sandbox.

The installed module with configuration:

/Applications/Net iD.app/Contents/PlugIns/CryptoTokenKit.appex
/Applications/Net iD.app/Contents/PlugIns/CryptoTokenKit.appex/Contents/Resources/netid.conf

The configuration cannot be changed after installation because the component is digitally signed, so trace is always enabled. The CryptoTokenKit module cannot write outside of its sandbox, so the location is set to the temp folder:

[Trace]
Path=%TEMP%/netid.txt

Find the trace file from the terminal

Enter this command in the terminal window:

$ find /var/folders -name "netid.txt" 2>/dev/null

Limitation

Two basic limitations are part of the architecture:

  • Multiple certificates for a private key are not allowed.

  • Not all smart cards are supported.

Multiple certificates

The architecture handles private keys rather than certificates. This behavior is common in North America and is to be expected, since Apple is based in that part of the world. In Northern Europe the use of multiple certificates for each private key is common, since any additional or secondary certificate can rely on the security used to issue the initial certificate.

The limitation comes not from the architecture itself, but from its implementation. Private keys are used by reference, and the unique ID connecting the certificate with the private key is generated by the CryptoTokenKit module. In our case this unique ID is generated from the certificate thumbprint.

In theory it is possible to have multiple private key references using the same private key. Unfortunately, Apple does not allow multiple private key references with the same public key part, which is the only part they know about.

If you think this is a bad practice, please contact Apple and let them know.
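As an added example (not SecMaker's or Apple's code) of how to spot this limitation on a card before users report problems: the awk below reads security export-smartcard output and reports every public key hash (pkhh) that more than one certificate record refers to, since that is the situation in which Apple will not register a second private key reference. The records are constructed; certificate #3 is a hypothetical secondary certificate issued on the identification key, which is exactly the Northern European setup described above.

```sh
#!/bin/sh
# Added example: find certificate records that share a public key hash (pkhh)
# in `security export-smartcard` output. Sample records are constructed.

SAMPLE_CERTS=$(cat <<'EOF'
==== certificate #1
	class : "cert"
	pkhh : <a3 79 82 0b ec 88 f4 f2 d1 40 3f 3d 3c 6c ed 57 f5 af 4a ba>
	labl : "Anna Sahlström (SecUDTest Sub CA v2)/Instant IP10 (signature)"
====

==== certificate #2
	class : "cert"
	pkhh : <01 d0 f0 0a 42 64 d5 7e 54 32 74 83 5d 0e 9d 73 93 19 04 a5>
	labl : "Anna Sahlström (SecUDTest Sub CA v2)/Instant IP10 (identification)"
====

==== certificate #3
	class : "cert"
	pkhh : <01 d0 f0 0a 42 64 d5 7e 54 32 74 83 5d 0e 9d 73 93 19 04 a5>
	labl : "Anna Sahlström (Hypothetical Secondary CA)/Instant IP10 (identification)"
====
EOF
)

# Prints one line per public key hash that is referenced by more than one
# certificate record; prints nothing when every key has exactly one certificate.
shared_keys() {
  awk '
    /^==== certificate #/ { cert = $3; incert = 1; next }
    incert && /^[ \t]*pkhh :/ {
      sub(/^[^<]*</, ""); sub(/>.*$/, ""); gsub(/ /, "")   # "<01 d0 ...>" -> "01d0..."
      hash = $0
      count[hash]++
      certs[hash] = certs[hash] (certs[hash] == "" ? "" : ",") cert
    }
    incert && /^[ \t]*====$/ { incert = 0 }
    END {
      for (h in count)
        if (count[h] > 1)
          printf "pkhh %s is used by %d certificates (%s)\n", h, count[h], certs[h]
    }
  '
}

printf '%s\n' "$SAMPLE_CERTS" | shared_keys

# On a Mac: security export-smartcard | shared_keys
```

An empty result means the card is within the limitation; any reported hash identifies the certificates among which only one private key reference can exist.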

Smart card support

The smart card reader support is implemented by macOS. Using any other implementation, such as PC/SC Lite, is not allowed. The limitation is not the smart card itself, but rather that the smart card reader driver is implemented by Apple and unfortunately is not as stable as PC/SC Lite.

Thus, you must verify that the smart card works with a specific smart card reader. As long as the smart card is detected and it is possible to read the certificate, it should work. Still, there are some issues with smart card removal, so make sure to verify that the certificates disappear when the card is removed.