Client certificate authentication using CTK extension in iOS device

Hi, I want to support client certificate authentication for a URL loaded in WKWebView. The certificate is in a smartcard that is connected to the iOS device through a Lightning port smart card reader. For a USB-C type reader, iOS supports this out of the box. But for the Lightning port reader, I thought of writing a CTK extension to access the smartcard and read the certificate. I have a smart card SDK to access the smartcard. Could you please let me know which extension should be used for this purpose? There are 2 types of extensions available in Xcode: Smartcard extension and Persistent Token extension. Which one should be used for this case? When I tried the persistent token extension, it seems to hit the sign function inside the TokenSession class, but with the smartcard extension it is not getting called when I try to access the URL in WKWebView after certificate selection. Also the smartcard SDK has an EAAccessory framework dependency. Is EAAccessory allowed to be used in a CTK extension? https://developer.apple.com/forums/thread/111691?answerId=342707022 says EAAccessory is not working inside an app extension. Thanks in advance.

Does the smart card CTK extension detect the smartcard connected through the Lightning port, or does the vendor smartcard SDK have to do the smartcard detection?

But for the Lightning port reader, I thought of writing a CTK extension to access the smartcard and read the certificate.

Normally I just connect a USB smart card reader via the Lightning to USB Camera Adapter. Does that not work with your reader?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@eskimo I am developing a CTK extension in order to access Client Authentication SSL websites with certificates installed on smartcards. My reader is a Lightning port reader. Here are a few questions:

  1. What is the difference between a Smartcard extension and a Persistent Token extension? Which one should I use?
  2. Since my smartcard reader has a Lightning port, I am curious to know if EAAccessory is allowed to be used in a CTK extension. https://developer.apple.com/forums/thread/111691?answerId=342707022 says EAAccessory is not working inside an app extension. Kindly confirm.

What is the difference between a Smartcard extension and a Persistent Token extension?

A persistent token extension allows you to create an entirely virtual token. A smart card extension is meant to present a smart card interface, with cards being inserted and removed, APDU stuff, and so on.

Which one should I use?

That depends on how much your reader looks like a traditional smart card reader. It sounds like it’s very close, in which case a smart card extension would make sense.

Since my smartcard reader has a Lightning port, I am curious to know if EAAccessory is allowed to be used in a CTK extension.

I don’t know. This is more of an EA question than a CTK question, and that’s not an area in which I maintain expertise.

I know that some CTK extensions do the crypto in their container app rather than in the appex. This is necessary for technologies, like Core NFC, where the API only works in an app. That process is rather convoluted, but it does work. I helped a developer go down that path once, and my final advice was to use a Unix domain socket to communicate between the appex and the app. This works because CTK won’t allow the appex to be suspended while there’s a signing request in flight, so the appex keeps running when the user switches to the container app to interact with NFC.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
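The appex-to-container-app hand-off described above can be modelled as a small length-prefixed request/response protocol over a Unix domain socket. The following is an added example, not code from this thread or from Apple: it runs on a desktop as a model of the pattern, with a thread standing in for the container app, an HMAC standing in for the card's signature (a constructed stand-in; the real app would hand the data to the card via the vendor SDK), and a socket path, message format and key ID that are all assumptions. On iOS the appex and app would use the same POSIX socket calls from Swift, with the socket file placed in a shared app group container.

```python
import hashlib
import hmac
import json
import os
import socket
import struct
import tempfile
import threading

# Constructed stand-in for the smart card: key object IDs mapped to secrets.
CARD_KEYS = {"auth-key-1": b"constructed-demo-secret"}
DEMO_DATA = b"constructed data to sign (e.g. a TLS CertificateVerify input)"

HEADER = struct.Struct(">I")  # 4-byte big-endian length prefix per frame
MAX_FRAME = 64 * 1024         # refuse oversized frames from either side


def recv_exact(conn, n):
    """Read exactly n bytes or fail; recv() may return short reads."""
    buf = bytearray()
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the socket mid-frame")
        buf += chunk
    return bytes(buf)


def send_frame(conn, obj):
    payload = json.dumps(obj).encode()
    conn.sendall(HEADER.pack(len(payload)) + payload)


def recv_frame(conn):
    (length,) = HEADER.unpack(recv_exact(conn, HEADER.size))
    if length > MAX_FRAME:
        raise ValueError(f"frame too large: {length}")
    return json.loads(recv_exact(conn, length))


def card_sign(key_id, data):
    """Stand-in for the card signing: HMAC-SHA256 keyed per key object ID."""
    secret = CARD_KEYS.get(key_id)
    if secret is None:
        raise KeyError(f"no key {key_id!r} on card")
    return hmac.new(secret, data, hashlib.sha256).digest()


def serve_one(conn):
    """Container-app side: answer a single sign request, then close."""
    try:
        req = recv_frame(conn)
        if req.get("op") != "sign":
            send_frame(conn, {"ok": False, "error": "unsupported op"})
            return
        sig = card_sign(req["key"], bytes.fromhex(req["data"]))
        send_frame(conn, {"ok": True, "sig": sig.hex()})
    except (KeyError, ValueError, ConnectionError) as exc:
        try:
            send_frame(conn, {"ok": False, "error": str(exc)})
        except OSError:
            pass
    finally:
        conn.close()


def start_container_app_server(sock_path):
    """Listen on the shared socket path; returns an Event that stops the server."""
    if os.path.exists(sock_path):
        os.unlink(sock_path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)          # path must fit sun_path (104 bytes on Darwin)
    os.chmod(sock_path, 0o600)   # only the same user/app group may connect
    srv.listen(4)
    srv.settimeout(0.2)          # lets the accept loop notice the stop flag
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            conn.settimeout(10)
            threading.Thread(target=serve_one, args=(conn,), daemon=True).start()
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return stop


def request_signature(sock_path, key_id, data, timeout=30.0):
    """Appex side: forward a sign request and return the signature bytes."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.settimeout(timeout)    # bound how long the signing request stays in flight
        c.connect(sock_path)
        send_frame(c, {"op": "sign", "key": key_id, "data": data.hex()})
        resp = recv_frame(c)
    if not resp.get("ok"):
        raise RuntimeError(f"container app refused signing: {resp.get('error')}")
    return bytes.fromhex(resp["sig"])


def run_demo(key_id):
    """Run one round trip; returns ("ok", signature) or ("refused", error text)."""
    sock_path = os.path.join(tempfile.mkdtemp(), "ctk.sock")  # assumed location
    stop = start_container_app_server(sock_path)
    try:
        return ("ok", request_signature(sock_path, key_id, DEMO_DATA))
    except RuntimeError as exc:
        return ("refused", str(exc))
    finally:
        stop.set()
        os.unlink(sock_path)


if __name__ == "__main__":
    print(run_demo("auth-key-1"))
```

The length prefix and size cap matter because both ends must agree on frame boundaries over a stream socket, and the appex should never allocate based on an unchecked length from its peer. The client timeout is the appex's own guard: CTK keeps the appex alive while the request is in flight, but the user may never finish the interaction in the container app, so the signing call should fail cleanly rather than hang indefinitely.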

Thanks for your support. Could you please clarify the following doubts?

  1. We want to support client certificate authentication using Lightning port smart card readers. Could you please let me know if there are any advantages in using a smart card token extension here? Does the smartcard extension handle card insertion and detection for a Lightning port smart card reader? Or do we have to use a persistent token extension as we are already doing?
  2. One thing we want to support is the automatic insertion of the certificates present in the smartcard into the keychain configuration whenever the smart card is detected, and removing them once the card is removed. This will avoid the necessity of users having to manually add the certificate to the configuration, which they can later select during client certificate authentication. Could you please let me know which token extension is suitable for this? Does the smartcard token extension do smartcard detection itself for Lightning port readers? Or, if we have to do the smartcard detection ourselves using the vendor smartcard SDK in the CTK extension, then what is the life cycle of the CTK extension? Is it launched when the device boots and will it be running as a background process?
  3. You also mentioned another approach of routing the request from the CTK extension to the app using Unix domain sockets. Is this the recommended way instead of integrating the vendor smartcard SDK in the CTK extension itself?
  4. Also, could you please let me know if this https://twocanoes.com/knowledge-base/fb9876464-cryptotokenkit-extension-stops-working-when-replacing-container-app-until-reboot/ issue will be fixed in coming releases.

Thanks.
