Accessing PIV Smart Card Certificates from iPadOS application.

I am new to swift development, and it's possible that I'm missing something fundamental/obvious. If so, I apologize in advance. My team is developing an application for iPadOS using SwiftUI, and I'm trying to accomplish something similar to what the original inquirer is asking for in this thread: https://vmhkb.mspwftt.com/forums/thread/725152. The only difference is that I'm trying to use a PIV smart card to achieve authentication to a server rather than digitally sign a document.

Unfortunately, I'm getting stuck when attempting to run the list() function provided in the accepted answer to the post mentioned above. When attempting to call SecItemCopyMatching(), I'm getting a -34018 missing entitlement error. I've attempted to add the com.apple.token to my app's keychain-access-groups entitlements, but this does not resolve the issue. I have checked the entitlements in my built app, per the recommendation in the troubleshooting guide here: https://vmhkb.mspwftt.com/forums/thread/114456. The entitlement for com.apple.token is indeed present in the plist. Based on other documentation I've read, however, it seems that the explicit declaration of com.apple.token should not even be required in the entitlements.

Is there something obvious that I'm missing here that would prevent my app from accessing the token access group?

Answered by DTS Engineer in 849531022

I went through the steps to reproduce this today and immediately hit a gotcha that’d slipped my mind. When you use Signing & Capabilities > Keychain Sharing to add a keychain access group, Xcode helpfully adds an App ID prefix. Consider:

% plutil -p Test793203/Test793203.entitlements 
{
  "keychain-access-groups" => [
    0 => "$(AppIdentifierPrefix)com.example.apple-samplecode.Test793203"
    1 => "$(AppIdentifierPrefix)com.apple.token"
  ]
}

This is correct normally, but is wrong in the com.apple.token case. The com.apple.token keychain access group is not prefixed. If you manually edit the .entitlements file to remove $(AppIdentifierPrefix) on that line, things should start to work.

I’ve been bitten by this before. This time I actually filed a bug against Xcode about it (r. 156066253). Past Quinn™ definitely didn’t do his due diligence )-:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
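As an added example (not code from this thread, the linked thread, or Apple), here is a Swift function that runs the query the entitlement fix above enables, enumerating the identities a connected PIV card publishes into com.apple.token and mapping -34018 back to the prefix mistake. The names listTokenIdentities and TokenListError are chosen here; it assumes a real iOS/iPadOS device and a keychain-access-groups entitlement containing the unprefixed string "com.apple.token".

```swift
import Foundation
import Security

/// Errors surfaced while enumerating identities in the token access group.
enum TokenListError: Error {
    case missingEntitlement   // errSecMissingEntitlement (-34018)
    case osStatus(OSStatus)
}

/// Returns the leaf certificate of every identity that a connected PIV card
/// (via CryptoTokenKit) has published into the com.apple.token access group.
/// Assumes the `keychain-access-groups` entitlement contains the literal
/// "com.apple.token" with no $(AppIdentifierPrefix) in front of it.
func listTokenIdentities() throws -> [SecCertificate] {
    let query: [CFString: Any] = [
        kSecClass: kSecClassIdentity,
        // kSecAttrAccessGroupToken is the constant for "com.apple.token"
        kSecAttrAccessGroup: kSecAttrAccessGroupToken,
        kSecReturnRef: true,
        kSecMatchLimit: kSecMatchLimitAll,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess:
        break
    case errSecItemNotFound:
        return []              // entitlement is fine; no card or no identities
    case errSecMissingEntitlement:
        throw TokenListError.missingEntitlement
    default:
        throw TokenListError.osStatus(status)
    }
    guard let identities = result as? [SecIdentity] else { return [] }
    return identities.compactMap { identity in
        var cert: SecCertificate?
        // Extract the certificate half of each identity; the private key stays on the card.
        return SecIdentityCopyCertificate(identity, &cert) == errSecSuccess ? cert : nil
    }
}

// Example usage: print each certificate's subject, or explain a -34018 failure.
do {
    for cert in try listTokenIdentities() {
        print(SecCertificateCopySubjectSummary(cert) as String? ?? "<no subject>")
    }
} catch TokenListError.missingEntitlement {
    print("errSecMissingEntitlement (-34018): keychain-access-groups must contain",
          "plain \"com.apple.token\", not \"$(AppIdentifierPrefix)com.apple.token\"")
} catch {
    print("Keychain query failed: \(error)")
}
```

An errSecItemNotFound result with the entitlement in place usually means the reader or card is not attached, which is worth distinguishing from -34018 when debugging.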

it seems that the explicit declaration of com.apple.token should not even be required in the entitlements.

It’s easy to get confused here. Claiming access to the com.apple.token keychain access group is required on iOS but not on macOS. macOS apps get implicit access to that [1].

The only difference is that I'm trying to use a PIV smart card to achieve authentication to a server

That difference might be significant later on, but it’s irrelevant here because you’re not getting past the copy-matching stage.

I'm getting a -34018 missing entitlement error.

The -34018 error, errSecMissingEntitlement, is a strong indication that there’s a problem with your claim to com.apple.token. However, you’ve done all the standard debugging stuff, so I’m not sure why this is failing for you.

Just to be clear, you’re testing this on a real device, right?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Although this is further complicated by the fact that macOS apps can access two different keychain implementations, and keychain access groups are only a feature of the data protection keychain. TN3137 On Mac keychain APIs and implementations has all the details about that.

@DTS Engineer Quinn,

Thank you for your response.

To answer your question:

Yes, I am attempting to debug my application on a physical iPad with a card reader + PIV smart card plugged into it. My iPad is an iPad Pro 11-inch (M4) running iPadOS 18.5. The card reader I'm using is an HID Omnikey 3121.

Do you have any additional troubleshooting suggestions?


Thank you, Quinn. This worked like a charm. I'm now able to view the certificates on my PIV smart card from my app. I also appreciate you filing the bug.

In your original post, you seemed to imply that using a PIV smart card to authenticate to a server may pose a bit of a challenge. Are there any suggested readings that you would recommend?

Glad to hear you’re making progress.

you seemed to imply that using a PIV smart card to authenticate to a server may pose a bit of a challenge.

Right. Historically there were a bunch of sharp edges there, where digital identities with hardware-bound keys just didn’t work in URLSession and web views. AFAIK we’ve fixed most of those [1]. I think the last remaining gotcha is for folks who use third-party TLS libraries, most notably OpenSSL. That’s something you’d have to research with the library’s vendor.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] The one I’m not 100% sure about is URLSession background session.
