Add key and certificate labels in ui, and slight refactoring

SecureEnclaveToken.xcodeproj/project.pbxproj

@@ -439,6 +439,7 @@
 					"@executable_path/../Frameworks",
 				);
 				MACOSX_DEPLOYMENT_TARGET = 10.15;
+				MARKETING_VERSION = 1.0.1;
 				PRODUCT_BUNDLE_IDENTIFIER = com.mwielgoszewski.SecureEnclaveToken;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				SWIFT_VERSION = 5.0;
@@ -468,6 +469,7 @@
 					"@executable_path/../Frameworks",
 				);
 				MACOSX_DEPLOYMENT_TARGET = 10.15;
+				MARKETING_VERSION = 1.0.1;
 				PRODUCT_BUNDLE_IDENTIFIER = com.mwielgoszewski.SecureEnclaveToken;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				SWIFT_VERSION = 5.0;
@@ -488,6 +490,7 @@
 					"@executable_path/../Frameworks",
 					"@executable_path/../../../../Frameworks",
 				);
+				MARKETING_VERSION = 1.0.1;
 				PRODUCT_BUNDLE_IDENTIFIER = com.mwielgoszewski.SecureEnclaveToken.SecureEnclaveTokenExtension;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				SKIP_INSTALL = YES;
@@ -509,6 +512,7 @@
 					"@executable_path/../Frameworks",
 					"@executable_path/../../../../Frameworks",
 				);
+				MARKETING_VERSION = 1.0.1;
 				PRODUCT_BUNDLE_IDENTIFIER = com.mwielgoszewski.SecureEnclaveToken.SecureEnclaveTokenExtension;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				SKIP_INSTALL = YES;

SecureEnclaveToken/ContentView.swift

@@ -12,8 +12,10 @@ import CertificateSigningRequest
 
 struct ContentView: View {
     @State private var keysIsEmpty = false
-    @State private var loadButton = "Query Token Configuration"
+    @State private var loadButton = "Query Token"
     @State private var keysLoaded = 0
+    @State private var certificateLabel = ""
+    @State private var keyLabel = ""
     @State private var generateKeyDescription = ""
     @State private var showDeleteConfirmation = false
     @State private var commonName = ""
@@ -76,7 +78,6 @@ struct ContentView: View {
 
     var body: some View {
         let tag = "com.mwielgoszewski.SecureEnclaveToken.Key".data(using: .utf8)!
-        var keysLoaded = tokenConfig.keychainItems.count
 
         VStack(alignment: .leading, spacing: 5) {
             HStack {
@@ -90,16 +91,33 @@ struct ContentView: View {
                             let certificate = panel.url!.absoluteURL
                             _ = loadCertificateForTagIntoTokenConfig(certificatePath: certificate, tag: tag, tokenConfig: tokenConfig)
                         }
-                    } else if self.loadButton == "Unload SE Keys" {
+                    } else if self.loadButton == "Unload Token" {
                         tokenConfig.keychainItems.removeAll()
                     }
-                    self.loadButton = tokenConfig.keychainItems.isEmpty ? "Load SE Keys" : "Unload SE Keys"
+                    self.loadButton = tokenConfig.keychainItems.isEmpty ? "Load Token" : "Unload Token"
                     keysLoaded = tokenConfig.keychainItems.count
 
+                    if keysLoaded > 0 {
+                        do {
+                            let tkcert = try tokenConfig.certificate(for: tag)
+                            let tkkey  = try tokenConfig.key(for: tag)
+                            certificateLabel = " • \(tkcert.label ?? "")"
+                            keyLabel = " • \(tkkey.label ?? "")"
+                        } catch {
+                        }
+                    } else {
+                        certificateLabel = ""
+                        keyLabel = ""
+                    }
+
                 }) {
                     Text(loadButton)
                 }
-                Text("\(keysLoaded) token keychain items loaded")
+                VStack(alignment: .leading) {
+                    Text("\(keysLoaded) token keychain items loaded")
+                    Text(certificateLabel)
+                    Text(keyLabel)
+                }
             }
 
             HStack(alignment: .top) {

SecureEnclaveToken/Info.plist

@@ -17,13 +17,15 @@
 	<key>CFBundlePackageType</key>
 	<string>$(PRODUCT_BUNDLE_PACKAGE_TYPE)</string>
 	<key>CFBundleShortVersionString</key>
-	<string>1.0</string>
+	<string>$(MARKETING_VERSION)</string>
 	<key>CFBundleVersion</key>
 	<string>1</string>
 	<key>LSApplicationCategoryType</key>
 	<string>public.app-category.utilities</string>
 	<key>LSMinimumSystemVersion</key>
 	<string>$(MACOSX_DEPLOYMENT_TARGET)</string>
+	<key>NSHumanReadableCopyright</key>
+	<string>Marcin Wielgoszewski</string>
 	<key>NSMainStoryboardFile</key>
 	<string>Main</string>
 	<key>NSPrincipalClass</key>

SecureEnclaveToken/SecureEnclaveTokenUtils.swift

@@ -7,6 +7,7 @@
 
 import Foundation
 import Security
+import CryptoKit
 import CryptoTokenKit
 
 func generateKeyInEnclave(tag: Data, accessibility: CFString, accessControlFlags: Int) -> SecKey {
@@ -95,7 +96,7 @@ func deleteSecureEnclaveKey(tag: Data) -> Bool {
     return status == errSecSuccess
 }
 
-func loadCertificateForTagIntoTokenConfig(certificatePath: URL, tag: Data, tokenConfig: TKToken.Configuration) -> Bool {
+func loadCertificateForTagIntoTokenConfig(certificatePath: URL, tag: Data, tokenConfig: TKToken.Configuration) -> SecCertificate? {
 
     if FileManager.default.fileExists(atPath: certificatePath.path) {
         do {
@@ -122,27 +123,36 @@ func loadCertificateForTagIntoTokenConfig(certificatePath: URL, tag: Data, token
                 throw NSError()
             }
 
+            let publicKeyHash = Insecure.SHA1.hash(data: bytes)
+
+            var commonName: CFString?
+            _ = SecCertificateCopyCommonName(certificate, &commonName)
+
             let tokenCertificate = TKTokenKeychainCertificate(certificate: certificate, objectID: tag)
-            tokenCertificate?.label = "se certificate"
+            tokenCertificate?.label = "Certificate for PIV Authentication (\(commonName ?? "Secure Enclave" as CFString))"
 
             let tokenKey = TKTokenKeychainKey(certificate: certificate, objectID: tag)
-            tokenKey?.label = "se key"
+            tokenKey?.label = "PIV AUTH key"
             tokenKey?.canSign = true
             tokenKey?.canPerformKeyExchange = true
             tokenKey?.isSuitableForLogin = true
             tokenKey?.canDecrypt = false
+            tokenKey?.applicationTag = tag
+            tokenKey?.keySizeInBits = 256
+            tokenKey?.keyType = kSecAttrKeyTypeECSECPrimeRandom as String
+            tokenKey?.publicKeyData = bytes
+            tokenKey?.publicKeyHash = publicKeyHash.data
 
             tokenConfig.keychainItems.append(tokenKey!)
             tokenConfig.keychainItems.append(tokenCertificate!)
-            return true
+            return certificate
         } catch {
             print("Failed to create cert??")
-            return false
         }
     } else {
         print("Certificate is not a file")
     }
-    return false
+    return nil
 }
 
 func importCertificateAndCreateSecIdentity(key: SecKey, certificatePath: URL, tag: Data) -> SecIdentity? {

SecureEnclaveTokenExtension/Info.plist

@@ -17,7 +17,7 @@
 	<key>CFBundlePackageType</key>
 	<string>$(PRODUCT_BUNDLE_PACKAGE_TYPE)</string>
 	<key>CFBundleShortVersionString</key>
-	<string>1.0</string>
+	<string>$(MARKETING_VERSION)</string>
 	<key>CFBundleVersion</key>
 	<string>1</string>
 	<key>LSMinimumSystemVersion</key>

SecureEnclaveTokenExtension/Token.swift

@@ -14,6 +14,13 @@ class Token: TKSmartCardToken, TKTokenDelegate {
         NSLog("Got instanceID: \(configuration.instanceID)")
         super.init(smartCard: smartCard, aid: nil, instanceID: configuration.instanceID, tokenDriver: tokenDriver)
         self.keychainContents?.fill(with: configuration.keychainItems)
+        do {
+            let tag = "com.mwielgoszewski.SecureEnclaveToken.Key".data(using: .utf8)!
+            let certificate = try self.keychainContents?.certificate(forObjectID: tag)
+            NSLog("Got certificate for \(String(describing: certificate?.label)) -> \(String(describing: certificate?.data.base64EncodedString()))")
+        } catch {
+            NSLog("Failed pulling certificate")
+        }
         NSLog("Got keychain items: \(String(describing: self.keychainContents?.items.count))")
     }
 

SecureEnclaveTokenExtension/TokenDriver.swift

@@ -18,5 +18,4 @@ class TokenDriver: TKSmartCardTokenDriver, TKSmartCardTokenDriverDelegate {
     func tokenDriver(_ driver: TKSmartCardTokenDriver, createTokenFor smartCard: TKSmartCard, aid AID: Data?) throws -> TKSmartCardToken {
         return try Token(smartCard: smartCard, aid: AID, tokenDriver: self)
     }
-
 }