{"id":"31dd4945-f7cd-4895-b78e-12462cc5b96f","shortId":"vF9ew5","kind":"skill","title":"cryptotokenkit","tagline":"Access security tokens and smart cards using CryptoTokenKit. Use when building token driver extensions with TKTokenDriver and TKToken, communicating with smart cards via TKSmartCard, implementing certificate-based authentication, managing token sessions, or integrating hardware s","description":"# CryptoTokenKit\n\nAccess security tokens and the cryptographic assets they store using the\nCryptoTokenKit framework. Covers token driver extensions, smart card\ncommunication, token sessions, keychain integration, and certificate-based\nauthentication. Targets Swift 6.3.\n\n**Platform availability:** CryptoTokenKit is primarily a macOS framework.\nSmart card reader access (`TKSmartCard`, `TKSmartCardSlotManager`) requires\nmacOS. Token extension APIs (`TKTokenDriver`, `TKToken`, `TKTokenSession`)\nare macOS-only. Client-side token watching (`TKTokenWatcher`) and keychain\nqueries filtered by `kSecAttrTokenID` are available on iOS 14+/macOS 11+.\nNFC smart card slot sessions are available on iOS 16.4+.\n\n## Contents\n\n- [Architecture Overview](#architecture-overview)\n- [Token Extensions](#token-extensions)\n- [Token Sessions](#token-sessions)\n- [Smart Card Communication](#smart-card-communication)\n- [Keychain Integration](#keychain-integration)\n- [Certificate Authentication](#certificate-authentication)\n- [Token Watching](#token-watching)\n- [Error Handling](#error-handling)\n- [Common Mistakes](#common-mistakes)\n- [Review Checklist](#review-checklist)\n- [References](#references)\n\n## Architecture Overview\n\nCryptoTokenKit bridges hardware security tokens (smart cards, USB tokens)\nwith macOS authentication and keychain services. The framework has two main\nusage modes:\n\n**Token driver extensions** (macOS only) -- App extensions that make a\nhardware token's cryptographic items available to the system. The driver\nhandles token lifecycle, session management, and cryptographic operations.\n\n**Client-side token access** (macOS + iOS) -- Apps query the keychain for\nitems backed by tokens. CryptoTokenKit automatically exposes token items as\nstandard keychain entries when a token is present.\n\n### Key Types\n\n| Type | Role | Platform |\n|---|---|---|\n| `TKTokenDriver` | Base class for token driver extensions | macOS |\n| `TKToken` | Represents a hardware cryptographic token | macOS |\n| `TKTokenSession` | Manages authentication state for a token | macOS |\n| `TKSmartCardTokenDriver` | Entry point for smart card extensions | macOS |\n| `TKSmartCard` | Low-level smart card communication | macOS |\n| `TKSmartCardSlotManager` | Discovers and manages card reader slots | macOS |\n| `TKTokenWatcher` | Observes token insertion and removal | macOS, iOS 14+ |\n| `TKTokenKeychainKey` | A key stored on a token | macOS |\n| `TKTokenKeychainCertificate` | A certificate stored on a token | macOS |\n\n## Token Extensions\n\nA token driver is a macOS app extension that makes a hardware token's\ncryptographic capabilities available to the system. The host app exists\nonly as a delivery mechanism for the extension.\n\nA smart card token extension has three core classes:\n\n1. **TokenDriver** (subclass of `TKSmartCardTokenDriver`) -- entry point\n2. **Token** (subclass of `TKSmartCardToken`) -- represents the token\n3. **TokenSession** (subclass of `TKSmartCardTokenSession`) -- handles operations\n\n### Driver Class\n\n```swift\nimport CryptoTokenKit\n\nfinal class TokenDriver: TKSmartCardTokenDriver, TKSmartCardTokenDriverDelegate {\n func tokenDriver(\n _ driver: TKSmartCardTokenDriver,\n createTokenFor smartCard: TKSmartCard,\n aid: Data?\n ) throws -> TKSmartCardToken {\n return try Token(\n smartCard: smartCard,\n aid: aid,\n instanceID: \"com.example.token:\\(smartCard.slot.name)\",\n tokenDriver: driver\n )\n }\n}\n```\n\n### Token Class\n\nThe token reads certificates and keys from hardware and populates its\nkeychain contents:\n\n```swift\nfinal class Token: TKSmartCardToken, TKTokenDelegate {\n init(\n smartCard: TKSmartCard, aid: Data?,\n instanceID: String, tokenDriver: TKSmartCardTokenDriver\n ) throws {\n try super.init(\n smartCard: smartCard, aid: aid,\n instanceID: instanceID, tokenDriver: tokenDriver\n )\n self.delegate = self\n\n let certData = try readCertificate(from: smartCard)\n guard let cert = SecCertificateCreateWithData(nil, certData as CFData) else {\n throw TKError(.corruptedData)\n }\n\n let certItem = TKTokenKeychainCertificate(certificate: cert, objectID: \"cert-auth\")\n let keyItem = TKTokenKeychainKey(certificate: cert, objectID: \"key-auth\")\n keyItem?.canSign = true\n keyItem?.canDecrypt = false\n keyItem?.isSuitableForLogin = true\n\n self.keychainContents?.fill(with: [certItem!, keyItem!])\n }\n\n func createSession(_ token: TKToken) throws -> TKTokenSession {\n TokenSession(token: token)\n }\n}\n```\n\n### Info.plist and Registration\n\nThe extension's `Info.plist` must name the driver class:\n\n```\nNSExtension\n NSExtensionAttributes\n com.apple.ctk.driver-class = $(PRODUCT_MODULE_NAME).TokenDriver\n NSExtensionPointIdentifier = com.apple.ctk-tokens\n```\n\nRegister the extension once by launching the host app as `_securityagent`:\n\n```shell\nsudo -u _securityagent /Applications/TokenHost.app/Contents/MacOS/TokenHost\n```\n\n## Token Sessions\n\n`TKTokenSession` manages authentication state and performs cryptographic\noperations via its delegate.\n\n```swift\nfinal class TokenSession: TKSmartCardTokenSession, TKTokenSessionDelegate {\n func tokenSession(\n _ session: TKTokenSession,\n supports operation: TKTokenOperation,\n keyObjectID: TKToken.ObjectID,\n algorithm: TKTokenKeyAlgorithm\n ) -> Bool {\n switch operation {\n case .signData:\n return algorithm.isAlgorithm(.rsaSignatureDigestPKCS1v15SHA256)\n || algorithm.isAlgorithm(.ecdsaSignatureDigestX962SHA256)\n case .decryptData:\n return algorithm.isAlgorithm(.rsaEncryptionOAEPSHA256)\n case .performKeyExchange:\n return algorithm.isAlgorithm(.ecdhKeyExchangeStandard)\n default:\n return false\n }\n }\n\n func tokenSession(\n _ session: TKTokenSession,\n sign dataToSign: Data,\n keyObjectID: TKToken.ObjectID,\n algorithm: TKTokenKeyAlgorithm\n ) throws -> Data {\n let smartCard = try getSmartCard()\n return try smartCard.withSession {\n try performCardSign(smartCard: smartCard, data: dataToSign, keyID: keyObjectID)\n }\n }\n\n func tokenSession(\n _ session: TKTokenSession,\n decrypt ciphertext: Data,\n keyObjectID: TKToken.ObjectID,\n algorithm: TKTokenKeyAlgorithm\n ) throws -> Data {\n let smartCard = try getSmartCard()\n return try smartCard.withSession {\n try performCardDecrypt(smartCard: smartCard, data: ciphertext, keyID: keyObjectID)\n }\n }\n}\n```\n\n### PIN Authentication\n\nReturn a `TKTokenAuthOperation` from `beginAuthFor:` to prompt the user\nfor PIN entry before cryptographic operations:\n\n```swift\nfunc tokenSession(\n _ session: TKTokenSession,\n beginAuthFor operation: TKTokenOperation,\n constraint: Any\n) throws -> TKTokenAuthOperation {\n let pinAuth = TKTokenSmartCardPINAuthOperation()\n pinAuth.pinFormat.charset = .numeric\n pinAuth.pinFormat.minPINLength = 4\n pinAuth.pinFormat.maxPINLength = 8\n pinAuth.smartCard = (session as? TKSmartCardTokenSession)?.smartCard\n pinAuth.apduTemplate = buildVerifyAPDU()\n pinAuth.pinByteOffset = 5\n return pinAuth\n}\n```\n\n## Smart Card Communication\n\n`TKSmartCard` provides low-level APDU communication with smart cards\nconnected via readers (macOS-only).\n\n### Discovering Card Readers\n\n```swift\nimport CryptoTokenKit\n\nfunc discoverSmartCards() {\n guard let slotManager = TKSmartCardSlotManager.default else {\n print(\"Smart card services unavailable\")\n return\n }\n\n for slotName in slotManager.slotNames {\n slotManager.getSlot(withName: slotName) { slot in\n guard let slot else { return }\n if slot.state == .validCard, let card = slot.makeSmartCard() {\n communicateWith(card: card)\n }\n }\n }\n}\n```\n\n### Sending APDU Commands\n\nUse `send(ins:p1:p2:data:le:)` for structured APDU communication.\nAlways wrap calls in `withSession`:\n\n```swift\nfunc selectApplication(card: TKSmartCard, aid: Data) throws {\n try card.withSession {\n let (sw, response) = try card.send(\n ins: 0xA4, p1: 0x04, p2: 0x00, data: aid, le: nil\n )\n guard sw == 0x9000 else {\n throw TKError(.communicationError)\n }\n }\n}\n```\n\nFor raw APDU bytes or non-standard formats, use `transmit(_:reply:)` with\nmanual `beginSession`/`endSession` lifecycle management.\n\n### NFC Smart Card Sessions (iOS 16.4+)\n\nOn supported iOS devices, create NFC smart card sessions to communicate\nwith contactless smart cards:\n\n```swift\nfunc readNFCSmartCard() {\n guard let slotManager = TKSmartCardSlotManager.default,\n slotManager.isNFCSupported() else { return }\n\n slotManager.createNFCSlot(message: \"Hold card near iPhone\") { session, error in\n guard let session else { return }\n defer { session.end() }\n\n guard let slotName = session.slotName,\n let slot = slotManager.slotNamed(slotName),\n let card = slot.makeSmartCard() else { return }\n // Communicate with the NFC card using card.send(...)\n }\n}\n```\n\n## Keychain Integration\n\nWhen a token is present, CryptoTokenKit exposes its items as standard\nkeychain entries. Query them using the `kSecAttrTokenID` attribute:\n\n```swift\nimport Security\n\nfunc findTokenKey(tokenID: String) throws -> SecKey {\n let query: [String: Any] = [\n kSecClass as String: kSecClassKey,\n kSecAttrTokenID as String: tokenID,\n kSecReturnRef as String: true\n ]\n var result: CFTypeRef?\n let status = SecItemCopyMatching(query as CFDictionary, &result)\n guard status == errSecSuccess, let key = result else {\n throw TKError(.objectNotFound)\n }\n return key as! SecKey\n}\n```\n\nUse `kSecReturnPersistentRef` instead of `kSecReturnRef` to obtain a\npersistent reference that survives across app launches. The reference\nbecomes invalid when the token is removed -- handle `errSecItemNotFound`\nby prompting the user to reinsert the token.\n\nQuery certificates the same way with `kSecClass: kSecClassCertificate`.\n\n## Certificate Authentication\n\n### Token Key Requirements\n\nFor user login, the token must contain at least one key capable of signing\nwith: EC signature digest X962, RSA signature digest PSS, or RSA signature\ndigest PKCS1v15.\n\nFor keychain unlock, the token needs:\n- 256-bit EC key (`kSecAttrKeyTypeECSECPrimeRandom`) supporting\n `ecdhKeyExchangeStandard`, or\n- 2048/3072/4096-bit RSA key (`kSecAttrKeyTypeRSA`) supporting\n `rsaEncryptionOAEPSHA256` decryption\n\n### Smart Card Authentication Preferences (macOS)\n\nConfigure in the `com.apple.security.smartcard` domain (MDM or systemwide):\n\n| Key | Default | Description |\n|---|---|---|\n| `allowSmartCard` | `true` | Enable smart card authentication |\n| `checkCertificateTrust` | `0` | Certificate trust level (0-3) |\n| `oneCardPerUser` | `false` | Pair a single smart card to an account |\n| `enforceSmartCard` | `false` | Require smart card for login |\n\nTrust levels: `0` = trust all, `1` = validity + issuer, `2` = + soft\nrevocation, `3` = + hard revocation.\n\n## Token Watching\n\n`TKTokenWatcher` monitors token insertion and removal. Available on both\nmacOS and iOS 14+.\n\n```swift\nimport CryptoTokenKit\n\nfinal class TokenMonitor {\n private let watcher = TKTokenWatcher()\n\n func startMonitoring() {\n for tokenID in watcher.tokenIDs {\n print(\"Token present: \\(tokenID)\")\n if let info = watcher.tokenInfo(forTokenID: tokenID) {\n print(\" Driver: \\(info.driverName ?? \"unknown\")\")\n print(\" Slot: \\(info.slotName ?? \"unknown\")\")\n }\n }\n\n watcher.setInsertionHandler { [weak self] tokenID in\n print(\"Token inserted: \\(tokenID)\")\n self?.watcher.addRemovalHandler({ removedTokenID in\n print(\"Token removed: \\(removedTokenID)\")\n }, forTokenID: tokenID)\n }\n }\n}\n```\n\n## Error Handling\n\nCryptoTokenKit operations throw `TKError`. Key error codes:\n\n| Code | Meaning |\n|---|---|\n| `.notImplemented` | Operation not supported by this token |\n| `.communicationError` | Communication with token failed |\n| `.corruptedData` | Data from token is corrupted |\n| `.canceledByUser` | User canceled the operation |\n| `.authenticationFailed` | PIN or password incorrect |\n| `.objectNotFound` | Requested key or certificate not found |\n| `.tokenNotFound` | Token is no longer present |\n| `.authenticationNeeded` | Authentication required before operation |\n\n## Common Mistakes\n\n### DON'T: Query token keychain items without checking token presence\n\n```swift\n// WRONG -- query may fail if token was removed\nlet key = try findTokenKey(tokenID: savedTokenID)\n\n// CORRECT -- verify the token is still present first\nlet watcher = TKTokenWatcher()\nguard watcher.tokenIDs.contains(savedTokenID) else {\n promptUserToInsertToken()\n return\n}\nlet key = try findTokenKey(tokenID: savedTokenID)\n```\n\n### DON'T: Assume smart card APIs work on iOS\n\n```swift\n// WRONG -- TKSmartCardSlotManager.default is nil on iOS\nlet manager = TKSmartCardSlotManager.default! // Crashes on iOS\n\n// CORRECT -- guard availability\nguard let manager = TKSmartCardSlotManager.default else {\n print(\"Smart card services unavailable on this platform\")\n return\n}\n```\n\n### DON'T: Skip session management for card communication\n\n```swift\n// WRONG -- sending commands without a session\ncard.transmit(apdu) { response, error in /* may fail */ }\n\n// CORRECT -- use withSession or beginSession/endSession\ntry card.withSession {\n let (sw, response) = try card.send(\n ins: 0xCA, p1: 0x00, p2: 0x6E, data: nil, le: 0\n )\n}\n```\n\n### DON'T: Ignore status words in APDU responses\n\n```swift\n// WRONG -- assuming success\nlet (_, response) = try card.send(ins: 0xA4, p1: 0x04, p2: 0x00, data: aid, le: nil)\n\n// CORRECT -- check status word\nlet (sw, response) = try card.send(ins: 0xA4, p1: 0x04, p2: 0x00, data: aid, le: nil)\nguard sw == 0x9000 else {\n throw SmartCardError.commandFailed(statusWord: sw)\n}\n```\n\n### DON'T: Hard-code blanket algorithm support\n\nThe `supports` delegate method must reflect what the hardware actually\nimplements. Returning `true` unconditionally causes runtime failures when\nthe system attempts unsupported operations.\n\n## Review Checklist\n\n- [ ] Platform availability verified (`TKSmartCard` macOS-only, `TKTokenWatcher` iOS 14+)\n- [ ] Token extension target uses `NSExtensionPointIdentifier` = `com.apple.ctk-tokens`\n- [ ] `com.apple.ctk.driver-class` set to the correct driver class in Info.plist\n- [ ] Extension registered via `_securityagent` launch during installation\n- [ ] `TKTokenSessionDelegate` checks specific algorithms, not blanket `true`\n- [ ] Smart card sessions opened and closed (`withSession` or `beginSession`/`endSession`)\n- [ ] APDU status words checked after every `send` call\n- [ ] Token presence verified via `TKTokenWatcher` before keychain queries\n- [ ] `TKError` cases handled with appropriate user feedback\n- [ ] Keychain contents populated with correct `objectID` values\n- [ ] `TKTokenKeychainKey` capabilities (`canSign`, `canDecrypt`) match hardware\n- [ ] Certificate trust level configured appropriately for deployment environment\n- [ ] `errSecItemNotFound` handled for persistent references when token is removed\n\n## References\n\n- Extended patterns (PIV commands, TLV parsing, generic token drivers, APDU helpers, secure PIN): [references/cryptotokenkit-patterns.md](references/cryptotokenkit-patterns.md)\n- [CryptoTokenKit framework](https://sosumi.ai/documentation/cryptotokenkit)\n- [TKTokenDriver](https://sosumi.ai/documentation/cryptotokenkit/tktokendriver)\n- [TKToken](https://sosumi.ai/documentation/cryptotokenkit/tktoken)\n- [TKTokenSession](https://sosumi.ai/documentation/cryptotokenkit/tktokensession)\n- [TKSmartCard](https://sosumi.ai/documentation/cryptotokenkit/tksmartcard)\n- [TKSmartCardSlotManager](https://sosumi.ai/documentation/cryptotokenkit/tksmartcardslotmanager)\n- [TKTokenWatcher](https://sosumi.ai/documentation/cryptotokenkit/tktokenwatcher)\n- [Authenticating Users with a Cryptographic Token](https://sosumi.ai/documentation/cryptotokenkit/authenticating-users-with-a-cryptographic-token)\n- [Using Cryptographic Assets Stored on a Smart Card](https://sosumi.ai/documentation/cryptotokenkit/using-cryptographic-assets-stored-on-a-smart-card)\n- [Configuring Smart Card Authentication](https://sosumi.ai/documentation/cryptotokenkit/configuring-smart-card-authentication)","tags":["cryptotokenkit","swift","ios","skills","dpearson2699","accessibility","agent-skills","ai-coding","apple","claude-code","codex-skills","cursor-skills"],"capabilities":["skill","source-dpearson2699","skill-cryptotokenkit","topic-accessibility","topic-agent-skills","topic-ai-coding","topic-apple","topic-claude-code","topic-codex-skills","topic-cursor-skills","topic-ios","topic-ios-development","topic-liquid-glass","topic-localization","topic-mapkit"],"categories":["swift-ios-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/dpearson2699/swift-ios-skills/cryptotokenkit","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add dpearson2699/swift-ios-skills","source_repo":"https://github.com/dpearson2699/swift-ios-skills","install_from":"skills.sh"}},"qualityScore":"0.684","qualityRationale":"deterministic score 0.68 from registry signals: · indexed on github topic:agent-skills · 468 github stars · SKILL.md body (16,666 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-22T00:53:42.574Z","embedding":null,"createdAt":"2026-04-18T22:00:55.122Z","updatedAt":"2026-04-22T00:53:42.574Z","lastSeenAt":"2026-04-22T00:53:42.574Z","tsv":"'-3':1129 '/applications/tokenhost.app/contents/macos/tokenhost':579 '/documentation/cryptotokenkit)':1629 '/documentation/cryptotokenkit/authenticating-users-with-a-cryptographic-token)':1662 '/documentation/cryptotokenkit/configuring-smart-card-authentication)':1680 '/documentation/cryptotokenkit/tksmartcard)':1645 '/documentation/cryptotokenkit/tksmartcardslotmanager)':1649 '/documentation/cryptotokenkit/tktoken)':1637 '/documentation/cryptotokenkit/tktokendriver)':1633 '/documentation/cryptotokenkit/tktokensession)':1641 '/documentation/cryptotokenkit/tktokenwatcher)':1653 '/documentation/cryptotokenkit/using-cryptographic-assets-stored-on-a-smart-card)':1673 '/macos':114 '0':1124,1128,1149,1418 '0x00':838,1412,1440,1459 '0x04':836,1438,1457 '0x6e':1414 '0x9000':845,1466 '0xa4':834,1436,1455 '0xca':1410 '1':384,1152 '11':115 '14':113,324,1175,1514 '16.4':125,873 '2':391,1155 '2048/3072/4096-bit':1094 '256':1086 '3':399,1158 '4':724 '5':735 '6.3':70 '8':726 'access':2,39,82,238 'account':1139 'across':1017 'actual':1489 'aid':423,432,433,463,474,475,823,840,1442,1461 'algorithm':608,642,670,1478,1542 'algorithm.isalgorithm':616,618,623,628 'allowsmartcard':1117 'alway':813 'apdu':746,800,811,852,1391,1425,1556,1619 'api':89,1341 'app':210,241,349,365,572,1018 'appropri':1576,1596 'architectur':127,130,181 'architecture-overview':129 'asset':45,1665 'assum':1338,1429 'attempt':1500 'attribut':955 'auth':508,517 'authent':30,67,155,158,194,286,584,690,1048,1103,1122,1282,1654,1677 'authenticationfail':1263 'authenticationneed':1281 'automat':251 'avail':72,110,122,220,359,1169,1360,1506 'back':247 'base':29,66,270 'becom':1022 'beginauthfor':695,711 'beginsess':864,1554 'beginsession/endsession':1401 'bit':1087 'blanket':1477,1544 'bool':610 'bridg':184 'build':12 'buildverifyapdu':733 'byte':853 'call':815,1563 'cancel':1260 'canceledbyus':1258 'candecrypt':522,1589 'cansign':519,1588 'capabl':358,1063,1587 'card':7,23,57,80,118,143,147,189,297,305,312,377,739,750,758,772,794,797,798,821,870,881,888,902,924,932,1102,1121,1136,1144,1340,1368,1381,1547,1670,1676 'card.send':832,934,1408,1434,1453 'card.transmit':1390 'card.withsession':827,1403 'case':613,620,625,1573 'caus':1494 'cert':490,504,507,513 'cert-auth':506 'certdata':483,493 'certif':28,65,154,157,335,444,503,512,1040,1047,1125,1272,1592 'certificate-authent':156 'certificate-bas':27,64 'certitem':501,530 'cfdata':495 'cfdictionari':989 'cftyperef':983 'check':1295,1446,1540,1559 'checkcertificatetrust':1123 'checklist':175,178,1504 'ciphertext':666,686 'class':271,383,407,412,440,456,552,556,595,1180,1523,1529 'client':98,235 'client-sid':97,234 'close':1551 'code':1237,1238,1476 'com.apple.ctk':562,1520 'com.apple.ctk.driver':555,1522 'com.apple.security.smartcard':1109 'com.example.token':435 'command':801,1386,1613 'common':169,172,1286 'common-mistak':171 'communic':20,58,144,148,306,740,747,812,884,928,1248,1382 'communicatewith':796 'communicationerror':849,1247 'configur':1106,1595,1674 'connect':751 'constraint':714 'contactless':886 'contain':1058 'content':126,453,1580 'core':382 'correct':1313,1358,1397,1445,1527,1583 'corrupt':1257 'corrupteddata':499,1252 'cover':52 'crash':1355 'creat':878 'createsess':533 'createtokenfor':420 'cryptograph':44,218,232,281,357,588,704,1658,1664 'cryptotokenkit':1,9,38,50,73,183,250,410,762,942,1178,1231,1625 'data':424,464,639,645,657,667,673,685,807,824,839,1253,1415,1441,1460 'datatosign':638,658 'decrypt':665,1100 'decryptdata':621 'default':630,1115 'defer':913 'deleg':592,1482 'deliveri':370 'deploy':1598 'descript':1116 'devic':877 'digest':1069,1073,1078 'discov':309,757 'discoversmartcard':764 'domain':1110 'driver':14,54,206,225,274,345,406,418,438,551,1203,1528,1618 'ec':1067,1088 'ecdhkeyexchangestandard':629,1092 'ecdsasignaturedigestx962sha256':619 'els':496,769,788,846,897,911,926,997,1327,1365,1467 'enabl':1119 'endsess':865,1555 'enforcesmartcard':1140 'entri':258,293,389,702,949 'environ':1599 'error':164,167,906,1229,1236,1393 'error-handl':166 'errsecitemnotfound':1030,1600 'errsecsuccess':993 'everi':1561 'exist':366 'expos':252,943 'extend':1610 'extens':15,55,88,133,136,207,211,275,298,342,350,374,379,545,566,1516,1532 'fail':1251,1302,1396 'failur':1496 'fals':523,632,1131,1141 'feedback':1578 'fill':528 'filter':106 'final':411,455,594,1179 'findtokenkey':960,1310,1333 'first':1320 'format':858 'fortokenid':1200,1227 'found':1274 'framework':51,78,199,1626 'func':416,532,599,633,661,707,763,819,890,959,1186 'generic':1616 'getsmartcard':649,677 'guard':488,765,785,843,892,908,915,991,1324,1359,1361,1464 'handl':165,168,226,404,1029,1230,1574,1601 'hard':1159,1475 'hard-cod':1474 'hardwar':36,185,215,280,354,448,1488,1591 'helper':1620 'hold':901 'host':364,571 'ignor':1421 'implement':26,1490 'import':409,761,957,1177 'in':804,833,1409,1435,1454 'incorrect':1267 'info':1198 'info.drivername':1204 'info.plist':541,547,1531 'info.slotname':1208 'init':460 'insert':319,1166,1217 'instal':1538 'instanceid':434,465,476,477 'instead':1007 'integr':35,62,150,153,936 'invalid':1023 'io':112,124,240,323,872,876,1174,1344,1351,1357,1513 'iphon':904 'issuer':1154 'issuitableforlogin':525 'item':219,246,254,945,1293 'key':264,327,446,516,995,1002,1050,1062,1089,1096,1114,1235,1270,1308,1331 'key-auth':515 'keychain':61,104,149,152,196,244,257,452,935,948,1081,1292,1570,1579 'keychain-integr':151 'keyid':659,687 'keyitem':510,518,521,524,531 'keyobjectid':606,640,660,668,688 'ksecattrkeytypeecsecprimerandom':1090 'ksecattrkeytypersa':1097 'ksecattrtokenid':108,954,973 'ksecclass':969,1045 'ksecclasscertif':1046 'ksecclasskey':972 'ksecreturnpersistentref':1006 'ksecreturnref':977,1009 'launch':569,1019,1536 'le':808,841,1417,1443,1462 'least':1060 'let':482,489,500,509,646,674,718,766,786,793,828,893,909,916,919,923,965,984,994,1183,1197,1307,1321,1330,1352,1362,1404,1431,1449 'level':303,745,1127,1148,1594 'lifecycl':228,866 'login':1054,1146 'longer':1279 'low':302,744 'low-level':301,743 'maco':77,86,95,193,208,239,276,283,291,299,307,315,322,332,340,348,755,1105,1172,1510 'macos-on':94,754,1509 'main':202 'make':213,352 'manag':31,230,285,311,583,867,1353,1363,1379 'manual':863 'match':1590 'may':1301,1395 'mdm':1111 'mean':1239 'mechan':371 'messag':900 'method':1483 'mistak':170,173,1287 'mode':204 'modul':558 'monitor':1164 'must':548,1057,1484 'name':549,559 'near':903 'need':1085 'nfc':116,868,879,931 'nil':492,842,1349,1416,1444,1463 'non':856 'non-standard':855 'notimpl':1240 'nsextens':553 'nsextensionattribut':554 'nsextensionpointidentifi':561,1519 'numer':722 'objectid':505,514,1584 'objectnotfound':1000,1268 'observ':317 'obtain':1011 'one':1061 'onecardperus':1130 'open':1549 'oper':233,405,589,604,612,705,712,1232,1241,1262,1285,1502 'overview':128,131,182 'p1':805,835,1411,1437,1456 'p2':806,837,1413,1439,1458 'pair':1132 'pars':1615 'password':1266 'pattern':1611 'perform':587 'performcarddecrypt':682 'performcardsign':654 'performkeyexchang':626 'persist':1013,1603 'pin':689,701,1264,1622 'pinauth':719,737 'pinauth.apdutemplate':732 'pinauth.pinbyteoffset':734 'pinauth.pinformat.charset':721 'pinauth.pinformat.maxpinlength':725 'pinauth.pinformat.minpinlength':723 'pinauth.smartcard':727 'piv':1612 'pkcs1v15':1079 'platform':71,268,1373,1505 'point':294,390 'popul':450,1581 'prefer':1104 'presenc':1297,1565 'present':263,941,1194,1280,1319 'primarili':75 'print':770,1192,1202,1206,1215,1223,1366 'privat':1182 'product':557 'prompt':697,1032 'promptusertoinserttoken':1328 'provid':742 'pss':1074 'queri':105,242,950,966,987,1039,1290,1300,1571 'raw':851 'read':443 'readcertif':485 'reader':81,313,753,759 'readnfcsmartcard':891 'refer':179,180,1014,1021,1604,1609 'references/cryptotokenkit-patterns.md':1623,1624 'reflect':1485 'regist':564,1533 'registr':543 'reinsert':1036 'remov':321,1028,1168,1225,1306,1608 'removedtokenid':1221,1226 'repli':861 'repres':278,396 'request':1269 'requir':85,1051,1142,1283 'respons':830,1392,1406,1426,1432,1451 'result':982,990,996 'return':427,615,622,627,631,650,678,691,736,775,789,898,912,927,1001,1329,1374,1491 'review':174,177,1503 'review-checklist':176 'revoc':1157,1160 'role':267 'rsa':1071,1076,1095 'rsaencryptionoaepsha256':624,1099 'rsasignaturedigestpkcs1v15sha256':617 'runtim':1495 'savedtokenid':1312,1326,1335 'seccertificatecreatewithdata':491 'secitemcopymatch':986 'seckey':964,1004 'secur':3,40,186,958,1621 'securityag':574,578,1535 'selectappl':820 'self':481,1212,1219 'self.delegate':480 'self.keychaincontents':527 'send':799,803,1385,1562 'servic':197,773,1369 'session':33,60,120,138,141,229,581,601,635,663,709,728,871,882,905,910,1378,1389,1548 'session.end':914 'session.slotname':918 'set':1524 'shell':575 'side':99,236 'sign':637,1065 'signatur':1068,1072,1077 'signdata':614 'singl':1134 'skill' 'skill-cryptotokenkit' 'skip':1377 'slot':119,314,783,787,920,1207 'slot.makesmartcard':795,925 'slot.state':791 'slotmanag':767,894 'slotmanager.createnfcslot':899 'slotmanager.getslot':780 'slotmanager.isnfcsupported':896 'slotmanager.slotnamed':921 'slotmanager.slotnames':779 'slotnam':777,782,917,922 'smart':6,22,56,79,117,142,146,188,296,304,376,738,749,771,869,880,887,1101,1120,1135,1143,1339,1367,1546,1669,1675 'smart-card-commun':145 'smartcard':421,430,431,461,472,473,487,647,655,656,675,683,684,731 'smartcard.slot.name':436 'smartcard.withsession':652,680 'smartcarderror.commandfailed':1469 'soft':1156 'sosumi.ai':1628,1632,1636,1640,1644,1648,1652,1661,1672,1679 'sosumi.ai/documentation/cryptotokenkit)':1627 'sosumi.ai/documentation/cryptotokenkit/authenticating-users-with-a-cryptographic-token)':1660 'sosumi.ai/documentation/cryptotokenkit/configuring-smart-card-authentication)':1678 'sosumi.ai/documentation/cryptotokenkit/tksmartcard)':1643 'sosumi.ai/documentation/cryptotokenkit/tksmartcardslotmanager)':1647 'sosumi.ai/documentation/cryptotokenkit/tktoken)':1635 'sosumi.ai/documentation/cryptotokenkit/tktokendriver)':1631 'sosumi.ai/documentation/cryptotokenkit/tktokensession)':1639 'sosumi.ai/documentation/cryptotokenkit/tktokenwatcher)':1651 'sosumi.ai/documentation/cryptotokenkit/using-cryptographic-assets-stored-on-a-smart-card)':1671 'source-dpearson2699' 'specif':1541 'standard':256,857,947 'startmonitor':1187 'state':287,585 'status':985,992,1422,1447,1557 'statusword':1470 'still':1318 'store':47,328,336,1666 'string':466,962,967,971,975,979 'structur':810 'subclass':386,393,401 'success':1430 'sudo':576 'super.init':471 'support':603,875,1091,1098,1243,1479,1481 'surviv':1016 'sw':829,844,1405,1450,1465,1471 'swift':69,408,454,593,706,760,818,889,956,1176,1298,1345,1383,1427 'switch':611 'system':223,362,1499 'systemwid':1113 'target':68,1517 'three':381 'throw':425,469,497,536,644,672,716,825,847,963,998,1233,1468 'tkerror':498,848,999,1234,1572 'tksmartcard':25,83,300,422,462,741,822,1508,1642 'tksmartcardslotmanag':84,308,1646 'tksmartcardslotmanager.default':768,895,1347,1354,1364 'tksmartcardtoken':395,426,458 'tksmartcardtokendriv':292,388,414,419,468 'tksmartcardtokendriverdeleg':415 'tksmartcardtokensess':403,597,730 'tktoken':19,91,277,535,1634 'tktoken.objectid':607,641,669 'tktokenauthoper':693,717 'tktokendeleg':459 'tktokendriv':17,90,269,1630 'tktokenkeyalgorithm':609,643,671 'tktokenkeychaincertif':333,502 'tktokenkeychainkey':325,511,1586 'tktokenoper':605,713 'tktokensess':92,284,537,582,602,636,664,710,1638 'tktokensessiondeleg':598,1539 'tktokensmartcardpinauthoper':720 'tktokenwatch':102,316,1163,1185,1323,1512,1568,1650 'tlv':1614 'token':4,13,32,41,53,59,87,100,132,135,137,140,159,162,187,191,205,216,227,237,249,253,261,273,282,290,318,331,339,341,344,355,378,392,398,429,439,442,457,534,539,540,563,580,939,1026,1038,1049,1056,1084,1161,1165,1193,1216,1224,1246,1250,1255,1276,1291,1296,1304,1316,1515,1521,1564,1606,1617,1659 'token-extens':134 'token-sess':139 'token-watch':161 'tokendriv':385,413,417,437,467,478,479,560 'tokenid':961,976,1189,1195,1201,1213,1218,1228,1311,1334 'tokenmonitor':1181 'tokennotfound':1275 'tokensess':400,538,596,600,634,662,708 'topic-accessibility' 'topic-agent-skills' 'topic-ai-coding' 'topic-apple' 'topic-claude-code' 'topic-codex-skills' 'topic-cursor-skills' 'topic-ios' 'topic-ios-development' 'topic-liquid-glass' 'topic-localization' 'topic-mapkit' 'transmit':860 'tri':428,470,484,648,651,653,676,679,681,826,831,1309,1332,1402,1407,1433,1452 'true':520,526,980,1118,1492,1545 'trust':1126,1147,1150,1593 'two':201 'type':265,266 'u':577 'unavail':774,1370 'uncondit':1493 'unknown':1205,1209 'unlock':1082 'unsupport':1501 'usag':203 'usb':190 'use':8,10,48,802,859,933,952,1005,1398,1518,1663 'user':699,1034,1053,1259,1577,1655 'valid':1153 'validcard':792 'valu':1585 'var':981 'verifi':1314,1507,1566 'via':24,590,752,1534,1567 'watch':101,160,163,1162 'watcher':1184,1322 'watcher.addremovalhandler':1220 'watcher.setinsertionhandler':1210 'watcher.tokenids':1191 'watcher.tokenids.contains':1325 'watcher.tokeninfo':1199 'way':1043 'weak':1211 'withnam':781 'without':1294,1387 'withsess':817,1399,1552 'word':1423,1448,1558 'work':1342 'wrap':814 'wrong':1299,1346,1384,1428 'x962':1070","prices":[{"id":"dfdbe5a7-72be-4411-8921-95b475c85d2d","listingId":"31dd4945-f7cd-4895-b78e-12462cc5b96f","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"dpearson2699","category":"swift-ios-skills","install_from":"skills.sh"},"createdAt":"2026-04-18T22:00:55.122Z"}],"sources":[{"listingId":"31dd4945-f7cd-4895-b78e-12462cc5b96f","source":"github","sourceId":"dpearson2699/swift-ios-skills/cryptotokenkit","sourceUrl":"https://github.com/dpearson2699/swift-ios-skills/tree/main/skills/cryptotokenkit","isPrimary":false,"firstSeenAt":"2026-04-18T22:00:55.122Z","lastSeenAt":"2026-04-22T00:53:42.574Z"}],"details":{"listingId":"31dd4945-f7cd-4895-b78e-12462cc5b96f","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"dpearson2699","slug":"cryptotokenkit","github":{"repo":"dpearson2699/swift-ios-skills","stars":468,"topics":["accessibility","agent-skills","ai-coding","apple","claude-code","codex-skills","cursor-skills","ios","ios-development","liquid-glass","localization","mapkit","networking","storekit","swift","swift-concurrency","swiftdata","swiftui","widgetkit","xcode"],"license":"other","html_url":"https://github.com/dpearson2699/swift-ios-skills","pushed_at":"2026-04-21T19:26:16Z","description":"Agent Skills for iOS 26+, Swift 6.3, SwiftUI, and modern Apple frameworks","skill_md_sha":"b3fc0b693143b02a6d18225f4d611c14c79b4ebb","skill_md_path":"skills/cryptotokenkit/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/dpearson2699/swift-ios-skills/tree/main/skills/cryptotokenkit"},"layout":"multi","source":"github","category":"swift-ios-skills","frontmatter":{"name":"cryptotokenkit","description":"Access security tokens and smart cards using CryptoTokenKit. Use when building token driver extensions with TKTokenDriver and TKToken, communicating with smart cards via TKSmartCard, implementing certificate-based authentication, managing token sessions, or integrating hardware security tokens with the system keychain."},"skills_sh_url":"https://skills.sh/dpearson2699/swift-ios-skills/cryptotokenkit"},"updatedAt":"2026-04-22T00:53:42.574Z"}}