Split out libraries into SPM packages (#298)

2026-03-06 09:47:22 +01:00 · 2022-01-01 16:43:29 -08:00
parent f249932ff2
commit 3f34e91a2c
102 changed files with 1158 additions and 2520 deletions
--- a/Sources/Packages/Sources/Brief/Updater.swift
+++ b/Sources/Packages/Sources/Brief/Updater.swift
@@ -0,0 +1,181 @@
+import Foundation
+import Combine
+
+public protocol UpdaterProtocol: ObservableObject {
+
+    var update: Release? { get }
+    var testBuild: Bool { get }
+}
+
+public class Updater: ObservableObject, UpdaterProtocol {
+
+    @Published public var update: Release?
+    
+    public let testBuild: Bool
+
+    private let osVersion: SemVer
+    private let currentVersion: SemVer
+
+    public init(checkOnLaunch: Bool, osVersion: SemVer = SemVer(ProcessInfo.processInfo.operatingSystemVersion), currentVersion: SemVer = SemVer(Bundle.main.infoDictionary?["CFBundleShortVersionString"] as? String ?? "0.0.0")) {
+        self.osVersion = osVersion
+        self.currentVersion = currentVersion
+        testBuild = currentVersion == SemVer("0.0.0")
+        if checkOnLaunch {
+            // Don't do a launch check if the user hasn't seen the setup prompt explaining updater yet.
+            checkForUpdates()
+        }
+        let timer = Timer.scheduledTimer(withTimeInterval: 60*60*24, repeats: true) { _ in
+            self.checkForUpdates()
+        }
+        timer.tolerance = 60*60
+    }
+
+    public func checkForUpdates() {
+        URLSession.shared.dataTask(with: Constants.updateURL) { data, _, _ in
+            guard let data = data else { return }
+            guard let releases = try? JSONDecoder().decode([Release].self, from: data) else { return }
+            self.evaluate(releases: releases)
+        }.resume()
+    }
+
+    public func ignore(release: Release) {
+        guard !release.critical else { return }
+        defaults.set(true, forKey: release.name)
+        DispatchQueue.main.async {
+            self.update = nil
+        }
+    }
+
+}
+
+extension Updater {
+
+    func evaluate(releases: [Release]) {
+        guard let release = releases
+                .sorted()
+                .reversed()
+                .filter({ !$0.prerelease })
+                .first(where: { $0.minimumOSVersion <= osVersion }) else { return }
+        guard !userIgnored(release: release) else { return }
+        guard !release.prerelease else { return }
+        let latestVersion = SemVer(release.name)
+        if latestVersion > currentVersion {
+            DispatchQueue.main.async {
+                self.update = release
+            }
+        }
+    }
+
+    func userIgnored(release: Release) -> Bool {
+        guard !release.critical else { return false }
+        return defaults.bool(forKey: release.name)
+    }
+
+    var defaults: UserDefaults {
+        UserDefaults(suiteName: "com.maxgoedjen.Secretive.updater.ignorelist")!
+    }
+}
+
+public struct SemVer {
+
+    let versionNumbers: [Int]
+
+    public init(_ version: String) {
+        // Betas have the format 1.2.3_beta1
+        let strippedBeta = version.split(separator: "_").first!
+        var split = strippedBeta.split(separator: ".").compactMap { Int($0) }
+        while split.count < 3 {
+            split.append(0)
+        }
+        versionNumbers = split
+    }
+
+    public init(_ version: OperatingSystemVersion) {
+        versionNumbers = [version.majorVersion, version.minorVersion, version.patchVersion]
+    }
+
+}
+
+extension SemVer: Comparable {
+
+    public static func < (lhs: SemVer, rhs: SemVer) -> Bool {
+        for (latest, current) in zip(lhs.versionNumbers, rhs.versionNumbers) {
+            if latest < current {
+                return true
+            } else if latest > current {
+                return false
+            }
+        }
+        return false
+    }
+
+
+}
+
+extension Updater {
+
+    enum Constants {
+        static let updateURL = URL(string: "https://api.github.com/repos/maxgoedjen/secretive/releases")!
+    }
+
+}
+
+public struct Release: Codable {
+
+    public let name: String
+    public let prerelease: Bool
+    public let html_url: URL
+    public let body: String
+
+    public init(name: String, prerelease: Bool, html_url: URL, body: String) {
+        self.name = name
+        self.prerelease = prerelease
+        self.html_url = html_url
+        self.body = body
+    }
+
+}
+
+extension Release: Identifiable {
+
+    public var id: String {
+        html_url.absoluteString
+    }
+
+}
+
+extension Release: Comparable {
+
+    public static func < (lhs: Release, rhs: Release) -> Bool {
+        lhs.version < rhs.version
+    }
+
+}
+
+extension Release {
+
+    public var critical: Bool {
+        body.contains(Constants.securityContent)
+    }
+
+    public var version: SemVer {
+        SemVer(name)
+    }
+
+    public var minimumOSVersion: SemVer {
+        guard let range = body.range(of: "Minimum macOS Version"),
+              let numberStart = body.rangeOfCharacter(from: CharacterSet.decimalDigits, options: [], range: range.upperBound..<body.endIndex) else { return SemVer("11.0.0") }
+        let numbersEnd = body.rangeOfCharacter(from: CharacterSet.whitespacesAndNewlines, options: [], range: numberStart.upperBound..<body.endIndex)?.lowerBound ?? body.endIndex
+        let version = numberStart.lowerBound..<numbersEnd
+        return SemVer(String(body[version]))
+    }
+
+}
+
+extension Release {
+
+    enum Constants {
+        static let securityContent = "Critical Security Update"
+    }
+
+}
--- a/Sources/Packages/Sources/SecretAgentKit/Agent.swift
+++ b/Sources/Packages/Sources/SecretAgentKit/Agent.swift
@@ -0,0 +1,182 @@
+import Foundation
+import CryptoKit
+import OSLog
+import SecretKit
+import AppKit
+
+public class Agent {
+
+    private let storeList: SecretStoreList
+    private let witness: SigningWitness?
+    private let writer = OpenSSHKeyWriter()
+    private let requestTracer = SigningRequestTracer()
+
+    public init(storeList: SecretStoreList, witness: SigningWitness? = nil) {
+        Logger().debug("Agent is running")
+        self.storeList = storeList
+        self.witness = witness
+    }
+    
+}
+
+extension Agent {
+
+    public func handle(reader: FileHandleReader, writer: FileHandleWriter) {
+        Logger().debug("Agent handling new data")
+        let data = Data(reader.availableData)
+        guard data.count > 4 else { return }
+        let requestTypeInt = data[4]
+        guard let requestType = SSHAgent.RequestType(rawValue: requestTypeInt) else {
+            writer.write(OpenSSHKeyWriter().lengthAndData(of: SSHAgent.ResponseType.agentFailure.data))
+            Logger().debug("Agent returned \(SSHAgent.ResponseType.agentFailure.debugDescription)")
+            return
+        }
+        Logger().debug("Agent handling request of type \(requestType.debugDescription)")
+        let subData = Data(data[5...])
+        let response = handle(requestType: requestType, data: subData, reader: reader)
+        writer.write(response)
+    }
+
+    func handle(requestType: SSHAgent.RequestType, data: Data, reader: FileHandleReader) -> Data {
+        var response = Data()
+        do {
+            switch requestType {
+            case .requestIdentities:
+                response.append(SSHAgent.ResponseType.agentIdentitiesAnswer.data)
+                response.append(identities())
+                Logger().debug("Agent returned \(SSHAgent.ResponseType.agentIdentitiesAnswer.debugDescription)")
+            case .signRequest:
+                let provenance = requestTracer.provenance(from: reader)
+                response.append(SSHAgent.ResponseType.agentSignResponse.data)
+                response.append(try sign(data: data, provenance: provenance))
+                Logger().debug("Agent returned \(SSHAgent.ResponseType.agentSignResponse.debugDescription)")
+            }
+        } catch {
+            response.removeAll()
+            response.append(SSHAgent.ResponseType.agentFailure.data)
+            Logger().debug("Agent returned \(SSHAgent.ResponseType.agentFailure.debugDescription)")
+        }
+        let full = OpenSSHKeyWriter().lengthAndData(of: response)
+        return full
+    }
+
+}
+
+extension Agent {
+
+    func identities() -> Data {
+        let secrets = storeList.stores.flatMap(\.secrets)
+        var count = UInt32(secrets.count).bigEndian
+        let countData = Data(bytes: &count, count: UInt32.bitWidth/8)
+        var keyData = Data()
+        let writer = OpenSSHKeyWriter()
+        for secret in secrets {
+            let keyBlob = writer.data(secret: secret)
+            keyData.append(writer.lengthAndData(of: keyBlob))
+            let curveData = writer.curveType(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!
+            keyData.append(writer.lengthAndData(of: curveData))
+        }
+        Logger().debug("Agent enumerated \(secrets.count) identities")
+        return countData + keyData
+    }
+
+    func sign(data: Data, provenance: SigningRequestProvenance) throws -> Data {
+        let reader = OpenSSHReader(data: data)
+        let hash = reader.readNextChunk()
+        guard let (store, secret) = secret(matching: hash) else {
+            Logger().debug("Agent did not have a key matching \(hash as NSData)")
+            throw AgentError.noMatchingKey
+        }
+
+        if let witness = witness {
+            try witness.speakNowOrForeverHoldYourPeace(forAccessTo: secret, from: store, by: provenance)
+        }
+
+        let dataToSign = reader.readNextChunk()
+        let signed = try store.sign(data: dataToSign, with: secret, for: provenance)
+        let derSignature = signed.data
+
+        let curveData = writer.curveType(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!
+
+        // Convert from DER formatted rep to raw (r||s)
+
+        let rawRepresentation: Data
+        switch (secret.algorithm, secret.keySize) {
+        case (.ellipticCurve, 256):
+            rawRepresentation = try CryptoKit.P256.Signing.ECDSASignature(derRepresentation: derSignature).rawRepresentation
+        case (.ellipticCurve, 384):
+            rawRepresentation = try CryptoKit.P384.Signing.ECDSASignature(derRepresentation: derSignature).rawRepresentation
+        default:
+            throw AgentError.unsupportedKeyType
+        }
+
+
+        let rawLength = rawRepresentation.count/2
+        // Check if we need to pad with 0x00 to prevent certain
+        // ssh servers from thinking r or s is negative
+        let paddingRange: ClosedRange<UInt8> = 0x80...0xFF
+        var r = Data(rawRepresentation[0..<rawLength])
+        if paddingRange ~= r.first! {
+            r.insert(0x00, at: 0)
+        }
+        var s = Data(rawRepresentation[rawLength...])
+        if paddingRange ~= s.first! {
+            s.insert(0x00, at: 0)
+        }
+
+        var signatureChunk = Data()
+        signatureChunk.append(writer.lengthAndData(of: r))
+        signatureChunk.append(writer.lengthAndData(of: s))
+
+        var signedData = Data()
+        var sub = Data()
+        sub.append(writer.lengthAndData(of: curveData))
+        sub.append(writer.lengthAndData(of: signatureChunk))
+        signedData.append(writer.lengthAndData(of: sub))
+
+        if let witness = witness {
+            try witness.witness(accessTo: secret, from: store, by: provenance, requiredAuthentication: signed.requiredAuthentication)
+        }
+
+        Logger().debug("Agent signed request")
+
+        return signedData
+    }
+
+}
+
+extension Agent {
+
+    func secret(matching hash: Data) -> (AnySecretStore, AnySecret)? {
+        storeList.stores.compactMap { store -> (AnySecretStore, AnySecret)? in
+            let allMatching = store.secrets.filter { secret in
+                hash == writer.data(secret: secret)
+            }
+            if let matching = allMatching.first {
+                return (store, matching)
+            }
+            return nil
+        }.first
+    }
+
+}
+
+
+extension Agent {
+
+    enum AgentError: Error {
+        case unhandledType
+        case noMatchingKey
+        case unsupportedKeyType
+    }
+
+}
+
+extension SSHAgent.ResponseType {
+
+    var data: Data {
+        var raw = self.rawValue
+        return  Data(bytes: &raw, count: UInt8.bitWidth/8)
+    }
+
+}
--- a/Sources/Packages/Sources/SecretAgentKit/FileHandleProtocols.swift
+++ b/Sources/Packages/Sources/SecretAgentKit/FileHandleProtocols.swift
@@ -0,0 +1,26 @@
+import Foundation
+
+public protocol FileHandleReader {
+
+    var availableData: Data { get }
+    var fileDescriptor: Int32 { get }
+    var pidOfConnectedProcess: Int32 { get }
+
+}
+
+public protocol FileHandleWriter {
+
+    func write(_ data: Data)
+
+}
+
+extension FileHandle: FileHandleReader, FileHandleWriter {
+
+    public var pidOfConnectedProcess: Int32 {
+        let pidPointer = UnsafeMutableRawPointer.allocate(byteCount: 4, alignment: 1)
+        var len = socklen_t(MemoryLayout<Int32>.size)
+        getsockopt(fileDescriptor, SOCK_STREAM, LOCAL_PEERPID, pidPointer, &len)
+        return pidPointer.load(as: Int32.self)
+    }
+
+}
--- a/Sources/Packages/Sources/SecretAgentKit/SSHAgentProtocol.swift
+++ b/Sources/Packages/Sources/SecretAgentKit/SSHAgentProtocol.swift
@@ -0,0 +1,38 @@
+import Foundation
+
+public enum SSHAgent {}
+
+extension SSHAgent {
+
+    public enum RequestType: UInt8, CustomDebugStringConvertible {
+        case requestIdentities = 11
+        case signRequest = 13
+
+        public var debugDescription: String {
+            switch self {
+            case .requestIdentities:
+                return "RequestIdentities"
+            case .signRequest:
+                return "SignRequest"
+            }
+        }
+    }
+
+    public enum ResponseType: UInt8, CustomDebugStringConvertible {
+        case agentFailure = 5
+        case agentIdentitiesAnswer = 12
+        case agentSignResponse = 14
+
+        public var debugDescription: String {
+            switch self {
+            case .agentFailure:
+                return "AgentFailure"
+            case .agentIdentitiesAnswer:
+                return "AgentIdentitiesAnswer"
+            case .agentSignResponse:
+                return "AgentSignResponse"
+            }
+        }
+    }
+    
+}
--- a/Sources/Packages/Sources/SecretAgentKit/SigningRequestTracer.swift
+++ b/Sources/Packages/Sources/SecretAgentKit/SigningRequestTracer.swift
@@ -0,0 +1,61 @@
+import Foundation
+import AppKit
+import Security
+import SecretKit
+import SecretAgentKitHeaders
+
+struct SigningRequestTracer {
+}
+
+extension SigningRequestTracer {
+
+    func provenance(from fileHandleReader: FileHandleReader) -> SigningRequestProvenance {
+        let firstInfo = process(from: fileHandleReader.pidOfConnectedProcess)
+
+        var provenance = SigningRequestProvenance(root: firstInfo)
+        while NSRunningApplication(processIdentifier: provenance.origin.pid) == nil && provenance.origin.parentPID != nil {
+            provenance.chain.append(process(from: provenance.origin.parentPID!))
+        }
+        return provenance
+    }
+
+    func pidAndNameInfo(from pid: Int32) -> kinfo_proc {
+        var len = MemoryLayout<kinfo_proc>.size
+        let infoPointer = UnsafeMutableRawPointer.allocate(byteCount: len, alignment: 1)
+        var name: [Int32] = [CTL_KERN, KERN_PROC, KERN_PROC_PID, pid]
+        sysctl(&name, UInt32(name.count), infoPointer, &len, nil, 0)
+        return infoPointer.load(as: kinfo_proc.self)
+    }
+
+    func process(from pid: Int32) -> SigningRequestProvenance.Process {
+        var pidAndNameInfo = self.pidAndNameInfo(from: pid)
+        let ppid = pidAndNameInfo.kp_eproc.e_ppid != 0 ? pidAndNameInfo.kp_eproc.e_ppid : nil
+        let procName = String(cString: &pidAndNameInfo.kp_proc.p_comm.0)
+        let pathPointer = UnsafeMutablePointer<UInt8>.allocate(capacity: Int(MAXPATHLEN))
+        _ = proc_pidpath(pid, pathPointer, UInt32(MAXPATHLEN))
+        let path = String(cString: pathPointer)
+        var secCode: Unmanaged<SecCode>!
+        let flags: SecCSFlags = [.considerExpiration, .enforceRevocationChecks]
+        SecCodeCreateWithPID(pid, SecCSFlags(), &secCode)
+        let valid = SecCodeCheckValidity(secCode.takeRetainedValue(), flags, nil) == errSecSuccess
+        return SigningRequestProvenance.Process(pid: pid, processName: procName, appName: appName(for: pid), iconURL: iconURL(for: pid), path: path, validSignature: valid, parentPID: ppid)
+    }
+
+    func iconURL(for pid: Int32) -> URL? {
+        do {
+            if let app = NSRunningApplication(processIdentifier: pid), let icon = app.icon?.tiffRepresentation {
+                let temporaryURL = URL(fileURLWithPath: (NSTemporaryDirectory() as NSString).appendingPathComponent("\(UUID().uuidString).png"))
+                let bitmap = NSBitmapImageRep(data: icon)
+                try bitmap?.representation(using: .png, properties: [:])?.write(to: temporaryURL)
+                return temporaryURL
+            }
+        } catch {
+        }
+        return nil
+    }
+
+    func appName(for pid: Int32) -> String? {
+        NSRunningApplication(processIdentifier: pid)?.localizedName
+    }
+
+}
--- a/Sources/Packages/Sources/SecretAgentKit/SigningWitness.swift
+++ b/Sources/Packages/Sources/SecretAgentKit/SigningWitness.swift
@@ -0,0 +1,9 @@
+import Foundation
+import SecretKit
+
+public protocol SigningWitness {
+
+    func speakNowOrForeverHoldYourPeace(forAccessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance) throws
+    func witness(accessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance, requiredAuthentication: Bool) throws
+
+}
--- a/Sources/Packages/Sources/SecretAgentKit/SocketController.swift
+++ b/Sources/Packages/Sources/SecretAgentKit/SocketController.swift
@@ -0,0 +1,67 @@
+import Foundation
+import OSLog
+
+public class SocketController {
+
+    private var fileHandle: FileHandle?
+    private var port: SocketPort?
+    public var handler: ((FileHandleReader, FileHandleWriter) -> Void)?
+
+    public init(path: String) {
+        Logger().debug("Socket controller setting up at \(path)")
+        if let _ = try? FileManager.default.removeItem(atPath: path) {
+            Logger().debug("Socket controller removed existing socket")
+        }
+        let exists = FileManager.default.fileExists(atPath: path)
+        assert(!exists)
+        Logger().debug("Socket controller path is clear")
+        port = socketPort(at: path)
+        configureSocket(at: path)
+        Logger().debug("Socket listening at \(path)")
+    }
+
+    func configureSocket(at path: String) {
+        guard let port = port else { return }
+        fileHandle = FileHandle(fileDescriptor: port.socket, closeOnDealloc: true)
+        NotificationCenter.default.addObserver(self, selector: #selector(handleConnectionAccept(notification:)), name: .NSFileHandleConnectionAccepted, object: nil)
+        NotificationCenter.default.addObserver(self, selector: #selector(handleConnectionDataAvailable(notification:)), name: .NSFileHandleDataAvailable, object: nil)
+        fileHandle?.acceptConnectionInBackgroundAndNotify(forModes: [RunLoop.current.currentMode!])
+    }
+
+    func socketPort(at path: String) -> SocketPort {
+        var addr = sockaddr_un()
+        addr.sun_family = sa_family_t(AF_UNIX)
+
+        var len: Int = 0
+        withUnsafeMutablePointer(to: &addr.sun_path.0) { pointer in
+            path.withCString { cstring in
+                len = strlen(cstring)
+                strncpy(pointer, cstring, len)
+            }
+        }
+        addr.sun_len = UInt8(len+2)
+
+        var data: Data!
+        withUnsafePointer(to: &addr) { pointer in
+            data = Data(bytes: pointer, count: MemoryLayout<sockaddr_un>.size)
+        }
+
+        return SocketPort(protocolFamily: AF_UNIX, socketType: SOCK_STREAM, protocol: 0, address: data)!
+    }
+
+    @objc func handleConnectionAccept(notification: Notification) {
+        Logger().debug("Socket controller accepted connection")
+        guard let new = notification.userInfo?[NSFileHandleNotificationFileHandleItem] as? FileHandle else { return }
+        handler?(new, new)
+        new.waitForDataInBackgroundAndNotify()
+        fileHandle?.acceptConnectionInBackgroundAndNotify(forModes: [RunLoop.current.currentMode!])
+    }
+
+    @objc func handleConnectionDataAvailable(notification: Notification) {
+        Logger().debug("Socket controller has new data available")
+        guard let new = notification.object as? FileHandle else { return }
+        Logger().debug("Socket controller received new file handle")
+        handler?(new, new)
+    }
+
+}
--- a/Sources/Packages/Sources/SecretAgentKitHeaders/Stub.swift
+++ b/Sources/Packages/Sources/SecretAgentKitHeaders/Stub.swift
@@ -0,0 +1 @@
+
--- a/Sources/Packages/Sources/SecretAgentKitHeaders/include/SecretAgentKit.h
+++ b/Sources/Packages/Sources/SecretAgentKitHeaders/include/SecretAgentKit.h
@@ -0,0 +1,19 @@
+#import <Foundation/Foundation.h>
+#import <Security/Security.h>
+
+
+// Forward declarations
+
+// from libproc.h
+int proc_pidpath(int pid, void * buffer, uint32_t  buffersize);
+
+// from SecTask.h
+OSStatus SecCodeCreateWithPID(int32_t, SecCSFlags, SecCodeRef *);
+
+//! Project version number for SecretAgentKit.
+FOUNDATION_EXPORT double SecretAgentKitVersionNumber;
+
+//! Project version string for SecretAgentKit.
+FOUNDATION_EXPORT const unsigned char SecretAgentKitVersionString[];
+
+
--- a/Sources/Packages/Sources/SecretAgentKitHeaders/module.modulemap
+++ b/Sources/Packages/Sources/SecretAgentKitHeaders/module.modulemap
@@ -0,0 +1,4 @@
+module SecretAgentKitHeaders [system] {
+    header "include/SecretAgentKit.h"
+    export *
+}
--- a/Sources/Packages/Sources/SecretKit/BundleIDs.swift
+++ b/Sources/Packages/Sources/SecretKit/BundleIDs.swift
@@ -0,0 +1,7 @@
+import Foundation
+
+
+extension Bundle {
+    public var agentBundleID: String {(self.bundleIdentifier?.replacingOccurrences(of: "Host", with: "SecretAgent"))!}
+    public var hostBundleID: String {(self.bundleIdentifier?.replacingOccurrences(of: "SecretAgent", with: "Host"))!}
+}
--- a/Sources/Packages/Sources/SecretKit/Erasers/AnySecret.swift
+++ b/Sources/Packages/Sources/SecretKit/Erasers/AnySecret.swift
@@ -0,0 +1,62 @@
+import Foundation
+
+public struct AnySecret: Secret {
+
+    let base: Any
+    private let hashable: AnyHashable
+    private let _id: () -> AnyHashable
+    private let _name: () -> String
+    private let _algorithm: () -> Algorithm
+    private let _keySize: () -> Int
+    private let _publicKey: () -> Data
+
+    public init<T>(_ secret: T) where T: Secret {
+        if let secret = secret as? AnySecret {
+            base = secret.base
+            hashable = secret.hashable
+            _id = secret._id
+            _name = secret._name
+            _algorithm = secret._algorithm
+            _keySize = secret._keySize
+            _publicKey = secret._publicKey
+        } else {
+            base = secret as Any
+            self.hashable = secret
+            _id = { secret.id as AnyHashable }
+            _name = { secret.name }
+            _algorithm = { secret.algorithm }
+            _keySize = { secret.keySize }
+            _publicKey = { secret.publicKey }
+        }
+    }
+
+    public var id: AnyHashable {
+        _id()
+    }
+
+    public var name: String {
+        _name()
+    }
+
+    public var algorithm: Algorithm {
+        _algorithm()
+    }
+
+    public var keySize: Int {
+        _keySize()
+    }
+
+    public var publicKey: Data {
+        _publicKey()
+    }
+
+    public static func == (lhs: AnySecret, rhs: AnySecret) -> Bool {
+        lhs.hashable == rhs.hashable
+    }
+
+    public func hash(into hasher: inout Hasher) {
+        hashable.hash(into: &hasher)
+    }
+
+}
+
--- a/Sources/Packages/Sources/SecretKit/Erasers/AnySecretStore.swift
+++ b/Sources/Packages/Sources/SecretKit/Erasers/AnySecretStore.swift
@@ -0,0 +1,80 @@
+import Foundation
+import Combine
+
+public class AnySecretStore: SecretStore {
+
+    let base: Any
+    private let _isAvailable: () -> Bool
+    private let _id: () -> UUID
+    private let _name: () -> String
+    private let _secrets: () -> [AnySecret]
+    private let _sign: (Data, AnySecret, SigningRequestProvenance) throws -> SignedData
+    private let _persistAuthentication: (AnySecret, TimeInterval) throws -> Void
+
+    private var sink: AnyCancellable?
+
+    public init<SecretStoreType>(_ secretStore: SecretStoreType) where SecretStoreType: SecretStore {
+        base = secretStore
+        _isAvailable = { secretStore.isAvailable }
+        _name = { secretStore.name }
+        _id = { secretStore.id }
+        _secrets = { secretStore.secrets.map { AnySecret($0) } }
+        _sign = { try secretStore.sign(data: $0, with: $1.base as! SecretStoreType.SecretType, for: $2) }
+        _persistAuthentication = { try secretStore.persistAuthentication(secret: $0.base as! SecretStoreType.SecretType, forDuration: $1) }
+        sink = secretStore.objectWillChange.sink { _ in
+            self.objectWillChange.send()
+        }
+    }
+
+    public var isAvailable: Bool {
+        return _isAvailable()
+    }
+
+    public var id: UUID {
+        return _id()
+    }
+
+    public var name: String {
+        return _name()
+    }
+
+    public var secrets: [AnySecret] {
+        return _secrets()
+    }
+
+    public func sign(data: Data, with secret: AnySecret, for provenance: SigningRequestProvenance) throws -> SignedData {
+        try _sign(data, secret, provenance)
+    }
+
+    public func persistAuthentication(secret: AnySecret, forDuration duration: TimeInterval) throws {
+        try _persistAuthentication(secret, duration)
+    }
+
+}
+
+public class AnySecretStoreModifiable: AnySecretStore, SecretStoreModifiable {
+
+    private let _create: (String, Bool) throws -> Void
+    private let _delete: (AnySecret) throws -> Void
+    private let _update: (AnySecret, String) throws -> Void
+
+    public init<SecretStoreType>(modifiable secretStore: SecretStoreType) where SecretStoreType: SecretStoreModifiable {
+        _create = { try secretStore.create(name: $0, requiresAuthentication: $1) }
+        _delete = { try secretStore.delete(secret: $0.base as! SecretStoreType.SecretType) }
+        _update = { try secretStore.update(secret: $0.base as! SecretStoreType.SecretType, name: $1) }
+        super.init(secretStore)
+    }
+
+    public func create(name: String, requiresAuthentication: Bool) throws {
+        try _create(name, requiresAuthentication)
+    }
+
+    public func delete(secret: AnySecret) throws {
+        try _delete(secret)
+    }
+
+    public func update(secret: AnySecret, name: String) throws {
+        try _update(secret, name)
+    }
+
+}
--- a/Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHKeyWriter.swift
+++ b/Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHKeyWriter.swift
@@ -0,0 +1,59 @@
+import Foundation
+import CryptoKit
+
+// For the moment, only supports ecdsa-sha2-nistp256 and ecdsa-sha2-nistp386 keys
+public struct OpenSSHKeyWriter {
+
+    public init() {
+    }
+
+    public func data<SecretType: Secret>(secret: SecretType) -> Data {
+        lengthAndData(of: curveType(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!) +
+            lengthAndData(of: curveIdentifier(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!) +
+            lengthAndData(of: secret.publicKey)
+    }
+
+    public func openSSHString<SecretType: Secret>(secret: SecretType, comment: String? = nil) -> String {
+        [curveType(for: secret.algorithm, length: secret.keySize), data(secret: secret).base64EncodedString(), comment]
+            .compactMap { $0 }
+            .joined(separator: " ")
+    }
+
+    public func openSSHSHA256Fingerprint<SecretType: Secret>(secret: SecretType) -> String {
+        // OpenSSL format seems to strip the padding at the end.
+        let base64 = Data(SHA256.hash(data: data(secret: secret))).base64EncodedString()
+        let paddingRange = base64.index(base64.endIndex, offsetBy: -2)..<base64.endIndex
+        let cleaned = base64.replacingOccurrences(of: "=", with: "", range: paddingRange)
+        return "SHA256:\(cleaned)"
+    }
+
+    public func openSSHMD5Fingerprint<SecretType: Secret>(secret: SecretType) -> String {
+        Insecure.MD5.hash(data: data(secret: secret))
+            .compactMap { ("0" + String($0, radix: 16, uppercase: false)).suffix(2) }
+            .joined(separator: ":")
+    }
+
+}
+
+extension OpenSSHKeyWriter {
+
+    public func lengthAndData(of data: Data) -> Data {
+        let rawLength = UInt32(data.count)
+        var endian = rawLength.bigEndian
+        return Data(bytes: &endian, count: UInt32.bitWidth/8) + data
+    }
+
+    public func curveIdentifier(for algorithm: Algorithm, length: Int) -> String {
+        switch algorithm {
+        case .ellipticCurve:
+            return "nistp" + String(describing: length)
+        }
+    }
+
+    public func curveType(for algorithm: Algorithm, length: Int) -> String {
+        switch algorithm {
+        case .ellipticCurve:
+            return "ecdsa-sha2-nistp" + String(describing: length)
+        }
+    }
+}
--- a/Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHReader.swift
+++ b/Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHReader.swift
@@ -0,0 +1,25 @@
+import Foundation
+
+public class OpenSSHReader {
+
+    var remaining: Data
+
+    public init(data: Data) {
+        remaining = Data(data)
+    }
+
+    public func readNextChunk() -> Data {
+        let lengthRange = 0..<(UInt32.bitWidth/8)
+        let lengthChunk = remaining[lengthRange]
+        remaining.removeSubrange(lengthRange)
+        let littleEndianLength = lengthChunk.withUnsafeBytes { pointer in
+            return pointer.load(as: UInt32.self)
+        }
+        let length = Int(littleEndianLength.bigEndian)
+        let dataRange = 0..<length
+        let ret = Data(remaining[dataRange])
+        remaining.removeSubrange(dataRange)
+        return ret
+    }
+
+}
--- a/Sources/Packages/Sources/SecretKit/SecretStoreList.swift
+++ b/Sources/Packages/Sources/SecretKit/SecretStoreList.swift
@@ -0,0 +1,39 @@
+import Foundation
+import Combine
+
+public class SecretStoreList: ObservableObject {
+
+    @Published public var stores: [AnySecretStore] = []
+    @Published public var modifiableStore: AnySecretStoreModifiable?
+    private var sinks: [AnyCancellable] = []
+
+    public init() {
+    }
+
+    public func add<SecretStoreType: SecretStore>(store: SecretStoreType) {
+        addInternal(store: AnySecretStore(store))
+    }
+
+    public func add<SecretStoreType: SecretStoreModifiable>(store: SecretStoreType) {
+        let modifiable = AnySecretStoreModifiable(modifiable: store)
+        modifiableStore = modifiable
+        addInternal(store: modifiable)
+    }
+
+    public var anyAvailable: Bool {
+        stores.reduce(false, { $0 || $1.isAvailable })
+    }
+
+}
+
+extension SecretStoreList {
+
+    private func addInternal(store: AnySecretStore) {
+        stores.append(store)
+        let sink = store.objectWillChange.sink {
+            self.objectWillChange.send()
+        }
+        sinks.append(sink)
+    }
+
+}
--- a/Sources/Packages/Sources/SecretKit/Types/Secret.swift
+++ b/Sources/Packages/Sources/SecretKit/Types/Secret.swift
@@ -0,0 +1,23 @@
+import Foundation
+
+public protocol Secret: Identifiable, Hashable {
+
+    var name: String { get }
+    var algorithm: Algorithm { get }
+    var keySize: Int { get }
+    var publicKey: Data { get }
+
+}
+
+public enum Algorithm: Hashable {
+    case ellipticCurve
+    public init(secAttr: NSNumber) {
+        let secAttrString = secAttr.stringValue as CFString
+        switch secAttrString {
+        case kSecAttrKeyTypeEC:
+            self = .ellipticCurve
+        default:
+            fatalError()
+        }
+    }
+}
--- a/Sources/Packages/Sources/SecretKit/Types/SecretStore.swift
+++ b/Sources/Packages/Sources/SecretKit/Types/SecretStore.swift
@@ -0,0 +1,31 @@
+import Foundation
+import Combine
+
+public protocol SecretStore: ObservableObject, Identifiable {
+
+    associatedtype SecretType: Secret
+
+    var isAvailable: Bool { get }
+    var id: UUID { get }
+    var name: String { get }
+    var secrets: [SecretType] { get }
+
+    func sign(data: Data, with secret: SecretType, for provenance: SigningRequestProvenance) throws -> SignedData
+
+    func persistAuthentication(secret: SecretType, forDuration duration: TimeInterval) throws
+
+}
+
+public protocol SecretStoreModifiable: SecretStore {
+
+    func create(name: String, requiresAuthentication: Bool) throws
+    func delete(secret: SecretType) throws
+    func update(secret: SecretType, name: String) throws
+
+}
+
+extension NSNotification.Name {
+
+    public static let secretStoreUpdated = NSNotification.Name("com.maxgoedjen.Secretive.secretStore.updated")
+
+}
--- a/Sources/Packages/Sources/SecretKit/Types/SignedData.swift
+++ b/Sources/Packages/Sources/SecretKit/Types/SignedData.swift
@@ -0,0 +1,13 @@
+import Foundation
+
+public struct SignedData {
+
+    public let data: Data
+    public let requiredAuthentication: Bool
+
+    public init(data: Data, requiredAuthentication: Bool) {
+        self.data = data
+        self.requiredAuthentication = requiredAuthentication
+    }
+
+}
--- a/Sources/Packages/Sources/SecretKit/Types/SigningRequestProvenance.swift
+++ b/Sources/Packages/Sources/SecretKit/Types/SigningRequestProvenance.swift
@@ -0,0 +1,53 @@
+import Foundation
+import AppKit
+
+public struct SigningRequestProvenance: Equatable {
+
+    public var chain: [Process]
+    public init(root: Process) {
+        self.chain = [root]
+    }
+
+}
+
+extension SigningRequestProvenance {
+
+    public var origin: Process {
+        chain.last!
+    }
+
+    public var intact: Bool {
+        chain.allSatisfy { $0.validSignature }
+    }
+
+}
+
+extension SigningRequestProvenance {
+
+    public struct Process: Equatable {
+
+        public let pid: Int32
+        public let processName: String
+        public let appName: String?
+        public let iconURL: URL?
+        public let path: String
+        public let validSignature: Bool
+        public let parentPID: Int32?
+
+        public init(pid: Int32, processName: String, appName: String?, iconURL: URL?, path: String, validSignature: Bool, parentPID: Int32?) {
+            self.pid = pid
+            self.processName = processName
+            self.appName = appName
+            self.iconURL = iconURL
+            self.path = path
+            self.validSignature = validSignature
+            self.parentPID = parentPID
+        }
+
+        public var displayName: String {
+            appName ?? processName
+        }
+
+    }
+
+}
--- a/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclave.swift
+++ b/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclave.swift
@@ -0,0 +1 @@
+public enum SecureEnclave {}
--- a/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveSecret.swift
+++ b/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveSecret.swift
@@ -0,0 +1,17 @@
+import Foundation
+import Combine
+import SecretKit
+
+extension SecureEnclave {
+
+    public struct Secret: SecretKit.Secret {
+
+        public let id: Data
+        public let name: String
+        public let algorithm = Algorithm.ellipticCurve
+        public let keySize = 256
+        public let publicKey: Data
+
+    }
+
+}
--- a/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift
+++ b/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift
@@ -0,0 +1,271 @@
+import Foundation
+import Security
+import CryptoTokenKit
+import LocalAuthentication
+import SecretKit
+
+extension SecureEnclave {
+
+    public class Store: SecretStoreModifiable {
+
+        public var isAvailable: Bool {
+            // For some reason, as of build time, CryptoKit.SecureEnclave.isAvailable always returns false
+            // error msg "Received error sending GET UNIQUE DEVICE command"
+            // Verify it with TKTokenWatcher manually.
+            TKTokenWatcher().tokenIDs.contains("com.apple.setoken")
+        }
+        public let id = UUID()
+        public let name = NSLocalizedString("Secure Enclave", comment: "Secure Enclave")
+        @Published public private(set) var secrets: [Secret] = []
+
+        private var persistedAuthenticationContexts: [Secret: PersistentAuthenticationContext] = [:]
+
+        public init() {
+            DistributedNotificationCenter.default().addObserver(forName: .secretStoreUpdated, object: nil, queue: .main) { _ in
+                self.reloadSecrets(notify: false)
+            }
+            loadSecrets()
+        }
+
+        // MARK: Public API
+
+        public func create(name: String, requiresAuthentication: Bool) throws {
+            var accessError: SecurityError?
+            let flags: SecAccessControlCreateFlags
+            if requiresAuthentication {
+                flags = [.privateKeyUsage, .userPresence]
+            } else {
+                flags = .privateKeyUsage
+            }
+            let access =
+                SecAccessControlCreateWithFlags(kCFAllocatorDefault,
+                                                kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
+                                                flags,
+                                                &accessError) as Any
+            if let error = accessError {
+                throw error.takeRetainedValue() as Error
+            }
+
+            let attributes = [
+                kSecAttrLabel: name,
+                kSecAttrKeyType: Constants.keyType,
+                kSecAttrTokenID: kSecAttrTokenIDSecureEnclave,
+                kSecAttrApplicationTag: Constants.keyTag,
+                kSecPrivateKeyAttrs: [
+                    kSecAttrIsPermanent: true,
+                    kSecAttrAccessControl: access
+                ]
+            ] as CFDictionary
+
+            var createKeyError: SecurityError?
+            let keypair = SecKeyCreateRandomKey(attributes, &createKeyError)
+            if let error = createKeyError {
+                throw error.takeRetainedValue() as Error
+            }
+            guard let keypair = keypair, let publicKey = SecKeyCopyPublicKey(keypair) else {
+                throw KeychainError(statusCode: nil)
+            }
+            try savePublicKey(publicKey, name: name)
+            reloadSecrets()
+        }
+
+        public func delete(secret: Secret) throws {
+            let deleteAttributes = [
+                kSecClass: kSecClassKey,
+                kSecAttrApplicationLabel: secret.id as CFData
+            ] as CFDictionary
+            let status = SecItemDelete(deleteAttributes)
+            if status != errSecSuccess {
+                throw KeychainError(statusCode: status)
+            }
+            reloadSecrets()
+        }
+
+        public func update(secret: Secret, name: String) throws {
+            let updateQuery = [
+                kSecClass: kSecClassKey,
+                kSecAttrApplicationLabel: secret.id as CFData
+            ] as CFDictionary
+
+            let updatedAttributes = [
+                kSecAttrLabel: name,
+            ] as CFDictionary
+
+            let status = SecItemUpdate(updateQuery, updatedAttributes)
+            if status != errSecSuccess {
+                throw KeychainError(statusCode: status)
+            }
+            reloadSecrets()
+        }
+
+        public func sign(data: Data, with secret: SecretType, for provenance: SigningRequestProvenance) throws -> SignedData {
+            let context: LAContext
+            if let existing = persistedAuthenticationContexts[secret], existing.valid {
+                context = existing.context
+            } else {
+                let newContext = LAContext()
+                newContext.localizedCancelTitle = "Deny"
+                context = newContext
+            }
+            context.localizedReason = "sign a request from \"\(provenance.origin.displayName)\" using secret \"\(secret.name)\""
+            let attributes = [
+                kSecClass: kSecClassKey,
+                kSecAttrKeyClass: kSecAttrKeyClassPrivate,
+                kSecAttrApplicationLabel: secret.id as CFData,
+                kSecAttrKeyType: Constants.keyType,
+                kSecAttrTokenID: kSecAttrTokenIDSecureEnclave,
+                kSecAttrApplicationTag: Constants.keyTag,
+                kSecUseAuthenticationContext: context,
+                kSecReturnRef: true
+                ] as CFDictionary
+            var untyped: CFTypeRef?
+            let status = SecItemCopyMatching(attributes, &untyped)
+            if status != errSecSuccess {
+                throw KeychainError(statusCode: status)
+            }
+            guard let untypedSafe = untyped else {
+                throw KeychainError(statusCode: errSecSuccess)
+            }
+            let key = untypedSafe as! SecKey
+            var signError: SecurityError?
+
+            let signingStartTime = Date()
+            guard let signature = SecKeyCreateSignature(key, .ecdsaSignatureMessageX962SHA256, data as CFData, &signError) else {
+                throw SigningError(error: signError)
+            }
+            let signatureDuration = Date().timeIntervalSince(signingStartTime)
+            // Hack to determine if the user had to authenticate to sign.
+            // Since there's now way to inspect SecAccessControl to determine (afaict).
+            let requiredAuthentication = signatureDuration > Constants.unauthenticatedThreshold
+
+            return SignedData(data: signature as Data, requiredAuthentication: requiredAuthentication)
+        }
+
+        public func persistAuthentication(secret: Secret, forDuration duration: TimeInterval) throws {
+            let newContext = LAContext()
+            newContext.touchIDAuthenticationAllowableReuseDuration = duration
+            newContext.localizedCancelTitle = "Deny"
+
+            let formatter = DateComponentsFormatter()
+            formatter.unitsStyle = .spellOut
+            formatter.allowedUnits = [.hour, .minute, .day]
+
+            if let durationString = formatter.string(from: duration) {
+                newContext.localizedReason = "unlock secret \"\(secret.name)\" for \(durationString)"
+            } else {
+                newContext.localizedReason = "unlock secret \"\(secret.name)\""
+            }
+            newContext.evaluatePolicy(LAPolicy.deviceOwnerAuthentication, localizedReason: newContext.localizedReason) { [weak self] success, _ in
+                guard success else { return }
+                let context = PersistentAuthenticationContext(secret: secret, context: newContext, duration: duration)
+                self?.persistedAuthenticationContexts[secret] = context
+            }
+        }
+
+    }
+
+}
+
+extension SecureEnclave.Store {
+
+    private func reloadSecrets(notify: Bool = true) {
+        secrets.removeAll()
+        loadSecrets()
+        if notify {
+            DistributedNotificationCenter.default().post(name: .secretStoreUpdated, object: nil)
+        }
+    }
+
+    private func loadSecrets() {
+        let attributes = [
+            kSecClass: kSecClassKey,
+            kSecAttrKeyType: SecureEnclave.Constants.keyType,
+            kSecAttrApplicationTag: SecureEnclave.Constants.keyTag,
+            kSecAttrKeyClass: kSecAttrKeyClassPublic,
+            kSecReturnRef: true,
+            kSecMatchLimit: kSecMatchLimitAll,
+            kSecReturnAttributes: true
+            ] as CFDictionary
+        var untyped: CFTypeRef?
+        SecItemCopyMatching(attributes, &untyped)
+        guard let typed = untyped as? [[CFString: Any]] else { return }
+        let wrapped: [SecureEnclave.Secret] = typed.map {
+            let name = $0[kSecAttrLabel] as? String ?? "Unnamed"
+            let id = $0[kSecAttrApplicationLabel] as! Data
+            let publicKeyRef = $0[kSecValueRef] as! SecKey
+            let publicKeyAttributes = SecKeyCopyAttributes(publicKeyRef) as! [CFString: Any]
+            let publicKey = publicKeyAttributes[kSecValueData] as! Data
+            return SecureEnclave.Secret(id: id, name: name, publicKey: publicKey)
+        }
+        secrets.append(contentsOf: wrapped)
+    }
+
+    private func savePublicKey(_ publicKey: SecKey, name: String) throws {
+        let attributes = [
+            kSecClass: kSecClassKey,
+            kSecAttrKeyType: SecureEnclave.Constants.keyType,
+            kSecAttrKeyClass: kSecAttrKeyClassPublic,
+            kSecAttrApplicationTag: SecureEnclave.Constants.keyTag,
+            kSecValueRef: publicKey,
+            kSecAttrIsPermanent: true,
+            kSecReturnData: true,
+            kSecAttrLabel: name
+            ] as CFDictionary
+        let status = SecItemAdd(attributes, nil)
+        if status != errSecSuccess {
+            throw SecureEnclave.KeychainError(statusCode: status)
+        }
+    }
+
+}
+
+extension SecureEnclave {
+
+    public struct KeychainError: Error {
+        public let statusCode: OSStatus?
+    }
+
+    public struct SigningError: Error {
+        public let error: SecurityError?
+    }
+
+}
+
+extension SecureEnclave {
+
+    public typealias SecurityError = Unmanaged<CFError>
+
+}
+
+extension SecureEnclave {
+
+    enum Constants {
+        static let keyTag = "com.maxgoedjen.secretive.secureenclave.key".data(using: .utf8)! as CFData
+        static let keyType = kSecAttrKeyTypeECSECPrimeRandom
+        static let unauthenticatedThreshold: TimeInterval = 0.05
+    }
+
+}
+
+extension SecureEnclave {
+
+    private struct PersistentAuthenticationContext {
+
+        let secret: Secret
+        let context: LAContext
+        // Monotonic time instead of Date() to prevent people setting the clock back.
+        let expiration: UInt64
+
+        init(secret: Secret, context: LAContext, duration: TimeInterval) {
+            self.secret = secret
+            self.context = context
+            let durationInNanoSeconds = Measurement(value: duration, unit: UnitDuration.seconds).converted(to: .nanoseconds).value
+            self.expiration = clock_gettime_nsec_np(CLOCK_MONOTONIC) + UInt64(durationInNanoSeconds)
+        }
+
+        var valid: Bool {
+            clock_gettime_nsec_np(CLOCK_MONOTONIC) < expiration
+        }
+    }
+
+}
--- a/Sources/Packages/Sources/SmartCardSecretKit/SmartCard.swift
+++ b/Sources/Packages/Sources/SmartCardSecretKit/SmartCard.swift
@@ -0,0 +1 @@
+public enum SmartCard {}
--- a/Sources/Packages/Sources/SmartCardSecretKit/SmartCardSecret.swift
+++ b/Sources/Packages/Sources/SmartCardSecretKit/SmartCardSecret.swift
@@ -0,0 +1,17 @@
+import Foundation
+import Combine
+import SecretKit
+
+extension SmartCard {
+
+    public struct Secret: SecretKit.Secret {
+
+        public let id: Data
+        public let name: String
+        public let algorithm: Algorithm
+        public let keySize: Int
+        public let publicKey: Data
+
+    }
+
+}
--- a/Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift
+++ b/Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift
@@ -0,0 +1,178 @@
+import Foundation
+import Security
+import CryptoTokenKit
+import LocalAuthentication
+import SecretKit
+
+// TODO: Might need to split this up into "sub-stores?"
+// ie, each token has its own Store.
+extension SmartCard {
+
+    public class Store: SecretStore {
+
+        @Published public var isAvailable: Bool = false
+        public let id = UUID()
+        public private(set) var name = NSLocalizedString("Smart Card", comment: "Smart Card")
+        @Published public private(set) var secrets: [Secret] = []
+        private let watcher = TKTokenWatcher()
+        private var tokenID: String?
+
+        public init() {
+            tokenID = watcher.nonSecureEnclaveTokens.first
+            watcher.setInsertionHandler { string in
+                guard self.tokenID == nil else { return }
+                guard !string.contains("setoken") else { return }
+
+                self.tokenID = string
+                self.reloadSecrets()
+                self.watcher.addRemovalHandler(self.smartcardRemoved, forTokenID: string)
+            }
+            if let tokenID = tokenID {
+                self.isAvailable = true
+                self.watcher.addRemovalHandler(self.smartcardRemoved, forTokenID: tokenID)
+            }
+            loadSecrets()
+        }
+
+        // MARK: Public API
+
+        public func create(name: String) throws {
+            fatalError("Keys must be created on the smart card.")
+        }
+
+        public func delete(secret: Secret) throws {
+            fatalError("Keys must be deleted on the smart card.")
+        }
+
+        public func sign(data: Data, with secret: SecretType, for provenance: SigningRequestProvenance) throws -> SignedData {
+            guard let tokenID = tokenID else { fatalError() }
+            let context = LAContext()
+            context.localizedReason = "sign a request from \"\(provenance.origin.displayName)\" using secret \"\(secret.name)\""
+            context.localizedCancelTitle = "Deny"
+            let attributes = [
+                kSecClass: kSecClassKey,
+                kSecAttrKeyClass: kSecAttrKeyClassPrivate,
+                kSecAttrApplicationLabel: secret.id as CFData,
+                kSecAttrTokenID: tokenID,
+                kSecUseAuthenticationContext: context,
+                kSecReturnRef: true
+                ] as CFDictionary
+            var untyped: CFTypeRef?
+            let status = SecItemCopyMatching(attributes, &untyped)
+            if status != errSecSuccess {
+                throw KeychainError(statusCode: status)
+            }
+            guard let untypedSafe = untyped else {
+                throw KeychainError(statusCode: errSecSuccess)
+            }
+            let key = untypedSafe as! SecKey
+            var signError: SecurityError?
+            let signatureAlgorithm: SecKeyAlgorithm
+            switch (secret.algorithm, secret.keySize) {
+            case (.ellipticCurve, 256):
+                signatureAlgorithm = .ecdsaSignatureMessageX962SHA256
+            case (.ellipticCurve, 384):
+                signatureAlgorithm = .ecdsaSignatureMessageX962SHA384
+            default:
+                fatalError()
+            }
+            guard let signature = SecKeyCreateSignature(key, signatureAlgorithm, data as CFData, &signError) else {
+                throw SigningError(error: signError)
+            }
+            return SignedData(data: signature as Data, requiredAuthentication: false)
+        }
+
+        public func persistAuthentication(secret: SmartCard.Secret, forDuration: TimeInterval) throws {
+        }
+
+    }
+
+}
+
+extension SmartCard.Store {
+
+    private func smartcardRemoved(for tokenID: String? = nil) {
+        self.tokenID = nil
+        reloadSecrets()
+    }
+
+    private func reloadSecrets() {
+        DispatchQueue.main.async {
+            self.isAvailable = self.tokenID != nil
+            self.secrets.removeAll()
+            self.loadSecrets()
+        }
+    }
+
+    private func loadSecrets() {
+        guard let tokenID = tokenID else { return }
+
+        let fallbackName = NSLocalizedString("Smart Card", comment: "Smart Card")
+        if #available(macOS 12.0, *) {
+            if let driverName = watcher.tokenInfo(forTokenID: tokenID)?.driverName {
+                name = driverName
+            } else {
+                name = fallbackName
+            }
+        } else {
+            // Hack to read name if there's only one smart card
+            let slotNames = TKSmartCardSlotManager().slotNames
+            if watcher.nonSecureEnclaveTokens.count == 1 && slotNames.count == 1 {
+                name = slotNames.first!
+            } else {
+                name = fallbackName
+            }
+        }
+
+        let attributes = [
+            kSecClass: kSecClassKey,
+            kSecAttrTokenID: tokenID,
+            kSecAttrKeyType: kSecAttrKeyTypeEC, // Restrict to EC
+            kSecReturnRef: true,
+            kSecMatchLimit: kSecMatchLimitAll,
+            kSecReturnAttributes: true
+            ] as CFDictionary
+        var untyped: CFTypeRef?
+        SecItemCopyMatching(attributes, &untyped)
+        guard let typed = untyped as? [[CFString: Any]] else { return }
+        let wrapped: [SmartCard.Secret] = typed.map {
+            let name = $0[kSecAttrLabel] as? String ?? "Unnamed"
+            let tokenID = $0[kSecAttrApplicationLabel] as! Data
+            let algorithm = Algorithm(secAttr: $0[kSecAttrKeyType] as! NSNumber)
+            let keySize = $0[kSecAttrKeySizeInBits] as! Int
+            let publicKeyRef = $0[kSecValueRef] as! SecKey
+            let publicKeySecRef = SecKeyCopyPublicKey(publicKeyRef)!
+            let publicKeyAttributes = SecKeyCopyAttributes(publicKeySecRef) as! [CFString: Any]
+            let publicKey = publicKeyAttributes[kSecValueData] as! Data
+            return SmartCard.Secret(id: tokenID, name: name, algorithm: algorithm, keySize: keySize, publicKey: publicKey)
+        }
+        secrets.append(contentsOf: wrapped)
+    }
+
+}
+
+extension TKTokenWatcher {
+
+    fileprivate var nonSecureEnclaveTokens: [String] {
+        tokenIDs.filter { !$0.contains("setoken") }
+    }
+
+}
+
+extension SmartCard {
+
+    public struct KeychainError: Error {
+        public let statusCode: OSStatus
+    }
+
+    public struct SigningError: Error {
+        public let error: SecurityError?
+    }
+
+}
+
+extension SmartCard {
+
+    public typealias SecurityError = Unmanaged<CFError>
+
+}