WIP SPM

Sources/SecretKit/Common/BundleIDs.swift

@@ -0,0 +1,7 @@
+import Foundation
+
+
+extension Bundle {
+    public var agentBundleID: String {(self.bundleIdentifier?.replacingOccurrences(of: "Host", with: "SecretAgent"))!}
+    public var hostBundleID: String {(self.bundleIdentifier?.replacingOccurrences(of: "SecretAgent", with: "Host"))!}
+}

Sources/SecretKit/Common/Erasers/AnySecret.swift

@@ -0,0 +1,62 @@
+import Foundation
+
+public struct AnySecret: Secret {
+
+    let base: Any
+    private let hashable: AnyHashable
+    private let _id: () -> AnyHashable
+    private let _name: () -> String
+    private let _algorithm: () -> Algorithm
+    private let _keySize: () -> Int
+    private let _publicKey: () -> Data
+
+    public init<T>(_ secret: T) where T: Secret {
+        if let secret = secret as? AnySecret {
+            base = secret.base
+            hashable = secret.hashable
+            _id = secret._id
+            _name = secret._name
+            _algorithm = secret._algorithm
+            _keySize = secret._keySize
+            _publicKey = secret._publicKey
+        } else {
+            base = secret as Any
+            self.hashable = secret
+            _id = { secret.id as AnyHashable }
+            _name = { secret.name }
+            _algorithm = { secret.algorithm }
+            _keySize = { secret.keySize }
+            _publicKey = { secret.publicKey }
+        }
+    }
+
+    public var id: AnyHashable {
+        _id()
+    }
+
+    public var name: String {
+        _name()
+    }
+
+    public var algorithm: Algorithm {
+        _algorithm()
+    }
+
+    public var keySize: Int {
+        _keySize()
+    }
+
+    public var publicKey: Data {
+        _publicKey()
+    }
+
+    public static func == (lhs: AnySecret, rhs: AnySecret) -> Bool {
+        lhs.hashable == rhs.hashable
+    }
+
+    public func hash(into hasher: inout Hasher) {
+        hashable.hash(into: &hasher)
+    }
+
+}
+

Sources/SecretKit/Common/Erasers/AnySecretStore.swift

@@ -0,0 +1,80 @@
+import Foundation
+import Combine
+
+public class AnySecretStore: SecretStore {
+
+    let base: Any
+    private let _isAvailable: () -> Bool
+    private let _id: () -> UUID
+    private let _name: () -> String
+    private let _secrets: () -> [AnySecret]
+    private let _sign: (Data, AnySecret, SigningRequestProvenance) throws -> SignedData
+    private let _persistAuthentication: (AnySecret, TimeInterval) throws -> Void
+
+    private var sink: AnyCancellable?
+
+    public init<SecretStoreType>(_ secretStore: SecretStoreType) where SecretStoreType: SecretStore {
+        base = secretStore
+        _isAvailable = { secretStore.isAvailable }
+        _name = { secretStore.name }
+        _id = { secretStore.id }
+        _secrets = { secretStore.secrets.map { AnySecret($0) } }
+        _sign = { try secretStore.sign(data: $0, with: $1.base as! SecretStoreType.SecretType, for: $2) }
+        _persistAuthentication = { try secretStore.persistAuthentication(secret: $0.base as! SecretStoreType.SecretType, forDuration: $1) }
+        sink = secretStore.objectWillChange.sink { _ in
+            self.objectWillChange.send()
+        }
+    }
+
+    public var isAvailable: Bool {
+        return _isAvailable()
+    }
+
+    public var id: UUID {
+        return _id()
+    }
+
+    public var name: String {
+        return _name()
+    }
+
+    public var secrets: [AnySecret] {
+        return _secrets()
+    }
+
+    public func sign(data: Data, with secret: AnySecret, for provenance: SigningRequestProvenance) throws -> SignedData {
+        try _sign(data, secret, provenance)
+    }
+
+    public func persistAuthentication(secret: AnySecret, forDuration duration: TimeInterval) throws {
+        try _persistAuthentication(secret, duration)
+    }
+
+}
+
+public class AnySecretStoreModifiable: AnySecretStore, SecretStoreModifiable {
+
+    private let _create: (String, Bool) throws -> Void
+    private let _delete: (AnySecret) throws -> Void
+    private let _update: (AnySecret, String) throws -> Void
+
+    public init<SecretStoreType>(modifiable secretStore: SecretStoreType) where SecretStoreType: SecretStoreModifiable {
+        _create = { try secretStore.create(name: $0, requiresAuthentication: $1) }
+        _delete = { try secretStore.delete(secret: $0.base as! SecretStoreType.SecretType) }
+        _update = { try secretStore.update(secret: $0.base as! SecretStoreType.SecretType, name: $1) }
+        super.init(secretStore)
+    }
+
+    public func create(name: String, requiresAuthentication: Bool) throws {
+        try _create(name, requiresAuthentication)
+    }
+
+    public func delete(secret: AnySecret) throws {
+        try _delete(secret)
+    }
+
+    public func update(secret: AnySecret, name: String) throws {
+        try _update(secret, name)
+    }
+
+}

Sources/SecretKit/Common/OpenSSH/OpenSSHKeyWriter.swift

@@ -0,0 +1,59 @@
+import Foundation
+import CryptoKit
+
+// For the moment, only supports ecdsa-sha2-nistp256 and ecdsa-sha2-nistp386 keys
+public struct OpenSSHKeyWriter {
+
+    public init() {
+    }
+
+    public func data<SecretType: Secret>(secret: SecretType) -> Data {
+        lengthAndData(of: curveType(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!) +
+            lengthAndData(of: curveIdentifier(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!) +
+            lengthAndData(of: secret.publicKey)
+    }
+
+    public func openSSHString<SecretType: Secret>(secret: SecretType, comment: String? = nil) -> String {
+        [curveType(for: secret.algorithm, length: secret.keySize), data(secret: secret).base64EncodedString(), comment]
+            .compactMap { $0 }
+            .joined(separator: " ")
+    }
+
+    public func openSSHSHA256Fingerprint<SecretType: Secret>(secret: SecretType) -> String {
+        // OpenSSL format seems to strip the padding at the end.
+        let base64 = Data(SHA256.hash(data: data(secret: secret))).base64EncodedString()
+        let paddingRange = base64.index(base64.endIndex, offsetBy: -2)..<base64.endIndex
+        let cleaned = base64.replacingOccurrences(of: "=", with: "", range: paddingRange)
+        return "SHA256:\(cleaned)"
+    }
+
+    public func openSSHMD5Fingerprint<SecretType: Secret>(secret: SecretType) -> String {
+        Insecure.MD5.hash(data: data(secret: secret))
+            .compactMap { ("0" + String($0, radix: 16, uppercase: false)).suffix(2) }
+            .joined(separator: ":")
+    }
+
+}
+
+extension OpenSSHKeyWriter {
+
+    public func lengthAndData(of data: Data) -> Data {
+        let rawLength = UInt32(data.count)
+        var endian = rawLength.bigEndian
+        return Data(bytes: &endian, count: UInt32.bitWidth/8) + data
+    }
+
+    public func curveIdentifier(for algorithm: Algorithm, length: Int) -> String {
+        switch algorithm {
+        case .ellipticCurve:
+            return "nistp" + String(describing: length)
+        }
+    }
+
+    public func curveType(for algorithm: Algorithm, length: Int) -> String {
+        switch algorithm {
+        case .ellipticCurve:
+            return "ecdsa-sha2-nistp" + String(describing: length)
+        }
+    }
+}

Sources/SecretKit/Common/OpenSSH/OpenSSHReader.swift

@@ -0,0 +1,25 @@
+import Foundation
+
+public class OpenSSHReader {
+
+    var remaining: Data
+
+    public init(data: Data) {
+        remaining = Data(data)
+    }
+
+    public func readNextChunk() -> Data {
+        let lengthRange = 0..<(UInt32.bitWidth/8)
+        let lengthChunk = remaining[lengthRange]
+        remaining.removeSubrange(lengthRange)
+        let littleEndianLength = lengthChunk.withUnsafeBytes { pointer in
+            return pointer.load(as: UInt32.self)
+        }
+        let length = Int(littleEndianLength.bigEndian)
+        let dataRange = 0..<length
+        let ret = Data(remaining[dataRange])
+        remaining.removeSubrange(dataRange)
+        return ret
+    }
+
+}

Sources/SecretKit/Common/SecretStoreList.swift

@@ -0,0 +1,39 @@
+import Foundation
+import Combine
+
+public class SecretStoreList: ObservableObject {
+
+    @Published public var stores: [AnySecretStore] = []
+    @Published public var modifiableStore: AnySecretStoreModifiable?
+    private var sinks: [AnyCancellable] = []
+
+    public init() {
+    }
+
+    public func add<SecretStoreType: SecretStore>(store: SecretStoreType) {
+        addInternal(store: AnySecretStore(store))
+    }
+
+    public func add<SecretStoreType: SecretStoreModifiable>(store: SecretStoreType) {
+        let modifiable = AnySecretStoreModifiable(modifiable: store)
+        modifiableStore = modifiable
+        addInternal(store: modifiable)
+    }
+
+    public var anyAvailable: Bool {
+        stores.reduce(false, { $0 || $1.isAvailable })
+    }
+
+}
+
+extension SecretStoreList {
+
+    private func addInternal(store: AnySecretStore) {
+        stores.append(store)
+        let sink = store.objectWillChange.sink {
+            self.objectWillChange.send()
+        }
+        sinks.append(sink)
+    }
+
+}

Sources/SecretKit/Common/Types/Secret.swift

@@ -0,0 +1,23 @@
+import Foundation
+
+public protocol Secret: Identifiable, Hashable {
+
+    var name: String { get }
+    var algorithm: Algorithm { get }
+    var keySize: Int { get }
+    var publicKey: Data { get }
+
+}
+
+public enum Algorithm: Hashable {
+    case ellipticCurve
+    public init(secAttr: NSNumber) {
+        let secAttrString = secAttr.stringValue as CFString
+        switch secAttrString {
+        case kSecAttrKeyTypeEC:
+            self = .ellipticCurve
+        default:
+            fatalError()
+        }
+    }
+}

Sources/SecretKit/Common/Types/SecretStore.swift

@@ -0,0 +1,31 @@
+import Combine
+import Foundation
+
+public protocol SecretStore: ObservableObject, Identifiable {
+
+    associatedtype SecretType: Secret
+
+    var isAvailable: Bool { get }
+    var id: UUID { get }
+    var name: String { get }
+    var secrets: [SecretType] { get }
+
+    func sign(data: Data, with secret: SecretType, for provenance: SigningRequestProvenance) throws -> SignedData
+
+    func persistAuthentication(secret: SecretType, forDuration duration: TimeInterval) throws
+
+}
+
+public protocol SecretStoreModifiable: SecretStore {
+
+    func create(name: String, requiresAuthentication: Bool) throws
+    func delete(secret: SecretType) throws
+    func update(secret: SecretType, name: String) throws
+
+}
+
+extension NSNotification.Name {
+
+    static let secretStoreUpdated = NSNotification.Name("com.maxgoedjen.Secretive.secretStore.updated")
+
+}

Sources/SecretKit/Common/Types/SignedData.swift

@@ -0,0 +1,13 @@
+import Foundation
+
+public struct SignedData {
+
+    public let data: Data
+    public let requiredAuthentication: Bool
+
+    public init(data: Data, requiredAuthentication: Bool) {
+        self.data = data
+        self.requiredAuthentication = requiredAuthentication
+    }
+
+}

Sources/SecretKit/Common/Types/SigningRequestProvenance.swift

@@ -0,0 +1,53 @@
+import Foundation
+import AppKit
+
+public struct SigningRequestProvenance: Equatable {
+
+    public var chain: [Process]
+    public init(root: Process) {
+        self.chain = [root]
+    }
+
+}
+
+extension SigningRequestProvenance {
+
+    public var origin: Process {
+        chain.last!
+    }
+
+    public var intact: Bool {
+        chain.allSatisfy { $0.validSignature }
+    }
+
+}
+
+extension SigningRequestProvenance {
+
+    public struct Process: Equatable {
+
+        public let pid: Int32
+        public let processName: String
+        public let appName: String?
+        public let iconURL: URL?
+        public let path: String
+        public let validSignature: Bool
+        public let parentPID: Int32?
+
+        public init(pid: Int32, processName: String, appName: String?, iconURL: URL?, path: String, validSignature: Bool, parentPID: Int32?) {
+            self.pid = pid
+            self.processName = processName
+            self.appName = appName
+            self.iconURL = iconURL
+            self.path = path
+            self.validSignature = validSignature
+            self.parentPID = parentPID
+        }
+
+        public var displayName: String {
+            appName ?? processName
+        }
+
+    }
+
+}

Sources/SecretKit/SecureEnclave/SecureEnclave.swift

@@ -0,0 +1 @@
+public enum SecureEnclave {}

Sources/SecretKit/SecureEnclave/SecureEnclaveSecret.swift

@@ -0,0 +1,16 @@
+import Foundation
+import Combine
+
+extension SecureEnclave {
+
+    public struct Secret: SecretKit.Secret {
+
+        public let id: Data
+        public let name: String
+        public let algorithm = Algorithm.ellipticCurve
+        public let keySize = 256
+        public let publicKey: Data
+
+    }
+
+}

Sources/SecretKit/SecureEnclave/SecureEnclaveStore.swift

@@ -0,0 +1,267 @@
+import Foundation
+import Security
+import CryptoTokenKit
+import LocalAuthentication
+
+extension SecureEnclave {
+
+    public class Store: SecretStoreModifiable {
+
+        public var isAvailable: Bool {
+            // For some reason, as of build time, CryptoKit.SecureEnclave.isAvailable always returns false
+            // error msg "Received error sending GET UNIQUE DEVICE command"
+            // Verify it with TKTokenWatcher manually.
+            TKTokenWatcher().tokenIDs.contains("com.apple.setoken")
+        }
+        public let id = UUID()
+        public let name = NSLocalizedString("Secure Enclave", comment: "Secure Enclave")
+        @Published public private(set) var secrets: [Secret] = []
+
+        private var persistedAuthenticationContexts: [Secret: PersistentAuthenticationContext] = [:]
+
+        public init() {
+            DistributedNotificationCenter.default().addObserver(forName: .secretStoreUpdated, object: nil, queue: .main) { _ in
+                self.reloadSecrets(notify: false)
+            }
+            loadSecrets()
+        }
+
+        // MARK: Public API
+
+        public func create(name: String, requiresAuthentication: Bool) throws {
+            var accessError: SecurityError?
+            let flags: SecAccessControlCreateFlags
+            if requiresAuthentication {
+                flags = [.privateKeyUsage, .userPresence]
+            } else {
+                flags = .privateKeyUsage
+            }
+            let access =
+                SecAccessControlCreateWithFlags(kCFAllocatorDefault,
+                                                kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
+                                                flags,
+                                                &accessError) as Any
+            if let error = accessError {
+                throw error.takeRetainedValue() as Error
+            }
+
+            let attributes = [
+                kSecAttrLabel: name,
+                kSecAttrKeyType: Constants.keyType,
+                kSecAttrTokenID: kSecAttrTokenIDSecureEnclave,
+                kSecAttrApplicationTag: Constants.keyTag,
+                kSecPrivateKeyAttrs: [
+                    kSecAttrIsPermanent: true,
+                    kSecAttrAccessControl: access
+                ]
+            ] as CFDictionary
+
+            var privateKey: SecKey? = nil
+            var publicKey: SecKey? = nil
+            let status = SecKeyGeneratePair(attributes, &publicKey, &privateKey)
+            guard privateKey != nil, let pk = publicKey else {
+                throw KeychainError(statusCode: status)
+            }
+            try savePublicKey(pk, name: name)
+            reloadSecrets()
+        }
+
+        public func delete(secret: Secret) throws {
+            let deleteAttributes = [
+                kSecClass: kSecClassKey,
+                kSecAttrApplicationLabel: secret.id as CFData
+            ] as CFDictionary
+            let status = SecItemDelete(deleteAttributes)
+            if status != errSecSuccess {
+                throw KeychainError(statusCode: status)
+            }
+            reloadSecrets()
+        }
+
+        public func update(secret: Secret, name: String) throws {
+            let updateQuery = [
+                kSecClass: kSecClassKey,
+                kSecAttrApplicationLabel: secret.id as CFData
+            ] as CFDictionary
+
+            let updatedAttributes = [
+                kSecAttrLabel: name,
+            ] as CFDictionary
+
+            let status = SecItemUpdate(updateQuery, updatedAttributes)
+            if status != errSecSuccess {
+                throw KeychainError(statusCode: status)
+            }
+            reloadSecrets()
+        }
+
+        public func sign(data: Data, with secret: SecretType, for provenance: SigningRequestProvenance) throws -> SignedData {
+            let context: LAContext
+            if let existing = persistedAuthenticationContexts[secret], existing.valid {
+                context = existing.context
+            } else {
+                let newContext = LAContext()
+                newContext.localizedCancelTitle = "Deny"
+                context = newContext
+            }
+            context.localizedReason = "sign a request from \"\(provenance.origin.displayName)\" using secret \"\(secret.name)\""
+            let attributes = [
+                kSecClass: kSecClassKey,
+                kSecAttrKeyClass: kSecAttrKeyClassPrivate,
+                kSecAttrApplicationLabel: secret.id as CFData,
+                kSecAttrKeyType: Constants.keyType,
+                kSecAttrTokenID: kSecAttrTokenIDSecureEnclave,
+                kSecAttrApplicationTag: Constants.keyTag,
+                kSecUseAuthenticationContext: context,
+                kSecReturnRef: true
+                ] as CFDictionary
+            var untyped: CFTypeRef?
+            let status = SecItemCopyMatching(attributes, &untyped)
+            if status != errSecSuccess {
+                throw KeychainError(statusCode: status)
+            }
+            guard let untypedSafe = untyped else {
+                throw KeychainError(statusCode: errSecSuccess)
+            }
+            let key = untypedSafe as! SecKey
+            var signError: SecurityError?
+
+            let signingStartTime = Date()
+            guard let signature = SecKeyCreateSignature(key, .ecdsaSignatureMessageX962SHA256, data as CFData, &signError) else {
+                throw SigningError(error: signError)
+            }
+            let signatureDuration = Date().timeIntervalSince(signingStartTime)
+            // Hack to determine if the user had to authenticate to sign.
+            // Since there's now way to inspect SecAccessControl to determine (afaict).
+            let requiredAuthentication = signatureDuration > Constants.unauthenticatedThreshold
+
+            return SignedData(data: signature as Data, requiredAuthentication: requiredAuthentication)
+        }
+
+        public func persistAuthentication(secret: Secret, forDuration duration: TimeInterval) throws {
+            let newContext = LAContext()
+            newContext.localizedCancelTitle = "Deny"
+
+            let formatter = DateComponentsFormatter()
+            formatter.unitsStyle = .spellOut
+            formatter.allowedUnits = [.hour, .minute, .day]
+
+            if let durationString = formatter.string(from: duration) {
+                newContext.localizedReason = "unlock secret \"\(secret.name)\" for \(durationString)"
+            } else {
+                newContext.localizedReason = "unlock secret \"\(secret.name)\""
+            }
+            newContext.evaluatePolicy(LAPolicy.deviceOwnerAuthentication, localizedReason: newContext.localizedReason) { [weak self] success, _ in
+                guard success else { return }
+                let context = PersistentAuthenticationContext(secret: secret, context: newContext, duration: duration)
+                self?.persistedAuthenticationContexts[secret] = context
+            }
+        }
+
+    }
+
+}
+
+extension SecureEnclave.Store {
+
+    private func reloadSecrets(notify: Bool = true) {
+        secrets.removeAll()
+        loadSecrets()
+        if notify {
+            DistributedNotificationCenter.default().post(name: .secretStoreUpdated, object: nil)
+        }
+    }
+
+    private func loadSecrets() {
+        let attributes = [
+            kSecClass: kSecClassKey,
+            kSecAttrKeyType: SecureEnclave.Constants.keyType,
+            kSecAttrApplicationTag: SecureEnclave.Constants.keyTag,
+            kSecAttrKeyClass: kSecAttrKeyClassPublic,
+            kSecReturnRef: true,
+            kSecMatchLimit: kSecMatchLimitAll,
+            kSecReturnAttributes: true
+            ] as CFDictionary
+        var untyped: CFTypeRef?
+        SecItemCopyMatching(attributes, &untyped)
+        guard let typed = untyped as? [[CFString: Any]] else { return }
+        let wrapped: [SecureEnclave.Secret] = typed.map {
+            let name = $0[kSecAttrLabel] as? String ?? "Unnamed"
+            let id = $0[kSecAttrApplicationLabel] as! Data
+            let publicKeyRef = $0[kSecValueRef] as! SecKey
+            let publicKeyAttributes = SecKeyCopyAttributes(publicKeyRef) as! [CFString: Any]
+            let publicKey = publicKeyAttributes[kSecValueData] as! Data
+            return SecureEnclave.Secret(id: id, name: name, publicKey: publicKey)
+        }
+        secrets.append(contentsOf: wrapped)
+    }
+
+    private func savePublicKey(_ publicKey: SecKey, name: String) throws {
+        let attributes = [
+            kSecClass: kSecClassKey,
+            kSecAttrKeyType: SecureEnclave.Constants.keyType,
+            kSecAttrKeyClass: kSecAttrKeyClassPublic,
+            kSecAttrApplicationTag: SecureEnclave.Constants.keyTag,
+            kSecValueRef: publicKey,
+            kSecAttrIsPermanent: true,
+            kSecReturnData: true,
+            kSecAttrLabel: name
+            ] as CFDictionary
+        let status = SecItemAdd(attributes, nil)
+        if status != errSecSuccess {
+            throw SecureEnclave.KeychainError(statusCode: status)
+        }
+    }
+
+}
+
+extension SecureEnclave {
+
+    public struct KeychainError: Error {
+        public let statusCode: OSStatus
+    }
+
+    public struct SigningError: Error {
+        public let error: SecurityError?
+    }
+
+}
+
+extension SecureEnclave {
+
+    public typealias SecurityError = Unmanaged<CFError>
+
+}
+
+extension SecureEnclave {
+
+    enum Constants {
+        static let keyTag = "com.maxgoedjen.secretive.secureenclave.key".data(using: .utf8)! as CFData
+        static let keyType = kSecAttrKeyTypeECSECPrimeRandom
+        static let unauthenticatedThreshold: TimeInterval = 0.05
+    }
+
+}
+
+extension SecureEnclave {
+
+    private struct PersistentAuthenticationContext {
+
+        let secret: Secret
+        let context: LAContext
+        // Monotonic time instead of Date() to prevent people setting the clock back.
+        let expiration: UInt64
+
+        init(secret: Secret, context: LAContext, duration: TimeInterval) {
+            self.secret = secret
+            self.context = context
+            let durationInNanoSeconds = Measurement(value: duration, unit: UnitDuration.seconds).converted(to: .nanoseconds).value
+            self.expiration = clock_gettime_nsec_np(CLOCK_MONOTONIC) + UInt64(durationInNanoSeconds)
+        }
+
+        var valid: Bool {
+            clock_gettime_nsec_np(CLOCK_MONOTONIC) < expiration
+        }
+    }
+
+}

Sources/SecretKit/SmartCard/SmartCard.swift

@@ -0,0 +1 @@
+public enum SmartCard {}

Sources/SecretKit/SmartCard/SmartCardSecret.swift

@@ -0,0 +1,16 @@
+import Foundation
+import Combine
+
+extension SmartCard {
+
+    public struct Secret: SecretKit.Secret {
+
+        public let id: Data
+        public let name: String
+        public let algorithm: Algorithm
+        public let keySize: Int
+        public let publicKey: Data
+
+    }
+
+}

Sources/SecretKit/SmartCard/SmartCardStore.swift

@@ -0,0 +1,177 @@
+import Foundation
+import Security
+import CryptoTokenKit
+import LocalAuthentication
+
+// TODO: Might need to split this up into "sub-stores?"
+// ie, each token has its own Store.
+extension SmartCard {
+
+    public class Store: SecretStore {
+
+        @Published public var isAvailable: Bool = false
+        public let id = UUID()
+        public private(set) var name = NSLocalizedString("Smart Card", comment: "Smart Card")
+        @Published public private(set) var secrets: [Secret] = []
+        private let watcher = TKTokenWatcher()
+        private var tokenID: String?
+
+        public init() {
+            tokenID = watcher.nonSecureEnclaveTokens.first
+            watcher.setInsertionHandler { string in
+                guard self.tokenID == nil else { return }
+                guard !string.contains("setoken") else { return }
+
+                self.tokenID = string
+                self.reloadSecrets()
+                self.watcher.addRemovalHandler(self.smartcardRemoved, forTokenID: string)
+            }
+            if let tokenID = tokenID {
+                self.isAvailable = true
+                self.watcher.addRemovalHandler(self.smartcardRemoved, forTokenID: tokenID)
+            }
+            loadSecrets()
+        }
+
+        // MARK: Public API
+
+        public func create(name: String) throws {
+            fatalError("Keys must be created on the smart card.")
+        }
+
+        public func delete(secret: Secret) throws {
+            fatalError("Keys must be deleted on the smart card.")
+        }
+
+        public func sign(data: Data, with secret: SecretType, for provenance: SigningRequestProvenance) throws -> SignedData {
+            guard let tokenID = tokenID else { fatalError() }
+            let context = LAContext()
+            context.localizedReason = "sign a request from \"\(provenance.origin.displayName)\" using secret \"\(secret.name)\""
+            context.localizedCancelTitle = "Deny"
+            let attributes = [
+                kSecClass: kSecClassKey,
+                kSecAttrKeyClass: kSecAttrKeyClassPrivate,
+                kSecAttrApplicationLabel: secret.id as CFData,
+                kSecAttrTokenID: tokenID,
+                kSecUseAuthenticationContext: context,
+                kSecReturnRef: true
+                ] as CFDictionary
+            var untyped: CFTypeRef?
+            let status = SecItemCopyMatching(attributes, &untyped)
+            if status != errSecSuccess {
+                throw KeychainError(statusCode: status)
+            }
+            guard let untypedSafe = untyped else {
+                throw KeychainError(statusCode: errSecSuccess)
+            }
+            let key = untypedSafe as! SecKey
+            var signError: SecurityError?
+            let signatureAlgorithm: SecKeyAlgorithm
+            switch (secret.algorithm, secret.keySize) {
+            case (.ellipticCurve, 256):
+                signatureAlgorithm = .ecdsaSignatureMessageX962SHA256
+            case (.ellipticCurve, 384):
+                signatureAlgorithm = .ecdsaSignatureMessageX962SHA384
+            default:
+                fatalError()
+            }
+            guard let signature = SecKeyCreateSignature(key, signatureAlgorithm, data as CFData, &signError) else {
+                throw SigningError(error: signError)
+            }
+            return SignedData(data: signature as Data, requiredAuthentication: false)
+        }
+
+        public func persistAuthentication(secret: SmartCard.Secret, forDuration: TimeInterval) throws {
+        }
+
+    }
+
+}
+
+extension SmartCard.Store {
+
+    private func smartcardRemoved(for tokenID: String? = nil) {
+        self.tokenID = nil
+        reloadSecrets()
+    }
+
+    private func reloadSecrets() {
+        DispatchQueue.main.async {
+            self.isAvailable = self.tokenID != nil
+            self.secrets.removeAll()
+            self.loadSecrets()
+        }
+    }
+
+    private func loadSecrets() {
+        guard let tokenID = tokenID else { return }
+
+        let fallbackName = NSLocalizedString("Smart Card", comment: "Smart Card")
+        if #available(macOS 12.0, *) {
+            if let driverName = watcher.tokenInfo(forTokenID: tokenID)?.driverName {
+                name = driverName
+            } else {
+                name = fallbackName
+            }
+        } else {
+            // Hack to read name if there's only one smart card
+            let slotNames = TKSmartCardSlotManager().slotNames
+            if watcher.nonSecureEnclaveTokens.count == 1 && slotNames.count == 1 {
+                name = slotNames.first!
+            } else {
+                name = fallbackName
+            }
+        }
+
+        let attributes = [
+            kSecClass: kSecClassKey,
+            kSecAttrTokenID: tokenID,
+            kSecAttrKeyType: kSecAttrKeyTypeEC, // Restrict to EC
+            kSecReturnRef: true,
+            kSecMatchLimit: kSecMatchLimitAll,
+            kSecReturnAttributes: true
+            ] as CFDictionary
+        var untyped: CFTypeRef?
+        SecItemCopyMatching(attributes, &untyped)
+        guard let typed = untyped as? [[CFString: Any]] else { return }
+        let wrapped: [SmartCard.Secret] = typed.map {
+            let name = $0[kSecAttrLabel] as? String ?? "Unnamed"
+            let tokenID = $0[kSecAttrApplicationLabel] as! Data
+            let algorithm = Algorithm(secAttr: $0[kSecAttrKeyType] as! NSNumber)
+            let keySize = $0[kSecAttrKeySizeInBits] as! Int
+            let publicKeyRef = $0[kSecValueRef] as! SecKey
+            let publicKeySecRef = SecKeyCopyPublicKey(publicKeyRef)!
+            let publicKeyAttributes = SecKeyCopyAttributes(publicKeySecRef) as! [CFString: Any]
+            let publicKey = publicKeyAttributes[kSecValueData] as! Data
+            return SmartCard.Secret(id: tokenID, name: name, algorithm: algorithm, keySize: keySize, publicKey: publicKey)
+        }
+        secrets.append(contentsOf: wrapped)
+    }
+
+}
+
+extension TKTokenWatcher {
+
+    fileprivate var nonSecureEnclaveTokens: [String] {
+        tokenIDs.filter { !$0.contains("setoken") }
+    }
+
+}
+
+extension SmartCard {
+
+    public struct KeychainError: Error {
+        public let statusCode: OSStatus
+    }
+
+    public struct SigningError: Error {
+        public let error: SecurityError?
+    }
+
+}
+
+extension SmartCard {
+
+    public typealias SecurityError = Unmanaged<CFError>
+
+}