Reply to SecKeyCreateDecryptedDataWithParameters always fails with algo not supported
That was it, Quinn. Thanks for the response.

The appex extension set the correct operation, as you saw in the private key attributes, but the missing implementation (within the CTK appex) was this: the delegate has to implement the tokenSession(_:supports:keyObjectID:algorithm:) method. This determines what algorithms it supports. In the Yubico Authenticator appex extension, that method only returned true for .signData. I added support for .signData and .decryptData. Now, calling SecKeyCreateDecryptedData from a 3rd party app triggers the appex tokenSession(_:decrypt:keyObjectID:algorithm:) method correctly and shows the supported algorithms for that specific private key.

The CTK appex is a game changer and is exactly what is needed to support an external PIV smart card like the YubiKey. The Yubico Authenticator handles all the operations with different limits on each certificate and performs the appropriate crypto actions (signing, decryption) within the various slots within the YubiKey without the associated private key ever leaving the device.

Thanks again. Resolved.
Topic: Privacy & Security SubTopic: General Tags:
Apr ’25
Reply to SecKeyCreateDecryptedDataWithParameters always fails with algo not supported
Thanks for the response. I should have clarified this earlier, but we are using “persistent tokens” from a 3rd party Smart Card App Extension.

In the code attached, I do make use of SecKeyCopyPublicKey. I retrieve a SecIdentity based on the certificate and associated private key (pointer) using SecItemCopyMatching to query the keychain. I then use SecIdentityCopyPrivateKey to get the private key and then SecKeyCopyPublicKey to retrieve the public key. I use that public key to encrypt the message using SecKeyCreateEncryptedData. I then pass the private key reference and the algorithm used to the decryption API, SecKeyCreateDecryptedData.

As for the Smart Card Token App Extension: we are using the Yubico Authenticator (YA) Apple App Store application, which acts as the 3rd party Smart Card App Extension. I’m building a solution to provide encryption/decryption based on those tokens generated by the 3rd party CTK Extension. The YA app, as a token extension, adds persistent tokens to the keychain, and they are made available (visible) to any 3rd party apps by adding an entitlement of **Keychain Access Group: com.apple.token**. The encryption/decryption app solution is treating the Yubico Authenticator app as a 3rd party app and not in my appex, but I do have access to the source code of the Yubico Authenticator Token Extension to make changes, if needed.

BTW - The solution works great when calling SecKeyCreateSignature and passing the SAME private key reference from my app. Calling SecKeyCreateSignature immediately notifies the user to interact with the Yubico Authenticator app (via local push notifications) to perform the signing with the private key residing on the YubiKey. The signed blob is returned to the calling app. I'm 100% sure the private key is valid and capable of decryption because I can send the same private key for a signature but, in the YA app, treat it like a decryption, and the plain text is returned to the app. It's just not working with SecKeyCreateDecryptedData.
Here are the attributes of the private key reference when I specify kSecReturnAttributes in a SecItemCopyMatching query.

```
// kSecReturnAttributes (true)
Private key found: {
    UUID = "47DC7D0B-C97A-4FE6-8C56-B53EAF30E848";
    accc = "<SecAccessControlRef: tkid(com.yubico.Authenticator.TokenExtension:972BC027C9E349CFA63856C2A2968F16XXXXX71564A94570EE131DEA92E9BB0F);od(true)>";
    agrp = "com.apple.token";
    atag = {length = 64, bytes = 0x39373242 43303237 43394533 34394346 ... 39324539 42423046 };
    bsiz = 2048;
    cdat = "2025-04-11 20:06:11 +0000";
    class = keys;
    crtr = 0;
    decr = 1;
    drve = 1;
    edat = "2001-01-01 00:00:00 +0000";
    esiz = 0;
    kcls = 1;
    klbl = {length = 20, bytes = 0x550a1dc9b2030d43d574af1e156db84dd1c2ab53};
    labl = 972BC027C9E349CFA63856C2A2968F16XXXXX71564A94570EE131DEA92E9BB0F;
    mdat = "2025-04-11 20:06:11 +0000";
    musr = {length = 0, bytes = 0x};
    pdmn = dk;
    priv = 1;
    sdat = "2001-01-01 00:00:00 +0000";
    sha1 = {length = 20, bytes = 0xda1fe302bd2aeafdcfcb8cebe987e6520799a205};
    sign = 1;
    sync = 0;
    tkid = "com.yubico.Authenticator.TokenExtension:972BC027C9E349CFA63856C2A2968F16XXXXX71564A94570EE131DEA92E9BB0F";
    tomb = 0;
    type = 42;
    unwp = 1;
    "v_Ref" = "<SecKeyRef:('com.yubico.Authenticator.TokenExtension:972BC027C9E349CFA63856C2A2968F16XXXXX71564A94570EE131DEA92E9BB0F') 0x303ba4f10>";
}
```
Topic: Privacy & Security SubTopic: General Tags:
Apr ’25
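The round trip described in the reply above, with a support check before each operation, as an added example (not code from the posts or from Yubico Authenticator). The function name `roundTrip` and the `RoundTripError` type are hypothetical, the caller chooses the algorithm, and the example assumes that for a token-backed key the `.decrypt` check reflects what the extension's tokenSession(_:supports:keyObjectID:algorithm:) reports rather than the `decr = 1` attribute on the keychain item.

```swift
import Foundation
import Security

// Hypothetical error type for this example.
enum RoundTripError: Error {
    case noPrivateKey(OSStatus)
    case noPublicKey
    case unsupported(SecKeyOperationType, SecKeyAlgorithm)
    case security(CFError)
}

/// Encrypts `message` to the identity's public key, then decrypts it with the
/// (possibly token-backed) private key, checking algorithm support first so an
/// unsupported operation is reported before any ciphertext is produced.
func roundTrip(identity: SecIdentity,
               message: Data,
               algorithm: SecKeyAlgorithm) throws -> Data {
    var keyRef: SecKey?
    let status = SecIdentityCopyPrivateKey(identity, &keyRef)
    guard status == errSecSuccess, let privateKey = keyRef else {
        throw RoundTripError.noPrivateKey(status)
    }
    guard let publicKey = SecKeyCopyPublicKey(privateKey) else {
        throw RoundTripError.noPublicKey
    }

    // Encryption uses the public key only; no token interaction is needed.
    guard SecKeyIsAlgorithmSupported(publicKey, .encrypt, algorithm) else {
        throw RoundTripError.unsupported(.encrypt, algorithm)
    }
    // A key can sign successfully and still fail here: support is reported
    // per operation and per algorithm.
    guard SecKeyIsAlgorithmSupported(privateKey, .decrypt, algorithm) else {
        throw RoundTripError.unsupported(.decrypt, algorithm)
    }

    var error: Unmanaged<CFError>?
    guard let ciphertext = SecKeyCreateEncryptedData(
        publicKey, algorithm, message as CFData, &error) else {
        throw RoundTripError.security(error!.takeRetainedValue())
    }
    // For a token-backed key this call is forwarded to the token extension;
    // the private key material stays on the device.
    guard let plaintext = SecKeyCreateDecryptedData(
        privateKey, algorithm, ciphertext, &error) else {
        throw RoundTripError.security(error!.takeRetainedValue())
    }
    return plaintext as Data
}
```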