Secure Enclave: update SecAccessControlCreateFlags after key creation - ios

I am wondering if anyone knows whether it's possible to update the flags after the key creation inside the Secure Enclave or not?
Here's how I am creating the key:
let access = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
                                             kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
                                             [SecAccessControlCreateFlags.userPresence,
                                              SecAccessControlCreateFlags.privateKeyUsage],
                                             nil)!
let attributes: [String: Any] = [
    kSecAttrKeyType as String:       kSecAttrKeyTypeECSECPrimeRandom,
    kSecAttrKeySizeInBits as String: 256,
    kSecAttrTokenID as String:       kSecAttrTokenIDSecureEnclave,
    kSecPrivateKeyAttrs as String: [
        kSecAttrIsPermanent as String:    true,
        kSecAttrApplicationTag as String: "stacksometimesoverflow",
        kSecAttrAccessControl as String:  access
    ]
]
var error: Unmanaged<CFError>?
guard SecKeyCreateRandomKey(attributes as CFDictionary, &error) != nil else {
    throw error!.takeRetainedValue() as Error
}
As you can see, the key is created with
SecAccessControlCreateFlags.userPresence, SecAccessControlCreateFlags.privateKeyUsage
My question is, is it possible to update the access flag of the key (same key), say I want to remove SecAccessControlCreateFlags.userPresence?
All the best!
Johnny

I don't think that's possible. According to Apple's documentation:
... because its backing storage is physically part of the Secure Enclave, you can never inspect the key’s data.
I think the best way is to delete your key with SecItemDelete(_:) and then create a new key without the .userPresence flag.
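An added example (not code from the question or the answer) of the delete-and-recreate approach the answer recommends: a tag-scoped SecItemDelete followed by SecKeyCreateRandomKey with the new flag set. The tag and helper names are placeholders chosen here. Two things worth knowing before running it: SecItemDelete does not prompt for user presence, because the access control governs use of the key and not its removal, so .userPresence does not stop the app itself from replacing the key; and the Secure Enclave generates a fresh private key, so the public key changes as well and anything that enrolled the old one (a server, for example) must be re-enrolled, while data wrapped to the old key can no longer be unwrapped.

```swift
import Foundation
import Security

// Constructed placeholder; must be the same Data tag the old key was created with.
let enclaveKeyTag = "com.example.enclave.signing".data(using: .utf8)!

enum EnclaveKeyError: Error {
    case deleteFailed(OSStatus)
    case createFailed(Error?)
}

// Remove every Secure Enclave private key carrying the tag.
// errSecItemNotFound is not an error here: there may be nothing to replace yet.
func deleteEnclaveKey(tag: Data) throws {
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrKeyClass as String: kSecAttrKeyClassPrivate,
        kSecAttrApplicationTag as String: tag,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
    ]
    let status = SecItemDelete(query as CFDictionary)
    guard status == errSecSuccess || status == errSecItemNotFound else {
        throw EnclaveKeyError.deleteFailed(status)
    }
}

// Generate a new P-256 key in the Secure Enclave with the requested flags.
func createEnclaveKey(tag: Data, flags: SecAccessControlCreateFlags) throws -> SecKey {
    var error: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        flags,
        &error) else {
        throw EnclaveKeyError.createFailed(error?.takeRetainedValue() as Error?)
    }
    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: tag,
            kSecAttrAccessControl as String: access,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        throw EnclaveKeyError.createFailed(error?.takeRetainedValue() as Error?)
    }
    return key
}

// "Changing" the flags: the old key is deleted and a new key pair is created.
// The returned key has a different public key than the one it replaces.
func replaceEnclaveKey(tag: Data, newFlags: SecAccessControlCreateFlags) throws -> SecKey {
    try deleteEnclaveKey(tag: tag)
    return try createEnclaveKey(tag: tag, flags: newFlags)
}

// Usage: drop .userPresence and keep .privateKeyUsage, then export the new
// public key so it can be re-enrolled wherever the old one was registered.
let replaced = try replaceEnclaveKey(tag: enclaveKeyTag, newFlags: [.privateKeyUsage])
if let newPublic = SecKeyCopyPublicKey(replaced) {
    var exportError: Unmanaged<CFError>?
    let spki = SecKeyCopyExternalRepresentation(newPublic, &exportError) as Data?
    print("new public key (X9.63 point, base64):", spki?.base64EncodedString() ?? "export failed")
}
```

.privateKeyUsage stays in the new flag set because the Secure Enclave requires it on keys it generates; only the user-presence requirement is dropped.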

Related

How to move SecKey from app keychain to shared keychain group

I'm generating the private key in my iOS app for secure communication between server and app.
The private key is being stored in the keychain. In the new version of the app, I want to use the shared keychain group because of notification extensions. How do I transfer the private key that was stored in the app keychain to the shared group keychain? Below is the code I'm using to generate the private key:
func createPrivateKey(withLabel label: String) throws -> SecKey {
    let privateKeyAttrs: [String: Any] = [
        kSecAttrIsPermanent as String: true,
        kSecAttrApplicationLabel as String: label,
        kSecAttrAccessible as String: kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,
    ]
    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeRSA,
        kSecAttrKeySizeInBits as String: 2048,
        kSecPrivateKeyAttrs as String: privateKeyAttrs,
    ]
    var error: Unmanaged<CFError>?
    guard let privateKey = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        // swiftlint:disable:next force_unwrapping
        throw error!.takeRetainedValue() as Error
    }
    return privateKey
}
You'll have to specify the access group on creation, or update the existing keys with the new access group. After you've done that, you should set up the entitlements correctly, so that the apps and extensions you create can access the correct keychain access group. Read with care, as there is only a thin line between app groups and keychain sharing groups. Make sure you set up the correct one (documentation here).
As for your query
let accessGroup = "<# Your Team ID #>.com.example.SharedItems"
let attributes: [String: Any] = [
    kSecAttrKeyType as String: kSecAttrKeyTypeRSA,
    kSecAttrKeySizeInBits as String: 2048,
    kSecAttrAccessGroup as String: accessGroup,
    kSecPrivateKeyAttrs as String: privateKeyAttrs
]
That should create the query for creating keys for the access group you specify. I suppose you can figure out the update query yourself.
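An added example (not the answerer's code) of the update query the answer leaves to the reader: it moves the already-stored private key, matched by the application label the question's code sets, into the shared access group with SecItemUpdate, then reads it back through that group to confirm the move. The label, group string and function names are placeholders chosen here. It assumes the app's keychain-access-groups entitlement already lists the target group; if it does not, SecItemUpdate fails with errSecMissingEntitlement (-34018). The item keeps its kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly protection, which is the right class for this use: a notification service extension can run while the device is locked, and a WhenUnlocked item would be unreadable then.

```swift
import Foundation
import Security

// Constructed placeholders; the group must be "<TeamID>.<identifier>" and
// appear in both the app's and the extension's entitlements.
let keyLabel = "com.example.app.privatekey"
let sharedGroup = "ABCDE12345.com.example.SharedItems"

// Move the private key identified by `label` into `group`.
// The query omits kSecAttrAccessGroup on purpose: without it the search covers
// every group the app can reach, including the app-private group where the
// previous version stored the key.
func moveKey(label: String, toAccessGroup group: String) -> OSStatus {
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrKeyClass as String: kSecAttrKeyClassPrivate,
        kSecAttrApplicationLabel as String: label,
    ]
    let changes: [String: Any] = [
        kSecAttrAccessGroup as String: group,
    ]
    return SecItemUpdate(query as CFDictionary, changes as CFDictionary)
}

// Look the key up through the shared group only. This is the query the
// notification extension will run, so it must use the same label.
func privateKey(label: String, inAccessGroup group: String) -> SecKey? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrKeyClass as String: kSecAttrKeyClassPrivate,
        kSecAttrApplicationLabel as String: label,
        kSecAttrAccessGroup as String: group,
        kSecReturnRef as String: true,
    ]
    var item: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess,
          let found = item else {
        return nil
    }
    return (found as! SecKey)
}

// One-time migration on the first launch of the new version. Checking the
// shared group first makes the function safe to call on every launch.
func migrateKeyIfNeeded() -> Bool {
    if privateKey(label: keyLabel, inAccessGroup: sharedGroup) != nil {
        return true                       // already migrated
    }
    switch moveKey(label: keyLabel, toAccessGroup: sharedGroup) {
    case errSecSuccess:
        break
    case errSecItemNotFound:
        print("no private key to migrate; generate one in the shared group instead")
        return false
    case errSecMissingEntitlement:
        print("\(sharedGroup) is missing from the keychain-access-groups entitlement")
        return false
    case let status:
        print("SecItemUpdate failed with OSStatus \(status)")
        return false
    }
    // Verify through the shared group before the old lookup path is retired.
    return privateKey(label: keyLabel, inAccessGroup: sharedGroup) != nil
}

print("migrated:", migrateKeyIfNeeded())
```

Run the migration in the host app, not in the extension: the extension has no reason to hold write access to the app-private group, and the app is the only place the old item can be found.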

Why am I getting errSecParam (-50) back from trying to save a key to keychain?

I have the following code, following this guide: storing_keys_in_the_keychain.
func generateInitialKey() -> Data {
    let key = AES256.randomKey()
    let addQuery: Dictionary<String, Any> = [
        kSecClass as String: kSecClassKey,
        kSecAttrApplicationTag as String: applicationTag,
        kSecValueRef as String: key
    ]
    let status = SecItemAdd(addQuery as CFDictionary, nil)
    print(errSecParam, status)
    guard status == errSecSuccess else { fatalError("Can't save Key") }
    return key
}
The function AES256.randomKey() generates Data of 64 bytes. The applicationTag is Data too:
let applicationTag = "example".data(using: .utf8)!
However, I do end up receiving the errSecParam(-50) error. Can someone help me out?
Read the documentation carefully. errSecParam(-50) means one or more parameters passed to the function were not valid. The link leads you to the site where you can see the description of the status.
At a minimum, you specify the type and size of keys to create using the kSecAttrKeyType and kSecAttrKeySizeInBits parameters, respectively.
This will result in you having the next problem: there is no kSecAttrKeyTypeAES. This is already discussed and answered on the Apple developer forums. The advice there is to use kSecClassGenericPassword.
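An added example (not the answerer's code) of the generic-password route the answer points to: a random 32-byte key (the length AES-256 uses) stored under kSecClassGenericPassword with the raw bytes in kSecValueData, read back the same way. The service and account strings are constructed placeholders. The save handles errSecDuplicateItem by updating the existing item, so a second run does not fail the way a bare SecItemAdd would.

```swift
import Foundation
import Security

// Constructed placeholders; service + account form the identity of a
// generic-password item, so they must be unique per key you store.
let keyService = "com.example.app.aes"
let keyAccount = "content-encryption-key"

enum KeyStoreError: Error {
    case randomFailed(Int32)
    case keychain(OSStatus)
}

// 32 bytes from the system CSPRNG.
func makeAES256Key() throws -> Data {
    var bytes = [UInt8](repeating: 0, count: 32)
    let rc = SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes)
    guard rc == errSecSuccess else { throw KeyStoreError.randomFailed(rc) }
    return Data(bytes)
}

// Attributes every call shares; kSecClassGenericPassword replaces the
// kSecClassKey attempt that needs a key type the framework does not have for AES.
private func baseQuery() -> [String: Any] {
    return [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keyService,
        kSecAttrAccount as String: keyAccount,
    ]
}

// Store the key bytes. On errSecDuplicateItem fall back to SecItemUpdate so
// the function is idempotent.
func saveKey(_ key: Data) throws {
    var add = baseQuery()
    add[kSecValueData as String] = key
    // Usable after first unlock (background work) and never migrated to
    // another device via backup or restore.
    add[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
    let status = SecItemAdd(add as CFDictionary, nil)
    if status == errSecDuplicateItem {
        let changes: [String: Any] = [kSecValueData as String: key]
        let updated = SecItemUpdate(baseQuery() as CFDictionary, changes as CFDictionary)
        guard updated == errSecSuccess else { throw KeyStoreError.keychain(updated) }
        return
    }
    guard status == errSecSuccess else { throw KeyStoreError.keychain(status) }
}

// Read the key bytes back; nil means no item has been stored yet.
func loadKey() throws -> Data? {
    var query = baseQuery()
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    if status == errSecItemNotFound { return nil }
    guard status == errSecSuccess else { throw KeyStoreError.keychain(status) }
    return item as? Data
}

// Create the key on first use and reuse it on every later launch.
func loadOrCreateKey() throws -> Data {
    if let existing = try loadKey() { return existing }
    let fresh = try makeAES256Key()
    try saveKey(fresh)
    return fresh
}

let key = try loadOrCreateKey()
print("key length:", key.count)   // 32
```

The key never appears in kSecAttrGeneric, kSecAttrLabel or any other attribute: attributes are metadata and are stored unencrypted in the keychain database, whereas kSecValueData is the encrypted payload.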

Delete Private Key from Keychain

For the past few days, I have been working on trying to delete a generated private key from the keychain. I have been doing my best to follow the documentation Apple provides to delete keys, which you can find here, but I haven't been able to figure out where I am going wrong. Below is my current code for it:
func deleteKey() {
    var secret: AnyObject?
    // Retrieve Private Key
    let tag = "tag".data(using: .utf8)!
    print(secret)
    let getQuery: [String: Any] = [
        kSecClass as String: kSecClassKey,              // This is a query we make to find the Private key in the keychain based off the input we put inside of it
        kSecAttrApplicationTag as String: tag,          // We use the tag to search for our saved Private key in the keychain as it is unique
        kSecAttrKeyType as String: kSecAttrKeyTypeRSA,  // This says the key will be of type RSA
        kSecReturnRef as String: kCFBooleanTrue,        // This says to return a reference to the key, and not the key data itself
    ]
    let status = SecItemCopyMatching(getQuery as CFDictionary, &secret)
    print(secret!)
    let delQuery: [String: Any] = [
        kSecMatchItemList as String: secret,            // Key to delete
    ]
    let delStatus = SecItemDelete(delQuery as CFDictionary)
    guard delStatus == errSecSuccess || delStatus == errSecItemNotFound else {
        print(delStatus)
        print("Error")
        return
    }
    print("success")
}
My delStatus variable keeps on returning "-50", which I know means there is something wrong with my search parameters in the query, but I honestly can not figure it out. While I wait for an answer, I will keep trying to figure it out, but any help would be greatly appreciated. Thanks in advance.
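An added example, not the asker's code and not an answer posted on this page. The Security framework documents kSecMatchItemList as taking a CFArray of item references, and documents kSecValuePersistentRef as the way to name one previously found item in a SecItemDelete query. The block below keeps the asker's two-step shape (look the key up, then delete it) but asks for a persistent reference and finishes by checking that the key is really gone. The tag is a constructed placeholder and must be the same Data the key was created with.

```swift
import Foundation
import Security

// Constructed placeholder.
let privateKeyTag = "com.example.app.rsa".data(using: .utf8)!

// Step 1: find the private key and request a persistent reference, an opaque
// Data value that identifies exactly this keychain item.
func persistentRef(forTag tag: Data) -> (ref: Data?, status: OSStatus) {
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrKeyType as String: kSecAttrKeyTypeRSA,
        kSecAttrKeyClass as String: kSecAttrKeyClassPrivate,
        kSecAttrApplicationTag as String: tag,
        kSecReturnPersistentRef as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    return (item as? Data, status)
}

// Step 2: delete that one item. A persistent reference names a single item,
// so this cannot remove more than intended even if several keys share a tag.
func deleteKey(persistentRef ref: Data) -> OSStatus {
    let query: [String: Any] = [
        kSecValuePersistentRef as String: ref,
    ]
    return SecItemDelete(query as CFDictionary)
}

// Step 3: confirm by searching again; errSecItemNotFound is the expected result.
func keyStillExists(tag: Data) -> Bool {
    return persistentRef(forTag: tag).status == errSecSuccess
}

// Returns true when no private key with the tag remains afterwards.
func deletePrivateKey(tag: Data) -> Bool {
    let lookup = persistentRef(forTag: tag)
    switch lookup.status {
    case errSecItemNotFound:
        return true                       // nothing to delete
    case errSecSuccess:
        guard let ref = lookup.ref else { return false }
        let deleted = deleteKey(persistentRef: ref)
        guard deleted == errSecSuccess || deleted == errSecItemNotFound else {
            print("SecItemDelete failed with OSStatus \(deleted)")
            return false
        }
        return !keyStillExists(tag: tag)
    default:
        print("SecItemCopyMatching failed with OSStatus \(lookup.status)")
        return false
    }
}

print("private key removed:", deletePrivateKey(tag: privateKeyTag))
```

If the matching public key was also stored as a permanent item, it is a separate kSecClassKey entry with kSecAttrKeyClassPublic and is left in place by this function; delete it the same way under its own tag.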

iOS: Error when creating encryption keys in unit test

I have the following code which creates a key pair in the secure enclave.
let access = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
                                             kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
                                             .privateKeyUsage,
                                             nil)!
var attributes: [String: Any] = [
    kSecAttrKeyType as String: encryptionType,
    kSecAttrKeySizeInBits as String: encryptionBits,
    kSecPrivateKeyAttrs as String: [
        kSecAttrIsPermanent as String: true,
        kSecAttrApplicationTag as String: "abc".data(using: .utf8) as Any,
        kSecAttrAccessControl as String: access,
    ],
]
if Device.hasSecureEnclave {
    attributes[kSecAttrTokenID as String] = kSecAttrTokenIDSecureEnclave
}
var error: Unmanaged<CFError>?
SecKeyCreateRandomKey(attributes as CFDictionary, &error)
When running in a simulator or on the device it works just fine. But when I run it in a unit test, an error is returned from the SecKeyCreateRandomKey call:
Error Domain=NSOSStatusErrorDomain Code=-50
"Key generation failed, error -50" UserInfo={NSDescription=Key generation failed, error -50}
After trying a few things I found that the problem was the kSecAttrIsPermanent key in the attributes dictionary. If I remove it, the unit tests run fine.
All the doco I've read indicates it should be ok, but it's failing every time.
Anyone know why?
You may have already seen this:
http://www.openradar.me/36809637
I have the exact same issue and there was nothing in the Xcode 9.3 (beta) release notes to suggest it's been fixed.

SecKeyRef to base64 and back in swift

I am trying to generate a public/private pair of keys on the device and store them in the keychain.
Since I am using Swift I will use a library to interact with the keychain. This is the one I found for that: https://github.com/matthewpalmer/Locksmith.
What I need to do after I generate the keys is to convert them both to base64 and then store them in the keychain, and afterwards recreate both keys using the base64 string from the keychain.
Using the Locksmith library this should be something like this.
Locksmith.saveData(["publicKeyKey": "publicKeyBase64data"], forUserAccount: "myUserAccount")
To generate the keys i use the following code
public func GenerateKeys() -> [SecKey] {
    let keySize = 2048
    var publicKey: SecKey?
    var privateKey: SecKey?
    // Application tags are documented as Data, so encode the strings.
    let publicKeyParameters: [String: Any] = [
        kSecAttrIsPermanent as String: true,
        kSecAttrApplicationTag as String: "com.site.key.public".data(using: .utf8)!
    ]
    let privateKeyParameters: [String: Any] = [
        kSecAttrIsPermanent as String: true,
        kSecAttrApplicationTag as String: "com.site.key.private".data(using: .utf8)!
    ]
    let parameters: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeRSA,
        kSecAttrKeySizeInBits as String: keySize,
        kSecPublicKeyAttrs as String: publicKeyParameters,
        kSecPrivateKeyAttrs as String: privateKeyParameters
    ]
    let result = SecKeyGeneratePair(parameters as CFDictionary, &publicKey, &privateKey)
    // Only unwrap after checking the status; a failed generation leaves both nil.
    guard result == errSecSuccess, let pub = publicKey, let priv = privateKey else {
        return []
    }
    return [pub, priv]
}
I am able to generate the keys successfully but I can't figure out how to convert them to base64 and back. So I have the SecKeyRef objects but don't really know how to continue.
Most of the code I have found already is in Objective-C, which I am not so familiar with.
Any kind of help is appreciated.
Thanks
You don't really need another keychain provider. You have set the kSecAttrIsPermanent parameter to true, so according to Apple's documentation the key pair is already stored in the default keychain.
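An added example (not the answerer's code) that builds on the answer's point: because both keys were generated with kSecAttrIsPermanent set to true, they can be fetched by tag with SecItemCopyMatching, and the base64 conversion the question asks about is SecKeyCopyExternalRepresentation one way and SecKeyCreateWithData the other. For RSA the external representation is PKCS#1 DER, which server-side tooling can consume directly. The tags mirror those in the question; the function and error names are placeholders chosen here. Only the public key should ever be exported this way: a private key that leaves the keychain as a string has lost the keychain's protection.

```swift
import Foundation
import Security

// Tags matching the question's code (as Data, which is what the attribute expects).
let publicTag = "com.site.key.public".data(using: .utf8)!
let privateTag = "com.site.key.private".data(using: .utf8)!

enum KeyExportError: Error {
    case notFound(OSStatus)
    case exportFailed(Error?)
    case badBase64
    case importFailed(Error?)
}

// Fetch a permanent RSA key from the keychain by tag and key class.
func fetchKey(tag: Data, keyClass: CFString) throws -> SecKey {
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrKeyType as String: kSecAttrKeyTypeRSA,
        kSecAttrKeyClass as String: keyClass,
        kSecAttrApplicationTag as String: tag,
        kSecReturnRef as String: true,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let found = item else {
        throw KeyExportError.notFound(status)
    }
    return (found as! SecKey)
}

// SecKey -> base64 string of the PKCS#1 DER encoding.
func base64(from key: SecKey) throws -> String {
    var error: Unmanaged<CFError>?
    guard let der = SecKeyCopyExternalRepresentation(key, &error) else {
        throw KeyExportError.exportFailed(error?.takeRetainedValue() as Error?)
    }
    return (der as Data).base64EncodedString()
}

// base64 string -> SecKey. The attributes must state the type, class and size,
// because the raw DER carries none of that metadata for the framework.
func rsaKey(fromBase64 string: String, keyClass: CFString, bits: Int = 2048) throws -> SecKey {
    guard let der = Data(base64Encoded: string) else { throw KeyExportError.badBase64 }
    let attrs: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeRSA,
        kSecAttrKeyClass as String: keyClass,
        kSecAttrKeySizeInBits as String: bits,
    ]
    var error: Unmanaged<CFError>?
    guard let key = SecKeyCreateWithData(der as CFData, attrs as CFDictionary, &error) else {
        throw KeyExportError.importFailed(error?.takeRetainedValue() as Error?)
    }
    return key
}

// Round trip: export the stored public key, rebuild it from the string, and
// check that the rebuilt copy verifies a signature made by the stored private key.
func publicKeyRoundTripWorks() throws -> Bool {
    let priv = try fetchKey(tag: privateTag, keyClass: kSecAttrKeyClassPrivate)
    let pub = try fetchKey(tag: publicTag, keyClass: kSecAttrKeyClassPublic)
    let encoded = try base64(from: pub)
    let rebuilt = try rsaKey(fromBase64: encoded, keyClass: kSecAttrKeyClassPublic)

    let message = Data("constructed test message".utf8)
    let algorithm: SecKeyAlgorithm = .rsaSignatureMessagePKCS1v15SHA256
    var error: Unmanaged<CFError>?
    guard let signature = SecKeyCreateSignature(priv, algorithm, message as CFData, &error) else {
        throw KeyExportError.exportFailed(error?.takeRetainedValue() as Error?)
    }
    return SecKeyVerifySignature(rebuilt, algorithm, message as CFData, signature, &error)
}

print("rebuilt public key verifies:", try publicKeyRoundTripWorks())
```

Verifying a signature with the rebuilt key, rather than comparing strings, is the check that matters: it proves the imported object is the same public key and that the type and class attributes given to SecKeyCreateWithData were right.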
