We are trying to retrieve a certificate and private key pair from the keychain. These may not be generated locally on the Mac but added to the keychain by some MDM product like Jamf etc. Initially I tried to retrieve using the identity, but couldn't search with the identity, and as per the notes from other discussions, how the identity is calculated is different in macOS, so I couldn't retrieve it.
Then I tried to retrieve the key first, but even for that I couldn't see any attributes I can use to select by a specific parameter like "issued by" etc. So I tried to retrieve one SecKeyRef object and use it as shown below:
#import <Security/Security.h>

NSMutableDictionary *queryPrivateKey = [NSMutableDictionary dictionary];
[queryPrivateKey setObject:(id)kSecClassKey forKey:(id)kSecClass];
[queryPrivateKey setObject:(id)kSecAttrKeyTypeRSA forKey:(id)kSecAttrKeyType];
// without kSecAttrKeyClassPrivate the first match may be an RSA public key
[queryPrivateKey setObject:(id)kSecAttrKeyClassPrivate forKey:(id)kSecAttrKeyClass];
[queryPrivateKey setObject:[NSNumber numberWithBool:YES] forKey:(id)kSecReturnRef];
SecKeyRef privateKeyReference = NULL;
OSStatus sanityCheck = SecItemCopyMatching((CFDictionaryRef)queryPrivateKey, (CFTypeRef *)&privateKeyReference);
if (sanityCheck != noErr)
{
    privateKeyReference = NULL;
    return;
}
size_t signedHashBytesSize = SecKeyGetBlockSize(privateKeyReference);   // 256 for a 2048-bit RSA key
SecKeyRef publicKey = SecKeyCopyPublicKey(privateKeyReference);
And signedHashBytesSize shows as 256 and publicKey is also not null, but I couldn't export any of the above using SecItemExport or convert the private key to NSData using SecKeyCopyExternalRepresentation etc.
So could you please let me know how to search for a specific identity or a specific key, from which we can export both the public key and the private key in some OpenSSL format so that it can be used to sign.
I am trying to retrieve the public key and private key from the Mac keychain and convert them into PEM format, which will be used by another process.
I am using the following code snippet to retrieve the private key:
OSStatus status;
NSMutableDictionary *query = [NSMutableDictionary dictionary];
[query setObject:(__bridge id)kSecClassKey forKey:(__bridge id)kSecClass];
[query setObject:(__bridge id)kCFBooleanTrue forKey:(__bridge id)kSecReturnRef];
// kSecMatchLimitOne: with kSecMatchLimitAll the result is a CFArrayRef, not a SecKeyRef
[query setObject:(__bridge id)kSecMatchLimitOne forKey:(__bridge id)kSecMatchLimit];
[query setObject:@"<label>" forKey:(__bridge id)kSecAttrLabel];
SecKeyRef keyRef = NULL;
status = SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef *)&keyRef);
if (status != errSecSuccess) {
    CFStringRef errorRef = SecCopyErrorMessageString(status, NULL);
    NSLog(@"%s: %@", __FUNCTION__, (__bridge NSString *)errorRef);
    if (errorRef) CFRelease(errorRef);
    return;
}
I got a non-null SecKeyRef object, and no error. I verified the label previously by printing the attributes.
But I cannot use this SecKeyRef for any other operations like getting the public key using SecKeyCopyPublicKey, nor can I convert it into OpenSSL format using SecKeyCopyExternalRepresentation or SecItemExport.
For SecKeyCopyExternalRepresentation, I am getting an "export not implemented for key" error.
And with SecItemExport I am getting a -25260 error.
CFDataRef exported = NULL;                      // SecItemExport writes a CFDataRef, not an NSData *
SecItemImportExportKeyParameters params;
memset(&params, 0, sizeof(params));             // leave the unused fields zeroed
params.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;
params.passphrase = CFSTR("<pwd>");
status = SecItemExport(keyRef, kSecFormatPEMSequence, kSecItemPemArmour, &params, &exported);
NSData *data = exported ? CFBridgingRelease(exported) : nil;
Could you please let me know if I am missing some other code that is causing the issue.
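Serving both keychain posts above (finding a specific identity, and getting the key pair out in a form OpenSSL can read), here is an added example; it is not the poster's code nor Apple sample code. It assumes ARC, and the label "<label>" and passphrase "<pwd>" are placeholders. It looks up an identity (certificate plus private key) rather than a bare key, exports it as passphrase-protected PKCS#12 when the keychain allows that, and otherwise keeps the private key inside the keychain and signs in-process, which is the behaviour to expect for an MDM-provisioned identity whose key is marked non-extractable. The certificate, and so the public key, can always be handed to the other process as DER.

```objective-c
// Added example, not the poster's code. Build with:
//   clang -fobjc-arc -framework Foundation -framework Security keychain_identity.m
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#include <string.h>

// Look up one identity (cert + private key) by its keychain label.
// For MDM-installed identities, kSecMatchSubjectContains with part of the
// subject name is an alternative when the label is not known.
static SecIdentityRef CopyIdentityWithLabel(NSString *label) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:      (__bridge id)kSecClassIdentity,
        (__bridge id)kSecAttrLabel:  label,
        (__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitOne,
        (__bridge id)kSecReturnRef:  @YES,
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess) {
        CFStringRef msg = SecCopyErrorMessageString(status, NULL);
        NSLog(@"identity lookup failed: %@", (__bridge NSString *)msg);
        if (msg) CFRelease(msg);
        return NULL;
    }
    return (SecIdentityRef)result;            // caller owns the reference
}

// Export key + certificate as passphrase-protected PKCS#12, which openssl
// reads directly ("openssl pkcs12 -in identity.p12"). Returns nil when the
// key's ACL forbids export, the expected outcome for non-extractable keys.
static NSData *ExportIdentityAsPKCS12(SecIdentityRef identity, NSString *passphrase) {
    SecItemImportExportKeyParameters params;
    memset(&params, 0, sizeof(params));       // unused fields must be zero
    params.version    = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;
    params.passphrase = (__bridge CFTypeRef)passphrase;
    CFDataRef exported = NULL;                // SecItemExport takes CFDataRef *
    OSStatus status = SecItemExport(identity, kSecFormatPKCS12, 0, &params, &exported);
    if (status != errSecSuccess) {
        NSLog(@"export refused (%d); key is probably non-extractable", (int)status);
        return nil;
    }
    return CFBridgingRelease(exported);
}

// Fallback: sign inside this process so the private key never leaves the
// keychain, which is the property a non-extractable MDM key is meant to keep.
static NSData *SignWithIdentity(SecIdentityRef identity, NSData *message) {
    SecKeyRef privateKey = NULL;
    if (SecIdentityCopyPrivateKey(identity, &privateKey) != errSecSuccess) return nil;
    CFErrorRef error = NULL;
    CFDataRef sig = SecKeyCreateSignature(privateKey,
                                          kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256,
                                          (__bridge CFDataRef)message, &error);
    CFRelease(privateKey);
    if (!sig) {
        NSLog(@"signing failed: %@", (__bridge NSError *)error);
        if (error) CFRelease(error);
        return nil;
    }
    return CFBridgingRelease(sig);
}

// The certificate is always exportable; the other process can pull the public
// key out of it with "openssl x509 -inform DER -in cert.der -pubkey -noout".
static NSData *CopyCertificateDER(SecIdentityRef identity) {
    SecCertificateRef cert = NULL;
    if (SecIdentityCopyCertificate(identity, &cert) != errSecSuccess) return nil;
    NSData *der = CFBridgingRelease(SecCertificateCopyData(cert));
    CFRelease(cert);
    return der;
}

int main(void) {
    @autoreleasepool {
        SecIdentityRef identity = CopyIdentityWithLabel(@"<label>");   // placeholder label
        if (!identity) return 1;
        NSData *p12 = ExportIdentityAsPKCS12(identity, @"<pwd>");      // placeholder passphrase
        if (p12) {
            [p12 writeToFile:@"identity.p12" atomically:YES];
        } else {
            // Non-extractable key: keep signing here and ship only the certificate.
            NSData *msg = [@"constructed sample message" dataUsingEncoding:NSUTF8StringEncoding];
            NSData *sig = SignWithIdentity(identity, msg);
            NSLog(@"signature length: %lu bytes", (unsigned long)sig.length);
            [CopyCertificateDER(identity) writeToFile:@"cert.der" atomically:YES];
        }
        CFRelease(identity);
    }
    return 0;
}
```

The design point is the fallback path: when SecItemExport refuses the identity, that refusal is the keychain ACL doing its job, so the workable architecture is to move the signing step into the process that holds the keychain access rather than moving the private key to the other process.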
In a Big Sur machine, we have a local proxy running and we are using manual system proxy settings (127.0.0.1 and port) to redirect connections to the local proxy. The redirection works fine for Chrome, Firefox and the majority of apps. But Safari and a few apps' connections are not being redirected to the local proxy, and in Safari for any website access we straight away see a "cannot find server" error.
But if the proxy settings are added in a local PAC file
function FindProxyForURL(url, host) {
    return "PROXY 127.0.0.1:<port number>";
}
and this PAC file is used as the Automatic Proxy Configuration URL (instead of manual settings), then everything works fine, including Safari and other apps.