iOS 13: SecAccessControl flag kSecAccessControlApplicationPassword internal error when used with SecureEnclave kSecAttrTokenID

When attempting to generate a key pair using SecKeyGeneratePair to be stored in SecureEnclave whilst also supplying an kSecAccessControlApplicationPassword, an error code 26276 (Internal Error) is returned.


A corresponding log:

[client] Unable to connect to com.apple.setoken even after retries


Keypair generation would work when:

1) kSecAccessControlApplicationPassword is omitted

2) keypair generation does not use the kSecAttrTokenIDSecureEnclave


Sample code:

NSError *secError = NULL;
    SecAccessControlCreateFlags flags =
    kSecAccessControlApplicationPassword
    ;
    SecAccessControlRef accessControlRef = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
                                                                           kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
                                                                           flags,
                                                                           (CFErrorRef*)(__bridge void*)secError);
    if (secError != NULL) {
        NSLog(@"ERRORRRRRR: %@", secError.localizedDescription);
        return;
    }
    CFMutableDictionaryRef privateKeyParams = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
    CFDictionarySetValue(privateKeyParams, kSecAttrIsPermanent, kCFBooleanTrue);
    CFDictionarySetValue(privateKeyParams, kSecAttrAccessControl, accessControlRef);
    
    
    CFMutableDictionaryRef keygenParams = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
    CFDictionarySetValue(keygenParams, kSecAttrTokenID, kSecAttrTokenIDSecureEnclave);
    CFDictionarySetValue(keygenParams, kSecAttrKeyType, kSecAttrKeyTypeEC);
    int size = 256;
    CFNumberRef sizeInBitsNumberRef = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &size);
    CFDictionarySetValue(keygenParams, kSecAttrKeySizeInBits, sizeInBitsNumberRef);
    CFDictionarySetValue(keygenParams, kSecClass, kSecClassKey);
    CFDictionarySetValue(keygenParams, kSecPrivateKeyAttrs, privateKeyParams);
    CFDictionarySetValue(keygenParams, kSecAttrLabel , (__bridge CFStringRef)@"abcde");
    
    _context = [[LAContext alloc]init];
    CFDictionarySetValue(keygenParams, kSecUseAuthenticationContext, (__bridge const void *)(_context));
    SecKeyRef publicKey = NULL;
    OSStatus generationStatus = SecKeyGeneratePair(keygenParams, &publicKey, NULL);
    
    NSLog(@"Generation Status: %d", (int) generationStatus);

Usage of the combination flags below would fail as well:

    SecAccessControlCreateFlags flags =
    kSecAccessControlApplicationPassword
    | kSecAccessControlAnd
    | kSecAccessControlPrivateKeyUsage
    ;


Works as intended on existing iOS. Tested on iOS 13 beta 2.


Any feedback / help / suggestion is much appreciated! Filed a Feedback too.

Up vote post of mervyn.ong Down vote post of mervyn.ong
1.8k views
Posted by
mervyn.ong
Reply
Add a Comment

Replies

Hi, Anyone has any update on this or facing similar issues?

Posted by
mervyn.ong
Up vote reply of mervyn.ong Down vote reply of mervyn.ong
Add a Comment

I am encountering the same. Any updates?

Posted by
Nili at WatchDox
Up vote reply of Nili at WatchDox Down vote reply of Nili at WatchDox
Add a Comment

Am still waiting on a reply for this as well. Have not received any feedback from Apple yet.

Posted by
mervyn.ong
Up vote reply of mervyn.ong Down vote reply of mervyn.ong
Add a Comment

This appears to be resolved in beta 5 (at least on the iPad pro I'm using for testing).

Posted by
mnem
Up vote reply of mnem Down vote reply of mnem
Add a Comment

yes the issue is now resolved on the beta 5 release.

The bug that I filed has also been updated in its status to (Potential Fix identified)

Posted by
mervyn.ong
Up vote reply of mervyn.ong Down vote reply of mervyn.ong
Add a Comment