Create a SecKey from PKCS#8 (.p8 file)

Hi.

I am trying to create a SecKey from my PKCS#8 key—the one generated for Sign in with Apple. But, I keep getting nil and the error "EC private key creation from data failed".

The following is the openssl command that I used to convert from p8 -> der:
Code Block
openssl ec -in key.p8 -outform der -out key.der


I encoded the content of key.der to base64 using the following:

Code Block
import Foundation

// derContent is assumed to be a String holding the contents of key.der
let utf8str = derContent.data(using: .utf8)
if let base64Encoded = utf8str?.base64EncodedData(options: [.endLineWithLineFeed]) {
    print("keyBase64: \(String(data: base64Encoded, encoding: .utf8) ?? "NA")")
}

Code for creating a SecKey:
Code Block
import Foundation
import Security

let keyBase64 = "..."
let keyData = Data(base64Encoded: keyBase64)!
var error: Unmanaged<CFError>?
// Import the decoded bytes as a P-256 (secp256r1) private key
let key = SecKeyCreateWithData(keyData as CFData, [
    kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom,
    kSecAttrKeyClass: kSecAttrKeyClassPrivate
] as CFDictionary, &error)

I am completely new to security, therefore I have limited knowledge on this topic. So far, the above code snippets are the ones I managed to research. But, I don't know what could be wrong with it.

Hoping someone could enlighten me on this security-related topic.

Thank you in advance!

I am trying to create a SecKey from my PKCS#8 key

What platform are you targeting?

Share and Enjoy

Quinn “The Eskimo!” @ DTS @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

WWDC runs Mon, 22 Jun through to Fri, 26 Jun. During that time all of DTS will be busy with conference duties.
Hi Quinn, thanks for the swift response! I am targeting the iOS platform.

iOS’s key import facilities are rather limited. Your only option (1) is SecKeyCreateWithData. That routine does not accept a general-purpose wrapper like PKCS#8. Rather, you have to undo the PKCS#8 wrapping to get to the raw key bytes and pass that to SecKeyCreateWithData. This isn’t a huge amount of fun (unless you’re into ASN.1, which I am so, hey, it’s fun for me :-).

I’m confused by your goals though. If this is a Sign in with Apple key, why do you need to import it into an iOS app?

Share and Enjoy

Quinn “The Eskimo!” @ DTS @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

(1) Technically, you can do a similar thing using SecItemAdd but the code is harder and it doesn’t buy you anything.
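
The unwrapping Quinn describes, as an added example that is not part of this thread or of Apple's own code: for a P-256 private key, SecKeyCreateWithData expects the ANSI X9.63 form 04 || X || Y || K (the 65-byte uncompressed public point followed by the 32-byte private scalar), not the PKCS#8 PrivateKeyInfo that a .p8 file contains. The script below reads that structure with a minimal DER parser, also accepts a bare SEC1 ECPrivateKey (the traditional encoding `openssl ec -outform der` writes), and derives the public point from the scalar when the file omits it. Assumptions, all mine: unencrypted key, named curve prime256v1, Python 3.8 or later (for `pow(x, -1, p)`); the function names are my own; the sample input is constructed in the script from the published RFC 6979 A.2.5 test key, not a real Sign in with Apple credential.

```python
"""Unwrap PKCS#8 / SEC1 P-256 private keys into the raw 04||X||Y||K blob for SecKeyCreateWithData."""
import base64

# DER-encoded OIDs: id-ecPublicKey (1.2.840.10045.2.1) and prime256v1 (1.2.840.10045.3.1.7)
OID_EC_PUBLIC_KEY = bytes.fromhex("2A8648CE3D0201")
OID_P256 = bytes.fromhex("2A8648CE3D030107")

# NIST P-256 domain parameters, used only to derive the public point when it is absent
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def der_read(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it). Definite lengths only."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a constructed element into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def point_add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P      # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k, point=(GX, GY)):
    """Double-and-add scalar multiplication. Not constant time: offline tooling only."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, point)
        point, k = point_add(point, point), k >> 1
    return acc


def parse_sec1(der):
    """ECPrivateKey (RFC 5915): SEQUENCE { version 1, privateKey, [0] curve OID, [1] publicKey }."""
    tag, body, _ = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    items = der_children(body)
    if int.from_bytes(items[0][1], "big") != 1:
        raise ValueError("unsupported ECPrivateKey version")
    scalar, public = int.from_bytes(items[1][1], "big"), None
    for tag, val in items[2:]:
        if tag == 0xA0 and der_children(val)[0][1] != OID_P256:
            raise ValueError("only prime256v1 is handled here")
        if tag == 0xA1:                     # BIT STRING: one unused-bits byte, then 04||X||Y
            public = der_children(val)[0][1][1:]
    return scalar, public


def parse_private_key(der):
    """Accept either PKCS#8 PrivateKeyInfo (the .p8 layout) or a bare SEC1 ECPrivateKey."""
    items = der_children(der_read(der, 0)[1])
    if int.from_bytes(items[0][1], "big") == 0 and items[1][0] == 0x30:
        if [v for _, v in der_children(items[1][1])] != [OID_EC_PUBLIC_KEY, OID_P256]:
            raise ValueError("not an id-ecPublicKey / prime256v1 key")
        return parse_sec1(items[2][1])      # privateKey OCTET STRING wraps ECPrivateKey DER
    return parse_sec1(der)


def to_x963_private_blob(der):
    """Return 04 || X || Y || K, the bytes SecKeyCreateWithData takes for an EC private key."""
    scalar, public = parse_private_key(der)
    if public is None:                      # publicKey is OPTIONAL in SEC1; derive it
        x, y = scalar_mult(scalar)
        public = b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    if len(public) != 65 or public[0] != 0x04:
        raise ValueError("public point must be uncompressed 04||X||Y")
    return public + scalar.to_bytes(32, "big")


# ---- constructed sample input: a tiny DER encoder, only so the demo runs offline ----
def der_write(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_sample_pkcs8(k, include_public=True):
    """Encode scalar k as PKCS#8 PrivateKeyInfo wrapping an ECPrivateKey (publicKey optional)."""
    x, y = scalar_mult(k)
    pub = b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    sec1 = der_write(0x02, b"\x01") + der_write(0x04, k.to_bytes(32, "big")) + der_write(0xA0, der_write(0x06, OID_P256))
    if include_public:
        sec1 += der_write(0xA1, der_write(0x03, b"\x00" + pub))
    alg = der_write(0x30, der_write(0x06, OID_EC_PUBLIC_KEY) + der_write(0x06, OID_P256))
    return der_write(0x30, der_write(0x02, b"\x00") + alg + der_write(0x04, der_write(0x30, sec1)))


# Published test scalar from RFC 6979 A.2.5 (constructed sample, not a real credential)
SAMPLE_SCALAR = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721

if __name__ == "__main__":
    blob = to_x963_private_blob(build_sample_pkcs8(SAMPLE_SCALAR))
    print("raw key bytes:", len(blob))     # 97
    print("keyBase64:", base64.b64encode(blob).decode())
```

The base64 this prints is what the `keyBase64` constant in the original post's Swift snippet would need to hold; when importing, also pass `kSecAttrKeySizeInBits: 256` alongside the key type and class. Before doing any of this, though, take Quinn's question seriously: a Sign in with Apple key embedded in an app ships the signing secret to every device, and the token-signing work it is used for belongs on the server.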
Hi Quinn,

I needed to import it into our iOS app because, previously, I was asked to handle the authentication and token refresh on the frontend side. So that is what led me to this path.

However, by going through the Sign in with Apple steps again, I came to realize that there's no need for me to do the token refresh. I can just check the user's credentials upon app launch.

I still followed through getting the raw key bytes using an online tool (ASN.1 JavaScript decoder), but I was still unable to make it work. I believe I'm doing something wrong along the way but I just don't know which one.

Anyway, thanks a lot Quinn! Maybe I'll come back to this thread if I come across a PKCS#8-related security topic again.