SecKeyCopyExternalRepresentation returns -25260

which was previously added manually, from the keychain

Do you mean “from the Keychain Access app”?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Yes, the user manually adds the cert & private key to the Keychain Access app (more specifically, the login keychain) and we are trying to extract the cert and the private key data from there.

macOS supports two styles of keychain:

• The old school file-based keychain

• The iOS-style keychain

Items you import in Keychain Access go into the file-based keychain. That keychain is reluctant to export key material without some sort of password protection.

What do you plan to do with the results of SecKeyCopyExternalRepresentation? This is relevant because the next step depends on whether you want to use the key for cryptographic operations or whether you’re actually exporting it.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thank you for the information Quinn. We plan to pass the extracted private key data to an openssl API.

We were able to actually get the data back by using the "SecItemExport" with a placeholder password. However, "SecItemExport" seems to return the private key without a -25260 error only if we use "SecExternalFormat.formatWrappedPKCS8" or "SecExternalFormat.formatPKCS12".

Do you know if there is anyway for us to get a PEM formatted or PKCS1 key back?

We plan to pass the extracted private key data to an openssl API.

And what is it doing with it? Running a TLS connection? Or are you simply using OpenSSL as a crypto toolkit?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Yes, we are trying to run a connection with certificate authentication.

Are you’re using OpenSSL because?

My general advice is that you not use OpenSSL for TLS connections on Apple platforms. There’s a bunch of reasons for this, not least of which is that it’s a pain to integrate with the platform’s security architecture. The system has a built-in TLS stack and you should use that if you can (through high-level APIs like NSURLSession and Network framework).

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

We need OpenSSL because we are trying to use OpenVPN protocol.

We need OpenSSL because we are trying to use OpenVPN protocol.

OK, I’m going to presume you mean “because that’s what our existing OpenVPN implementation uses.” OpenVPN is a protocol and, while that protocol is based on TLS, it does not require that you to use one specific TLS implementation. Right?

Anyway, this presents you with three choices:

• You can fight macOS to export the data in the format that you need. This is challenging on two fronts. The first is that the Security framework is reluctant to export the raw key bits of a private key. The second is that, even if can get it to do that, it probably won’t be in the format required by OpenSSL and thus you’d need to massage it after (having said that, OpenSSL is a full-featured security toolbox and thus it’s generally good at such massaging).

• You can configure OpenSSL to use the system’s crypto APIs in place of its built-in crypto. I say “configure” because I’m pretty sure that folks have done this before (in fact, ISTR that Apple did this at one point).

• You can disconnect your OpenVPN implementation from OpenSSL. If, for example, you layered it on top of Network framework, you’d end up using the system’s built-in TLS which can work with key objects rather than key bytes.

Note that the last two options will result in a product that works with secure tokens (keys managed by the Secure Enclave or by third-party CryptoTokenKit app extension). The first option will not because, by definition, a secure token won’t export the raw key bits.

I can help you with the bits of this that relate to Apple APIs, but the OpenVPN and OpenSSL stuff is beyond my remit.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

OK, I’m going to presume you mean “because that’s what our existing OpenVPN implementation uses.” OpenVPN is a protocol and, while that protocol is based on TLS, it does not require that you to use one specific TLS implementation. Right?

You are correct, that's what our existing implementation uses. Thank you for your response Quinn! We will look more into the 3 choices.