SecKeyCopyExternalRepresentation returns -25260
> which was previously added manually, from the keychain

Do you mean “from the Keychain Access app”?
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
- The old school file-based keychain
- The iOS-style keychain
What do you plan to do with the results of SecKeyCopyExternalRepresentation? This is relevant because the next step depends on whether you want to use the key for cryptographic operations or whether you’re actually exporting it.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
We were able to actually get the data back by using "SecItemExport" with a placeholder password. However, "SecItemExport" seems to return the private key without a -25260 error only if we use "SecExternalFormat.formatWrappedPKCS8" or "SecExternalFormat.formatPKCS12".
Do you know if there is any way for us to get a PEM-formatted or PKCS#1 key back?
> We plan to pass the extracted private key data to an openssl API.

And what is it doing with it? Running a TLS connection? Or are you simply using OpenSSL as a crypto toolkit?
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
My general advice is that you not use OpenSSL for TLS connections on Apple platforms. There’s a bunch of reasons for this, not least of which is that it’s a pain to integrate with the platform’s security architecture. The system has a built-in TLS stack and you should use that if you can (through high-level APIs like NSURLSession and Network framework).
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
> We need OpenSSL because we are trying to use OpenVPN protocol.

OK, I’m going to presume you mean “because that’s what our existing OpenVPN implementation uses.” OpenVPN is a protocol and, while that protocol is based on TLS, it does not require that you use one specific TLS implementation. Right?
Anyway, this presents you with three choices:

1. You can fight macOS to export the data in the format that you need. This is challenging on two fronts. The first is that the Security framework is reluctant to export the raw key bits of a private key. The second is that, even if you can get it to do that, it probably won’t be in the format required by OpenSSL and thus you’d need to massage it afterwards (having said that, OpenSSL is a full-featured security toolbox and thus it’s generally good at such massaging).
2. You can configure OpenSSL to use the system’s crypto APIs in place of its built-in crypto. I say “configure” because I’m pretty sure that folks have done this before (in fact, ISTR that Apple did this at one point).
3. You can disconnect your OpenVPN implementation from OpenSSL. If, for example, you layered it on top of Network framework, you’d end up using the system’s built-in TLS, which can work with key objects rather than key bytes.
I can help you with the bits of this that relate to Apple APIs, but the OpenVPN and OpenSSL stuff is beyond my remit.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
> OK, I’m going to presume you mean “because that’s what our existing OpenVPN implementation uses.” OpenVPN is a protocol and, while that protocol is based on TLS, it does not require that you use one specific TLS implementation. Right?

You are correct, that's what our existing implementation uses. Thank you for your response Quinn! We will look more into the 3 choices.
https://developer.apple.com/forums/thread/658107
The above-mentioned thread provides a solution to a similar issue.
You can export the private key in encrypted PEM format with the flag kSecItemPemArmour
and later decrypt it using OpenSSL APIs such as:
EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u);
Share and Enjoy
—
Subhash
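As an added example (not code from this thread, from Apple, or from the OpenVPN project), the export path that the two working posts above describe, put together in Swift: look the key up by label in the file-based macOS keychain, export it with SecItemExport as passphrase-wrapped PKCS#8, and let kSecItemPemArmour turn the DER into PEM that OpenSSL can read. -25260 is errSecPassphraseRequired: the legacy keychain will only hand private-key material out inside a passphrase-wrapped container, which is why wrapped PKCS#8 and PKCS#12 succeed where SecKeyCopyExternalRepresentation fails. The key label "OpenVPN client key", the passphrase "placeholder", and the KeyExportError wrapper type are assumptions made for this example; the Security framework calls are the real macOS APIs.

```swift
import Foundation
import Security

// Added example for the thread above; label, passphrase and KeyExportError are assumptions.

/// Error wrapper for this example (our own type, not part of the Security framework).
enum KeyExportError: Error {
    case osStatus(OSStatus)   // -25260 here would be errSecPassphraseRequired
    case notFound
    case noData
}

/// Finds a private key in the file-based (legacy) macOS keychain by its label,
/// i.e. the "Name" column in Keychain Access. Keys in the iOS-style Data Protection
/// keychain or in the Secure Enclave cannot be exported this way.
func findPrivateKey(label: String) throws -> SecKey {
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrKeyClass as String: kSecAttrKeyClassPrivate,
        kSecAttrLabel as String: label,
        kSecReturnRef as String: true,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess else { throw KeyExportError.osStatus(status) }
    guard let found = item, CFGetTypeID(found) == SecKeyGetTypeID() else {
        throw KeyExportError.notFound
    }
    return found as! SecKey
}

/// Exports `key` as passphrase-wrapped PKCS#8, PEM-armoured. This is the form the legacy
/// keychain is willing to release (formatPKCS12 works too); asking for bare PKCS#1 bits
/// is what produces errSecPassphraseRequired. The keychain may show its "wants to export"
/// access-control prompt unless the calling app is already in the key's ACL.
func exportWrappedPKCS8PEM(_ key: SecKey, passphrase: String) throws -> Data {
    var params = SecItemImportExportKeyParameters()
    params.version = UInt32(SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION)
    // The container is wrapped under this passphrase; OpenSSL must be given the same string.
    params.passphrase = Unmanaged.passRetained(passphrase as CFTypeRef)
    defer { params.passphrase?.release() }

    var exported: CFData?
    let status = SecItemExport(
        key,
        .formatWrappedPKCS8,   // wrapped PKCS#8; .formatPKCS12 is the other exportable choice
        .pemArmour,            // kSecItemPemArmour: emit PEM instead of raw DER
        &params,
        &exported
    )
    guard status == errSecSuccess else { throw KeyExportError.osStatus(status) }
    guard let cfData = exported else { throw KeyExportError.noData }
    return cfData as Data
}

/// Runs the whole export and returns the PEM text (label and passphrase are assumptions).
func exportForOpenSSL() throws -> String {
    let key = try findPrivateKey(label: "OpenVPN client key")
    let pem = try exportWrappedPKCS8PEM(key, passphrase: "placeholder")
    return String(decoding: pem, as: UTF8.self)
}

do {
    let pem = try exportForOpenSSL()
    // Expected first line: -----BEGIN ENCRYPTED PRIVATE KEY-----
    // Under a placeholder passphrase this blob is effectively the bare private key:
    // keep it in memory, hand it straight to OpenSSL, and never write it to disk.
    print(pem)
} catch {
    print("export failed: \(error)")
}
```

On the OpenSSL side, the same passphrase goes in as the `u` argument of PEM_read_bio_PrivateKey with a NULL callback: OpenSSL's default password callback treats `u` as a NUL-terminated passphrase, so `PEM_read_bio_PrivateKey(bio, NULL, NULL, (void *)"placeholder")` unwraps the PKCS#8 container into an EVP_PKEY without any further conversion. SecItemExport is a macOS-only API, and the passphrase here buys no real protection, which is the reason this is Quinn's "fight macOS" option rather than a design to be proud of: the key bits leave the keychain's control the moment the call returns.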