Cannot access shared keychain from NE System Extension

Sorry for the duplicate - I added a comment on an old post, but it's tagged only with 'System Extension' and without 'Network Extension', so I'm posting it here as well:

Original post: https://developer.apple.com/forums/thread/133933?login=true&page=1#694688022

My question:

Bumping this old thread - I have the same scenario. I created a VPN + Certificate payload, installed it, and now I have a VPN configuration which I can access only from the containing app, but I need to access it from the system extension. As I read above it's not possible, so I send messages between the extension and the app, and it worked fine for the SecCertificate, which I sent as Data to the extension (using the SecCertificateCopyData() and sendProviderMessage functions).

The problem is that in the extension I also need the SecKey, and I couldn't find any way to pass it from the containing app to the extension. I even tried to pass it via IPC, but it crashed ("This coder only encodes objects that adopt NSSecureCoding"). Is there any way to pass the SecKey to the extension, or to access it directly from there?

Replies

Is there any way to pass SecKey to the Extension, or to access it directly from there?

Do you have the key bytes and the key attributes (a la SecKeyCopyAttributes) and are you then creating a SecKey with SecKeyCreateFromData? Try this in your container app first; if there is no problem there, then something else might be going on when you pass this info to the System Extension.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Thanks for the answer Matt! I already have the key in the containing app, I got it with SecIdentityCopyPrivateKey() (I have the SecIdentity so I can use this function). My question was about the 'next step' - I want to send this key to the System Extension. How can I do it?

(Or how can I get this key directly in the sys-ext, instead of getting it in the containing app and sending it? But I guess this is not possible because the app runs as the user, and the sys-ext runs as root.)

I guess this is not possible because the app runs as the user, and the sys-ext runs as root

Right, this will be the challenge because the two app groups would be running as different users.

Regarding:

My question was about the 'next step' - I want to send this key to the System Extension. How can I do it?

Right, so you can use sendProviderMessage to communicate back and forth. Or, you can use a System Daemon that manages the Keychain assets for both the Container and System Extension. That way, whenever you need a SecItem, you can call over to the daemon and ask for the item you need, no matter whether the container app is running or not. Check out the article Quinn wrote on Signing a Daemon with a Restricted Entitlement. This should allow you to add Keychain entitlements to the Daemon.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Thanks again for the answer! One question though - "so you can use sendProviderMessage to communicate back and forth" - this is exactly what I want to do, but AFAIK I can send only NSData via this function, and I have no idea how to convert a SecKey to a Data object. Can you please advise on how to do it?

Can you please advise on how to do it?

Great question. If the SecKey is created in the Secure Enclave, or is tied to a smart card, then this will not be possible. If the key pair that you generate can be copied externally, then you could try using SecKeyCopyExternalRepresentation and pass in the private key to generate the data.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
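The two steps Matt describes (export the private key's bytes in the container app, rebuild a SecKey from bytes plus attributes on the extension side) as an added example; this is not code from the thread or from Apple. It assumes an extractable RSA key and uses a freshly generated, non-permanent key as constructed input; the `KeyTransferError` type and function names are hypothetical. The export step surfaces the failure mode discussed above (a non-extractable key makes SecKeyCopyExternalRepresentation return nil) as a thrown error instead of a silent nil.

```swift
import Foundation
import Security

// Added example (not from the thread). Hypothetical error type for the two hops.
enum KeyTransferError: Error {
    case notExportable(String)   // Secure Enclave, smart card, or non-extractable item
    case cannotRebuild(String)   // bytes/attributes mismatch on the receiving side
}

/// Container-app side: serialise the private key into the Data payload that
/// sendProviderMessage can carry. Throws when the key is not extractable.
func exportPrivateKey(_ key: SecKey) throws -> Data {
    var error: Unmanaged<CFError>?
    guard let data = SecKeyCopyExternalRepresentation(key, &error) as Data? else {
        let reason = (error?.takeRetainedValue() as Error?)?.localizedDescription ?? "nil result"
        throw KeyTransferError.notExportable(reason)
    }
    return data
}

/// Extension side: rebuild the SecKey. Type and size must match the original key,
/// so the app should send them along (e.g. taken from SecKeyCopyAttributes).
func importPrivateKey(_ data: Data, keyType: CFString, bits: Int) throws -> SecKey {
    let attrs: [CFString: Any] = [
        kSecAttrKeyType: keyType,
        kSecAttrKeyClass: kSecAttrKeyClassPrivate,
        kSecAttrKeySizeInBits: bits,
    ]
    var error: Unmanaged<CFError>?
    guard let key = SecKeyCreateWithData(data as CFData, attrs as CFDictionary, &error) else {
        let reason = (error?.takeRetainedValue() as Error?)?.localizedDescription ?? "nil result"
        throw KeyTransferError.cannotRebuild(reason)
    }
    return key
}

/// Round trip on a constructed, extractable RSA key; returns true when the
/// rebuilt key derives the same public key as the original.
func roundTripDemo() throws -> Bool {
    let gen: [CFString: Any] = [
        kSecAttrKeyType: kSecAttrKeyTypeRSA,
        kSecAttrKeySizeInBits: 2048,
        kSecPrivateKeyAttrs: [kSecAttrIsPermanent: false] as CFDictionary,
    ]
    var error: Unmanaged<CFError>?
    guard let original = SecKeyCreateRandomKey(gen as CFDictionary, &error) else { return false }
    let rebuilt = try importPrivateKey(try exportPrivateKey(original), keyType: kSecAttrKeyTypeRSA, bits: 2048)
    guard let pub1 = SecKeyCopyPublicKey(original), let pub2 = SecKeyCopyPublicKey(rebuilt) else { return false }
    return SecKeyCopyExternalRepresentation(pub1, nil) as Data? == SecKeyCopyExternalRepresentation(pub2, nil) as Data?
}
```

Running `exportPrivateKey` against the profile-installed key reproduces the nil case from the thread as a `notExportable` error with the system's reason string, which is what to log when deciding between the message-passing and the daemon approach.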

First - thank you for your time answering those questions! Regarding the SecKey - the key was stored in the Keychain via a profile created in Apple Configurator - I filled in the VPN and the Certificate payloads, and installed the profile. I can get the SecKey in the containing app, but when trying to call SecKeyCopyExternalRepresentation, it returns nil. It's not tied to a smart card. Any idea why SecKeyCopyExternalRepresentation returns nil?

the key was stored in the Keychain via a profile created in Apple Configurator - I filled in the VPN and the Certificate payloads, and installed the profile. I can get the SecKey in the containing app, but when trying to call SecKeyCopyExternalRepresentation, it returns nil.

Hmm... it sounds like your key is most likely stored in the System Keychain and that is why you are not able to export it with SecKeyCopyExternalRepresentation.

It does sound like the container app is where you will need to work with the SecKey, as I suspect this is the place where you have added the entitlement to be able to access this asset from the System Keychain. I'm going to ping Quinn to see if he has any other insight on this one...

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

I spoke with Quinn regarding this incident and we'd like to do some more digging on what is going on here. Please open up a TSI with a focused sample project so that we can dig into this further.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com