-34018 when using Secure Enclave

Question

Created Apr ’23

Replies 6

Boosts 0

Views 1.1k

Participants 3

I'm trying to modify Chromium to generate a key pair in the Secure Enclave on MacOS, but I'm always getting the following error

OSStatus error -34018 - failed to generate asymmetric keypair

from the following code.

  CFErrorRef access_error = NULL;
  SecAccessControlRef access_control = SecAccessControlCreateWithFlags(
    kCFAllocatorDefault,
    kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
    kSecAccessControlPrivateKeyUsage,
    &amp;access_error
  );

  NSDictionary *attributes = @{
    (__bridge id)kSecAttrKeyType: (__bridge id)kSecAttrKeyTypeECSECPrimeRandom,
    (__bridge id)kSecAttrKeySizeInBits: @256,
    (__bridge id)kSecAttrTokenID: (__bridge id)kSecAttrTokenIDSecureEnclave,
    (__bridge id)kSecPrivateKeyAttrs: @{
        (__bridge id)kSecAttrIsPermanent: @YES,
        (__bridge id)kSecAttrAccessControl: (__bridge id)access_control
    }
  };

  CFErrorRef creation_error = NULL;
  SecKeyRef key_ref = SecKeyCreateRandomKey((__bridge CFDictionaryRef)attributes, &amp;creation_error);
  if (creation_error != NULL)
    LOG(ERROR) &lt;&lt; "Failed to create key: " &lt;&lt; CFErrorCopyDescription(creation_error);

-34018 seems to map to errSecMissingEntitlement, but I'm not sure what the missing entitlement is. Chromium comes with several entitlements configured, and I've signed and notarized the app, but it still does not work with the installed app from the notarized .dmg file.

Running

codesign -d --entitlements - Chromium.app

returns

[Dict]
    [Key] com.apple.application-identifier
    [Value]
        [String] &lt;redacted-teamid>.&lt;redacted-bundleid>
    [Key] keychain-access-groups
    [Value]
        [Array]
            [String] &lt;redacted-teamid>.&lt;redacted-bundleid>.devicetrust
            [String] &lt;redacted-teamid>.&lt;redacted-bundleid>.webauthn

Checking the embedded .provisionprofile (and the DER encoded profile) per these instructions also shows these entitlements in the notarized .app.

The same code works in a local Xcode project, so I figure it must be how I've configured Chromium, but I can't figure out what the missing piece is.

I am able to create keys in the keychain, in Chromium, if I remove the kSecAttrAccessControl and kSecAttrTokenID attributes. It's only when I'm trying to access the secure enclave, it seems.

I've tried multiple things to find the issue:

I've read the docs * Protecting keys with the Secure Enclave | Apple Developer Documentation
I've tried setting different keychain-access-groups, using the default, and other suggestions, described here
- errSecMissingEntitlement | Apple Developer Documentation
I've searched online and found similar issues, but none of the solutions helped
I've read through Apple's OSS Distribution to see the implementation of SecCreateRandomKey
- Security/SecKey.cpp at 154ef3d9d6f57f0374aa5d6c4b412e8653c1eebe · apple-oss-distributions/Security (github.com)
I've reviewed the two existing implementations in Chromium, and tried to directly call them instead of rolling my own
- https://source.chromium.org/chromium/chromium/src/+/main:device/fido/mac/credential_store.mm
- https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/enterprise/connectors/device_trust/key_management/core/mac/secure_enclave_helper_impl.mm

Does anyone see what the issue could be? This is all running on my M2 MacBook Pro on Ventura 13.3, if it matters.

Boost

Answer 1

DTS Engineer OP

Apple

Apr ’23

-34018 seems to map to errSecMissingEntitlement, but I'm not sure what the missing entitlement is.

It’s com.apple.application-identifier. Using the Secure Enclave requires that your app have a registered App ID, which means it must be signed with this entitlement and that entitlement must be authorised by a provisioning profile.

If you put your code into a small test app, does it have the same problem?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

auorion OP

Apr ’23

Thanks for the response, Quinn. I believe my app has the com.apple.application-identifier entitlement, and so does the provisioning profile, but I could be wrong as the code works in a small test app in Xcode. Is there a way to check that this entitlement is present in the signed and notarized app? I've been running the following commands, which lead me to believe that we have the entitlement and proper authorization.

% codesign -d --entitlements - Browser.app

returns

Executable=&#x2F;Applications&#x2F;Browser.app&#x2F;Contents&#x2F;MacOS&#x2F;Browser
[Dict]
	[Key] com.apple.application-identifier
	[Value]
		[String] TL6P21MQR.com.contoso.browser
	[Key] keychain-access-groups
	[Value]
		[Array]
			[String] TL6P21MQR.com.contoso.browser.devicetrust
			[String] TL6P21MQR.com.contoso.browser.webauthn

Inside of Browser.app I see the embedded.provisionprofile and looking in the DER encoded profile with these commands

% security cms -D -i embedded.provisionprofile -o Browser-payload.plist 
% plutil -extract DER-Encoded-Profile raw -o - Browser-payload.plist | base64 -D > Browser.der
% security cms -D -i Browser.der -o Browser-payload.der
% openssl asn1parse -in Browser-payload.der -inform der -i | cut -c 30-

Shows that the application-identifer entitlement is authorized by the provision profile, here are the seemingly relevant pieces of the output:

SET               
 SEQUENCE          
  UTF8STRING        :Version
  INTEGER           :01
...
SEQUENCE          
  UTF8STRING        :TeamIdentifier
  SEQUENCE          
   UTF8STRING        :TL6P21MQR
...
 SEQUENCE          
  UTF8STRING        :ApplicationIdentifierPrefix
  SEQUENCE          
   UTF8STRING        :TL6P21MQR
...
 SEQUENCE          
  UTF8STRING        :Entitlements
  appl [ 16 ]       
   INTEGER           :01
   cont [ 16 ]       
    SEQUENCE          
     UTF8STRING        :com.apple.application-identifier
     UTF8STRING        :TL6P21MQR.com.contoso.browser
    SEQUENCE          
     UTF8STRING        :com.apple.developer.team-identifier
     UTF8STRING        :TL6P21MQR
    SEQUENCE          
     UTF8STRING        :keychain-access-groups
     SEQUENCE          
      UTF8STRING        :TL6P21MQR.*

It seems to me like everything is in order, or am I missing something? Let me know if I left out any important details, and thanks again for your help.

0

Answer 3

DTS Engineer OP

Apple

Apr ’23

I've been running the following commands, which lead me to believe that we have the entitlement and proper authorization.

Right.

The first command is the one that matters here. It shows that you claim com.apple.application-identifier. And if you claimed it and your profile wasn’t up to snuff, the system would block your app from launching.

You’re not claiming com.apple.developer.team-identifier, which is weird. When you sign with Xcode, it usually treats those as a pair.

the code works in a small test app in Xcode.

If you dump the entitlements of your small test app, do you see any other differences?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 4

auorion OP

Apr ’23

I'm signing using a modified version of a script that comes with Chromium which uses codesign for signing. Is there some configuration that was missed that should cause this entitlement to be included?

I tried to add the entitlement manually, but it didn't seem to have an effect (still seeing -34018).

As for the local test app, not much seems different, it does have the team-identifier entitlement you mentioned. This is from the exported, notarized archive of my test app, which shares the same name as the Browser app, so the same provisioning profile would work:

[Dict]
	[Key] com.apple.application-identifier
	[Value]
		[String] TL6P21MQR.com.contoso.browser

	[Key] com.apple.developer.team-identifier
	[Value]
		[String] TL6P21MQR

	[Key] keychain-access-groups
	[Value]
		[Array]
			[String] TL6P21MQR.keychain

0

Answer 5

DTS Engineer OP

Apple

Apr ’23

Is there some configuration that was missed that should cause this entitlement to be included?

If you have questions about third-party tools or libraries, I recommend that you escalate them via the vendor’s support channel.

Are you sure that the code making the SecKeyCreateRandomKey call is in the main executable of your app? Browser frameworks often do networking in a secondary process, and their entitlements are controlled by their main executable, not by the main executable of the app itself.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 6

auorion OP

Apr ’23

Thank you for your help Quinn, your most recent reply put me on the right path. While the code is in the main executable, something is going wrong during the signing process. I found this article which shares some Swift code that lets you query for entitlements at runtime: https://developer.apple.com/documentation/Xcode/signing-a-daemon-with-a-restricted-entitlement

Once converted to Obj-C, I could see that I didn't have any entitlements at all. Even in the main function of the app, there were no entitlements. It's odd to me that codesign reports the correct entitlements for the .app file, but they aren't present at runtime. I'm fiddling with our signing script now, and am finally seeing success.

Thanks again for your help!

0