macOS Sequoia beta 3: SecPKCS12Import failed with error - 23000

In our App, we store identity in keychain in a specific path

    var keychain: SecKeychain?
    let status = SecKeychainCreate(path, UInt32(password.count), password, false, nil, &keychain)
    guard status == errSecSuccess else {
        logger.error("Error in creating keychain: \(String(describing: SecCopyErrorMessageString(status, nil)))")
        throw KeychainError.keychainCreationError
    }

Then later whenever process needs it. it open keychain, import it and uses it.

        status = SecPKCS12Import(identityData as CFData, [kSecImportExportPassphrase : password, kSecImportExportKeychain: keychain] as CFDictionary, &identityItems)
        authlog.info("Import status: \(status)")
        guard status == errSecSuccess else {
            authlog.error("Error in exporting identity : \(status) \(String(describing:SecCopyErrorMessageString(status, nil)))")
            throw ClientAuthError.identityFormationError
        }

This worked well till sequoia beta 2.

In Sequoia beta 3 and 4, this fails to import with error -25300 : The specified item could not be found in the keychain.

one thing I noticed is import succeeds if the keychain is freshly created. when tried to reuse existing keychain it fails in import error.

Is this a bug in beta or it any changes made in keychain level by Apple itself.

Please help with the solution

Log trace:

[ 24-07-2024 12:39:15:192 ] [INFO] Challenge delegate received [ 24-07-2024 12:39:15:192 ] [INFO] Client authentication challenge [ 2024-07-24 12:39:15 ] [INFO] retcode of "/bin/chmod -R 777 "/Library/<path>/data/agent-resource"" ::: 0 [ 24-07-2024 12:39:15:237 ] [INFO] Opening keychain... [ 24-07-2024 12:39:15:240 ] [NOTICE] Keychain open status: -25294 [ 24-07-2024 12:39:15:241 ] [ERROR] Keychain error: Optional(The specified keychain could not be found.) [ 24-07-2024 12:39:15:241 ] [INFO] Creating keychain.. [ 24-07-2024 12:39:15:448 ] [INFO] Import status: 0 [ 24-07-2024 12:39:15:448 ] [INFO] Identity: <SecIdentity 0x7ff3ec1f7df0 [0x7ff85540e9a0]> [ 24-07-2024 12:39:15:448 ] [INFO] Credential sent [ 24-07-2024 12:39:15:581 ] [INFO] Upload request completed.. [ 24-07-2024 12:39:15:583 ] [INFO] Status code: 200

[ 25-07-2024 12:24:55:300 ] [INFO] Client authentication challenge [ 25-07-2024 12:24:55:300 ] [INFO] Opening keychain... [ 25-07-2024 12:24:55:305 ] [NOTICE] Keychain open status: 0 [ 25-07-2024 12:24:55:439 ] [INFO] Import status: -25300 [ 25-07-2024 12:24:55:440 ] [ERROR] Error in exporting identity : -25300 Optional(The specified item could not be found in the keychain.) [ 25-07-2024 12:24:55:440 ] [CRITICAL] Error in getting identity: identityFormationError [ 25-07-2024 12:24:55:441 ] [ERROR] Error in obtaining identity [ 25-07-2024 12:24:55:513 ] [INFO] Download request complete... [ 25-07-2024 12:24:55:515 ] [INFO] Status code: 200

Answered by DTS Engineer in 797319022

If you have existing code that’s now broken in the latest betas, it’s definitely worth filing a bug about that.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

If you have existing code that’s now broken in the latest betas, it’s definitely worth filing a bug about that.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Facing the same issue.

Filed bug - FB14580386

Has anyone solved/found workaround for this?

I'm getting exactly the same error message when using SecKeychainCreate() with SecPKCS12Import() on macOS Sequoia 15.0 (24A335)

It looks like FB14580386 wasn’t fixed in the released version of macOS 15.0 )-:

Let me see if I understand this issue correctly. I created a small test Mac app project with a button that:

  1. Opens the keychain ~/Test.keychain in my home directory, creating it if it’s not there.

  2. Imports a PKCS#12 into that keychain using SecPKCS12Import.


On macOS 14.6.1 I ran the app, clicked the Test button, and it created the keychain and imported the digital identity. If I dump the resulting keychain I see this:

% security dump-keychain ~/Test.keychain 
keychain: "/Users/quinn/Test.keychain"
version: 256
class: 0x00000010 
attributes:
    …
keychain: "/Users/quinn/Test.keychain"
version: 256
class: 0x80001000 
attributes:
    …

That is, it imported the private key and the certificate.

I then click the Test button again. This imports the digital identity a second time. Of course this doesn’t actually import anything, because both the private key and the certificate are already in the keychain. So the dump-keychain command prints the same result.


Now I run the same test on macOS 15.0. Everything works the same up to the point where I click the Test button for the second time. This time around the call to SecPKCS12Import fails with -25300 (errSecItemNotFound). Moreover, the keychain ends up with an extra private key in it:

% security dump-keychain ~/Test.keychain                   
keychain: "/Users/quinn/Test.keychain"
version: 256
class: 0x00000010 
attributes:
    …
keychain: "/Users/quinn/Test.keychain"
version: 256
class: 0x00000010 
attributes:
    …
keychain: "/Users/quinn/Test.keychain"
version: 256
class: 0x80001000 
attributes:
    …

Is that an accurate statement of the bug that we’re talking about here?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Yep, the description of the bug sounds accurate.

There is one interesting workaround (for anyone else, who is experiencing the same issue):

  1. Import PKCS#12 into the "Login" Keychain by opening .pk12 from Finder
  2. Delete the imported PKCS#12 from the "Login" Keychain
  3. At this point, it's possible to import PKCS#12 into Keychain, that is created in a, let's say, home directory.

Well, I’d say that the macOS 15 behaviour is definitely a bug. Even if you ignore the macOS 14 compatibility aspects of this, it should handle duplicate items by either:

  • Doing nothing, as it did on macOS 14

  • Failing with errSecDuplicateItem

This ‘getting halfway and then failing with errSecItemNotFound’ is all sorts of wrong )-:

I’ve updated FB14580386 with my analysis.


On the workaround front, I guess my first question is why you’re getting into this situation? If the keychain already has the digital identity you need, why import it again? Perhaps you could change your code to:

  1. Search the keychain for the digital identity.

  2. Do the SecPKCS12Import thing only if it’s not present.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Historically, importing multiple times wasn't an issue until now. I'd love it to do nothing as it was on macOS 14, mostly for user who are not up to date with our app.

With that being said, I don't see a reason why I couldn't search for the digital identity and then skip the import, if such identity exists.

Thanks.

It looks like, that the latest macOS 15.1 beta 6 includes a fix for this issue.

Thanks!

It looks like, that the latest macOS 15.1 beta 6 includes a fix for this issue.

I was chatting with the Security framework team about this and have a quick update. While we have made a number of fixes in this space in macOS 15.1 beta, we don’t think this is one of them!

According to our records FB14580386 is not fixed in macOS 15.1b6. We think you might have made a mistake in your testing, because the behaviour depends on whether the keychain is in the search list or not. Regardless, we’re still working on this bug.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

You are correct, clean install of macOS 15.1b6 with nothing just a test app and I'm still having this issue.

It seems, I did made a mistake when testing before or triggered one of the workarounds I know :)

Thanks for the update.

macOS Sequoia beta 3: SecPKCS12Import failed with error - 23000
 
 
Q