Can't generate keypair through SecKeyCreateRandomKey() on macOS Sequoia - internal error

I generate keys using:

import Foundation
import Security

// label, tag, logger and getSystemKeychain() are defined elsewhere in the tool.
let attributes: NSDictionary = [
    kSecAttrLabel: label,
    kSecUseKeychain: getSystemKeychain()!,
    // kSecAttrKeyTypeEC is the deprecated alias of kSecAttrKeyTypeECSECPrimeRandom;
    // listing both gave the dictionary literal a duplicate key, so only one is kept.
    kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom,
    kSecAttrKeySizeInBits: 256,
    kSecPrivateKeyAttrs: [
        kSecAttrIsPermanent: true,
        kSecAttrApplicationTag: tag,
    ] as [CFString: Any]
]
var error: Unmanaged<CFError>?
// Generate a new private key
guard let privateKey = SecKeyCreateRandomKey(attributes, &error) else {
    logger.error("failed to create a keypair \(String(describing: error))")
    return (nil, nil)
}

I keep getting this error:

failed to create a keypair Optional(Swift.Unmanaged<__C.CFErrorRef>(_value: Error Domain=NSOSStatusErrorDomain Code=-2070 "internal error" (internalComponentErr) UserInfo={numberOfErrorsDeep=0, NSDescription=internal error}))

The above code works absolutely fine on macOS Sonoma and older OS. This looks like a regression in the Apple API SecKeyCreateRandomKey(). What is a good workaround for this?

Can you reproduce this on the just-released macOS 15.1?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Same result on:

% sw_vers
ProductName:		macOS
ProductVersion:		15.1
BuildVersion:		24B83

Thanks for confirming.

As you say, this is probably a regression, and hence bugworthy, but I want to ask you more about the context in which this code is running. Presumably this isn’t running in an app, because you seem to be targeting the system keychain. Where is this code running?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

The code is running as a CLI binary with sudo to add the keys and its certificate to the system keychain. I have filed FB15634465 for this issue.

Ah, yes, sudo. It’s a source of ongoing grief when it comes to Security framework because your code ends up running in a mixed execution context.

Can you expand on the workflow here? Is this tool only used internally? If not, why do your customers end up running it?

I have filed FB15634465 for this issue.

Thanks.

Please attach a sysdiagnose log to that bug report, one taken immediately after seeing the problem. That’s important, even if the problem is 100% reproducible, because it helps with the triage.

Also, if you can put your code into a small test project, that’d be grand. But that’s less important than the sysdiagnose log.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

We had to use sudo to be able to store the corresponding certificate and its keys in the system keychain for MDM access. Since the certificate is for the device, the login keychain was not suitable. I guess this is using the legacy keychain. The code works if I set kSecUseDataProtectionKeychain to true in the attributes parameter, which uses the modern iOS-style keychain. I wish the error message from the API were clear about what's not supported or incorrect. I have attached a sysdiagnose to FB15634465.
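The workaround described in the post above, written out as an added example (not the original poster's code): the same P-256 key generation with kSecUseDataProtectionKeychain set, a readable OSStatus message on failure, and a lookup by tag to confirm the key was actually persisted. It assumes a tool signed with the entitlements the data protection keychain requires, and the label and tag values are placeholders.

```swift
import Foundation
import Security

// Generate a persistent P-256 key pair in the data protection keychain.
// Returns nil and prints the OSStatus text on failure (e.g. -2070 internalComponentErr).
func makeDataProtectionKeyPair(label: String, tag: Data) -> (SecKey, SecKey)? {
    let attributes: [CFString: Any] = [
        kSecAttrLabel: label,
        kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits: 256,
        kSecUseDataProtectionKeychain: true,   // modern keychain instead of the legacy file-based one
        kSecPrivateKeyAttrs: [
            kSecAttrIsPermanent: true,
            kSecAttrApplicationTag: tag,
        ] as [CFString: Any],
    ]
    var error: Unmanaged<CFError>?
    guard let privateKey = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        let err = error!.takeRetainedValue() as Error
        let code = OSStatus((err as NSError).code)
        // Turn the bare status code into the Security framework's own description.
        let text = SecCopyErrorMessageString(code, nil) as String? ?? "unknown"
        print("SecKeyCreateRandomKey failed: \(code) (\(text))")
        return nil
    }
    guard let publicKey = SecKeyCopyPublicKey(privateKey) else { return nil }
    return (privateKey, publicKey)
}

// Query the key back by application tag to verify that kSecAttrIsPermanent took effect.
func findPersistedKey(tag: Data) -> SecKey? {
    let query: [CFString: Any] = [
        kSecClass: kSecClassKey,
        kSecAttrApplicationTag: tag,
        kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom,
        kSecUseDataProtectionKeychain: true,   // must match the keychain the key was created in
        kSecReturnRef: true,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess else {
        print("lookup failed: \(status) (\(SecCopyErrorMessageString(status, nil) as String? ?? "unknown"))")
        return nil
    }
    return (item as! SecKey)
}

// Placeholder tag; a real tool would use a reverse-DNS identifier unique to it.
let tag = "com.example.mdm.devicekey".data(using: .utf8)!
if makeDataProtectionKeyPair(label: "MDM device key", tag: tag) != nil {
    print("persisted:", findPersistedKey(tag: tag) != nil)
}
```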

I have attached sysdiagnose to the FB15634465.

Thanks.

We had to use sudo to be able to store the corresponding certificate and its keys in the system keychain for MDM access.

OK. Can you expand on that? Who is consuming the key that you generate?

I’m trying to get a sense of the overall workflow so that I can suggest an alternative path that might work better in the long term.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
