Hello,
I'm getting the following error when attempting to generate a signature on phones running iOS >= 11.0:
CryptoTokenKit Code=-3 "setoken: unable to sign digest"
Here's the code I'm using to generate the signature:
    /// Signs `data` with the Secure Enclave private key (ECDSA over SHA-256, X9.62 encoding).
    func sign(_ data: Data, with privateKey: SecKey) -> Data? {
        var error: Unmanaged<CFError>?
        guard let signature = SecKeyCreateSignature(
            privateKey,
            SecKeyAlgorithm.ecdsaSignatureMessageX962SHA256,
            data as CFData, &error) else {
            // `error` is populated whenever SecKeyCreateSignature returns nil.
            logger?.error("Unable to generate signature for data: \(data.base64EncodedString()) with private key ref: \(privateKey). Error is: \(error!.takeRetainedValue())")
            return nil
        }
        return signature as Data
    }
I've also tried sending in a digest of the data instead and using SecKeyAlgorithm.ecdsaSignatureDigestX962SHA256 but the same issue occurs.
Here's the code I use to generate the keypair:
    enum KeypairError: Error {
        case accessControlFailed
        case generateFailed
    }

    /// Generates a P-256 keypair whose private half is created in and never leaves the Secure Enclave.
    func generateKeypair(applicationTag: Data, keyId: String) throws -> SecKey {
        // The private key is only usable while a passcode is set, on this device, and only for private-key operations.
        guard let access = SecAccessControlCreateWithFlags(nil,
                                                           kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
                                                           [.privateKeyUsage],
                                                           nil) else {
            throw KeypairError.accessControlFailed
        }
        let privateKeyAttrs: [String: Any] = [kSecAttrIsPermanent as String: true,
                                              kSecAttrApplicationTag as String: applicationTag,
                                              kSecAttrLabel as String: keyId,
                                              kSecAttrAccessControl as String: access]
        let publicKeyAttrs: [String: Any] = [kSecAttrIsPermanent as String: false,
                                             kSecAttrLabel as String: keyId,
                                             kSecAttrApplicationTag as String: applicationTag]
        let keyPairAttrs: [String: Any] = [kSecAttrKeySizeInBits as String: 256,
                                           kSecAttrKeyType as String: kSecAttrKeyTypeEC,
                                           kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
                                           kSecPrivateKeyAttrs as String: privateKeyAttrs,
                                           kSecPublicKeyAttrs as String: publicKeyAttrs]
        var error: Unmanaged<CFError>?
        guard let privateKey = SecKeyCreateRandomKey(keyPairAttrs as CFDictionary, &error) else {
            logger?.debug("Unable to generate ECC keypair. Error is: \(error!.takeRetainedValue())")
            throw KeypairError.generateFailed
        }
        return privateKey
    }
This same code works fine for phones running iOS 10. I've tried setting kSecAttrKeyType to kSecAttrKeyTypeECSECPrimeRandom but that didn't seem to do anything.
Any suggestions?
EDIT: After trying a few more things I noticed that by either changing the kSecAttrApplicationTag value to something different or by deleting all keys with that value, the operation succeeds. This provides me with a workaround, though I'm still not sure why that is.
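Added example, not code from the original post: a self-contained Swift version of the key lifecycle that applies the workaround noted in the EDIT. Before creating a Secure Enclave key it deletes every keychain key stored under the same application tag, it reuses an existing key under that tag instead of generating a second one, and it verifies each signature with the public key before handing it out, so a "signs but does not verify" failure surfaces at the call site. The `SEKeyError` enum, the tag string `com.example.app.signing`, and the label `signing-key` are assumptions introduced here; everything else is the public Security framework API.

```swift
import Foundation
import Security

// Hypothetical error type for this example (not from the original post).
enum SEKeyError: Error {
    case accessControl(CFError?)
    case generate(CFError?)
    case keychain(OSStatus)
    case sign(CFError?)
}

/// Returns the private key stored under `tag`, or nil if the keychain has none.
func findPrivateKey(tag: Data) throws -> SecKey? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrKeyClass as String: kSecAttrKeyClassPrivate,
        kSecAttrApplicationTag as String: tag,
        kSecReturnRef as String: true,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    switch status {
    case errSecSuccess:
        guard let item = item else { return nil }
        return (item as! SecKey)
    case errSecItemNotFound:
        return nil
    default:
        throw SEKeyError.keychain(status)
    }
}

/// Deletes every key (public or private) stored under `tag`. Not finding any is not an error.
func deleteKeys(tag: Data) throws {
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrApplicationTag as String: tag,
    ]
    let status = SecItemDelete(query as CFDictionary)
    guard status == errSecSuccess || status == errSecItemNotFound else {
        throw SEKeyError.keychain(status)
    }
}

/// Creates a fresh P-256 key in the Secure Enclave under `tag`, clearing stale entries with that tag first.
func createPrivateKey(tag: Data, label: String) throws -> SecKey {
    try deleteKeys(tag: tag)
    var error: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .privateKeyUsage,
        &error) else {
        throw SEKeyError.accessControl(error?.takeRetainedValue())
    }
    let attrs: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: tag,
            kSecAttrLabel as String: label,
            kSecAttrAccessControl as String: access,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attrs as CFDictionary, &error) else {
        throw SEKeyError.generate(error?.takeRetainedValue())
    }
    return key
}

/// Signs `message` with ECDSA over SHA-256 and checks the result against the public key before returning it.
func sign(_ message: Data, with privateKey: SecKey) throws -> Data {
    let algorithm: SecKeyAlgorithm = .ecdsaSignatureMessageX962SHA256
    guard SecKeyIsAlgorithmSupported(privateKey, .sign, algorithm) else {
        throw SEKeyError.sign(nil)
    }
    var error: Unmanaged<CFError>?
    guard let signature = SecKeyCreateSignature(privateKey, algorithm, message as CFData, &error) else {
        throw SEKeyError.sign(error?.takeRetainedValue())
    }
    // Round-trip check: a signature the matching public key rejects must never leave the device.
    guard let publicKey = SecKeyCopyPublicKey(privateKey),
          SecKeyVerifySignature(publicKey, algorithm, message as CFData, signature, &error) else {
        throw SEKeyError.sign(error?.takeRetainedValue())
    }
    return signature as Data
}

// Usage: reuse the key under the tag if it exists, otherwise create one, then sign a message.
let tag = "com.example.app.signing".data(using: .utf8)!   // hypothetical tag, constructed for this example
do {
    let key = try findPrivateKey(tag: tag) ?? createPrivateKey(tag: tag, label: "signing-key")
    let signature = try sign("hello".data(using: .utf8)!, with: key)
    print(signature.base64EncodedString())
} catch {
    print("Secure Enclave signing failed: \(error)")
}
```

Two design points: `deleteKeys` matches on `kSecClassKey` plus the tag only, so it removes both halves of any earlier pair under that tag, which is what the EDIT describes doing by hand; and `findPrivateKey` is tried before `createPrivateKey`, so on a healthy device the key is generated exactly once and the delete only runs when there is no usable key to reuse. This must run on a physical device: the Secure Enclave is not available in the iOS Simulator, and `SecKeyCreateRandomKey` fails there.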