21 Replies
      Latest reply: Feb 23, 2017 1:25 PM by eskimo RSS
      jerryc Level 1 Level 1 (0 points)

        This particular piece of code (minus the setup code)  generate a 2048 key pair

         

          sanityCheck = SecKeyGeneratePair((__bridge CFDictionaryRef)keyPairAttr, &publicKeyRef, &privateKeyRef);

         

        It works wonderfully on iOS 9 simulator, iOS 9 device, iOS 10 device, but not iOS 10 simulator.

         

        Was there any change in the iOS 10 simulator prevent it from working?

         

        The error while calling this function on iOS 10 simulator is -34018

         

        thanks

        jerry

        • Re: iOS 10 crypto not working on simulator
          eskimo Apple Staff Apple Staff (6,995 points)

          -34018 is errSecMissingEntitlement, indicating an entitlements problem.  However, the simulator doesn’t support entitlements, so this is clearly a bug and I’ve filed it as such (r. 28297379).

          ps Here’s the code I was testing with.

          func SecKeyGeneratePair(_ parameters: [String:AnyObject]) throws -> (publicKey: SecKey, privateKey: SecKey) {
              var publicKey: SecKey? = nil
              var privateKey: SecKey? = nil
              let err = Security.SecKeyGeneratePair(parameters as CFDictionary, &publicKey, &privateKey)
              guard err == errSecSuccess else {
                  print(err)
                  throw NSError(domain: NSOSStatusErrorDomain, code: Int(err), userInfo: nil)
              }
              return (publicKey!, privateKey!)
          }
          
          let keyID = UUID().uuidString
          let keyPair = try? SecKeyGeneratePair([
              kSecAttrKeyType as String:      kSecAttrKeyTypeRSA,
              kSecAttrKeySizeInBits as String: 2048 as NSNumber,
              kSecAttrIsPermanent as String:  true as NSNumber,
              kSecAttrLabel as String:        keyID as NSString
          ])
          print(keyPair)
          

          Built with Xcode 8, it works on the iOS 9 simulator but fails on the iOS 10 simulator.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: iOS 10 crypto not working on simulator
              eskimo Apple Staff Apple Staff (6,995 points)

              -34018 is errSecMissingEntitlement, indicating an entitlements problem.  However, the simulator doesn’t support entitlements, so this is clearly a bug and I’ve filed it as such (r. 28297379).

              OK, that was interesting.  My bug has come back to me as Behaves Correctly.  It seems that the iOS 10 and related simulators do support entitlements.  As such, you should fix this problem by code signing your app for the simulator, just like you do for the device.  I tried this out myself and it works a treat.

              I’ve filed a new bug against Xcode to get the project templates updated to reflect this reality (r. 28338972).

              Share and Enjoy

              Quinn “The Eskimo!”
              Apple Developer Relations, Developer Technical Support, Core OS/Hardware
              let myEmail = "eskimo" + "1" + "@apple.com"

                • Re: iOS 10 crypto not working on simulator
                  johncch Level 1 Level 1 (0 points)
                  As such, you should fix this problem by code signing your app for the simulator, just like you do for the device.  I tried this out myself and it works a treat.
                  

                   

                  Do you mind elaborating what you mean by code signing for the simulator? Is this invoked via the console codesign tool?

                    • Re: iOS 10 crypto not working on simulator
                      Totem Level 1 Level 1 (0 points)

                      Just go into your Project Build Settings and switch Code Signing Identity -> Debug -> Any iOS SDK to "Don't Code Sign".

                      • Re: iOS 10 crypto not working on simulator
                        eskimo Apple Staff Apple Staff (6,995 points)

                        A newly created Xcode project for iOS has the Code Signing (`CODESIGNIDENTITY) build setting set like this:

                        //:configuration = Debug
                        CODE_SIGN_IDENTITY[sdk=iphoneos*] = iPhone Developer
                        
                        //:configuration = Release
                        CODE_SIGN_IDENTITY[sdk=iphoneos*] = iPhone Developer
                        
                        //:completeSettings = some
                        CODE_SIGN_IDENTITY
                        

                        This only signs the app if you’re building for the device.  I set it to this:

                        //:configuration = Debug
                        CODE_SIGN_IDENTITY = iPhone Developer
                        
                        //:configuration = Release
                        CODE_SIGN_IDENTITY = iPhone Developer
                        
                        //:completeSettings = some
                        CODE_SIGN_IDENTITY
                        

                        This signs the app for both device and simulator builds.

                        Share and Enjoy

                        Quinn “The Eskimo!”
                        Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                        let myEmail = "eskimo" + "1" + "@apple.com"

                          • Re: iOS 10 crypto not working on simulator
                            mkaralek Level 1 Level 1 (0 points)

                            This wasn't enough for me. I also had to enable the "Keychain Sharing" capability as suggested here:

                            https://forums.developer.apple.com/thread/60617

                            • Re: iOS 10 crypto not working on simulator
                              johncch Level 1 Level 1 (0 points)

                              Thanks, I did get it to work. I had to delete and reinstall the app (to trigger the keychain item being stored in our app's scenario) though because I'm assuming the Keychain items stored before code signing will not be visible.

                              • Re: iOS 10 crypto not working on simulator
                                DamienP Level 1 Level 1 (0 points)

                                That doesn't solve the problem at all when you are using the keychain with Unit Testing inside a Framework which is NOT included inside an app.

                                There is no workaround this so far ....

                                 

                                And over it, I get an error message that logic test can't run on the device and I should use the simulator instead. Neato.

                                 

                                OSStatus: The operation couldn’t be completed. (OSStatus error -34018.)

                                  • Re: iOS 10 crypto not working on simulator
                                    eskimo Apple Staff Apple Staff (6,995 points)

                                    Right.  That’s a separate problem, caused by the fact that unit test are actually run by an executable embedded within Xcode (xctest) and that that process does not have entitlements.  Previously this only inconvenienced folks using interesting entitlements, but now it applies to the keychain as well.

                                    There’s a bug on file about this (r. 14493584) but feel free to file your own bug describing your own specific requirements.

                                    I believe you can work around this by creating a dummy app target that has the appropriate entitlements and then hosting your tests within that (via the Host Application popup in the General tab of the unit test’s target editor).  I haven’t tried to do this myself yet; I ran out of time and just decided to run my unit tests in the iOS 9 simulator for the moment )-:

                                    Share and Enjoy

                                    Quinn “The Eskimo!”
                                    Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                    let myEmail = "eskimo" + "1" + "@apple.com"

                          • Re: iOS 10 crypto not working on simulator
                            EvergreenCoder Level 1 Level 1 (0 points)

                            For those still struggling with this, particularly those who have required adding keychain sharing to workaround, here is what has been working for me.

                             

                            The issue seems to be that there must be at least one entitlement in order for Xcode to properly add the "application-identifier" enttilement to the built application.  This is why keychain sharing seems to be a solution but it is only indirectly so:  any other entitlement seems to work fine.

                             

                            Take a vanilla application and do a build.  During the "Process Product Packaging" build step it will not show any entitlements.  Any attempt to use the keychain in the simulator with that application will fail with the -34018 error.

                             

                            You could add keychain sharing to work around this, as this adds an entitlement, and the final application will contain the keychain-access-group and the application-identifier entitelments.  If you do not want to enable keychain sharing you can simply add another entitlement.

                             

                            For example, I created an entitlements.plist and configured by project to use it for CODE_SIGN_ENTITLEMENTS for a simulator build.  This enttilements plist simply adds the get-task-allow (allow a debugger to be attached)

                             

                            <?xml version="1.0" encoding="UTF-8"?>
                            <!DOCTYPE plist PUBLIC "-/
                            <plist version="1.0">
                                <dict>
                                    <key>get-task-allow</key>
                                    <true/>
                                </dict>
                            </plist>
                            
                            

                             

                            By adding this entitlement, which is a bit unnecessary for a simulator build, the keychain access will work correctly.  During the "Process Product Packaging" step you will see output that contains the get-task-allow and application-identifier entitlements now.  Abbreviated output from this step show below..

                             

                            ...
                            
                            Entitlements:
                            {
                                "application-identifier" = "AAABBBCCDDD.com.company.MyBundleID";
                                "get-task-allow" = 1;
                            }
                            
                            ...
                            
                            

                             

                            You can now successfully run your application in the simualtor and you did not have to configure any unwanted entitlements such as keychain sharing.

                             

                            This strikes me as a bug in Xcode 8 whereby it should always be adding the application-identifier entitlement for simulator builds.

                              • Re: iOS 10 crypto not working on simulator
                                eskimo Apple Staff Apple Staff (6,995 points)

                                The issue seems to be that there must be at least one entitlement in order for Xcode to properly add the "application-identifier" enttilement to the built application.

                                Right.

                                This strikes me as a bug in Xcode 8 whereby it should always be adding the application-identifier entitlement for simulator builds.

                                Right.  Since I last posted on this thread I’ve been back and forth with both Security and Xcode engineering about this issue, and I eventually uncovered a bug report (r. 26953315) that’s exactly this.

                                Share and Enjoy

                                Quinn “The Eskimo!”
                                Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                let myEmail = "eskimo" + "1" + "@apple.com"

                                  • Re: iOS 10 crypto not working on simulator
                                    rahusing Level 1 Level 1 (0 points)

                                    Hi Eskimo

                                    We have an sdk which uses this feature(keychain). Our product (which is out there) is breaking on ios10 simulators. Can we know what are the timelines when we can expect this to get fixed?

                                     

                                    Thanks

                                    Rahul

                                      • Re: iOS 10 crypto not working on simulator
                                        eskimo Apple Staff Apple Staff (6,995 points)

                                        Can we know what are the timelines when we can expect this to get fixed?

                                        I can’t speculate about the future.

                                        Presumably your SDK has instructions that tell your clients how to integrate the SDK into their product; if I were in your shoes I’d update those instructions to account for this issue.

                                        Share and Enjoy

                                        Quinn “The Eskimo!”
                                        Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                        let myEmail = "eskimo" + "1" + "@apple.com"

                                          • Re: iOS 10 crypto not working on simulator
                                            eskimo Apple Staff Apple Staff (6,995 points)

                                            I can’t speculate about the future.

                                            I just noticed that the release notes for the Xcode 8.1 GM seed now touches on this issue:

                                            Keychain APIs may fail to work in the Simulator if your entitlements file doesn’t contain a value for the application-identifier entitlement. (28338972)

                                            Workaround: Add a user-defined build setting to your target named ENTITLEMENTS_REQUIRED and set the value to YES. This will cause Xcode to automatically insert an application-identifier entitlement when building.

                                            I haven’t tried this myself yet.

                                            Share and Enjoy

                                            Quinn “The Eskimo!”
                                            Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                            let myEmail = "eskimo" + "1" + "@apple.com"

                                              • Re: iOS 10 crypto not working on simulator
                                                jrouge Level 1 Level 1 (0 points)

                                                Hi Eskimo,

                                                I also need to execute unit tests inside a framework and I still encounter the problem with xcode 8.1.

                                                Thanks

                                                Jeremie

                                                  • Re: iOS 10 crypto not working on simulator
                                                    eskimo Apple Staff Apple Staff (6,995 points)

                                                    I also need to execute unit tests inside a framework and I still encounter the problem with xcode 8.1.

                                                    Right.  This is a well-known issue with library tests (sometimes called logic tests by Xcode).  Those tests are run by a tool (xctest) that does not have entitlements.  Historically this caused problems for folks using custom entitlements (to access CloudKit, for example) but now it affects folks using the keychain as well.

                                                    AFAIK there’s no direct workaround.  However, I believe you can avoid the problem by running this test code within your app (in the docs this is called an app test).  Because these run inside your app, they get the app’s entitlements.

                                                    If you don’t have an app handy, you can create a dummy one just to host the tests.

                                                    Please try this out and let us know if you hit any snags.

                                                    Oh, and don’t let the availability of a workaround prevent you from filing a bug about this.  Xcode should be able to run library tests with entitlements, and this recent keychain change makes this even more important.

                                                    Share and Enjoy

                                                    Quinn “The Eskimo!”
                                                    Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                                    let myEmail = "eskimo" + "1" + "@apple.com"

                                                      • Re: iOS 10 crypto not working on simulator
                                                        elektrojunge Level 1 Level 1 (0 points)

                                                        Hy Eskimo,

                                                        I just installed the latest Xcode 8.2 beta (beta 2) and was hoping it would fix the issue for library tests/logic tests, too. Unfortunately, the issues seems to be still around, our logic tests continue to fail if they try to access the keychain.

                                                         

                                                        Any pointes when/if we can expect a fix for this?

                                                         

                                                        Thanks 

                                                        Benny

                                                          • Re: iOS 10 crypto not working on simulator
                                                            eskimo Apple Staff Apple Staff (6,995 points)

                                                            Unfortunately, the issues seems to be still around, our logic tests continue to fail if they try to access the keychain.

                                                            Correct.

                                                            Any pointes when/if we can expect a fix for this?

                                                            I can’t comment on The Future™ but I will repeat my advice from earlier:

                                                            • You can avoid the problem by running your tests within an app, creating a dummy app if you don’t have one handy.

                                                            • Feel free to file your own bug about this limitation.

                                                            Share and Enjoy

                                                            Quinn “The Eskimo!”
                                                            Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                                            let myEmail = "eskimo" + "1" + "@apple.com"

                                                              • Re: iOS 10 crypto not working on simulator
                                                                aventurella Level 1 Level 1 (0 points)

                                                                Do you have any documentation, maybe it's simple enough to provide right here, where you take an existing Framework target's tests and add them to a dummy app to be executed?  Or do I have the wrong idea about this dummy app?

                                                                  • Re: iOS 10 crypto not working on simulator
                                                                    eskimo Apple Staff Apple Staff (6,995 points)

                                                                    I think it’s as simple as:

                                                                    1. Creating a new app target for the appropriate platform.

                                                                    2. In the target editor for the test target, go to the General tab and select that as the host application.

                                                                    I recently did this for the CryptoCompatibility sample code and it didn’t cause me any grief (be aware that’s not in the current public release of the sample, but something internal).

                                                                    Share and Enjoy

                                                                    Quinn “The Eskimo!”
                                                                    Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                                                    let myEmail = "eskimo" + "1" + "@apple.com"