2 Replies
      Latest reply: Oct 19, 2016 7:43 PM by loosegoose
      loosegoose Level 1 (0 points)

        I am trying to export a private key that is generated with SecKeyGeneratePair as an encrypted PKCS8. It fails with a bad access using the new SecItemExport. Here is my code. It works just fine when I use the SecKeychainItemExport but that is deprecated.

         

            NSDictionary * privateKeyParameters = @{(id)kSecAttrIsPermanent:@YES,
                                                    (id)kSecAttrIsExtractable:@YES,
                                                    (id)kSecAttrCanDerive:@YES,
                                                    (id)kSecAttrCanDecrypt:@YES,
                                                    };
          
            NSDictionary * publicKeyParameters = @{(id)kSecAttrIsPermanent:@YES,
                                                   (id)kSecAttrIsExtractable:@YES,
                                                   (id)kSecAttrCanEncrypt:@YES,
                                                   };
          
            NSDictionary * parameters = @{(id)kSecAttrKeyType:(id)kSecAttrKeyTypeRSA,
                                          (id)kSecAttrKeySizeInBits:@4096,
                                          (id)kSecPrivateKeyAttrs:privateKeyParameters,
                                          (id)kSecPublicKeyAttrs:publicKeyParameters
                                          };
          
            SecKeyRef publicKey;
            SecKeyRef privateKey;
          
            CFDataRef privateBytes = NULL;
          
            if (SecKeyGeneratePair((__bridge CFDictionaryRef)parameters, &publicKey, &privateKey) == errSecSuccess) {
              
                SecItemImportExportKeyParameters params;
                params.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;
                params.flags = kSecKeyNoAccessControl;
                params.passphrase = CFSTR("Apass");
              
                OSStatus err = SecItemExport(privateKey, kSecFormatWrappedPKCS8, 0, &params, &privateBytes);
            }
        
        • Re: Exporting a Private Key with a passphrase
          eskimo Apple Staff (6,075 points)

          You’re not setting all the fields of the SecItemImportExportKeyParameters structure.  That structure contains various pointers; if those pointers contain junk values, that’d explain the crash.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: Exporting a Private Key with a passphrase
              loosegoose Level 1 (0 points)

              That's weird, because those other fields are optional, so I didn't think it mattered, but it did. Here are the parameters I had to use to prompt the user to enter a passphrase and export the key as a PKCS8 key, in case anyone has the same issue I did.

               

              SecItemImportExportKeyParameters params;
              params.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;
              params.flags = kSecKeySecurePassphrase;
              params.passphrase = NULL;
              params.alertTitle = CFSTR("Title");
              params.alertPrompt = CFSTR("Prompt");
              params.accessRef = NULL;
              params.keyAttributes = NULL;
              params.keyUsage = NULL;
              
              
              

               

              Thank you for your help
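
An added example, not part of the original thread or Apple's own sample code: the crash discussed above comes from a stack-allocated SecItemImportExportKeyParameters whose unset pointer fields hold junk, so this sketch zero-initializes the whole structure before setting only the fields it needs. The helper name ExportWrappedPKCS8 and its parameters are hypothetical, and ARC on macOS is assumed.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical helper (name and signature are assumptions, not an Apple API).
// Exports privateKey as passphrase-wrapped PKCS#8. If promptUser is YES the
// system asks the user for the passphrase; otherwise the caller supplies one.
static NSData *ExportWrappedPKCS8(SecKeyRef privateKey,
                                  BOOL promptUser,
                                  CFStringRef passphrase,
                                  OSStatus *outStatus)
{
    // Zero every field first, so alertTitle, alertPrompt, accessRef, keyUsage
    // and keyAttributes are NULL rather than whatever was on the stack.
    SecItemImportExportKeyParameters params = {0};
    params.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;

    if (promptUser) {
        // Same settings as the working reply above: secure passphrase prompt.
        params.flags = kSecKeySecurePassphrase;
        params.alertTitle = CFSTR("Title");
        params.alertPrompt = CFSTR("Prompt");
    } else {
        // Caller-provided passphrase (CFStringRef), passed in at run time
        // instead of being compiled into the binary.
        params.passphrase = passphrase;
    }

    CFDataRef exported = NULL;
    OSStatus err = SecItemExport(privateKey, kSecFormatWrappedPKCS8, 0,
                                 &params, &exported);
    if (outStatus != NULL) {
        *outStatus = err;
    }
    if (err != errSecSuccess) {
        // Turn the OSStatus into readable text for the log.
        CFStringRef msg = SecCopyErrorMessageString(err, NULL);
        NSLog(@"SecItemExport failed: %d (%@)", (int)err, (__bridge NSString *)msg);
        if (msg != NULL) {
            CFRelease(msg);
        }
        return nil;
    }
    // Hand ownership of the exported bytes to ARC.
    return CFBridgingRelease(exported);
}
```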