1 Reply
      Latest reply on Feb 16, 2017 2:22 PM by xwu
      xwu Level 1 (0 points)


        I am building a VPN client with Packet Tunnel Provider for macOS. The VPN profile configured by Apple Configurator 2 uses a certificate p12 file as user authentication for the connection; the profile is installed on my Mac, and the certificate was imported into the keychain.

            The VPN extension is called once I try to connect the VPN, but I am not able to retrieve the private key with the persistent reference of my VPN keychain item, which comes within the NETunnelProviderProtocol object. Below are the things I did.

        1. Generate a p12 file with the certificate and RSA private key.

            openssl pkcs12 -export -out client.p12 -inkey privateKey.key -in certificate.crt -certfile CACert.crt

        2. Try to retrieve the private key with the persistent reference in the NETunnelProviderProtocol object in the Packet Tunnel Provider extension.

             #include <CoreFoundation/CoreFoundation.h>
             #include <Security/Security.h>

             SecIdentityRef identity_ref = NULL;
             CFDataRef exportResult = NULL;
             OSStatus status;

             /* Look the identity up by the persistent reference handed to the extension
                (persistent_ref is the CFDataRef taken from the NETunnelProviderProtocol). */
             const void *keys[]   = { kSecClass,         kSecReturnRef,  kSecValuePersistentRef };
             const void *values[] = { kSecClassIdentity, kCFBooleanTrue, persistent_ref };
             CFDictionaryRef dict = CFDictionaryCreate(NULL, keys, values, 3,
                                                       &kCFTypeDictionaryKeyCallBacks,
                                                       &kCFTypeDictionaryValueCallBacks);

             status = SecItemCopyMatching(dict, (CFTypeRef *)&identity_ref);
             CFRelease(dict);

             if (status == errSecSuccess) {
                  SecItemImportExportKeyParameters params = { 0 };
                  params.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;
                  /* kSecKeySecurePassphrase would ask the secure passphrase UI for the
                     passphrase instead of using params.passphrase; an extension has no UI,
                     so supply the passphrase directly. */
                  params.flags = 0;
                  params.passphrase = CFStringCreateWithCString(kCFAllocatorDefault, "", kCFStringEncodingASCII);

                  status = SecItemExport(identity_ref, kSecFormatPKCS12, 0, &params, &exportResult); // error, not able to get the private key

                  CFRelease(params.passphrase);
                  CFRelease(identity_ref);
             }


        Additionally, I tried to use SecItemCopyMatching to retrieve the private key; I can get only 96 bytes back, which is obviously not correct.


        There should be something wrong with my code; please give me help.
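An added example, not code from the original post, showing the pattern I would use for this case: resolve the persistent reference to a SecIdentityRef with SecItemCopyMatching, then use the private key where it lives (SecIdentityCopyPrivateKey plus SecKeyCreateSignature) instead of trying to export it as PKCS#12. It assumes it runs inside an NEPacketTunnelProvider subclass (the class name PacketTunnelProvider and the error domain are hypothetical), that the profile's identity persistent reference arrives in protocolConfiguration.identityReference, macOS 10.12 or later for SecKeyCreateSignature and SecKeyCopyPublicKey, and that the extension is permitted by the private key's keychain access control list. The challenge being signed is constructed inline to stand in for whatever the VPN server sends.

```objective-c
// Added example (not the poster's code): resolve the VPN profile's identity
// persistent reference and sign with the private key in place.
// Assumptions: macOS 10.12+ (SecKeyCreateSignature / SecKeyCopyPublicKey),
// the extension is in the private key's keychain ACL, and the names
// PacketTunnelProvider and kTunnelErrorDomain are hypothetical.
#import <Foundation/Foundation.h>
#import <NetworkExtension/NetworkExtension.h>
#import <Security/Security.h>

static NSString *const kTunnelErrorDomain = @"ExamplePacketTunnel";

// Wrap an OSStatus in an NSError carrying Security's own message text.
static NSError *ErrorForStatus(OSStatus status, NSString *where) {
    CFStringRef msg = SecCopyErrorMessageString(status, NULL);
    NSString *desc = [NSString stringWithFormat:@"%@: %@ (OSStatus %d)", where,
                      msg ? (__bridge NSString *)msg : @"unknown", (int)status];
    if (msg) CFRelease(msg);
    return [NSError errorWithDomain:kTunnelErrorDomain code:status
                           userInfo:@{NSLocalizedDescriptionKey: desc}];
}

// Step 1: persistent reference -> SecIdentityRef (caller must CFRelease it).
// kSecReturnRef asks for the object itself; the raw key bytes are never
// needed for a keychain-resident key.
static SecIdentityRef CopyIdentity(NSData *persistentRef, NSError **error) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:              (__bridge id)kSecClassIdentity,
        (__bridge id)kSecValuePersistentRef: persistentRef,
        (__bridge id)kSecReturnRef:          @YES,
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess) {
        if (error) *error = ErrorForStatus(status, @"SecItemCopyMatching");
        return NULL;
    }
    return (SecIdentityRef)result;
}

// Step 2: sign a challenge with the identity's private key and check the
// signature against the matching public key, without exporting the key.
static NSData *SignChallenge(SecIdentityRef identity, NSData *challenge, NSError **error) {
    SecKeyRef privateKey = NULL;
    OSStatus status = SecIdentityCopyPrivateKey(identity, &privateKey);
    if (status != errSecSuccess) {
        if (error) *error = ErrorForStatus(status, @"SecIdentityCopyPrivateKey");
        return nil;
    }
    CFErrorRef cfError = NULL;
    SecKeyAlgorithm algorithm = kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256;
    CFDataRef signature = SecKeyCreateSignature(privateKey, algorithm,
                                                (__bridge CFDataRef)challenge, &cfError);
    SecKeyRef publicKey = SecKeyCopyPublicKey(privateKey);
    CFRelease(privateKey);
    if (!signature) {
        if (publicKey) CFRelease(publicKey);
        if (error) *error = CFBridgingRelease(cfError); else if (cfError) CFRelease(cfError);
        return nil;
    }
    BOOL ok = publicKey && SecKeyVerifySignature(publicKey, algorithm,
                                                 (__bridge CFDataRef)challenge, signature, NULL);
    if (publicKey) CFRelease(publicKey);
    if (!ok) {
        CFRelease(signature);
        if (error) *error = ErrorForStatus(errSecVerifyFailed, @"SecKeyVerifySignature");
        return nil;
    }
    return CFBridgingRelease(signature);
}

@interface PacketTunnelProvider : NEPacketTunnelProvider
@end

@implementation PacketTunnelProvider

- (void)startTunnelWithOptions:(NSDictionary<NSString *, NSObject *> *)options
             completionHandler:(void (^)(NSError *))completionHandler {
    NETunnelProviderProtocol *proto = (NETunnelProviderProtocol *)self.protocolConfiguration;
    NSData *persistentRef = proto.identityReference;
    if (!persistentRef) {
        completionHandler(ErrorForStatus(errSecItemNotFound, @"identityReference missing"));
        return;
    }
    NSError *error = nil;
    SecIdentityRef identity = CopyIdentity(persistentRef, &error);
    if (!identity) { completionHandler(error); return; }

    // Constructed challenge standing in for what the VPN server would send.
    NSData *challenge = [@"server-nonce-0123456789" dataUsingEncoding:NSUTF8StringEncoding];
    NSData *signature = SignChallenge(identity, challenge, &error);
    CFRelease(identity);
    if (!signature) { completionHandler(error); return; }

    NSLog(@"signed %lu-byte challenge, signature is %lu bytes",
          (unsigned long)challenge.length, (unsigned long)signature.length);
    // ... continue the tunnel handshake using `signature`
    completionHandler(nil);
}

@end
```

The point of the design is that the private key never leaves the keychain: the extension only needs a signing operation, so SecItemExport of a PKCS#12 is neither required nor desirable. When CopyIdentity or SecIdentityCopyPrivateKey fails, the OSStatus text from SecCopyErrorMessageString tells you whether the item was not found (the persistent reference points at a keychain the extension cannot see) or whether access was refused (the extension is not on the key's access control list); `security find-identity -v` from a Terminal shows which identities are visible and in which keychain.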