SecKeyCreateDecryptedData fails with "Error Domain=CryptoTokenKit Code=-3 "setoken: unable to compute shared secret" UserInfo={NSLocalizedDescription=setoken: unable to compute shared secret"

Hi,


Our application predominantly uses the keychain and the secure enclave to generate asymmetric keys and decrypt using the secure enclave.


When testing our application against iOS 13 beta for any compatibility issues, we encountered a problem while decrypting using the Secure Enclave.


We use the SecAccessControlCreateFlags.biometryAny constraint to restrict access to the private key to a valid biometric registered on the device, and this is what is actually causing the problem. When SecAccessControlCreateFlags.biometryAny is not set, the decryption succeeds.


Below is the error that is thrown:


Error Domain=CryptoTokenKit Code=-3 "setoken: unable to compute shared secret" UserInfo={NSLocalizedDescription=setoken: unable to compute shared secret}


keyType: kSecAttrKeyTypeECSECPrimeRandom

accessibilityProtection: kSecAttrAccessibleWhenUnlockedThisDeviceOnly

accessControlFlags: SecAccessControlCreateFlags.biometryAny.rawValue

Decryption Algorithm: eciesEncryptionCofactorX963SHA256AESGCM


This whole feature works perfectly on all other versions of iOS below 13.0.


Please let us know if this is a known issue, or, if you have any suggestions to overcome this.


Thanks,

Aravind Vaidhyanathan
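The configuration listed in the post above, written out as a round-trip check that can be run on a device to confirm whether the biometry-gated decrypt path works on a given OS build. This is an added example, not the poster's code; the function names, the error enum, the application tag parameter and the extra `.privateKeyUsage` flag (used in Apple's documented Secure Enclave key setup) are assumptions.

```swift
import Foundation
import Security

// Hypothetical error type for this example; each case carries the underlying CFError.
enum SEKeyError: Error {
    case accessControl(Error?), keyGen(Error?), noPublicKey, unsupported
    case encrypt(Error?), decrypt(Error?)
}

let algorithm = SecKeyAlgorithm.eciesEncryptionCofactorX963SHA256AESGCM

/// Creates a Secure Enclave P-256 private key gated by .biometryAny.
func makeBiometricEnclaveKey(tag: Data) throws -> SecKey {
    var error: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        [.privateKeyUsage, .biometryAny],   // .privateKeyUsage is an assumption
        &error) else { throw SEKeyError.accessControl(error?.takeRetainedValue()) }
    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: tag,
            kSecAttrAccessControl as String: access
        ] as [String: Any]
    ]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        throw SEKeyError.keyGen(error?.takeRetainedValue())
    }
    return key
}

/// Encrypts to the public key, then decrypts inside the enclave (triggers the biometric prompt).
func roundTrip(_ plaintext: Data, with privateKey: SecKey) throws -> Data {
    guard let publicKey = SecKeyCopyPublicKey(privateKey) else { throw SEKeyError.noPublicKey }
    guard SecKeyIsAlgorithmSupported(publicKey, .encrypt, algorithm),
          SecKeyIsAlgorithmSupported(privateKey, .decrypt, algorithm) else { throw SEKeyError.unsupported }
    var error: Unmanaged<CFError>?
    guard let cipher = SecKeyCreateEncryptedData(publicKey, algorithm, plaintext as CFData, &error) else {
        throw SEKeyError.encrypt(error?.takeRetainedValue())
    }
    guard let clear = SecKeyCreateDecryptedData(privateKey, algorithm, cipher, &error) else {
        // Surface the CFError so its domain and code (e.g. CryptoTokenKit -3)
        // can be told apart from a cancelled or failed biometric prompt.
        throw SEKeyError.decrypt(error?.takeRetainedValue())
    }
    return clear as Data
}
```

Running the same round trip with `.biometryAny` removed from the flag set isolates whether the access-control constraint is what breaks decryption, as the post reports.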

Replies

This whole feature works perfectly on all other versions of iOS below 13.0.

My general advice in situations like this, where you have existing code that’s failing on a pre-release system, is to file a bug. It’s possible that you’re doing something wrong that just happened to work on previous systems, but it’s just as likely that this is a bug in the system itself.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks, Quinn.


I have filed a bug:

https://feedbackassistant.apple.com/feedback/7002453


Thanks,

Aravind Vaidhyanathan

The issue seems to have been fixed in the latest beta 13.0(17a5556d).


Thanks,

Aravind Vaidhyanathan