My code calls SecKeyCreateRandomKey() to generate an RSA private key. I want the generated key to be non-exportable, so I set kSecAttrIsExtractable to @NO. But I am still able to export the private key.
What should I set to make the newly generated private key not exportable or extractable?
My sample code:

    #import <Foundation/Foundation.h>
    #import <Security/Security.h>

    // keychainRef is a SecKeychainRef obtained elsewhere.
    NSDictionary* attributes =
        @{ (id)kSecAttrKeyType: (id)kSecAttrKeyTypeRSA,
           (id)kSecAttrKeySizeInBits: @2048,
           (id)kSecUseKeychain: (__bridge id)keychainRef,
           (id)kSecPrivateKeyAttrs:
               @{ (id)kSecAttrIsPermanent: @YES,
                  (id)kSecAttrIsExtractable: @NO,
                  (id)kSecAttrCanDerive: @NO,
               },
        };
    CFErrorRef error = NULL;
    SecKeyRef privateKey = SecKeyCreateRandomKey((__bridge CFDictionaryRef)attributes, &error);
    if (privateKey) {
        // Try to export the key that was just generated.
        CFDataRef exportPrivateKeyData = NULL;
        OSStatus result = SecItemExport(privateKey, kSecFormatUnknown, 0, NULL, &exportPrivateKeyData);
    }

Note: SecItemExport() returns errSecSuccess (0) and exportPrivateKeyData contains data. I was hoping SecItemExport() would fail, since kSecAttrIsExtractable was set to @NO when generating the private key.