2 Replies
      Latest reply on May 1, 2019 10:52 PM by yo77
      AvaloqKent Level 1 Level 1 (0 points)

        I am trying to create a private key using SecKeyCreateRandomKey() and every time I attempt to create the key the Security framework returns with an error "-25293"  errSecAuthFailed                         = -25293,    /* The user name or passphrase you entered is not correct. */


        the code looks like this:


             keysize = 521

             keyid = (unique UUID)

             and self.applicationContext returns the valid LAContext with the application password verifiably correctly set.


            SecAccessControlCreateFlags sacFlags = kSecAttrAccessibleWhenUnlocked;
            sacFlags |= kSecAccessControlAnd;
            sacFlags |= kSecAccessControlPrivateKeyUsage;
            sacFlags |= kSecAccessControlApplicationPassword;
            SecAccessControlRef accessControl = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
            if( !accessControl ) {
                *error = CFBridgingRelease(cferror);
                log(@"Security", @"error creating access control: [%@]",[*error localizedDescription]);
            else {
                NSData* tag = [keyid dataUsingEncoding:NSUTF8StringEncoding];  
                NSDictionary* attributes =  @{ (id)kSecAttrKeyType:             (id)kSecAttrKeyTypeECSECPrimeRandom,
                                               (id)kSecAttrKeySizeInBits:       @(keysize),
                                               (id)kSecAttrLabel:               keyid,
                                                   @{ (id)kSecAttrIsPermanent:    @YES,
                                                      (id)kSecAttrApplicationTag: tag,
                                                      (id)kSecUseAuthenticationContext : self.applicationContext,
                                                      (id)kSecAttrAccessControl:  (__bridge id)accessControl,
                                                      (id)kSecAttrEffectiveKeySize:   @(keysize),
                                                      (id)kSecAttrCanEncrypt      :   @NO,
                                                      (id)kSecAttrCanDecrypt      :   @YES,
                                                      (id)kSecAttrCanDerive       :   @YES,
                                                      (id)kSecAttrCanSign         :   @YES,
                                                      (id)kSecAttrCanVerify       :   @NO,
                                                      (id)kSecAttrCanWrap         :   @NO,
                                                      (id)kSecAttrCanUnwrap       :   @YES,
                SecKeyRef privateKey = SecKeyCreateRandomKey((__bridge CFDictionaryRef)attributes,


        I could sure use some assistance,

        thanks in advance,



        • Re: Help needed creating EC key for JWT signing
          eskimo Apple Staff Apple Staff (11,325 points)

          I recommend that you start by radically simplifying your code, then build up the extra features you need from there.  The doc comments for SecKeyCreateRandomKey indicate that only two properties are needed:

          • kSecAttrKeyType, which should be `kSecAttrKeyTypeECSECPrimeRandom

          • kSecAttrKeySizeInBits, and you should start out with 256

          Try calling SecKeyCreateRandomKey with just those two properties and see what happens.  If it works, you can add in your other parameters until things start to fail, starting with changing the key size to 521.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

          • Re: Help needed creating EC key for JWT signing
            yo77 Level 1 Level 1 (0 points)

            Ndyejsneu Hensjdirnbd