Im trying to generate a privatekey that only is accessible when either pincode or current set of biometrics( that is already registered on device) is used. It works when i have a finger registered on device, then its all good. But if i delete my registered "touchid-finger", and try to generate a new key, then it returns nil
Errorcode is -25293
func generateKey() -> SecKey?{
var error: Unmanaged?
let accessControl = SecAccessControlCreateWithFlags(
kCFAllocatorDefault,
kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
[.devicePasscode,.or,.biometryCurrentSet],
nil)
let attributes:[String : Any] = [kSecAttrType as String: kSecAttrKeyTypeRSA,
kSecAttrKeySizeInBits as String:4096,
kSecPrivateKeyAttrs as String: [
kSecAttrIsPermanent:true,
kSecAttrCanSign: true,
kSecAttrApplicationTag: "yes.its.my.tag",
kSecAttrAccessControl:accessControl!]]
let privateKey = SecKeyCreateRandomKey(attributes as CFDictionary, &error)
if(error != nil || privateKey == nil) {
fatalError("explode Kittens")
}
return privateKey
}
Its actually works on simulators but not on real devices.
I do not want to use userPresence, since then one can add fingerprints and still be able to fetch the key.
Since its .OR , i would think it should be enough to have a pincode on device to generate key.
posted the question on stackoverflow also.. https://stackoverflow.com/questions/58445519/ios-not-able-to-create-privatekey-if-only-pincode-is-set-on-device