0 Replies
Latest reply on Oct 19, 2019 5:40 AM by roykk
roykk Level 1 (0 points)

I'm trying to generate a private key that is only accessible when either the PIN code or the current set of biometrics (the one already registered on the device) is used. It works when I have a finger registered on the device; then it's all good. But if I delete my registered "Touch ID finger" and try to generate a new key, it returns nil.

Error code is -25293.

        func generateKey() -> SecKey? {
            // Out-parameter for the Security APIs (the generic type was missing)
            var error: Unmanaged<CFError>?
            // Key usable only while unlocked, never leaves this device, and needs
            // the passcode OR the biometric set that is enrolled at creation time
            let accessControl = SecAccessControlCreateWithFlags(
                kCFAllocatorDefault,
                kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
                [.devicePasscode, .or, .biometryCurrentSet],
                nil)

            let attributes: [String: Any] = [
                kSecAttrKeyType as String: kSecAttrKeyTypeRSA,   // kSecAttrKeyType, not kSecAttrType
                kSecAttrKeySizeInBits as String: 4096,
                kSecPrivateKeyAttrs as String: [
                    kSecAttrIsPermanent: true,
                    kSecAttrCanSign: true,
                    kSecAttrApplicationTag: "yes.its.my.tag".data(using: .utf8)!, // tag is CFData
                    kSecAttrAccessControl: accessControl!
                ]
            ]
            let privateKey = SecKeyCreateRandomKey(attributes as CFDictionary, &error)
            if error != nil || privateKey == nil {
                fatalError("explode Kittens")
            }
            return privateKey
        }


It actually works on simulators but not on real devices.
I do not want to use userPresence, since then one can add fingerprints and still be able to fetch the key.


Since it's .or, I would think it should be enough to have a PIN code on the device to generate the key.

I posted the question on Stack Overflow also: https://stackoverflow.com/questions/58445519/ios-not-able-to-create-privatekey-if-only-pincode-is-set-on-device
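As an added example (not the poster's code and not taken from Apple's documentation), here is the same key generation with the two checks a practitioner would want at this point. The post's force-unwrap of `accessControl!` shows that SecAccessControlCreateWithFlags itself succeeds with no biometrics enrolled and that the failure only surfaces in SecKeyCreateRandomKey, so the example asks LocalAuthentication whether any biometrics are enrolled before it chooses `.biometryCurrentSet`, uses `.devicePasscode` alone when none are, and returns the CFError to the caller instead of calling fatalError, so that -25293 (errSecAuthFailed, a Security framework constant) can be recognised and logged. Assumptions: a real device with a passcode set; the `KeyGenError` type, the `securityStatus` helper and the tag string are hypothetical names; RSA 4096 is kept from the post.

```swift
import Foundation
import Security
import LocalAuthentication

// Hypothetical error type so callers see why key creation failed.
enum KeyGenError: Error {
    case accessControl(CFError?)
    case keyCreation(CFError?)
}

/// True when the device reports at least one enrolled biometric (Touch ID or Face ID).
/// With nothing enrolled, canEvaluatePolicy fails with LAError.biometryNotEnrolled.
func biometricsEnrolled() -> Bool {
    let context = LAContext()
    var laError: NSError?
    return context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &laError)
}

/// Strictest access control the device can currently satisfy:
/// passcode OR current biometric set when biometrics exist, passcode only otherwise.
/// Either way the key is bound to this device and is not migrated to backups.
func makeAccessControl() throws -> SecAccessControl {
    let flags: SecAccessControlCreateFlags = biometricsEnrolled()
        ? [.devicePasscode, .or, .biometryCurrentSet]
        : [.devicePasscode]
    var error: Unmanaged<CFError>?
    guard let acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        flags,
        &error) else {
        throw KeyGenError.accessControl(error?.takeRetainedValue())
    }
    return acl
}

/// Generates a permanent RSA-4096 signing key under the access control above.
/// Failures are thrown, not swallowed, so the Security status code stays visible.
func generateKey(tag: String) throws -> SecKey {
    let acl = try makeAccessControl()
    let privateKeyAttrs: [CFString: Any] = [
        kSecAttrIsPermanent: true,
        kSecAttrCanSign: true,
        kSecAttrApplicationTag: Data(tag.utf8),   // documented as CFData
        kSecAttrAccessControl: acl
    ]
    let attributes: [CFString: Any] = [
        kSecAttrKeyType: kSecAttrKeyTypeRSA,
        kSecAttrKeySizeInBits: 4096,
        kSecPrivateKeyAttrs: privateKeyAttrs
    ]
    var error: Unmanaged<CFError>?
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        throw KeyGenError.keyCreation(error?.takeRetainedValue())
    }
    return key
}

/// Hypothetical helper: pulls the OSStatus out of a Security-framework CFError
/// (domain NSOSStatusErrorDomain), e.g. -25293 == errSecAuthFailed.
func securityStatus(_ error: CFError?) -> OSStatus? {
    guard let error = error,
          (CFErrorGetDomain(error) as String) == (kCFErrorDomainOSStatus as String) else {
        return nil
    }
    return OSStatus(CFErrorGetCode(error))
}

// Usage on a device; "com.example.signing" is a made-up tag.
do {
    let key = try generateKey(tag: "com.example.signing")
    print("key created: \(key)")
} catch KeyGenError.keyCreation(let cfError) {
    if let status = securityStatus(cfError), status == errSecAuthFailed {
        print("SecKeyCreateRandomKey failed with errSecAuthFailed (-25293): access control cannot be satisfied on this device")
    } else {
        print("SecKeyCreateRandomKey failed: \(String(describing: cfError))")
    }
} catch {
    print("access control creation failed: \(error)")
}
```

The fallback is a policy decision rather than a fix: a passcode-only key is not invalidated when a fingerprint is enrolled later, which is exactly the property the poster wanted from `.biometryCurrentSet`, so the caller should record which flags a key was created under and treat the two cases differently.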