Is Decrypt transform only able to decrypt data created from the Encrypt transform?

I am working with data encrypted outside of the Security Framework, from another platform using Go libs.

I am able to decrypt this on Win10 using the BCRYPT lib, but on Mac I am failing.


When I run the decrypt transform on data that is AES256 CBC encrypted, I receive an error on line 36 below

"CSSMERR_CSP_INVALID_DATA" UserInfo={NSDescription=CSSMERR_CSP_INVALID_DATA}


Can the Decrypt transform in the Security Framework only decrypt data created from the Encrypt transform in the Security Framework?

All the examples that I found use cipher data that was created within the macOS frameworks.


    // ------------------ CREATE input data ------------------
    cfEncryptedData = CFDataCreate( kCFAllocatorDefault, (const UInt8*)externalBinaryData, externalBinaryDataSize);

    // ------------------ CREATE key object from data ------------------
    cfParameters = CFDictionaryCreateMutable( kCFAllocatorDefault, 0,
                                            &kCFTypeDictionaryKeyCallBacks,
                                            &kCFTypeDictionaryValueCallBacks);
    
    CFDictionarySetValue(cfParameters, kSecAttrKeyType, kSecAttrKeyTypeAES);

    int keySizeInBits = kSecAES256;
    cfKeySizeInBits = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &keySizeInBits);
    CFDictionarySetValue(cfParameters, kSecAttrKeySizeInBits, cfKeySizeInBits);
    
    cfAesKey = CFDataCreate( kCFAllocatorDefault, (const UInt8*)aes_key, aes_keySize);
    secAesBlob = SecKeyCreateFromData(cfParameters, cfAesKey, &error);
    if (error) { CFShow(error); ret = -1; goto cleanup; }

    // ------------------ CREATE decryption transform ------------------
    secDecryptTransform = SecDecryptTransformCreate(secAesBlob, &error);
    if (error) { CFShow(error); ret = -1; goto cleanup; }
    SecTransformSetAttribute(secDecryptTransform, kSecTransformInputAttributeName, cfEncryptedData, &error);
    if (error) { CFShow(error); ret = -1; goto cleanup; }

    // ------------------ SET attributes ------------------
    SecTransformSetAttribute( secDecryptTransform, kSecInputIsAttributeName, kSecInputIsRaw, &error);
    if (error) { CFShow(error); ret = -1; goto cleanup; }
    SecTransformSetAttribute( secDecryptTransform, kSecEncryptionMode, kSecModeCBCKey, &error);
    if (error) { CFShow(error); ret = -1; goto cleanup; }
    cfIV = CFDataCreate( kCFAllocatorDefault, (const UInt8*)iv, 16);
    SecTransformSetAttribute( secDecryptTransform, kSecIVKey, cfIV, &error);
    if (error) { CFShow(error); ret = -1; goto cleanup; }

    // ------------------ RUN decryption transform ------------------
    cfDecryptedData = (CFDataRef)SecTransformExecute(secDecryptTransform, &error);
    if (error) { CFShow(error); ret = -1; goto cleanup; }

Accepted Reply

Can the Decrypt transform in the Security Framework only decrypt data created from the Encrypt transform in the Security Framework?

No. These transforms implement industry standard algorithms.

I saw documentation that indicated that this was deprecated

No, you have this backwards. The SecTransform API is effectively deprecated, and has been so since 10.12. Unfortunately it’s taken a while for us to formally deprecate it (r. 25183002).

CommonCrypto is still the best way to perform certain crypto operations. However, if:

  • You’re working in Swift, and

  • You have a deployment target of macOS 10.15 (or iOS 13 and friends), and

  • You’re using a recommended crypto algorithm (in the AES space, this means AES-GCM)

then you can take advantage of Apple CryptoKit, which is much nicer than the older APIs (like SecKey and CommonCrypto).

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
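The CommonCrypto route the reply still recommends for CBC, as an added example in Swift that is not part of the question or of Quinn's reply: a one-shot CCCrypt decrypt of AES-256-CBC data produced on another platform. It assumes the producer applied PKCS#7 padding, a raw 32-byte key, and a 16-byte IV delivered separately from the ciphertext; the function and error-type names are hypothetical.

```swift
import Foundation
import CommonCrypto

enum AESCBCError: Error {
    case badKeyLength(Int)
    case badIVLength(Int)
    case ciphertextNotBlockAligned(Int)
    case cryptorFailed(CCCryptorStatus)
}

/// Decrypts AES-256-CBC ciphertext produced by another platform (Go's crypto/cipher
/// in the question) using CommonCrypto's one-shot CCCrypt.
/// Assumptions: a raw 32-byte key, a 16-byte IV passed separately from the ciphertext,
/// and PKCS#7 padding applied by the encrypting side (Go's CBC mode does not pad by itself).
func decryptAES256CBC(ciphertext: Data, key: Data, iv: Data) throws -> Data {
    guard key.count == kCCKeySizeAES256 else { throw AESCBCError.badKeyLength(key.count) }
    guard iv.count == kCCBlockSizeAES128 else { throw AESCBCError.badIVLength(iv.count) }
    // CBC ciphertext is always a whole number of 16-byte blocks. Anything else means the
    // input was truncated, never base64-decoded, or still carries a prepended IV.
    guard !ciphertext.isEmpty, ciphertext.count % kCCBlockSizeAES128 == 0 else {
        throw AESCBCError.ciphertextNotBlockAligned(ciphertext.count)
    }

    // Decrypted output never exceeds the input size; one spare block satisfies CCCrypt.
    var plaintext = Data(count: ciphertext.count + kCCBlockSizeAES128)
    var bytesWritten = 0
    let status = plaintext.withUnsafeMutableBytes { outBuf in
        ciphertext.withUnsafeBytes { inBuf in
            key.withUnsafeBytes { keyBuf in
                iv.withUnsafeBytes { ivBuf in
                    CCCrypt(CCOperation(kCCDecrypt),
                            CCAlgorithm(kCCAlgorithmAES),
                            CCOptions(kCCOptionPKCS7Padding),
                            keyBuf.baseAddress, key.count,
                            ivBuf.baseAddress,
                            inBuf.baseAddress, ciphertext.count,
                            outBuf.baseAddress, outBuf.count,
                            &bytesWritten)
                }
            }
        }
    }
    // kCCDecodeError is the usual outcome of a wrong key/IV or a padding-scheme mismatch:
    // the final block decrypts to garbage whose padding bytes fail validation.
    guard status == CCCryptorStatus(kCCSuccess) else { throw AESCBCError.cryptorFailed(status) }
    plaintext.count = bytesWritten
    return plaintext
}
```

Note that the transform attribute kSecInputIsRaw in the question's code asks the transform to skip padding handling entirely, so the padding choice on the Go side has to match whichever API is used on the Mac side.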

Replies

My current working version uses CCCrypt from CommonCrypto, but I saw documentation that indicated that this was deprecated

thank you 🙂