I'm trying to write a proof-of-concept for using a key generated in the secure enclave, following the instructions from here: https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave
Using that, I have the following code:
import Foundation
import Security

// Access control for the private key: usable only for private-key operations.
let access =
    SecAccessControlCreateWithFlags(kCFAllocatorDefault,
                                    kSecAttrAccessibleAlways,
                                    .privateKeyUsage,
                                    nil)!

// Attributes for a 256-bit EC key pair whose private half lives in the Secure Enclave.
let attributes: [String: Any] = [
    kSecAttrKeyType as String:       kSecAttrKeyTypeEC,
    kSecAttrKeySizeInBits as String: 256,
    kSecAttrTokenID as String:       kSecAttrTokenIDSecureEnclave,
    kSecPrivateKeyAttrs as String: [
        kSecAttrIsPermanent as String:    true,   // store the key in the keychain
        kSecAttrApplicationTag as String: "com.example.keys.mykey".data(using: .utf8)!,
        kSecAttrAccessControl as String:  access
    ]
]

var error: Unmanaged<CFError>?
guard let privateKey = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
    // Top-level throw in main.swift: the error is reported as "Error raised at top level".
    throw error!.takeRetainedValue() as Error
}
print("Successfully generated private key!")
However, when running this I get the following error:
Fatal error: Error raised at top level: Error Domain=NSOSStatusErrorDomain Code=-50 "failed to generate asymmetric keypair" (paramErr: error in user parameter list) UserInfo={NSDescription=failed to generate asymmetric keypair}: file /BuildRoot/Library/Caches/com.apple.xbs/Sources/swiftlang/swiftlang-900.0.74.1/src/swift/stdlib/public/core/ErrorType.swift, line 187
2018-02-06 00:33:00.299731-0800 signit[16668:214771] Fatal error: Error raised at top level: Error Domain=NSOSStatusErrorDomain Code=-50 "failed to generate asymmetric keypair" (paramErr: error in user parameter list) UserInfo={NSDescription=failed to generate asymmetric keypair}: file /BuildRoot/Library/Caches/com.apple.xbs/Sources/swiftlang/swiftlang-900.0.74.1/src/swift/stdlib/public/core/ErrorType.swift, line 187
(lldb)
I checked out the system logs and see this line:
default 00:25:52.787319 -0800 secd signit[16635]/1#-1 LF=0 add Error Domain=NSOSStatusErrorDomain Code=-50 "storing items into kSecAttrAccessGroupToken is not allowed" (paramErr: error in user parameter list) UserInfo={NSDescription=storing items into kSecAttrAccessGroupToken is not allowed}
Is there something I'm missing to be able to generate persistent Secure Enclave keys?
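For reference, here is the complete flow that Apple's "Storing Keys in the Secure Enclave" page describes, written out as an added example (this is not the asker's code and is not presented as the answer to the error above): look the key up by its application tag, generate it only if it does not exist yet, then sign and verify a message with it. It uses kSecAttrAccessibleWhenUnlockedThisDeviceOnly, the accessibility value Apple's sample uses, and kSecAttrKeyTypeECSECPrimeRandom, the current name for the EC key type. The tag is the one from the question; the message is a constructed sample. It assumes the calling process is allowed to use the Secure Enclave at all, which on macOS means a signed app with the appropriate keychain entitlement rather than a bare command-line binary; whether that is what the secd log line is complaining about is an assumption, not something this example establishes.

```swift
import Foundation
import Security

// Added example, not code from the question. Assumes the process is signed and
// entitled to use the Secure Enclave token (assumption, not verified here).
let keyTag = "com.example.keys.mykey".data(using: .utf8)!   // tag from the question

enum SEKeyError: Error {
    case algorithmNotSupported
    case publicKeyUnavailable
}

/// Look up an existing Secure Enclave private key by application tag.
/// Returns nil if no such key is stored, so the caller can create one.
func loadSecureEnclaveKey(tag: Data) -> SecKey? {
    let query: [String: Any] = [
        kSecClass as String:              kSecClassKey,
        kSecAttrApplicationTag as String: tag,
        kSecAttrKeyType as String:        kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrTokenID as String:        kSecAttrTokenIDSecureEnclave,
        kSecReturnRef as String:          true,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let ref = item else { return nil }
    return (ref as! SecKey)
}

/// Generate a new permanent P-256 key whose private half never leaves the Secure Enclave.
func makeSecureEnclaveKey(tag: Data) throws -> SecKey {
    var error: Unmanaged<CFError>?
    // ThisDeviceOnly accessibility, as in Apple's sample: the key cannot be migrated anyway.
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        .privateKeyUsage,
        &error) else {
        throw error!.takeRetainedValue() as Error
    }
    let attributes: [String: Any] = [
        kSecAttrKeyType as String:       kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String:       kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String:    true,
            kSecAttrApplicationTag as String: tag,
            kSecAttrAccessControl as String:  access,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        throw error!.takeRetainedValue() as Error
    }
    return key
}

/// Sign a message with the enclave key (ECDSA over SHA-256 of the message) and
/// verify the signature with the exported public half. Returns the verify result.
func signAndVerify(with key: SecKey, message: Data) throws -> Bool {
    let algorithm: SecKeyAlgorithm = .ecdsaSignatureMessageX962SHA256
    guard SecKeyIsAlgorithmSupported(key, .sign, algorithm) else {
        throw SEKeyError.algorithmNotSupported
    }
    var error: Unmanaged<CFError>?
    guard let signature = SecKeyCreateSignature(key, algorithm, message as CFData, &error) as Data? else {
        throw error!.takeRetainedValue() as Error
    }
    // Only the public key can be copied out; the private key stays in the enclave.
    guard let publicKey = SecKeyCopyPublicKey(key) else {
        throw SEKeyError.publicKeyUnavailable
    }
    return SecKeyVerifySignature(publicKey, algorithm,
                                 message as CFData, signature as CFData, &error)
}

do {
    // Reuse the stored key on later runs instead of creating a second key under the same tag.
    let key = try loadSecureEnclaveKey(tag: keyTag) ?? makeSecureEnclaveKey(tag: keyTag)
    let message = "constructed sample message".data(using: .utf8)!   // constructed input
    let verified = try signAndVerify(with: key, message: message)
    print("signature verifies:", verified)
} catch {
    // Surfaces the same NSOSStatusErrorDomain errors as in the question when the
    // process is not allowed to use the enclave.
    print("Secure Enclave key error:", error)
}
```

The lookup-before-create step matters for a persistent key: with kSecAttrIsPermanent set, a second SecKeyCreateRandomKey under the same tag would leave two keys (or fail) rather than return the existing one, and a signing key you cannot find again is no better than an ephemeral one.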