Re: Getting key data out of the keychain

2016-01-01 Thread Chris Ridd

> On 1 Jan 2016, at 13:09, Andreas Mayer  wrote:
> 
> But I *still* don't know how to get at the key bytes of a SecKeyRef. :P

Try asking on the apple-cdsa mailing list. It covers the security frameworks in 
OS X, including (hence the historical name) CDSA.

Chris
___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: Getting key data out of the keychain

2016-01-01 Thread Andreas Mayer
Hello Marco,

> On 31.12.2015 at 19:23, Marco S Hyman wrote:
> 
> After much play, head scratching, and code that managed to add a bogus entry 
> to the keychain that couldn’t be deleted (time machine to the rescue) I came 
> up with one way to add an entry to the keychain and retrieve the entry: use 
> the Generic Password class.  In swift the code to fetch the password looked 
> like this -- password returned as NSData.

thanks, but that's not what I was looking for.

Actually, I am able to save and retrieve the key just fine. It's just that I 
only get a SecKeyRef, not the binary data.

The trick to put a valid key into the keychain is to use 
SecKeyGenerateSymmetric() and have it save the key in the keychain immediately. 
You will then be able to retrieve it normally using SecItemCopyMatching().
To have SecKeyGenerateSymmetric() put the key into the default keychain, add 
the attribute kSecAttrIsPermanent with a value of true.
Or you can add the kSecUseKeychain attribute and supply the keychain you want 
it to use.

For now, I decided to work around the key bytes extraction problem by using 
SecTransforms - which take a SecKeyRef - for encoding instead of CCCrypt().
The reason I went with CCCrypt() first is that I had a problem with creating 
SHA1 hashes with SecTransform and running that in parallel inside an NSOperation. 
My application actually locked up with dozens of those NSOperations waiting on 
some semaphore. So I had to use CommonCrypto for that.

I didn't run into any problems with the SecEncrypt/DecryptTransform.

Here is my code if anyone is interested:

static func encryptData(data: NSData, withKey key: SecKeyRef) throws -> NSData {
    return try cryptData(data, withKey: key, transformCreate: SecEncryptTransformCreate)
}

static func decryptData(data: NSData, withKey key: SecKeyRef) throws -> NSData {
    return try cryptData(data, withKey: key, transformCreate: SecDecryptTransformCreate)
}

// Runs one SecTransform (encrypt or decrypt) over `data` using the keychain key.
// The key stays a SecKeyRef throughout; its raw bytes are never touched here.
static func cryptData(data: NSData, withKey key: SecKeyRef,
                      transformCreate: (SecKey, UnsafeMutablePointer<Unmanaged<CFError>?>) -> SecTransform) throws -> NSData {
    var result: NSData?
    var transform: SecTransformRef?
    var error: Unmanaged<CFError>?

    transform = transformCreate(key, &error)
    if error != nil { let retainedError: ErrorType = error!.takeRetainedValue(); throw retainedError }

    // PKCS#7 padding so the input need not be a multiple of the AES block size.
    SecTransformSetAttribute(transform!, kSecPaddingKey, kSecPaddingPKCS7Key, &error)
    if error != nil { let retainedError: ErrorType = error!.takeRetainedValue(); throw retainedError }

    // Feed the NSData in as the transform's input.
    SecTransformSetAttribute(transform!, kSecTransformInputAttributeName, data, &error)
    if error != nil { let retainedError: ErrorType = error!.takeRetainedValue(); throw retainedError }

    result = SecTransformExecute(transform!, &error) as? NSData
    if error != nil { let retainedError: ErrorType = error!.takeRetainedValue(); throw retainedError }

    return result!
}


But I *still* don't know how to get at the key bytes of a SecKeyRef. :P


Andreas
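Putting the generate-and-store trick described above together with the SecItemCopyMatching lookup, as an added example that is not code from this thread (Swift 2 syntax to match Andreas's post; the label string, the error enum and the helper names are my own assumptions). The key is only ever handled as a SecKeyRef, so it can be handed straight to the encryptData/decryptData functions above without the raw bytes ever leaving the keychain:

```swift
import Foundation
import Security

// Added example, not part of the original post; Swift 2 syntax matching the thread.
enum KeychainKeyError: ErrorType {
    case Generate(String)   // SecKeyGenerateSymmetric failed
    case Lookup(OSStatus)   // SecItemCopyMatching failed or returned the wrong type
}

// Turn the CFError the Security APIs hand back into a plain string.
func describe(error: Unmanaged<CFError>?) -> String {
    guard let err = error?.takeRetainedValue() else { return "unknown error" }
    return CFErrorCopyDescription(err) as String
}

// Generate a 128-bit AES key straight into the default keychain (kSecAttrIsPermanent),
// labelled so it can be found again. The raw key bytes never pass through app memory.
func generateAESKey(label: String) throws -> SecKey {
    let parameters: [String: AnyObject] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeAES,
        kSecAttrKeySizeInBits as String: 128,
        kSecAttrIsPermanent as String: true,
        kSecAttrLabel as String: label,
    ]
    var error: Unmanaged<CFError>?
    guard let key = SecKeyGenerateSymmetric(parameters, &error) else {
        throw KeychainKeyError.Generate(describe(error))
    }
    return key
}

// Fetch the stored key back as a SecKeyRef (kSecReturnRef), the form the SecTransforms accept.
func lookupAESKey(label: String) throws -> SecKey {
    let query: [String: AnyObject] = [
        kSecClass as String: kSecClassKey,
        kSecAttrKeyType as String: kSecAttrKeyTypeAES,
        kSecAttrLabel as String: label,
        kSecReturnRef as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var item: Unmanaged<AnyObject>?
    let status = withUnsafeMutablePointer(&item) { SecItemCopyMatching(query, UnsafeMutablePointer($0)) }
    guard status == errSecSuccess else { throw KeychainKeyError.Lookup(status) }
    // Check the CF type before casting; a blind as! SecKey is not checked for CF types.
    guard let found = item?.takeRetainedValue() where CFGetTypeID(found) == SecKeyGetTypeID() else {
        throw KeychainKeyError.Lookup(errSecInvalidItemRef)
    }
    return found as! SecKey
}
```

Call generateAESKey once (e.g. on first launch) and lookupAESKey on later runs; both return a SecKey usable as the withKey argument of the transform functions above.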

Getting key data out of the keychain

2015-12-31 Thread Andreas Mayer
I want to encrypt something inside my OS X application, so I thought I'd store 
the key inside the keychain.

After a *lot* of reading and tinkering I finally managed to create a new AES 
key and get it back out again (as a SecKeyRef).

Now I want to use it with CCCrypt().

That expects raw key data, not a SecKeyRef.

I tried to get the data by asking the keychain for a data blob with 
kSecReturnData.

And I do get back a CFDataRef. But it is 96 bytes, which strikes me as odd for 
a 128-bit key. And the actual bytes don't seem to change much between different 
keys.


A bit more information:

I create the key using SecKeyGenerateSymmetric() and that seems to work fine as 
the key shows up in Keychain Access.

I get the key data out of the keychain using SecItemCopyMatching() which also 
seems to work fine. It's just that the data returned is not what I was 
expecting. Also, I'm using Swift, and working with C-APIs is quite terrible. 
After some research I came up with this code to get at the reference returned 
by the SecItemCopyMatching():

var result: AnyObject?   // assumed declaration; the snippet uses `result` without showing it
var temp: Unmanaged<AnyObject>?
// `query` is the SecItemCopyMatching query dictionary built earlier (not shown here).
let status = withUnsafeMutablePointer(&temp) {
    SecItemCopyMatching(query, UnsafeMutablePointer($0))
}
if status == errSecSuccess {
    result = temp!.takeRetainedValue()
}

As I said, that at least seems to work since I get the type of objects expected.
(A lot of seems, I realize. But clearly I'm missing something and I don't know 
what.)



So these are my questions:

I found a lot of code online that was promising, but nothing does quite what I 
need. Do I even have the right approach here?

Has anyone ever done this? Is there an easier method to get the actual bytes 
for an AES key out of a SecKeyRef?

Help!  :)


Andreas

