This is not working on macOS for the given public and private keys about certificatesigningrequest HOT 10 CLOSED

I think it has something to do with how you are creating the keys in keychain. The examples given are for iOS, I believe the process is slightly different macOS. If you create the keys properly then the framework should work.

Issues with generating keys are not issues with this framework

from certificatesigningrequest.

Thanks.

Able to generate a valid csr if i use SecKeyCopyExternalRepresentation while sending public key bytes to buildcsr function

from certificatesigningrequest.

@murali238 thanks for sharing, I will see if I can add your updates into the testcases and readme, unless you see where to add them directly?

from certificatesigningrequest.

@cbaker6 ,

I have done below two changes on MacOS to generate a valid csr.

1. kSecAttrApplicationTag key value as Data instead of String
2. Replaced getPublicKeyBits with below function

 func getPublicKeyBits(_ algorithm: KeyAlgorithm, publicKey: SecKey, tagPublic: String)->(Data?,Int?) {
        
        //Set block size
        let keyBlockSize = SecKeyGetBlockSize(publicKey)
        
        //Ask keychain to provide the publicKey in bits
        let query: [String: AnyObject] = [
            String(kSecClass): kSecClassKey,
            String(kSecAttrKeyType): algorithm.secKeyAttrType,
            String(kSecAttrApplicationTag): tagPublic.data(using: .utf8) as AnyObject,
            String(kSecReturnRef): kCFBooleanTrue
        ]
        var tempPublicKeyBits:AnyObject?
        var _ = SecItemCopyMatching(query as CFDictionary, &tempPublicKeyBits)
        
        if tempPublicKeyBits != nil {
            var error:Unmanaged<CFError>? = nil
            guard let keyBits = SecKeyCopyExternalRepresentation(tempPublicKeyBits as! SecKey, &error) else {
                return (nil,nil)
            }
            return (keyBits as Data,keyBlockSize)
        }
        
        return (nil,nil)
    }

Hope it helps some one.

from certificatesigningrequest.

@murali238 I've added your recommendations, but for some reason the keys don't generate when I run the tests, swift test from command line.

Was there anything else you added?

The changes I made are here

from certificatesigningrequest.

@cbaker6
inside getPublicKeyBits function, instead of String(kSecReturnData): kCFBooleanTrue , Please use String(kSecReturnRef): kCFBooleanTrue in the query on macOS (kSecReturnData is fine on iOS)

from certificatesigningrequest.

I tried out your getPublicKeyBits function, but I still got the same errors.

Did you do anything different when creating the keys besides using query[String(kSecAttrApplicationTag)] = tagPublic.data(using: .utf8) as AnyObject?

The updated function I have is below:

The code to create the keys is below:

from certificatesigningrequest.

@murali238 you can see the errors in GitHub Actions here under "Build": https://github.com/cbaker6/CertificateSigningRequest/runs/1043401059?check_suite_focus=true

The error code is -25300, Error Domain=NSOSStatusErrorDomain Code=-50 "failed to generate asymmetric keypair" (paramErr: error in user parameter list) UserInfo={NSDescription=failed to generate asymmetric keypair}, keys weren't created

from certificatesigningrequest.

It turns out if the keychain parameters are switched to [String: Any], the only thing that needs to be fixed is String(kSecAttrApplicationTag): tagPublic.data(using: .utf8)!

This allows interoperability between iOS and macOS.

See the updates here:

from certificatesigningrequest.

@murali238, thank you so much. I ran into the same problem on macOS and looked for a solution for weeks.
The SecKeyCopyExternalRepresentation way solved it.

@cbaker6 By the way you can get rid of all the String conversions by bridge casting the type rather than annotating it.
For example

      let query = [ 
             kSecClass: kSecClassKey, 
             kSecAttrKeyType: algorithm.secKeyAttrType, 
             kSecAttrApplicationTag: tagPublic.data(using: .utf8)!, 
             kSecReturnData: true 
         ] as [String:Any]

from certificatesigningrequest.