Security

Secure the data your app manages and control access to your app using the Security framework.

Posts under Security tag

262 Posts
Post not yet marked as solved · 1 reply · 68 views
I am trying to use SecItemUpdate in order to change the kSecAttrAccessControl value on a private key protected by the Secure Enclave as well as an .applicationPassword - which I want to change. I have been unsuccessful getting the query and attributesToUpdate dictionaries right though, with SecItemUpdate returning either errSecParam, errSecNoSuchAttr or errSecAuthFailed. Am I on the right track here or am I trying to do something that is not possible?
Posted by jzilske.
Post not yet marked as solved · 0 replies · 60 views
Hi guys! In my apps I used to enforce certificate trust using Certificate Transparency (CT) through the NSRequiresCertificateTransparency plist attribute for NSAppTransportSecurity. Since iOS 16 the feature seems broken (I can intercept and read the SSL network traffic of my apps). Reading the documentation, the property is reported as "obsolete", saying the system enforces this type of check by default. Am I missing something? Thank you in advance
Posted by mpataio86.
Post not yet marked as solved · 9 replies · 1.2k views
I try to use SecPKCS12Import to retrieve a SecIdentityRef from a PKCS#12 blob and store the SecCertificateRef & SecKeyRef into the keychain separately, so that I can use kSecAttrAccessControl to protect only the private key with Touch ID. The same code works on iOS, but not on Mac. The problem is that SecPKCS12Import has already saved the identity into the keychain. I tried to delete the stored identity; however, no matter whether I use SecItemDelete with a transient reference or a persistent reference of the identity, or delete both the SecCertificateRef and the SecKeyRef, the record will be deleted from keychain -> My Certificates and keychain -> Keys, but always leaves the certificate in keychain -> Certificates. If I use SecItemAdd to add the certificate back, I get errSecDuplicateItem; using SecItemCopyMatching or SecItemDelete, I get errSecItemNotFound. The strange part is, even if I open the Keychain Access app to manually delete the cert, I get an error prompt saying the item to delete was not found, but after that the cert disappears from keychain -> Certificates.

Since I cannot delete the identity and then add it back with access control attributes, I tried to use SecItemImport to avoid saving the identity into the keychain. However, this API only returns a list of SecCertificateRef instead of a SecIdentityRef. I found a similar issue discussed on https://forums.developer.apple.com/thread/31711

Is there any way to retrieve the identity from a PKCS#12 blob and make kSecAttrAccessControl protect the private key only?
Posted by yingha.
Post not yet marked as solved · 12 replies · 8.8k views
Hey devs, I have a really weird issue and at this point I cannot determine whether it is a Big Sur 11.1 or M1 issue or just some macOS settings issue.

Short description: programmatically (from node, electron) I'd like to store an x509 cert in the keychain. I got the following error message:

SecTrustSettingsSetTrustSettings: The authorization was denied since no user interaction was possible. (1)

I could reproduce this issue on:
- a brand new mac mini with M1 chip and Big Sur 11.1
- another brand new mac mini with M1 chip and Big Sur 11.1
- a 2018 MacBook Pro with Intel chip and Big Sur 11.1

I couldn't reproduce this issue on:
- 2020 MacBook Pro with Intel i9 chip and Big Sur 11.1
- 2020 MacBook Pro with Intel i9 chip and Big Sur 11.0

How am I trying to store the cert: node test.js

test.js:

const { exec } = require('child_process')
// Run the `security` CLI through osascript so the user is shown an admin prompt
exec(
  `osascript -e 'do shell script "security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /Users/kotapeter/ssl/testsite.local.crt" with prompt "Test APP wants to store SSL certification to keychain." with administrator privileges'`,
  (error, stdout, stderr) => {
    if (error) {
      console.log(error.stack)
      console.log(`Error code: ${error.code}`)
      console.log(`Signal received: ${error.signal}`)
    }
    console.log(`STDOUT: ${stdout}`)
    console.log(`STDERR: ${stderr}`)
    process.exit(1)
  }
)

testsite.local.crt:

-----BEGIN CERTIFICATE-----
MIIDUzCCAjugAwIBAgIUD9xMnL73y7fuida5TXgmklLswsowDQYJKoZIhvcNAQEL
BQAwGTEXMBUGA1UEAwwOdGVzdHNpdGUubG9jYWwwHhcNMjEwMTE3MTExODU1WhcN
NDEwMTEyMTExODU1WjAZMRcwFQYDVQQDDA50ZXN0c2l0ZS5sb2NhbDCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBANM08SDi06dvnyU1A6//BeEFd8mXsOpD
QCbYEHX/Pz4jqaBYwVjD5pG7FkvDeUKZnEVyrsofjZ4Y1WAT8jxPMUi+jDlgNTiF
jPVc4rA6hcGX6b70HjsCACmc8bZd+EU7gm4b5eL6exTsVzHc+lFz4eQFXgutYTL7
guDQE/gFHwqPkLvnfg3rgY31p3Hm/snL8NuD154iE9O1WuSxEjik65uOQaewZmJ9
ejJEuuEhMA8O9dXveJ71TMV5lqA//svDxBu3zXIxMqRy2LdzfROd+guLP6ZD3jUy
cWi7GpF4yN0+rD/0aXFJVHzV6TpS9oqb14jynvn1AyVfBB9+VQVNwTsCAwEAAaOB
kjCBjzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIC9DA7BgNVHSUENDAyBggrBgEFBQcD
AQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgwHQYDVR0O
BBYEFDjAC2ObSbB59XyLW1YaD7bgY8ddMBkGA1UdEQQSMBCCDnRlc3RzaXRlLmxv
Y2FsMA0GCSqGSIb3DQEBCwUAA4IBAQBsU6OA4LrXQIZDXSIZPsDhtA7YZWzbrpqP
ceXPwBd1k9Yd9T83EdA00N6eoOWFzwnQqwqKxtYdl3x9JQ7ewhY2huH9DRtCGjiT
m/GVU/WnNm4tUTuGU4FyjSTRi8bNUxTSF5PZ0U2/vFZ0d7T43NbLQAiFSxyfC1r6
qjKQCYDL92XeU61zJxesxy5hxVNrbDpbPnCUZpx4hhL0RHgG+tZBOlBuW4eq249O
0Ql+3ShcPom4hzfh975385bfwfUT2s/ovng67IuM9bLSWWe7U+6HbOEvzMIiqK94
YYPmOC62cdhOaZIJmro6lL7eFLqlYfLU4H52ICuntBxvOx0UBExn
-----END CERTIFICATE-----

testsite.local.key:

-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA0zTxIOLTp2+fJTUDr/8F4QV3yZew6kNAJtgQdf8/PiOpoFjB
WMPmkbsWS8N5QpmcRXKuyh+NnhjVYBPyPE8xSL6MOWA1OIWM9VzisDqFwZfpvvQe
OwIAKZzxtl34RTuCbhvl4vp7FOxXMdz6UXPh5AVeC61hMvuC4NAT+AUfCo+Qu+d+
DeuBjfWnceb+ycvw24PXniIT07Va5LESOKTrm45Bp7BmYn16MkS64SEwDw711e94
nvVMxXmWoD/+y8PEG7fNcjEypHLYt3N9E536C4s/pkPeNTJxaLsakXjI3T6sP/Rp
cUlUfNXpOlL2ipvXiPKe+fUDJV8EH35VBU3BOwIDAQABAoIBAQDDGLJsiFqu3gMK
IZCIcHCDzcM7Kq43l2uY9hkuhltrERJNle70CfHgSAtubOCETtT1qdwfxUnR8mqX
15T5dMW3xpxNG7vNvD/bHrQfyc9oZuV6iJGsPEreJaV5qg/+E9yFzatrIam0SCS7
YL6xovPU58hZzQxuRbo95LetcT2dSBY33+ttY7ayV/Lx7k6nh0xU6RmTPHyyr8m7
yHpoJoSxdT/xv5iBSZ8mM9/2Vzhr14SWipVuwVVhDSfbn8ngHpIoQDkaJLMpWr+m
4z3PqfftAwR6s6i96HnhYLnRir618TQh4B9IEngeEwCMn4XAzE3L+VTaKU1hg9el
aMfXzPERAoGBAPa+sJ2p9eQsv0vCUUL8KeRWvwjDZRTd+YAIfpLMWrb0tMmrBM4V
V0L2joF76kdDxt1SAlHoYCT/3Rn8EPmK0TN3MEskiXQ7v57iv+LZOZcpe0ppG/4A
ZihF9+wUjFCDw4ymnRQD463535O6BgZV+rcZksFRD2AwvEjt1nYm93VXAoGBANsh
AYM+FPmMnzebUMB0oGIkNkE9nVb9MPbQYZjEeOeHJqmt1Nl6xLuYBWTmWwCy7J4e
QPtnuMCdO6C1kuOGjQPBFIpeyFMzll+E3hKzicumgCpt5U8nTZoKc/jZckRD7n3p
lbYYgHOR3A/3GCDK5L3rwziWpSRAGMSCQylvkOC9AoGBAKLfZL3t/r3LO8rKTdGl
mhF7oUYrlIGdtJ/q+4HzGr5B8URdeyJ9u8gb8B1Qqmi4OIDHLXjbpvtFWbFZTesq
0sTiHCK9z23GMsqyam9XbEh3vUZ082FK6iQTa3+OYMCU+XPSV0Vq+9NPaWGeHXP5
NTG/07t/wmKASQjq1fHP7vCpAoGBAK4254T4bqSYcF09Vk4savab46aq3dSzJ6KS
uYVDbvxkLxDn6zmcqZybmG5H1kIP/p8XXoKCTBiW6Tk0IrxR1PsPHs2D3bCIax01
/XjQ1NTcYzlYdd8gWEoH1XwbJQWxHINummBTyowXguYOhVhM9t8n+eWbn1/atdZF
2i+vS3fhAoGAYKw6rkJfTSEswgBKlQFJImxVA+bgKsEwUti1aBaIA2vyIYWDeV10
G8hlUDlxvVkfwCJoy5zz6joGGO/REhqOkMbFRPseA50u2NQVuK5C+avUXdcILJHN
zp0nC5eZpP1TC++uCboJxo5TIdbLL7GRwQfffgALRBpK12Vijs195cc=
-----END RSA PRIVATE KEY-----

What I've already found: if I run the following command from the terminal, it asks for my password first in the terminal and after that it asks for my password again in an OS password prompt.

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /Users/kotapeter/ssl/testsite.local.crt

It looks like I'm getting the above error message because osascript hides the second password dialog. The cert always gets stored in the keychain, but when I get the error message the cert's "Trust" value is not "Always Trust".

References:
StackOverflow question: https://stackoverflow.com/questions/65699160/electron-import-x509-cert-to-local-keychain-macos-the-authorization-was-deni
Opened issue on the sudo-prompt electron package: https://github.com/jorangreef/sudo-prompt/issues/137
Posted by peterkota.
Post not yet marked as solved · 4 replies · 160 views
I am using TLS 1.2 mutual authentication with Apache www server and self-signed CA. The authentication works fine, except iOS and MacOS ignore the "Acceptable client certificate CA names" returned by the server in the CertificateRequest. On my iOS app, I see empty distinguishedNames field on the AuthenticationChallenge, and on MacOS Safari I am given a choice of all installed user certificates. Detailed logging on Apache shows it is writing the CertificateRequest. Logging is raw so I can't see what all the encoded parameters are, but see the right ASCII for subject, etc. Are some special certificate attributes needed? I have: X509v3 Basic Constraints:  CA:TRUE
Posted by timsm.
Post not yet marked as solved · 4 replies · 217 views
Hello, before updating to MacOS Ventura (13.0.1) and Xcode 14.1 I was perfectly able to run an iOS application from Xcode on my Mac (so "My Mac (Designed for iPad)" is selected as the target). After these updates I can't access the keychain anymore; the following error is shown:

OSStatus error: [-34018] Security error has occurred.

In the console I see:

Entitlement com.apple.application-identifier=TEAM.com.NAME.APP is ignored because of invalid application signature or incorrect provisioning profile
Entitlement com.apple.security.application-groups=(
    "group.com.NAME.APP"
) is ignored because of invalid application signature or incorrect provisioning profile
App[76770]/1#8 LF=0 copy_matching Error Domain=NSOSStatusErrorDomain Code=-34018 "Client has neither com.apple.application-identifier nor com.apple.security.application-groups nor keychain-access-groups entitlements" UserInfo={numberOfErrorsDeep=0, NSDescription=Client has neither com.apple.application-identifier nor com.apple.security.application-groups nor keychain-access-groups entitlements}

Checking the created *.app file with codesign -d --entitlements results in:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>application-identifier</key>
	<string>TEAM.com.NAME.APP</string>
	<key>aps-environment</key>
	<string>development</string>
	<key>com.apple.developer.team-identifier</key>
	<string>TEAM</string>
	<key>com.apple.developer.usernotifications.communication</key>
	<true/>
	<key>com.apple.security.application-groups</key>
	<array>
		<string>group.com.NAME.APP</string>
	</array>
	<key>get-task-allow</key>
	<true/>
</dict>
</plist>

So, the application identifier is actually there, as is the application group. When I install the latest version of the app from the App Store, everything is working fine. Running the app on a real iOS device also works perfectly fine from Xcode; it's just running on the Mac which isn't working properly. Has something changed with Ventura or Xcode 14.1? Any idea what I can do/try?
Posted by Keeper.
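The entitlement list in the post above is the input the system uses to decide which keychain access groups a process may reach, and the -34018 (errSecMissingEntitlement) message names the three entitlements that can grant one. As an added example, not part of the post or of Apple's code, the Python below parses a constructed copy of the posted entitlements (same TEAM / com.NAME.APP placeholders) and derives that list in the order documented in Sharing Access to Keychain Items Among a Collection of Apps: keychain-access-groups first, then the application identifier, then the app groups, the first entry being the group a query lands in when it omits kSecAttrAccessGroup. It shows only what the entitlements claim; the "ignored because of invalid application signature or incorrect provisioning profile" lines in the post mean the signature check rejected them before they were honoured, which plist parsing cannot see and codesign --verify / the embedded provisioning profile have to answer.

```python
import plistlib
from typing import List

# Constructed copy of the entitlements printed by codesign in the post above
# (sample input for this example, same TEAM / com.NAME.APP placeholders).
POSTED_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>application-identifier</key>
	<string>TEAM.com.NAME.APP</string>
	<key>aps-environment</key>
	<string>development</string>
	<key>com.apple.developer.team-identifier</key>
	<string>TEAM</string>
	<key>com.apple.developer.usernotifications.communication</key>
	<true/>
	<key>com.apple.security.application-groups</key>
	<array>
		<string>group.com.NAME.APP</string>
	</array>
	<key>get-task-allow</key>
	<true/>
</dict>
</plist>
"""

# The three entitlements named in the -34018 error, in the order the system
# builds a process's access-group list (Apple's documented ordering).
KEYCHAIN_ENTITLEMENTS = (
    "keychain-access-groups",                 # explicit shared groups (array)
    "application-identifier",                 # TEAM.bundle-id, the app's own group (string)
    "com.apple.security.application-groups",  # app groups, usable as keychain groups (array)
)


def keychain_access_groups(entitlements_xml: bytes) -> List[str]:
    """Return the keychain access groups these entitlements grant, in the
    order the system consults them. The first entry is the group used when a
    SecItem query omits kSecAttrAccessGroup; an empty list is the condition
    the framework reports as errSecMissingEntitlement (-34018)."""
    ent = plistlib.loads(entitlements_xml)
    groups: List[str] = []
    for key in KEYCHAIN_ENTITLEMENTS:
        value = ent.get(key)
        if value is None:
            continue
        # application-identifier is a single string; the other two are arrays
        groups.extend([value] if isinstance(value, str) else list(value))
    return groups


def default_access_group(entitlements_xml: bytes) -> str:
    """Group a query without kSecAttrAccessGroup lands in, or '' if none."""
    groups = keychain_access_groups(entitlements_xml)
    return groups[0] if groups else ""


def explain(entitlements_xml: bytes) -> str:
    """One-line verdict a practitioner can print next to the codesign output."""
    groups = keychain_access_groups(entitlements_xml)
    if not groups:
        return ("no keychain entitlement: expect -34018 (client has neither "
                "application-identifier, application-groups nor keychain-access-groups)")
    return "default group %s; all groups: %s" % (groups[0], ", ".join(groups))


if __name__ == "__main__":
    print(explain(POSTED_ENTITLEMENTS))
```

Run against the real binary's output with `codesign -d --entitlements :- App.app` piped into a file and passed to `keychain_access_groups`; if the list is non-empty but the app still gets -34018, the problem is the signature or profile, not the entitlement content.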
Post marked as solved · 8 replies · 3.2k views
Updated to Xcode 14.0 and built with an iOS 16 device. In purple it says "[Security] This method should not be called on the main thread as it may lead to UI unresponsiveness." A warning is displayed. The location is @UIApplicationMain class AppDelegate: UIResponder, UIApplicationDelegate {... It is difficult to know exactly which function it is because the warning is displayed at that location. I also replaced the AdMob library with the latest version, but I have the same problem. Does anyone know the cause of this issue? I need help.
Post not yet marked as solved · 8 replies · 498 views
Hello, We already submitted feedback through the assistant about that, but I'm not sure we will ever get an answer, and it might be interesting for other people as well. On MacOS Ventura, it seems like applications using the Keychain services are unable to see certificates provided by CryptoTokenKit smart card token drivers. To reproduce, you need a CryptoTokenKit smart card driver appex working under Big Sur or Monterey. Install the same appex on Ventura. You'll see that Safari does not see the certificates provided by the appex, and cannot perform SSL/TLS client authentication with them. Similar symptoms can be seen with other apps (Chrome, mail clients, or even custom apps that directly use the Keychain API: token instances cannot be obtained from the app). We tested with both our own CryptoTokenKit driver (a TKSmartCard driver, which worked well with all previous MacOS versions) and the CryptoTokenKit driver from another company (Yubico). Both work on older MacOS, but not on Ventura. Has something changed in the Security framework between Monterey and Ventura? Do we need to change something in our CryptoTokenKit driver, or is it a bug in MacOS? If it's a bug, is Apple aware of it, and will it be fixed? This functionality is largely used in enterprise environments.
Posted by idopte.
Post not yet marked as solved · 4 replies · 280 views
Hi Team, The user token/passwords and details are still available in memory after submission in my iOS mobile application. This allows an attacker with physical access to the user's system to access the memory and steal the credentials. I was able to extract the user details with fridump. https://github.com/rootbsd/fridump3

The clear text details in memory should be reset after computing the hash in the login function. A simple recommendation there is: it's recommended to clear sensitive values and set them to null in application memory after they are used. Also, it's recommended not to store sensitive values (such as passwords) as plain text values; as a mitigation a hash/XOR function can be used.

Technically it makes sense (at least from my experience using other languages such as C / C++ / C# / Objective-C / Java etc.). However, apparently Swift has some strange runtime mechanism of caching strings in memory. Meaning that even if you remove the content or modify a string in memory, its content will still be cached somewhere in memory, either as leftovers or copies (see images below). I'm familiar with the concept of automatic reference counting in ObjC and Swift, but for Swift specifically it seems to be more than that. In Objective-C and C in general, I never had this issue, because it gives the developer more control, such as writing C code in Objective-C (e.g. calling memset on a heap allocated string).

Reading some threads:
https://developer.apple.com/forums/thread/106405
https://developer.apple.com/forums/thread/44121
https://developer.apple.com/forums/thread/4879
https://stackoverflow.com/questions/60702113/how-to-remove-the-string-from-the-memory-for-security-reasons-in-ios-is-it-even/

The last comment there by eskimo in the 2nd thread is the same thought process I had. Eventually a text field requesting you to enter a password will return a copy. Even if we use Unsafe Swift features, eventually a text field will return a copy of a string from a safe context. I was thinking of even creating a custom UI control which overrides some of the text change events and stores them in a static buffer where each character is XORed, meaning that even if we get the text from the custom UI control somewhere in the consumer code, it will return a copy, but an encrypted, XORed string of the user's password.

So, what are your thoughts? What are the solutions?
Posted by uceka.
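The XOR-masked control buffer the post sketches, written out as an added example in Python that is not part of the post: each entered byte is stored XORed against a per-instance random mask, so the buffer never holds the password contiguously in the clear, and the only unmasked copy is a scratch bytearray created inside the hashing call and zeroed on every exit path. It models the data handling only; it cannot stop a language runtime from copying a string before it reaches the buffer, which is the post's underlying complaint. hashlib accepts a bytearray directly, so no immutable bytes copy is made at the Python level; the optional mask argument exists so the stored form can be inspected deterministically.

```python
import hashlib
import os
from typing import Optional


class MaskedSecret:
    """Fixed-capacity buffer that stores each byte XORed with a random mask.

    A memory dump of the instance shows the mask and the masked bytes, never
    the plaintext laid out contiguously. Unmasking happens only inside
    digest(), into a scratch bytearray that is zeroed before returning.
    """

    def __init__(self, capacity: int = 256, mask: Optional[bytes] = None):
        if mask is None:
            mask = os.urandom(capacity)      # fresh random mask per buffer instance
        if len(mask) != capacity:
            raise ValueError("mask length must equal capacity")
        self._mask = bytearray(mask)
        self._buf = bytearray(capacity)
        self._len = 0

    def append(self, byte: int) -> None:
        """Store one input byte (e.g. one keystroke) in masked form."""
        if not 0 <= byte <= 0xFF:
            raise ValueError("byte out of range")
        if self._len >= len(self._buf):
            raise BufferError("secret buffer full")
        self._buf[self._len] = byte ^ self._mask[self._len]
        self._len += 1

    def append_text(self, text: str) -> None:
        for b in text.encode("utf-8"):
            self.append(b)

    def __len__(self) -> int:
        return self._len

    def masked_bytes(self) -> bytes:
        """What actually sits in memory for the entered secret (inspection only)."""
        return bytes(self._buf[: self._len])

    def digest(self, salt: bytes, iterations: int = 100_000) -> bytes:
        """PBKDF2-HMAC-SHA256 of the secret. The unmasked scratch buffer lives
        only for the duration of this call and is zeroed on every exit path."""
        scratch = bytearray(self._len)
        try:
            for i in range(self._len):
                scratch[i] = self._buf[i] ^ self._mask[i]
            # hashlib reads the bytearray's buffer directly; no bytes() copy here
            return hashlib.pbkdf2_hmac("sha256", scratch, salt, iterations)
        finally:
            for i in range(len(scratch)):
                scratch[i] = 0

    def wipe(self) -> None:
        """Zero both the masked storage and the mask once the secret is no longer needed."""
        for i in range(len(self._buf)):
            self._buf[i] = 0
            self._mask[i] = 0
        self._len = 0

    def is_wiped(self) -> bool:
        return self._len == 0 and not any(self._buf) and not any(self._mask)


if __name__ == "__main__":
    s = MaskedSecret()
    s.append_text("hunter2")              # constructed sample input
    print("masked storage:", s.masked_bytes().hex())
    print("verifier:", s.digest(b"per-user-salt").hex())
    s.wipe()
    print("wiped:", s.is_wiped())
```

Two instances holding the same secret under different masks produce the same digest, which is the property that lets the masked form be used everywhere the consumer code would otherwise have held the plaintext.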
Post marked as solved · 2 replies · 258 views
Hi, I want to implement FIDO based biometric authentication in our app. I don't want to use passkeys because they are only compatible with iOS 16 and higher. Is there a way to use it through the SFSafariViewController, a web view, ASWebAuthenticationSession or any another method?
Posted by SJose.
Post not yet marked as solved · 1 reply · 183 views
I attempted to write some code that would generate a private/public keypair using the Secure Enclave in the context of a trivial Authorization Plugin that does nothing else (based on this Apple sample code). When I run the code, I get this error: Error Domain=NSOSStatusErrorDomain Code=-26276 "failed to generate asymmetric keypair" UserInfo={numberOfErrorsDeep=0, NSDescription=failed to generate asymmetric keypair} Error -26276 is an errSecInternal and is described as "An internal error occurred in the Security framework." The same error appears in this thread and the issue seems to be one of entitlements. The proposed solution in that case (which involves daemon code) is to rewrite the daemon as a Mac App and package up the entitlements, but that solution doesn't seem to be available for an Authorization Plugin. Which leads me to my question: does anyone know if it's even possible to get key pairs out of the Secure Enclave in the context of an Authorization Plugin? Thanks!
Posted by fxkelly.
Post not yet marked as solved · 0 replies · 975 views
IMPORTANT This post is now retired in favour of TN3137 On Mac keychain APIs and implementations. I'm leaving the original post here just for the record, but you should consider the official documentation authoritative.

Greetings All

I regularly talk to folks who are confused by keychains on the Mac. This is understandable as the Mac has three keychain APIs and two keychain implementations! This post is my attempt to describe how those fit together.

Share and Enjoy

Quinn "The Eskimo!" @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

On Mac Keychains

macOS has three keychain APIs:

- Keychain (<KeychainCore.h>) — This originated on traditional Mac OS but was supported on Mac OS X (now macOS) as a compatibility measure.
- SecKeychain (<Security/SecKeychain.h>, <Security/SecKeychainItem.h>, <Security/SecKeychainSearch.h>) — This was introduced with Mac OS X [1] and was the standard macOS keychain API until recently.
- SecItem (<Security/SecItem.h>) — This was part of the original iOS SDK. It debuted on the Mac with macOS 10.6.

The first API is now irrelevant.

macOS has two keychain implementations:

- The file-based keychain
- The data protection keychain

The file-based keychain has its origins on traditional Mac OS. The data protection keychain originated on iOS and came to macOS with the advent of iCloud Keychain on macOS 10.9.

Note iOS and its child platforms only support the SecItem API with the data protection keychain implementation.

The Keychain and SecKeychain APIs only talk to the file-based keychain. The SecItem API talks to either implementation. Specifically, it talks to the data protection keychain if you supply either the kSecUseDataProtectionKeychain or the kSecAttrSynchronizable attribute. If not, it talks to the file-based keychain.

The file-based keychain is on the road to deprecation. It is not officially deprecated, but some of the APIs surrounding it are. For example, SecKeychainCreate was deprecated in macOS 12. Moreover, new features, like iCloud Keychain, are only supported by the data protection keychain.

[1] Actually, I'm not 100% sure it was part of 10.0. The earliest macOS SDK that I have easy access to is the macOS 10.2 SDK, circa 2002, and it definitely has this API.

API Differences

The SecItem API is well aligned with the data protection keychain. When you use it to talk to the file-based keychain the API has to work through a shim. That shim has limitations. Some of those limitations are inherent to the keychain implementation. For example, the access control model of the file-based keychain is very different from that of the data protection keychain, and the shim can't make up for that. However, some limitations are just bugs.

If you're porting iOS keychain code to the Mac, it's best to target the data protection keychain.

Mac Catalyst apps only have access to the data protection keychain. iOS Apps on Mac only have access to the data protection keychain.

Implementation Differences

Each keychain implementation uses its own access control model:

- The file-based keychain uses access control lists (SecAccess).
- The data protection keychain uses keychain access control groups, supplemented by an access control object (SecAccessControl).

The keychain access control groups available to you in the data protection keychain are determined by code signing entitlements. See Sharing Access to Keychain Items Among a Collection of Apps. This means that the data protection keychain is only available to code that can carry an entitlement, that is, main executables like an app or an app extension. If you're building library code then your data protection keychain access is determined by the app that loads your library.

The data protection keychain is only available in a user login context. You cannot use it, for example, from a launchd daemon.

The data protection keychain can hold all keychain item classes (Internet password, generic password, certificate, key). Only the password items are synchronised via iCloud Keychain.

Modern keychain features are only supported by the data protection keychain, including:

- iCloud Keychain
- Protecting an item with biometrics (Touch ID and Face ID)
- Protecting a key with the Secure Enclave

User Interface

The Keychain Access application lets you manage both file-based keychains and the data protection keychain. The keychain list includes at least two file-based keychains (login and System) and the data protection keychain (iCloud Keychain, if that's enabled, otherwise Local Items). You can create, add, and remove keychains using commands on the File menu (New Keychain, Add Keychain, Delete Keychain). Keychain Access displays all keychain items in file-based keychains but only password items in the data protection keychain.

The keychain support in the security command-line tool is primarily focused on the file-based keychain.
Posted by eskimo.
Post not yet marked as solved · 1 reply · 172 views
Referring to https://developer.apple.com/forums/thread/696431: The data protection keychain is only available in a user login context. You cannot use it, for example, from a launchd daemon. That's my scenario – I have a launchd privileged helper tool that needs access to keychain items (items that it creates and has exclusive access to, and items that may be required prior to user login). So this would appear to leave us with only one option – the System keychain. We can work with that (proof-of-concept shows that it works for us), but referencing the same forum post above: The file-based keychain is on the road to deprecation. So before I make a big migration to the System keychain, should I be concerned that the System keychain (being a file-based keychain) will go away in the future as well? If so, is there some other alternative that I should consider instead?
Posted by bombich.
Post not yet marked as solved · 2 replies · 206 views
Hello to the team, For almost one week we have been trying to figure out why creating a signature using SecKeyCreateSignature works fine when we use the same whole flow from UIKit and fails (returns -3 and does not present the Face ID view) when we call it from a UIHostingController, using SwiftUI. This is the command that fails; the whole flow up to this point is the same and runs on an item that implements the same protocol extension.

let signature = SecKeyCreateSignature(secKey, algorithm, data as CFData, &error) as Data?

Your help will be fully appreciated. Thanks a lot! Dudi
Posted by dudisgFB.
Post not yet marked as solved · 1 reply · 196 views
Hello all! From my customer I got a question about the ability to develop their own VPN protocol adapter for the customer's own VPN logic on iPhone/iPad and maybe on macOS. They are using a proprietary protocol that is not in any list of public protocols. For this case I have a few questions: This protocol is based on a TCP socket, therefore all of the traffic must somehow be redirected into it and replies from servers forwarded back to the device. What is the best way to do it? Which approach is better to use for it:
https://developer.apple.com/documentation/networkextension/app_proxy_provider?language=objc
https://developer.apple.com/documentation/networkextension/packet_tunnel_provider?language=objc
Are there any public examples of either of these approaches? Are there any extended public manuals or references on how it works on iOS? Will there be any trouble with submission to the App Store?
Posted by a.bogong.
Post not yet marked as solved · 8 replies · 228 views
The user interface for Fast User Switching on macOS Ventura appears to have changed and our authorization plugin is not being invoked. Previously FUS (system.login.fus in auth.db) would show our authorization plugin dialog with a "Switch User" button in the surrounding SFAuthorizationPluginView. In Ventura it first shows the login screen with the row of user avatars and then an animation appears as if the corresponding user from the FUS menu has been selected, with a password input field. It looks like a normal login but it doesn't invoke our authorization plugin like logging out and logging back in does. The other use cases for our authorization plugin continue to work as expected in macOS Ventura: system.login.console, system.login.screensaver, authenticate. Is there a workaround we can use? I submitted feedback using Apple's Feedback Assistant (FB11705643) a week ago but have yet to receive any response. I believe this is a security issue Apple may want to fix in a software update.
Post marked as solved · 2 replies · 198 views
I am using Elliptic Curve keys generated using SecKeyCreateRandomKey from the Security framework for performing Diffie-Hellman key exchange in my app. After generating the key pair I am converting the private key into data using SecKeyCopyExternalRepresentation(<myPrivateKey>, &error) and then store the base64 encoded string of this in the Keystore. To convert the private key back I am using the following code:

let priKeyData = Data(base64Encoded: priKeyStr)
if priKeyData != nil {
    // Wrap the decoded bytes in a CFData for SecKeyCreateWithData
    guard let dataPtr = CFDataCreate(kCFAllocatorDefault, UnsafePointer<UInt8>(Array(priKeyData!)), priKeyData!.count)
    else { return nil }
    // Rebuild the SecKey from its external representation, using the same attributes as at creation
    guard let priKey = SecKeyCreateWithData(dataPtr as CFData, attributes as CFDictionary, &error)
    else { return nil }
}

This works totally fine on iOS versions prior to 16.1. But on devices with iOS 16.1 the conversion from data to SecKey is failing with the following error:

Swift.Unmanaged<__C.CFErrorRef>(_value: Error Domain=NSOSStatusErrorDomain Code=-50 "EC private key creation from data failed" UserInfo={numberOfErrorsDeep=0, NSDescription=EC private key creation from data failed}))

What could be the reason for this? Is there any other way to store a SecKey in the Keystore without doing the conversions?
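SecKeyCopyExternalRepresentation returns an EC private key as the ANSI X9.63 byte string 04 || X || Y || K (the uncompressed public point followed by the big-endian secret scalar), which for P-256 is exactly 97 bytes, and SecKeyCreateWithData expects attributes that match it (kSecAttrKeyTypeECSECPrimeRandom, kSecAttrKeyClassPrivate, kSecAttrKeySizeInBits 256). As an added example, not part of the post or of the Security framework, the Python below decodes such a base64 blob, checks the layout, and verifies with pure-Python P-256 arithmetic that K·G equals (X, Y), so a -50 on import can be split into "the stored bytes are not a valid key" versus "the attributes or the call are wrong". The check does not cover one thing visible in the posted Swift: `UnsafePointer<UInt8>(Array(priKeyData!))` points at a temporary array that does not outlive the expression; Data bridges to CFData directly (`priKeyData! as CFData`), which avoids the pointer entirely. The scalar used in the test is a constructed value, not a real key.

```python
import base64
from typing import Optional, Tuple

# NIST P-256 (secp256r1) domain parameters.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
COORD_LEN = 32
Point = Optional[Tuple[int, int]]   # None is the point at infinity


def is_on_curve(pt: Point) -> bool:
    if pt is None:
        return True
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1: Point, p2: Point) -> Point:
    """Affine addition on P-256, handling doubling and p1 == -p2."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k: int, pt: Point) -> Point:
    """Double-and-add; fine for validating a blob, not constant-time."""
    result: Point = None
    addend = pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def parse_x963_private(blob: bytes) -> Tuple[int, int, int]:
    """Split 04 || X || Y || K into integers; raises ValueError on a bad layout."""
    if len(blob) != 1 + 3 * COORD_LEN:
        raise ValueError("expected %d bytes, got %d" % (1 + 3 * COORD_LEN, len(blob)))
    if blob[0] != 0x04:
        raise ValueError("uncompressed-point prefix 0x04 missing")
    x = int.from_bytes(blob[1:1 + COORD_LEN], "big")
    y = int.from_bytes(blob[1 + COORD_LEN:1 + 2 * COORD_LEN], "big")
    k = int.from_bytes(blob[1 + 2 * COORD_LEN:], "big")
    return x, y, k


def is_consistent_private_key(blob: bytes) -> bool:
    """True when (X, Y) is on the curve, K is in [1, N-1] and K*G == (X, Y)."""
    try:
        x, y, k = parse_x963_private(blob)
    except ValueError:
        return False
    if not (1 <= k < N) or not is_on_curve((x, y)):
        return False
    return scalar_mult(k, (GX, GY)) == (x, y)


def check_base64_private_key(b64: str) -> bool:
    """The stored form from the post: base64 of the SecKeyCopyExternalRepresentation output."""
    try:
        return is_consistent_private_key(base64.b64decode(b64, validate=True))
    except ValueError:                       # binascii.Error is a ValueError
        return False


def make_x963_private(k: int) -> bytes:
    """Build a blob for a given scalar; used here only to construct test input."""
    x, y = scalar_mult(k, (GX, GY))
    return (b"\x04" + x.to_bytes(COORD_LEN, "big")
            + y.to_bytes(COORD_LEN, "big") + k.to_bytes(COORD_LEN, "big"))


def encode_for_storage(blob: bytes) -> str:
    return base64.b64encode(blob).decode("ascii")
```

If `check_base64_private_key` returns True for the string you read back from storage, the bytes are a well-formed P-256 private key and the remaining suspects are the attribute dictionary passed to SecKeyCreateWithData and the way the Data is handed to it.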