How to add DSA key using SecKeyCreateWithData

Hello


I'm writing an app which uses RSA and DSA SSH keys in PEM format.

I figured out how to add an RSA key: I just removed the headers and added the base64 encoded key using SecKeyCreateWithData. The forum was helpful.


But I can't find which format the macOS Security framework uses for DSA keys. I know DSA is deprecated, but I still want to support it in my app, not only RSA, as it's now a transition period.


So this is what I'm doing: I remove the headers (like '-----BEGIN DSA PRIVATE KEY-----') and try to add the base64 encoded key using SecKeyCreateWithData. It doesn't work.


I get:

The operation couldn’t be completed. (OSStatus error -50 - EC public key creation from data failed)


And I'm not sure why 'EC' .. if I correctly specify kSecAttrKeyTypeDSA and kSecAttrKeyClassPrivate, it's not EC or a public key.


So can anybody point out how to correctly format a DSA key to get a key reference with SecKeyCreateWithData? I'm using OpenSSL.


Because RSA keys use the PKCS #1 format. And for an 'elliptic curve private key, the output is formatted as the public key concatenated with the big endian encoding of the secret scalar, or

04 || X || Y || K'.


So how to format a DSA key to make it work with SecKeyCreateWithData? Any hints would be helpful.

Answered by DTS Engineer in 335083022
SecKeyCreateWithData does not support DSA keys. The doc comments for that routine say:

The requested data format depend on the type of key (kSecAttrKeyType) being created:

  • kSecAttrKeyTypeRSA …
  • kSecAttrKeyTypeECSECPrimeRandom …

and those are the only two key types supported.

How you proceed here depends on your requirements:

  • If you just want to store those keys in the keychain, you can do that using a kSecClassGenericPassword keychain item. This just stores data; it doesn’t put any restrictions on the data’s format.
  • If you actually want to work with DSA keys — for example, you want to use that private key to decrypt some data — then you will need your own crypto code. Because of the limitation mentioned above, routines like SecKeyCreateDecryptedData do not support DSA keys.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
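An added example (not code from the question or from the DTS answer) that applies the two routes in the answer above in Swift: an RSA PEM body is handed to SecKeyCreateWithData, while a DSA PEM body is kept only as an opaque kSecClassGenericPassword item. It assumes unencrypted OpenSSL traditional-format PEM ('BEGIN RSA PRIVATE KEY' / 'BEGIN DSA PRIVATE KEY'); the service and account strings are the caller's choice.

```swift
import Foundation
import Security

/// Result of importing an OpenSSL-style PEM private key.
enum ImportedSSHKey {
    case secKey(SecKey)    // RSA: a real SecKey, usable with SecKeyCreateSignature etc.
    case storedBlob(Data)  // DSA: DER bytes kept only as an opaque keychain item
}

enum ImportError: Error {
    case malformedPEM, unsupportedType(String), security(CFError?), keychain(OSStatus)
}

/// Strips the BEGIN/END lines of an unencrypted PEM block (assumed: no Proc-Type/DEK-Info
/// headers) and returns the key type named in the header ("RSA", "DSA") plus the DER body.
func decodePEM(_ pem: String) throws -> (type: String, der: Data) {
    let lines = pem.split(whereSeparator: \.isNewline).map { $0.trimmingCharacters(in: .whitespaces) }
    guard let first = lines.first, first.hasPrefix("-----BEGIN "), first.hasSuffix(" PRIVATE KEY-----"),
          lines.last?.hasPrefix("-----END ") == true,
          let der = Data(base64Encoded: lines.dropFirst().dropLast().joined())
    else { throw ImportError.malformedPEM }
    let type = first.dropFirst("-----BEGIN ".count).dropLast(" PRIVATE KEY-----".count)
    return (String(type), der)
}

/// RSA keys go through SecKeyCreateWithData (PKCS#1 DER). DSA keys, which that API rejects,
/// are stored verbatim as a kSecClassGenericPassword item, as the answer suggests.
func importSSHPrivateKey(pem: String, service: String, account: String) throws -> ImportedSSHKey {
    let (type, der) = try decodePEM(pem)
    switch type {
    case "RSA":
        let attrs: [String: Any] = [kSecAttrKeyType as String: kSecAttrKeyTypeRSA,
                                    kSecAttrKeyClass as String: kSecAttrKeyClassPrivate]
        var error: Unmanaged<CFError>?
        guard let key = SecKeyCreateWithData(der as CFData, attrs as CFDictionary, &error) else {
            throw ImportError.security(error?.takeRetainedValue())
        }
        return .secKey(key)
    case "DSA":
        let item: [String: Any] = [kSecClass as String: kSecClassGenericPassword,
                                   kSecAttrService as String: service,
                                   kSecAttrAccount as String: account,
                                   kSecValueData as String: der]
        let status = SecItemAdd(item as CFDictionary, nil)
        guard status == errSecSuccess else { throw ImportError.keychain(status) }
        return .storedBlob(der)
    default:
        throw ImportError.unsupportedType(type)  // e.g. PKCS#8 "BEGIN PRIVATE KEY" is not handled here
    }
}
```

SecItemAdd returns errSecDuplicateItem when an item with the same service/account pair already exists; use SecItemUpdate to replace it in that case.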