Retrieve non-extractable private key from macOS Keychain

I am working on a macOS software agent implemented in C++. The agent communicates with the central controller over TLS. The agent and controller do mutual TLS authentication. The agent, which acts as a TLS client, requires a certificate and its private key, which are passed to OpenSSL to perform mutual TLS. I am trying to retrieve the certificate and its private key from the Keychain. But the problem is, private key extraction from Keychain fails if the private key is non-extractable or non-exportable.

Is there a way to retrieve the non-extractable private key from macOS Keychain using C++ or any other alternate option? Please suggest an option to solve this problem.

If extracting a non-extractable private key is not possible, is there a way to get a handle to the private key and use it for mTLS?

Or any other alternative option?

The first thing that comes to mind here is using Network Framework via nw_connection_t to extract a digital identity used for client authentication. You'll want to take a look at sec_protocol_options_t with sec_protocol_options_set_challenge_block to achieve this.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
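The following is an added example, not code from the question or from the DTS reply, showing the approach the reply points at: look the identity up in the Keychain as a handle (a SecIdentityRef), and let Network.framework present it through sec_protocol_options_set_challenge_block when the controller sends a CertificateRequest. The private key bits are never exported, so this works for non-extractable keys; the trade-off is that Network.framework, not OpenSSL, runs the TLS handshake for that connection. The identity label, controller hostname and port are placeholders (assumptions); it is plain C against the Network and Security frameworks, written as Objective-C only so that blocks and ARC are available.

```objective-c
// Added example: present a non-extractable Keychain identity for mTLS via
// Network.framework. Build on macOS, e.g.:
//   clang -fobjc-arc -framework Network -framework Security mtls_client.m -o mtls_client
#include <stdio.h>
#include <Network/Network.h>
#include <Security/Security.h>
#include <dispatch/dispatch.h>

// Assumption: the client certificate and its key were imported into the
// keychain with this label; replace it with the label of your own identity.
static const char *kIdentityLabel = "agent-client-identity";

// Look the identity up by label. SecItemCopyMatching with kSecReturnRef
// returns a handle to the identity; the private key never leaves the
// keychain (or Secure Enclave), which is why this works for
// non-extractable keys where SecItemExport/SecKeyCopyExternalRepresentation
// would fail.
static SecIdentityRef copy_identity(const char *label) {
    CFStringRef cfLabel = CFStringCreateWithCString(NULL, label, kCFStringEncodingUTF8);
    const void *keys[]   = { kSecClass, kSecAttrLabel, kSecReturnRef, kSecMatchLimit };
    const void *values[] = { kSecClassIdentity, cfLabel, kCFBooleanTrue, kSecMatchLimitOne };
    CFDictionaryRef query = CFDictionaryCreate(NULL, keys, values, 4,
                                               &kCFTypeDictionaryKeyCallBacks,
                                               &kCFTypeDictionaryValueCallBacks);
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching(query, &result);
    CFRelease(query);
    CFRelease(cfLabel);
    if (status != errSecSuccess) {
        fprintf(stderr, "SecItemCopyMatching failed: %d\n", (int)status);
        return NULL;
    }
    return (SecIdentityRef)result;  // caller owns this reference
}

int main(void) {
    SecIdentityRef identity = copy_identity(kIdentityLabel);
    if (identity == NULL) {
        return 1;
    }

    dispatch_queue_t queue = dispatch_queue_create("agent.mtls", DISPATCH_QUEUE_SERIAL);

    // Configure TLS over TCP. The challenge block runs only if the server
    // asks for a client certificate; we answer with the keychain identity and
    // the TLS stack signs the handshake with the key in place.
    nw_parameters_t params = nw_parameters_create_secure_tcp(
        ^(nw_protocol_options_t tls_options) {
            sec_protocol_options_t sec = nw_tls_copy_sec_protocol_options(tls_options);
            sec_protocol_options_set_challenge_block(sec,
                ^(sec_protocol_metadata_t metadata, sec_protocol_challenge_complete_t complete) {
                    complete(sec_identity_create(identity));
                },
                queue);
        },
        NW_PARAMETERS_DEFAULT_CONFIGURATION);

    // Assumption: placeholder controller endpoint.
    nw_endpoint_t endpoint = nw_endpoint_create_host("controller.example.internal", "8443");
    nw_connection_t connection = nw_connection_create(endpoint, params);
    nw_connection_set_queue(connection, queue);
    nw_connection_set_state_changed_handler(connection,
        ^(nw_connection_state_t state, nw_error_t error) {
            if (state == nw_connection_state_ready) {
                printf("mTLS handshake complete; client identity was presented\n");
            } else if (state == nw_connection_state_failed) {
                fprintf(stderr, "connection failed: %d\n",
                        error != NULL ? nw_error_get_error_code(error) : 0);
            }
        });
    nw_connection_start(connection);

    dispatch_main();  // keep the process alive for the asynchronous handshake
}
```

Two things to check when adopting this: the identity lookup needs the key's ACL to allow the agent to sign (a Keychain prompt or `errSecAuthFailed` during the handshake means the ACL, not extractability, is the blocker), and the server's certificate is still checked against the default trust store here; if the controller uses a private CA, add a sec_protocol_options_set_verify_block that evaluates the peer chain against that CA rather than disabling verification.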