Is it possible to use Secure Enclave key pairs in an Authorization Plugin?

I attempted to write some code that would generate a private/public keypair using the Secure Enclave in the context of a trivial Authorization Plugin that does nothing else (based on this Apple sample code).

When I run the code, I get this error:

 Error Domain=NSOSStatusErrorDomain Code=-26276 "failed to generate asymmetric keypair" UserInfo={numberOfErrorsDeep=0, NSDescription=failed to generate asymmetric keypair}

Error -26276 is errSecInternal and is described as "An internal error occurred in the Security framework."

The same error appears in this thread and the issue seems to be one of entitlements. The proposed solution in that case (which involves daemon code) is to rewrite the daemon as a Mac App and package up the entitlements, but that solution doesn't seem to be available for an Authorization Plugin.

Which leads me to my question: does anyone know if it's even possible to get key pairs out of the Secure Enclave in the context of an Authorization Plugin?

Thanks!

Replies

does anyone know if it's even possible to get key pairs out of the Secure Enclave in the context of an Authorization Plugin?

It is not.

Secure Enclave (SE) integration is associated with the data protection keychain. Authorisation plug-ins run outside of a user context and thus can’t use the data protection keychain. For more background on this, see TN3137 On Mac keychain APIs and implementations.

Even if this weren’t the case, authorisation plug-ins are old school plug-ins that are loaded within a system process. That process’s main executable does not have the entitlements necessary to use the SE.

ps If you’re planning to create a product that relies on an authorisation plug-in, please drop me a line. My email address is in my signature. Make sure to reference this thread, ’cause I get a lot of email (-:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
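As an added example, not code from the original post or from Apple's sample: this is the Secure Enclave key-generation call the question describes, written in Swift against the Security framework. It makes the dependency the reply points out explicit by asking for the data protection keychain (kSecUseDataProtectionKeychain) alongside kSecAttrTokenIDSecureEnclave, and it recognises the errSecInternal result in the error it gets back. The application tag, the accessibility setting, and the "plugin" use case in the comments are assumptions; run it from a normal Mac app with the Keychain Sharing entitlement and a signed bundle to see the success path, and from an authorization plug-in to see the failure described in the thread.

```swift
import Foundation
import Security

/// Generate a P-256 key pair whose private key lives in the Secure Enclave.
/// The private key is stored in the data protection keychain under `tag`.
/// Assumed values: the tag string and the accessibility constant.
func makeSecureEnclaveKey(tag: String) throws -> SecKey {
    var error: Unmanaged<CFError>?

    // Access control is mandatory for Secure Enclave keys: the key is only
    // usable for signing/decryption while the device is unlocked, and it
    // never leaves this device (ThisDeviceOnly).
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        [.privateKeyUsage],
        &error
    ) else {
        throw error!.takeRetainedValue() as Error
    }

    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        // Ask the Secure Enclave to hold the private key.
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        // SE keys are managed through the data protection keychain, which
        // needs a user context plus a provisioned, entitled code signature.
        // An authorization plug-in runs inside a system process that has
        // neither, which is why the call fails there.
        kSecUseDataProtectionKeychain as String: true,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: Data(tag.utf8),
            kSecAttrAccessControl as String: access,
        ],
    ]

    guard let privateKey = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        throw error!.takeRetainedValue() as Error
    }
    return privateKey
}

/// Export the public half as an uncompressed ANSI X9.63 point (0x04 || X || Y)
/// so it can be enrolled with a server. The private half cannot be exported.
func publicKeyBytes(of privateKey: SecKey) throws -> Data {
    guard let publicKey = SecKeyCopyPublicKey(privateKey) else {
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(errSecInternal))
    }
    var error: Unmanaged<CFError>?
    guard let data = SecKeyCopyExternalRepresentation(publicKey, &error) else {
        throw error!.takeRetainedValue() as Error
    }
    return data as Data
}

/// Map the failure back to the thread: errSecInternal (-26276) is what the
/// asker saw; errSecMissingEntitlement is the other code to expect when the
/// calling executable is not entitled for the data protection keychain.
func describe(_ error: Error) -> String {
    let ns = error as NSError
    guard ns.domain == NSOSStatusErrorDomain else {
        return "non-OSStatus error: \(ns)"
    }
    switch OSStatus(ns.code) {
    case errSecInternal:
        return "errSecInternal (\(ns.code)): Secure Enclave key generation failed; " +
               "check that the caller runs in a user context with a provisioned, " +
               "entitled signature (not from a system process such as an authorization plug-in)"
    case errSecMissingEntitlement:
        return "errSecMissingEntitlement (\(ns.code)): executable lacks the keychain entitlement"
    default:
        return "OSStatus \(ns.code): \(SecCopyErrorMessageString(OSStatus(ns.code), nil) ?? "unknown" as CFString)"
    }
}

// Usage: try the generation and print either the public key or the diagnosis.
do {
    let key = try makeSecureEnclaveKey(tag: "com.example.se-demo")  // assumed tag
    let pub = try publicKeyBytes(of: key)
    print("Secure Enclave key created; public key: \(pub.map { String(format: "%02x", $0) }.joined())")
} catch {
    print(describe(error))
}
```

The two attributes that matter for the reply's point are kSecAttrTokenIDSecureEnclave and kSecUseDataProtectionKeychain: the first routes the key to the Secure Enclave, the second names the keychain that can hold such a key. Removing the second does not help in a plug-in, because a Secure Enclave key cannot live in the file-based keychain at all; the call either succeeds in an entitled user-context process or fails with the internal error seen above.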