How to export private key from Mac keychain to Dongle (example: Safenet Dongle) programmatically using Swift?

I am trying to export a private key from the Mac keychain to a Dongle (example: Safenet Dongle) programmatically using Swift. My first query is "Can I export a private key from the Mac keychain to a Dongle or any other device?" If yes, secondly, how can I do the exportation of the private key programmatically using Swift, given that I am using a Safenet dongle?

There are two parts to this:

  • Exporting a private key from the keychain

  • Importing a private key into your specific hardware token


Exporting a private key from the keychain is possible, but only under specific circumstances. You can get different behaviour for the two different keychain implementations.

Note: For general information about keychain on the Mac, see TN3137 On Mac keychain APIs and implementations.

For the file-based keychain:

  • The key must be marked as extractable.

  • If the key is marked as sensitive, you can only extract it in a wrapped form.

These flags are set when you create or import the key and can’t be changed afterwards. For example, when importing a key with SecItemImport you can control these flags using kSecAttrIsExtractable and kSecAttrIsSensitive.

The API to actually attempt the export is SecItemExport.

Private keys in the data protection keychain may be hosted in the standard keychain database or in a hardware token (the Secure Enclave, or one managed by a CryptoTokenKit appex). For standard keys you can get the raw key bytes using SecKeyCopyExternalRepresentation. For a hardware-bound key, it depends on the hardware. The SE does not let you extract a private key. Other tokens may or may not, depending on their implementation. You’d have to look at the details of the token. Regardless, there’s no API way to do that; it’d be token specific.


For importing a private key into a hardware token, there is no API for that. For the SE there’s a way to generate a hardware-bound key. For CryptoTokenKit you can only use the hardware-bound keys. The mechanism to manage the keys on the token is hardware specific. Some, but not all, CTK container apps support an import UI, a command-line tool, and so on.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
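
The difference between a standard key and a hardware-bound key described in the answer above can be observed with the following added example, which is not part of the original post. It assumes a macOS command-line Swift script; the names `exportPrivateKey`, `makeKey` and `KeyExportResult` are hypothetical, and the keys are created with `kSecAttrIsPermanent` set to false so nothing is written to a keychain.

```swift
import Foundation
import Security

enum KeyExportResult {
    case exported(Data)     // raw key bytes were returned
    case refused(String)    // the key could not be read out
}

/// Tries to read the raw bytes of a private key with SecKeyCopyExternalRepresentation.
func exportPrivateKey(_ key: SecKey) -> KeyExportResult {
    // If the attribute dictionary carries kSecAttrTokenID, the key is hosted on a token.
    let attrs = SecKeyCopyAttributes(key) as? [String: Any] ?? [:]
    let tokenID = attrs[kSecAttrTokenID as String] as? String ?? "none"

    var error: Unmanaged<CFError>?
    guard let data = SecKeyCopyExternalRepresentation(key, &error) as Data? else {
        let reason = error.map { ($0.takeRetainedValue() as Error).localizedDescription }
        return .refused("token=\(tokenID): \(reason ?? "unknown error")")
    }
    return .exported(data)
}

/// Creates a P-256 key pair, optionally bound to the Secure Enclave.
func makeKey(secureEnclave: Bool) -> SecKey? {
    var params: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecPrivateKeyAttrs as String: [kSecAttrIsPermanent as String: false],
    ]
    if secureEnclave {
        params[kSecAttrTokenID as String] = kSecAttrTokenIDSecureEnclave
    }
    var error: Unmanaged<CFError>?
    let key = SecKeyCreateRandomKey(params as CFDictionary, &error)
    if key == nil { error?.release() }   // balance the retained CFError
    return key
}

for useSE in [false, true] {
    guard let key = makeKey(secureEnclave: useSE) else {
        // Assumption: creation fails when there is no SE or an entitlement is missing.
        print("secureEnclave=\(useSE): key creation failed")
        continue
    }
    switch exportPrivateKey(key) {
    case .exported(let data): print("secureEnclave=\(useSE): exported \(data.count) bytes")
    case .refused(let why):   print("secureEnclave=\(useSE): not exportable (\(why))")
    }
}
```

The script prints only the byte count of an exported key, never the key material itself.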
