Hi everyone,
I’m working on an Objective-C lib that performs Keychain operations, such as generating cryptographic keys and signing data. The lib will be used by my team in a Java program for macOS via JNI.
When working with the traditional file-based Keychain (i.e., without access control flags), everything works smoothly, no issues at all.
However, as soon as I try to generate a key using access control flags (SecAccessControlCreateWithFlags), the Data Protection Keychain returns error -34018 (errSecMissingEntitlement) during SecKeyCreateRandomKey. This behavior is expected.
To address this, I attempted to codesign my native dynamic library (.dylib) with an entitlement plist specifying various combinations of:
- keychain-access-groups
- com.apple.security.keychain
- etc.
with:
- My Apple Development certificate
- Developer ID Application certificate
- Apple Distribution certificate
None of these combinations made a difference; the error persists.
I’d love to clarify:
- Is it supported to access Data Protection Keychain / Secure Enclave Keys in this type of use case?
- If so, what exact entitlements does macOS expect when calling SecKeyCreateRandomKey from a native library?
I’d really appreciate any guidance or clarification. Thanks in advance!
Best regards, Neil
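The call sequence the post describes, as an added stand-alone example (editor's code, not Neil's library): an access-control object from SecAccessControlCreateWithFlags, a Secure Enclave EC key from SecKeyCreateRandomKey, and an explicit check for the -34018 (errSecMissingEntitlement) result. The application tag and the build command are assumptions for the demo; the Secure Enclave path only works on a Mac that has one, and the process's main executable must carry the relevant entitlements, which you can inspect with `codesign -d --entitlements - <path-to-main-executable>`.

```objective-c
// Added example reproducing the flow from the post; not code from the original poster.
// Build (assumed): clang -fobjc-arc -framework Foundation -framework Security keygen.m -o keygen
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Creates an access-control object (private-key usage only, this-device-only, unlocked)
// and asks for a 256-bit EC private key living in the Secure Enclave. Because the key
// is Secure Enclave backed it goes to the Data Protection keychain, which is where the
// entitlement check that yields -34018 happens.
static SecKeyRef CreateSecureEnclaveKey(NSString *applicationTag, CFErrorRef *error) {
    SecAccessControlRef access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        kSecAccessControlPrivateKeyUsage,
        error);
    if (access == NULL) {
        return NULL;
    }

    NSDictionary *privateAttrs = @{
        (id)kSecAttrIsPermanent:    @YES,
        (id)kSecAttrApplicationTag: [applicationTag dataUsingEncoding:NSUTF8StringEncoding],
        (id)kSecAttrAccessControl:  (__bridge id)access,
    };
    NSDictionary *params = @{
        (id)kSecAttrKeyType:       (id)kSecAttrKeyTypeECSECPrimeRandom,
        (id)kSecAttrKeySizeInBits: @256,
        (id)kSecAttrTokenID:       (id)kSecAttrTokenIDSecureEnclave,
        (id)kSecPrivateKeyAttrs:   privateAttrs,
    };

    SecKeyRef key = SecKeyCreateRandomKey((__bridge CFDictionaryRef)params, error);
    CFRelease(access);
    return key;
}

// Signs a message with ECDSA/SHA-256 and verifies it with the public half, so a
// successful run proves the key is actually usable, not just created.
static BOOL SignAndVerify(SecKeyRef privateKey, NSData *message, CFErrorRef *error) {
    SecKeyAlgorithm alg = kSecKeyAlgorithmECDSASignatureMessageX962SHA256;
    CFDataRef signature = SecKeyCreateSignature(privateKey, alg,
                                                (__bridge CFDataRef)message, error);
    if (signature == NULL) {
        return NO;
    }
    SecKeyRef publicKey = SecKeyCopyPublicKey(privateKey);
    BOOL ok = SecKeyVerifySignature(publicKey, alg, (__bridge CFDataRef)message,
                                    signature, error) ? YES : NO;
    CFRelease(publicKey);
    CFRelease(signature);
    return ok;
}

int main(void) {
    @autoreleasepool {
        CFErrorRef error = NULL;
        // Application tag is an assumed placeholder for the demo.
        SecKeyRef key = CreateSecureEnclaveKey(@"com.example.demo.signing", &error);
        if (key == NULL) {
            CFIndex code = error ? CFErrorGetCode(error) : 0;
            if (code == errSecMissingEntitlement) {
                // This is the -34018 case from the post: the process lacks the entitlement
                // the Data Protection keychain requires.
                NSLog(@"SecKeyCreateRandomKey: errSecMissingEntitlement (%ld)", (long)code);
            } else {
                NSLog(@"SecKeyCreateRandomKey failed: %@", error);
            }
            if (error) CFRelease(error);
            return 1;
        }

        NSData *message = [@"constructed sample message" dataUsingEncoding:NSUTF8StringEncoding];
        BOOL ok = SignAndVerify(key, message, &error);
        NSLog(@"sign/verify with Secure Enclave key: %@", ok ? @"OK" : @"FAILED");
        if (!ok && error) {
            NSLog(@"error: %@", error);
            CFRelease(error);
        }
        CFRelease(key);
        return ok ? 0 : 1;
    }
}
```

Entitlements are a property of the process, read from the signature of the main executable that loads the library; signing only the .dylib does not grant them to the host. Run the binary once unsigned to see the -34018 branch, then again from an executable whose signature carries keychain-access-groups to compare.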