I initiated the Passkey CTAP process after establishing an internet connection on my smartphone (authentication device) using Wi-Fi. Once the client PC and the smartphone established a TCP connection and were in the midst of the CTAP process, I attempted to switch the internet connection to a different Wi-Fi network or transition to mobile data. As a result, I was unable to log in with the Passkey. (There was no observable change on the client PC screen; it did not transition to a success/failure screen, leading me to believe that no packets were transmitted.) I initially thought that performing a network handover after the TCP connection might have caused the connection to be severed, resulting in the absence of packet transmission. However, I discovered that if I established the authentication device's internet connection using mobile data and then, in the middle of the CTAP process, turned off the mobile data to automatically switch back to Wi-Fi, the Passkey login process succeeded. What is the reason behind this outcome? Can you explain the technical factors that contribute to this behavior?

Hi, I'm working on trying to generate RSA keys using the SecCreateWithData API given the key's components. I've had success with generating public keys given the modulus and exponent. However, while creating the RSA private key, I observed that the API requires all parameters including the optional parameters like exponent1, exponent2 and coefficient. I've tried passing in just 5 components - the modulus, public key exponent, private key exponent, P & Q, but the API returns a nil key and logs an error. It works only when the NSData passed to the API has all 8 parameters formatted in ASN.1. (I can provide a sample project if my question is not clear) I have a few questions: Is there support for providing a partial set of parameters for private key generation to the SecCreateWithData API? If so, what are the required minimum? SecAsn1 objects and APIs show a warning that they are deprecated. What is the alternate API on MacOS? Is there any support on iOS for ASN1 encoding? Note: Linking to OpenSSL is not a route that I'd like to pursue

Hi everyone. I trying to implement some drag and drop functionality together with SwiftData. That requires my model to conform Transferable. And Transferable requires to conform Codable. My code doesn't compile with this error: Type 'Item' does not conform to protocol 'Decodable/Encodable'. The error appears right after I add @Model macro. Is there a solution or a workaround? Here's my code: @Model final class Item: Transferable, Codable { let createdAt: Date static var transferRepresentation: some TransferRepresentation { CodableRepresentation(contentType: .myCustomType) } init() { self.createdAt = .now } } extension UTType { static let myCustomType = UTType(exportedAs: "com.olexgreen.mytype") } Thank you very much

I've went through all the posts with similar info about signature or keys used not working with openssll. But I haven't been able to patch it all together. I will use some sample keys for what I tried, let privPem = """ -----BEGIN PRIVATE KEY----- MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgIUSrwhllMSminPZZ Gx0YHUsL12IWIGI+4yhejpq90HihRANCAAT6pxKtIKm4VbfXeKpQ7rxITlC6b18Q 0X+Iz1UVDolyjx79bt5vUp0mPJ6hHBnK/Ap5gXpv89wmLPp7/O2NconE -----END PRIVATE KEY----- """ let privKey = try! P256.Signing.PrivateKey(pemRepresentation: privPem) let pubKey = privKey.publicKey let challengeDev = "1122334455667788" let dataToSignDev = challengeDev.hexadecimal let digest = SHA256.hash(data: dataToSignDev!) let signatureForDigest = try! privKey.signature( for: digest) let signature1 = try! P256.Signing.ECDSASignature(derRepresentation: signatureForDigest.derRepresentation) let isValidSignature = pubKey.isValidSignature(signatureForDigest, for: digest) I have tried the same using Security framework also to no avail. What I tried is a direct application of what the openssl part does, So I have a device that will verify the signature that the iOS app will be sending. The public key is taken from a certificate I would share with the device. All data sent to the device including signature is in DER format. openssl dgst -sha256 -sign app_private.key -out %OUT_RESOURCES_DIR%\signature.der -binary device_challenge.hex openssl x509 -inform der -in cert.der -out cert.pem openssl x509 -pubkey -noout -in cert.pem > public_key.pem openssl dgst -sha256 -verify public_key.pem -signature signature.der challenge.hex Here on the iOS side If I were to sign and verify everything is fine. But if the same signature is verified on OpenSSL it fails. I tried to create a DER file on the terminal but asn1parse fails on it, Test % echo 30450220198944e2a8352941036f227225940392cbd1bc720358ce29db29a2a85f2b2a30022100b4e75ceb0335e4b1955aab01edc8e7347f78dc627f8d02a78103cd9165571d57 > signature1.der Test % openssl asn1parse -inform DER -in signature1.der 0:d=0 hl=2 l= 48 cons: PRINTABLESTRING Error in encoding 140704639042368:error:0DFFF09B:asn1 encoding routines:CRYPTO_internal:too long:/AppleInternal/Library/BuildRoots/97f6331a-ba75-11ed-a4bc-863efbbaf80d/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/crypto/asn1/asn1_lib.c:143: I'm assuming I need to manually do some changes to make them inter compatible? Like this post Can't export EC kSecAttrTokenIDSecureEnclave public key Not sure how to get there though. All help appreciated.

AES 128 CBC algorithm is not producing same results compared to Android code. We have all static strings for key, iv and salt, even then the IV we couldnt match and produce same output as android. This is the Android code, object AESEncyption { ​ fun encrypt(strToEncrypt: String) : String? { try { val cipher = Cipher.getInstance("AES/CBC/PKCS5Padding") val factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1") val spec: KeySpec = PBEKeySpec(secretKey.toCharArray(), hex(salt), iterationCount, keySize) val key: SecretKey = SecretKeySpec(factory.generateSecret(spec).encoded, "AES") cipher.init(Cipher.ENCRYPT_MODE, key, IvParameterSpec(hex(iv))) ​ return base64(cipher.doFinal(strToEncrypt.toByteArray(Charsets.UTF_8))) } catch (e: Exception) { Log.i("Him","Error while encrypting: $e") } return null } ​ private fun base64(bytes: ByteArray?): String { return android.util.Base64.encodeToString(bytes, android.util.Base64.DEFAULT) } ​ /* fun base64(str: String?): ByteArray? { return Base64.decodeBase64(str) }*/ ​ fun hex(bytes: ByteArray?): String? { return Hex.encodeHexString(bytes) } ​ fun hex(str: String): ByteArray? { return try { Hex.decodeHex(str.toCharArray()) } catch (e: DecoderException) { throw IllegalStateException(e) } } } iOS code is let enc = try AES(key: keyVar2!.bytes, blockMode: CBC(iv: iv.base64FromHex.ivToUInt8Array), padding: .pkcs5).encrypt(value.bytes) let encryptedData = Data(enc)

I am currently not able to change the ulimit on my machine. As of the newest MacOs releases (11.7.9, 12.6.8, and 13.5) I am no longer able to increase the ulimit of my computer using the strategies outlined here: https://wilsonmar.github.io/maximum-limits/ https://apple.stackexchange.com/questions/453050/how-to-increase-global-maxfiles-ulimit-on-osx-13-1-ventura?newreg=44fe471004094ccdb3ba51c1c3f9f84a Running sudo launchctl limit maxfiles 65536 200000 returns Could not set resource limits: 150: Operation not permitted while System Integrity Protection is engaged. This is relevant for me as I am using Vite which is currently broken and blocks me from developing locally. It is mentioned in their troubleshooting page (https://vitejs.dev/guide/troubleshooting.html#requests-are-stalled-forever) that Vite causes a large number of open files and how to increase the limit. There are similar comments in the Ruby Vite troubleshooting page (https://vite-ruby.netlify.app/guide/troubleshooting.html#requests-to-vite-sporadically-return-a-500-error-response). I have added a comment in the Vite discussion board about this issue. There is a discussion the Apple Stack Exchange that reports this problem but no one has provided a solution yet (https://apple.stackexchange.com/questions/462489/how-to-increase-global-max-opened-files-limit-on-osx-13-5-ventura)

As the description in the demo, if there is no credentials, will receive the same error code (ASAuthorizationErrorCanceled) as if the user canceled. In this case, Is there a way to distinguish whether the error is canceled by the user or no credentials? if authorizationError.code == .canceled { // Either the system doesn't find any credentials and the request ends silently, or the user cancels the request. // This is a good time to show a traditional login form, or ask the user to create an account. } else { // Another ASAuthorization error. // Note: The userInfo dictionary contains useful information. logger.error("Error: \((error as NSError).userInfo)") } }

From this document Note : You only need to supply NSPrivacyAccessedAPITypes for apps and third-party SDKs on iOS, iPadOS, tvOS, visionOS, and watchOS. From this video iOS 17 automatically blocks connections to tracking domains that have been specified in any privacy manifest included in your app It seems iOS needs NSPrivacyTrackingDomains to block connections when user has NOT provided tracking permission. But the document says only needs NSPrivacyAccessedAPITypes to supply. As a SDK(for iOS) developer, I would like to know which keys to provide for Privacy Manifest. Also, I made an app including xcprivacy to test NSPrivacyTrackingDomains to block connections but it connected to the domain. Is this feature already available in Xcode15 beta 5 (iOS 17 beta 5)?

We are working on developing an Authorization Plugin and I'm wondering if there is any way to automate the testing of the macOS login flow. In other words, something like Selenium for the login flow. I'm fairly certain the answer is "no" and that we need to any automated testing using a testing harness that runs our Auth Plugin. I'm basically doing due diligence on this now, so if anyone (especially from Apple) to weigh in, I'd be very grateful. Thanks, Francis

Hi all, I am trying to build endpoint security demo app, so far, I have been granted access to, the ES entitlement, and I enabled it, the app runs without error, when I run the app, it says "Successfully installed the extension" I granted full disk access to the extension and the app, but when I use "sudo launchctl list 3FB5******.com.example.apple-samplecode.SampleEndpointApp.Extension" Could not find service "3FB5******.com.example.apple-samplecode.SampleEndpointApp.Extension" in domain for system even though app runs without error, "auth_demo" function such as prevent opening textedit does not work. can I get any help from here? thanks!

We are trying to implement the new feature that was introduced in iOS 17, Passkeys Autofill Provider. We've created a new 'AutoFill Credential Provider' target and embedded it into our host app. We've implemented the 'CredentialProviderViewController,' which is inherited from 'ASCredentialProviderViewController.' When we go to 'https://webauthn.io' to trigger the passkeys view, everything is working as expected when we press 'Register.' The function 'override func prepareInterface(forPasskeyRegistration registrationRequest: ASCredentialRequest)' is called, but... We know that we need to call 'self.extensionContext.completeRegistrationRequest(using:)' but we don't know how to construct the response. We didn't find any examples or explanations of how to use this API. Can someone help us with this? Thank you.

When passkey authentication failed, we need to use corresponding logic to handle user cancellation and no credential error respectively. Does Apple have a plan to use different errorcodes to distinguish these two types of errors? refer to : https://developer.apple.com/forums/thread/735867?answerId=762182022#762182022

I try to use LAContext.evaluateAccessControl for LAAccessControlOperationUseKeyDecrypt operations using a Secure Enclave-based private key. The keys are created using SecKeyGeneratePair (ECDH + SETokenID). Access Control is then defined using kSecAccessControlBiometryAny | kSecAccessControlAnd | kSecAccessControlPrivateKeyUsage flags. By the time LAContext.evaluateAccessControl is called, SecAccessControlCreateWithFlags is used with flags kSecAccessControlBiometryAny | kSecAccessControlPrivateKeyUsage. Evaluation will fail with ACL error: Domain=com.apple.LocalAuthentication Code=-1009 "ACL operation is not allowed: 'od'" UserInfo={NSDebugDescription=ACL operation is not allowed: 'od’} The same process is fine for signature operations. I don't understand what 'od' stands for. If ACLs are the same for key creations and key usage, shouldn't it prompt TouchID and allow the operation ?

We are writing an Authorization Plugin to add an additional factor to macOS desktop login. We're experiencing an issue when we run our code using the UTM VM. The plugin calls context.setResult(.allow) and de-initializes the mechanism (as indicated by log statements), but the login itself never succeeds. The desktop hangs showing a progress spinner and the user icon, but never transitions to the desktop. This problem doesn't happen consistently using UTM nor have we seen it using bare metal, but it's concerning all the same. If anyone has experienced this and has any insight into this, I'd be very grateful. Thanks, Francis

We are trying to support Passkey Management in our app with the latest iOS 17 Passkey Autofill. During this process, we have a few doubts and queries: First, we have configured the AutoFill extension for external passkey management Next we used the 'prepareInterface(forPasskeyRegistration:' delegate for passkey generation We are facing an issue on creating the attestationObject for ‘ASPasskeyRegistrationCredential’. Here, we’re not sure if we need to create the attestationObject [if so any documentation or help regarding this] or is there any API to get the attestationObject which we are missing. override func prepareInterface(forPasskeyRegistration registrationRequest: ASCredentialRequest) { let request = registrationRequest as! ASPasskeyCredentialRequest let passkeyRegistration = ASPasskeyRegistrationCredential(relyingParty: request.credentialIdentity.serviceIdentifier.identifier, clientDataHash: request.clientDataHash, credentialID: Data(UUID().uuidString.utf8), attestationObject: "????") extensionContext.completeRegistrationRequest(using: passkeyRegistration) } Even we have tried passing the hardcoded attestationObject[we used the existing attestationObject received using icloud keychain] , still we got empty ‘ClientDataJSON’ on ‘authorizationController(controller:’ delegate.

Apple's passkeys page at - https://developer.apple.com/passkeys/ now says - Passkeys can now be synced using external providers What is that supposed to mean and how it can be implemented? Are there any APIs provided by the iOS SDK for the same?

Snyk and Fortify (3rd party security scanning software) scans have flagged our auth code when using evaluatePolicy for LaContext. Our app is an iOS only app. "Avoid using evaluatePolicy for local user authentication. The API can be hooked and thus the return value can be changed leading to a potential authentication bypass on jailbroken devices. Consider using iOS keychain APIs." Has anyone encountered this issue in their security scans and we're you able to mediate with the suggested fix using the keychain APIs.

It appears that this method from ASCredentialProviderViewController is not being called at all. I am unable to trigger it. Ref func prepareCredentialList(for serviceIdentifiers: [ASCredentialServiceIdentifier], requestParameters: ASPasskeyCredentialRequestParameters) I expected it to be triggered when RP has a list of allowCredentials, but I still get: override func prepareInterfaceToProvideCredential(for credentialRequest: ASCredentialRequest) Am I missing something?

Hi, I have beta 17 installed on my iPhone. A new software update has been released 16.6.1 for the current security risks. I have not seen or read anything providing information on whether beta 17 is safe from the issue. Has anyone received insight on this?

I suspect this is an issue with Google’s passkey implementation, but it might not be, and if there is a solution I suspect this post will be useful for all other third-party passkey providers encountering the same issue. I have implemented Passkeys in our password manger using the new APIs introduced in iOS17. Passkey attestation and assertion works as expected with every service we’ve tested that supports Passkeys (I.e Webauthn.io, GitHub, etc). However the only service that doesn‘t work is Google. I can create a passkey for Google using iCloud Keychain just fine, but for some reason, although my app successfully creates the passkey, Google is rejecting it. I suspect this is a security measure on Google’s side, but it will be a UX nightmare for users of third-party passkey managers on iOS 17, as they won’t be able to create or sign in with a passkey for Google (which will probably be the number 1 use-case for using passkeys). When using iCloud Keychain to create a passkey, unlike other services, I noticed that Google actually recognises that I’ve used iCloud Keychain to create the Passkey, and labels the Passkey with “iCloud Keychain”. Is Apple sending some additional identifying info in their attestation statement that I’m not sending? If not, how is Google able to identify the passkey provider (in this case “iCloud Keychain”) by name? Could it be that Google has somehow whitelisted iCloud Keychain for Passkey creation, while disallowing third-party providers? Assuming it is the latter, unfortunately there is no way to reach out to Google about this. I suspect Apple would need to advocate on the behalf of third-party providers running on apple platforms, that they be allowed to provide passkeys for Google sign in. Its a shame to hit this type of road block so close to the iOS 17 release candidate.