
#10 Adding keys to keychains won't work except for raw keys

Current
open
Keychain (12)
9
2008-01-12
2008-01-12
No

Line 1053 of Keychain.m inserts the new key into the receiver, copying its data verbatim. If the given key is not a raw key, its "data" will be the opaque handle. This appears to get inserted with the assumption that it is the raw data, so you end up with a key which looks correct - so far as its attributes and whatnot go - but contains bogus data, and thus cannot be used for anything.

I hate this custom importing crap, because it's been buggy like this before and the Security guys don't like me doing it this way, but I know I've tried at least once before to get rid of it, and ended up having to keep it... I'll try again, since I can't remember why that was, but I expect I'll stumble upon the same roadblock.

A workaround, in the meantime, might be to detect non-raw keys and automatically try to null wrap them to get their real data.

I suspect in the specific case I'm debugging (CertificateGenerationTester) that the key is *already* in the keychain... I apparently still haven't figured out a way to map, transparently or otherwise, between CSSM_KEYs and keychain items... I don't think there is a way. Sod.

In any case, this should generally work, for any key from any source, where at all possible (I imagine if the key really is in another CSSM data store and marked non-extractable, then there's nothing I can do).

I'll use this bug to track my progress, and record notes as I debug.
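The check the report is asking for, as an added example that is not part of the Keychain framework's code: a self-contained C mock of the CSSM_KEY fields involved (the field names and the BlobType/KeyAttr values mirror cssmtype.h, but the structs are cut down and constructed here so the file compiles without Security.framework), with the verbatim copy the bug describes beside a guarded copy that refuses anything except a raw blob, and a classifier that applies the null-wrap caveat raised in the comments (a reference key can only be null-wrapped if the CSP marked it extractable and not sensitive). The function names, the import_action_t enum and the sample byte strings are my own and hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, cut-down stand-ins for the CDSA types involved. The field names
 * and the BlobType / KeyAttr values mirror cssmtype.h; every other field is
 * omitted so this compiles without Security.framework. */
typedef uint32_t CSSM_KEYBLOB_TYPE;
enum { CSSM_KEYBLOB_RAW = 0, CSSM_KEYBLOB_WRAPPED = 1, CSSM_KEYBLOB_REFERENCE = 2 };

typedef uint32_t CSSM_KEYATTR_FLAGS;
enum { CSSM_KEYATTR_SENSITIVE = 0x00000008, CSSM_KEYATTR_EXTRACTABLE = 0x00000020 };

typedef struct { uint32_t Length; uint8_t *Data; } CSSM_DATA;
typedef struct { CSSM_KEYBLOB_TYPE BlobType; CSSM_KEYATTR_FLAGS KeyAttr; } CSSM_KEYHEADER;
typedef struct { CSSM_KEYHEADER KeyHeader; CSSM_DATA KeyData; } CSSM_KEY;

/* Hypothetical result of the pre-insert check. */
typedef enum {
    IMPORT_COPY_RAW,        /* KeyData really is the key blob: copy it */
    IMPORT_NULL_WRAP_FIRST, /* KeyData is a CSP handle; CSSM_WrapKey with a NULL wrapping key can yield the raw blob */
    IMPORT_NOT_POSSIBLE     /* wrapped blob, or a reference key the CSP will not hand out in the clear */
} import_action_t;

import_action_t classify_key_for_import(const CSSM_KEY *key)
{
    switch (key->KeyHeader.BlobType) {
    case CSSM_KEYBLOB_RAW:
        return IMPORT_COPY_RAW;
    case CSSM_KEYBLOB_REFERENCE: {
        CSSM_KEYATTR_FLAGS attr = key->KeyHeader.KeyAttr;
        /* A null wrap only succeeds if the CSP marked the key extractable and
         * not sensitive; otherwise the raw bytes cannot be obtained at all. */
        if ((attr & CSSM_KEYATTR_EXTRACTABLE) && !(attr & CSSM_KEYATTR_SENSITIVE))
            return IMPORT_NULL_WRAP_FIRST;
        return IMPORT_NOT_POSSIBLE;
    }
    default:
        return IMPORT_NOT_POSSIBLE;
    }
}

/* The behaviour the report describes: whatever KeyData holds is copied as if
 * it were key material. For a reference key that is the opaque handle. */
int buggy_copy_key_blob(const CSSM_KEY *key, uint8_t *out, size_t cap)
{
    if (key->KeyData.Length > cap)
        return -1;
    memcpy(out, key->KeyData.Data, key->KeyData.Length);
    return (int)key->KeyData.Length;
}

/* Guarded version: only a raw blob is copied; anything else is refused so the
 * caller can null-wrap first or report the key as unimportable. */
int safe_copy_key_blob(const CSSM_KEY *key, uint8_t *out, size_t cap)
{
    if (classify_key_for_import(key) != IMPORT_COPY_RAW)
        return -1;
    return buggy_copy_key_blob(key, out, cap);
}

/* Constructed sample data: a few bytes standing in for a DER key blob, and a
 * few bytes standing in for the opaque handle a reference key carries. */
uint8_t sample_raw_bytes[] = { 0x30, 0x82, 0x01, 0x0a };
uint8_t sample_handle_bytes[] = { 0x00, 0x00, 0x00, 0x01 };

CSSM_KEY make_sample_key(CSSM_KEYBLOB_TYPE blob, CSSM_KEYATTR_FLAGS attr)
{
    CSSM_KEY k;
    memset(&k, 0, sizeof k);
    k.KeyHeader.BlobType = blob;
    k.KeyHeader.KeyAttr = attr;
    if (blob == CSSM_KEYBLOB_RAW) {
        k.KeyData.Data = sample_raw_bytes;
        k.KeyData.Length = sizeof sample_raw_bytes;
    } else {
        k.KeyData.Data = sample_handle_bytes;
        k.KeyData.Length = sizeof sample_handle_bytes;
    }
    return k;
}

int main(void)
{
    static const char *names[] = { "copy raw", "null-wrap first", "not importable" };
    CSSM_KEY keys[] = {
        make_sample_key(CSSM_KEYBLOB_RAW, 0),
        make_sample_key(CSSM_KEYBLOB_REFERENCE, CSSM_KEYATTR_EXTRACTABLE),
        make_sample_key(CSSM_KEYBLOB_REFERENCE, CSSM_KEYATTR_EXTRACTABLE | CSSM_KEYATTR_SENSITIVE),
        make_sample_key(CSSM_KEYBLOB_WRAPPED, 0),
    };
    uint8_t buf[16];
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++) {
        import_action_t a = classify_key_for_import(&keys[i]);
        int n = safe_copy_key_blob(&keys[i], buf, sizeof buf);
        printf("key %zu: BlobType=%u KeyAttr=0x%02x -> %s (safe copy: %d bytes)\n",
               i, keys[i].KeyHeader.BlobType, keys[i].KeyHeader.KeyAttr, names[a], n);
    }
    return 0;
}
```

The point of the split is that the guarded copy fails closed: a caller that gets -1 knows it is holding a handle rather than key bytes and can decide whether a null wrap is even worth attempting, instead of creating a keychain item whose attributes look right but whose data is garbage.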

Discussion

  • Wade Tregaskis - 2008-01-12

    I just verified that you can't null wrap the private key in question (in CertificateGenerationTester), so that approach is out.

  • Wade Tregaskis - 2008-01-12

    I'm trying to use SecKeychainItemImport/Export, which is a relatively supported way of doing this, but unfortunately I'm stuck for the moment because the Keys in question are initialised from raw CSSM_KEYs, whereas SecKeychainItemImport requires a SecKeyRef.

    I found an old email from Doug Mitchell on apple-cdsa where he mentions that you'd typically add raw CSSM_KEYs (from CSSM_GenerateKeyPair) to a keychain via CSSM_UpdateContextAttributes... so, I'll need to read up on how that all works and see if that's a useful way to go.
