#5 ✓resolved

Exporting symmetric keys fails [Mac OS]

Reported by snej | April 14th, 2009 @ 07:04 PM | in 0.3

Exporting a symmetric key in anything but raw format, using @-[MYSymmetricKey exportKeyInFormat:withPEM:]@, fails due to an error CSSMERR_CSP_INVALID_ALGORITHM returned from SecKeyExport.

The MYSymmetricKey test case shows this -- in its testSymmetricKey subroutine, there's a comment "Exporting symmetric keys isn't working. Temporarily making this optional." Taking out the following "if (exported)" workaround will cause the test to fail.

Comments and changes to this ticket

  • snej

    snej April 14th, 2009 @ 07:06 PM

    • State changed from “new” to “open”
  • snej

    snej April 16th, 2009 @ 10:18 AM

    I looked at this a bit last night and figured out a few things.

    If I change the test case so the key is generated in a keychain, then the export is able to get to the point of prompting for a passphrase. So it seems that the passphrase functionality is tied to being in a keychain.

    (To get this far I had to change -[MYSymmetricKey _generateSymmetricKeyOfSize:...] to not set the CSSM_KEYATTR_SENSITIVE bit; otherwise the prior calls to -keyData in the test case fail, because sensitive keys don't permit direct access to their data. But that's just an issue for this test case; it's correct behavior in general.)

    Unfortunately the SecKeychainItemExport call still returns an error, now CSSMERR_CSP_INVALID_KEY_CLASS. If I break on C++ exceptions, there's one thrown at:

    0  0x92e70201 in __cxa_throw ()
    1  0x95b682dc in Security::CssmError::throwMe ()
    2  0x95b60c9a in Security::SecurityServer::ClientSession::wrapKey ()
    3  0x95b3ee5c in cssm_WrapKey ()
    4  0x95ac1388 in CSSM_WrapKey ()
    5  0x95aae003 in impExpExportKeyCommon ()
    6  0x95aac637 in impExpPkcs8Export ()
    7  0x95aa9704 in SecExport::Key::exportRep ()
    8  0x95aa8cb1 in SecKeychainItemExport ()
  • snej

    snej April 20th, 2009 @ 07:50 AM

    • Milestone set to 0.3
    • State changed from “open” to “resolved”

    Fixed in 0.3.

    Turns out SecKeyImport/Export don't work for wrapped symmetric keys, so I had to drop down to CSSM_WrapKey.

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.

New-ticket Create new ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile ยป

A high-level cryptography API for Mac OS X and iPhone.

People watching this ticket