Exporting symmetric keys fails [Mac OS]
Reported by snej | April 14th, 2009 @ 07:04 PM | in 0.3
Exporting a symmetric key in anything but raw format, using @-[MYSymmetricKey exportKeyInFormat:withPEM:]@, fails due to an error CSSMERR_CSP_INVALID_ALGORITHM returned from SecKeyExport.
The MYSymmetricKey test case shows this -- in its testSymmetricKey subroutine, there's a comment "Exporting symmetric keys isn't working. Temporarily making this optional." Taking out the following "if (exported)" workaround will cause the test to fail.
Comments and changes to this ticket
snej April 14th, 2009 @ 07:06 PM
- State changed from new to open
snej April 16th, 2009 @ 10:18 AM
I looked at this a bit last night and figured out a few things.
If I change the test case so the key is generated in a keychain, then the export is able to get to the point of prompting for a passphrase. So it seems that the passphrase functionality is tied to being in a keychain.
(To get this far I had to change -[MYSymmetricKey _generateSymmetricKeyOfSize:...] to not set the CSSM_KEYATTR_SENSITIVE bit; otherwise the prior calls to -keyData in the test case fail, because sensitive keys don't permit direct access to their data. But that's just an issue for this test case; it's correct behavior in general.)
Unfortunately the SecKeychainItemExport call still returns an error, now CSSMERR_CSP_INVALID_KEY_CLASS. If I break on C++ exceptions, there's one thrown at:
0 0x92e70201 in __cxa_throw ()
1 0x95b682dc in Security::CssmError::throwMe ()
2 0x95b60c9a in Security::SecurityServer::ClientSession::wrapKey ()
3 0x95b3ee5c in cssm_WrapKey ()
4 0x95ac1388 in CSSM_WrapKey ()
5 0x95aae003 in impExpExportKeyCommon ()
6 0x95aac637 in impExpPkcs8Export ()
7 0x95aa9704 in SecExport::Key::exportRep ()
8 0x95aa8cb1 in SecKeychainItemExport ()
snej April 20th, 2009 @ 07:50 AM
- Milestone set to 0.3
- State changed from open to resolved
Fixed in 0.3.
Turns out SecKeyImport/Export don't work for wrapped symmetric keys, so I had to drop down to CSSM_WrapKey.