search

agens-no / EllipticCurveKeyPair

Sign, verify, encrypt and decrypt using the Secure Enclave
Other
708 stars 114 forks source link

errSecItemNotFound after iCloud backup #36

Open giuseppeVacatello opened 5 years ago

giuseppeVacatello commented 5 years ago

Hi, after a backup from one iPhone to other, my app, throw this exception:

> Found public key, but couldn't find or access private key. The errSecItemNotFound error is sometimes wrongfully reported when LAContext authentication fails

I can not understand what the problem is. Some advice? thank you.

hfossli commented 5 years ago

Private keys can not be migrates. Public keys can. In this case you need to recreate the key pair.

Also you should configure the public key to not be possible to migrate using the flags.

giuseppeVacatello commented 5 years ago

What is the flag for public key to not migrate? Thank you

hfossli commented 5 years ago

Sorry, I meant protection id. You select one of the protection id's that fits your needs from here

https://developer.apple.com/documentation/security/keychain_services/keychain_items/item_attribute_keys_and_values?language=objc#1679100 For example you can choose this one https://developer.apple.com/documentation/security/ksecattraccessibleafterfirstunlockthisdeviceonly?language=objc

Example with kSecAttrAccessibleAlwaysThisDeviceOnly

struct KeyPair {
    static let manager: EllipticCurveKeyPair.Manager = {
        let publicAccessControl = EllipticCurveKeyPair.AccessControl(protection: kSecAttrAccessibleAlwaysThisDeviceOnly, flags: [])
        let privateAccessControl = EllipticCurveKeyPair.AccessControl(protection: kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly, flags: [.userPresence, .privateKeyUsage])
        let config = EllipticCurveKeyPair.Config(
            publicLabel: "payment.sign.public",
            privateLabel: "payment.sign.private",
            operationPrompt: "Confirm payment",
            publicKeyAccessControl: publicAccessControl,
            privateKeyAccessControl: privateAccessControl,
            token: .secureEnclave)
        return EllipticCurveKeyPair.Manager(config: config)
    }()
}
giuseppeVacatello commented 5 years ago

My problem is in this method:

public func privateKey(context: LAContext? = nil) throws -> PrivateKey {
            do {
                if cachedPrivateKey?.context !== context {
                    cachedPrivateKey = nil
                }
                if let key = cachedPrivateKey {
                    return key
                }
                let key = try helper.getPrivateKey(context: context)
                cachedPrivateKey = key
                return key
            } catch EllipticCurveKeyPair.Error.underlying(_, let underlying) where underlying.code == errSecItemNotFound {
                if config.publicKeyAccessControl.flags.contains(.privateKeyUsage) == false, (try? helper.getPublicKey()) != nil {
                    **throw Error.probablyAuthenticationError(underlying: underlying)**
                }
                let keys = try helper.generateKeyPair(context: nil)
                cachedPublicKey = keys.public
                cachedPrivateKey = keys.private
                return keys.private
            } catch {
                throw error
            }
        }

Once I finish in the catch, the code throws "Error.probablyAuthenticationError(underlying: underlying)" and I can not recover the situation.

Thanks for the tips until now

hfossli commented 5 years ago

In the event of an itunes backup and you get this error

Found public key, but couldn't find or access private key. The errSecItemNotFound error is sometimes wrongfully reported when LAContext authentication fails

Then you need to delete the key (pseudo code)

do {
    let privateKey = try manager.privateKey()
} catch {
    if error == Error.probablyAuthenticationError {
        try? manager.deleteKeyPair()
    }
    do {
        let privateKey = try manager.privateKey()
    } catch {
        // this should be handled or reported back to user
    }
}

What is your minimum deployment target? If it is iOS 10 you are lucky, then I have another solution for you.

giuseppeVacatello commented 5 years ago

yes, it is iOS 10.

hfossli commented 5 years ago

Awesome. Then you may choose to not store the public key and instead just derive it from the private key when needed using SecKeyCopyPublicKey. Some modifications to the library is needed in order to get that to work. I want to create a pre-ios-10 version and a post-ios-10 version. Maybe I find time this week.

giuseppeVacatello commented 5 years ago

In the meantime of your changes how can I fix it? If I delete the keypair I do not have to regenerate the entire keypair? In your example above only the private key is regenerated

hfossli commented 5 years ago

You need to regenerate the entire keypair

giuseppeVacatello commented 5 years ago

I did it. Thank you. Wait for your modifications of library :)

muhamedhfayiz commented 3 years ago

I'm also facing the same issue after restoring the ios device. private key not found. able to get a public key. could you please share the code?

hfossli commented 3 years ago

It is not possible to restore a private key stored in the secure enclave

muhamedhfayiz commented 3 years ago

Thank you. After successful deletion of keypair its works.