
Comments (13)

hfossli commented on July 17, 2024

Private keys cannot be migrated. Public keys can. In this case you need to recreate the key pair.

Also you should configure the public key to not be possible to migrate using the flags.

from ellipticcurvekeypair.

giuseppeVacatello commented on July 17, 2024

What is the flag for public key to not migrate? Thank you

hfossli commented on July 17, 2024

Sorry, I meant protection id. You select one of the protection id's that fits your needs from here

https://developer.apple.com/documentation/security/keychain_services/keychain_items/item_attribute_keys_and_values?language=objc#1679100
For example you can choose this one https://developer.apple.com/documentation/security/ksecattraccessibleafterfirstunlockthisdeviceonly?language=objc

Example with kSecAttrAccessibleAlwaysThisDeviceOnly

struct KeyPair {
    static let manager: EllipticCurveKeyPair.Manager = {
        let publicAccessControl = EllipticCurveKeyPair.AccessControl(protection: kSecAttrAccessibleAlwaysThisDeviceOnly, flags: [])
        let privateAccessControl = EllipticCurveKeyPair.AccessControl(protection: kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly, flags: [.userPresence, .privateKeyUsage])
        let config = EllipticCurveKeyPair.Config(
            publicLabel: "payment.sign.public",
            privateLabel: "payment.sign.private",
            operationPrompt: "Confirm payment",
            publicKeyAccessControl: publicAccessControl,
            privateKeyAccessControl: privateAccessControl,
            token: .secureEnclave)
        return EllipticCurveKeyPair.Manager(config: config)
    }()
}

giuseppeVacatello commented on July 17, 2024

My problem is in this method:

public func privateKey(context: LAContext? = nil) throws -> PrivateKey {
            do {
                if cachedPrivateKey?.context !== context {
                    cachedPrivateKey = nil
                }
                if let key = cachedPrivateKey {
                    return key
                }
                let key = try helper.getPrivateKey(context: context)
                cachedPrivateKey = key
                return key
            } catch EllipticCurveKeyPair.Error.underlying(_, let underlying) where underlying.code == errSecItemNotFound {
                if config.publicKeyAccessControl.flags.contains(.privateKeyUsage) == false, (try? helper.getPublicKey()) != nil {
                    throw Error.probablyAuthenticationError(underlying: underlying)
                }
                let keys = try helper.generateKeyPair(context: nil)
                cachedPublicKey = keys.public
                cachedPrivateKey = keys.private
                return keys.private
            } catch {
                throw error
            }
        }

Once I finish in the catch, the code throws "Error.probablyAuthenticationError(underlying: underlying)" and I can not recover the situation.

Thanks for the tips until now

hfossli commented on July 17, 2024

In the event of an iTunes backup and you get this error

Found public key, but couldn't find or access private key. The errSecItemNotFound error is sometimes wrongfully reported when LAContext authentication fails

Then you need to delete the key (pseudo code)

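do {
    let privateKey = try manager.privateKey()
} catch {
    // The enum case carries an associated value, so match it with a pattern instead of ==
    if case EllipticCurveKeyPair.Error.probablyAuthenticationError = error {
        try? manager.deleteKeyPair()
    }
    do {
        // privateKey() generates a new key pair when none is found
        let privateKey = try manager.privateKey()
    } catch {
        // this should be handled or reported back to user
    }
}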

What is your minimum deployment target? If it is iOS 10 you are lucky, then I have another solution for you.

giuseppeVacatello commented on July 17, 2024

Yes, it is iOS 10.

hfossli commented on July 17, 2024

Awesome. Then you may choose to not store the public key and instead just derive it from the private key when needed using SecKeyCopyPublicKey. Some modifications to the library are needed in order to get that to work. I want to create a pre-iOS-10 version and a post-iOS-10 version. Maybe I find time this week.

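The approach described in the comment above (store only the private key and derive the public key with SecKeyCopyPublicKey on iOS 10+), written directly against the Security framework as an added example; it is not code from the original thread or from the EllipticCurveKeyPair library. The application tag, the KeyError type and the function names are hypothetical.

```swift
import Foundation
import Security
// Hypothetical application tag for this example; not a label used by the library.
let privateTag = Data("com.example.payment.sign.private".utf8)
enum KeyError: Error { case accessControl, generation(Error), keychain(OSStatus), noPublicKey }

/// Creates a Secure Enclave P-256 key pair; only the private-key reference is persisted.
func generatePrivateKey() throws -> SecKey {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault, kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,
        [.privateKeyUsage, .userPresence], &cfError) else { throw KeyError.accessControl }
    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: privateTag,
            kSecAttrAccessControl as String: access,
        ] as [String: Any],
    ]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &cfError) else {
        throw KeyError.generation(cfError!.takeRetainedValue() as Error)
    }
    return key
}

/// Returns the stored private key, or nil when the keychain holds none for this tag.
func loadPrivateKey() throws -> SecKey? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrKeyClass as String: kSecAttrKeyClassPrivate,
        kSecAttrApplicationTag as String: privateTag,
        kSecReturnRef as String: true,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    if status == errSecItemNotFound { return nil }
    guard status == errSecSuccess, let found = item else { throw KeyError.keychain(status) }
    return (found as! SecKey)
}

/// Derives the public key on demand, so no stored public key can outlive its private key.
func currentPublicKey() throws -> SecKey {
    let privateKey = try loadPrivateKey() ?? generatePrivateKey()
    guard let publicKey = SecKeyCopyPublicKey(privateKey) else { throw KeyError.noPublicKey }
    return publicKey
}
```

With no public key stored separately, a restored device cannot end up holding a public key whose private half is missing.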

giuseppeVacatello commented on July 17, 2024

In the meantime of your changes how can I fix it?
If I delete the keypair I do not have to regenerate the entire keypair?
In your example above only the private key is regenerated

hfossli commented on July 17, 2024

You need to regenerate the entire keypair

giuseppeVacatello commented on July 17, 2024

I did it.
Thank you.
Wait for your modifications of library :)

muhamedhfayiz commented on July 17, 2024

I'm also facing the same issue after restoring the iOS device. Private key not found. Able to get a public key. Could you please share the code?

hfossli commented on July 17, 2024

It is not possible to restore a private key stored in the Secure Enclave.

muhamedhfayiz commented on July 17, 2024

Thank you.
After successful deletion of the keypair it works.
