Home/ Questions/Q 7001907
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T20:51:44+00:00

I am trying to import RSA private keys into the keychain using my application.

  • 0

I am trying to import RSA private keys into the keychain using my application. The first time I import a key using SecKeychainImport() the operation is successful, a subsequent import gives me an EINVAL (100022) error.

This does not happen if I quit and relaunch the app between two imports. I am including the source code below.

    CFArrayRef array = (CFArrayRef)[NSMutableArray array];

    SecExternalFormat format = kSecFormatUnknown;

    //We are always storing a private key…
    SecExternalItemType type = kSecItemTypePrivateKey;

    SecKeyImportExportParameters params;

    SecKeychainRef keychain;

    SecKeychainCopyDefault(&keychain);

    memset(&params, 0, sizeof(params));

    params.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;
    params.flags = kSecKeyNoAccessControl;
    params.keyUsage = CSSM_KEYUSE_ANY;
    params.keyAttributes = CSSM_KEYATTR_EXTRACTABLE;

    err = SecKeychainItemImport((CFDataRef)data,
                                         (CFStringRef)@"pem",
                                         &format,
                                         &type,
                                         0,
                                         NULL,
                                         keychain,
                                         &array);
    if(err == noErr)
    {
        //Change the kSecKeyPrintName attribute of the keychain item.
    }

    else
    {
        //Handle the error by displaying appropriate alert.
    }

Am I missing anything obvious?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Try setting the CSSM_KEYATTR_PERMANENT bit in params.keyAttribute. On Lion, I can import multiple PEM-armoured RSA private keys (generated with openssl genrsa) into a keychain if I explicitly set this attribute. If I don’t, I get errSecItemNotFound (-25300) when importing the very first key.

    (Don’t forget to remove kSecKeyNoAccessControl before deploying this code in production. Also, if you generate the key yourself, consider using SecKeyGenerate/SecKeyGenerateSymmetric instead.)

    • 0