Reply to SecItemAdd with kSecUseKeychain returns error -50
I'm a little confused about the keychain implementation here. As mentioned in On Mac Keychains:

> The Keychain and SecKeychain APIs only talk to the file-based keychain. The SecItem API talks to either implementation. Specifically, it talks to the data protection keychain if you supply either the kSecUseDataProtectionKeychain or the kSecAttrSynchronizable attribute. If not, it talks to the file-based keychain.

The keychain should default to file-based, since I'm working with macOS and I didn't set either kSecAttrSynchronizable or kSecUseDataProtectionKeychain. I didn't get why the keychain is considered as data protection here.

However, inspired by the article, I manually set the above two attributes to false. And eventually I got the error: OSStatus -25304 : The specified item is no longer valid. It may have been deleted from the keychain.

It seems like I did something wrong when I created the SecKeyRef, so it failed to find it. I applied SecKeyCreateWithData to create the SecKey as described here: Storing CryptoKit Keys in the Keychain. Though the example is for CryptoKit, I assume the API should also work for pure data... or am I wrong here?

Here is the implementation, and key_error returns NULL. I assume the key creation succeeded.

```c
CFMutableDictionaryRef parameters = CFDictionaryCreateMutable(my_alloc, 0, NULL, NULL);
CFDictionarySetValue(parameters, kSecAttrKeyType, kSecAttrKeyTypeECSECPrimeRandom);
CFDictionarySetValue(parameters, kSecAttrKeyClass, kSecAttrKeyClassPrivate);
CFDictionarySetValue(parameters, kSecUseDataProtectionKeychain, kCFBooleanFalse);
CFDictionarySetValue(parameters, kSecAttrSynchronizable, kCFBooleanFalse);
CFDictionarySetValue(parameters, kSecUseKeychain, keychain); // Not sure if the keychain attribute works here ...?
// key_data is the binary data read from ANSI file, which is an ECC key in X963 format.
SecKeyRef privKey = SecKeyCreateWithData(key_data, parameters, &key_error);
```
Topic: App & System Services SubTopic: Core OS Tags:
Sep ’22
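The post above passes raw X9.63 data to SecKeyCreateWithData together with kSecAttrKeyClass. The following is an added example, not code from the thread or from Apple: a layout pre-check for such a blob, covering P-256, P-384 and P-521 rather than only the one key in the post. The names `x963_key_bits` and `x963_class` are hypothetical, and the layouts assumed are the ones Apple documents for EC keys (public `04 || X || Y`, private `04 || X || Y || K`).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Expected key class, mirroring kSecAttrKeyClass (hypothetical enum). */
typedef enum { X963_PUBLIC, X963_PRIVATE } x963_class;

/* Return 256, 384 or 521 if buf has the ANSI X9.63 layout for that curve
 * and class, else 0.  public: 04||X||Y (1+2n bytes); private: 04||X||Y||K
 * (1+3n bytes).  Layout only: the point is not checked to be on the curve. */
int x963_key_bits(const uint8_t *buf, size_t len, x963_class cls)
{
    static const struct { size_t n; int bits; } curves[] = {
        { 32, 256 }, { 48, 384 }, { 66, 521 }
    };
    size_t parts = (cls == X963_PRIVATE) ? 3 : 2;

    /* PEM text starts with '-' (0x2D), DER with SEQUENCE (0x30). */
    if (buf == NULL || len == 0 || buf[0] != 0x04)
        return 0;

    for (size_t i = 0; i < sizeof curves / sizeof curves[0]; i++) {
        size_t n = curves[i].n;
        if (len != 1 + parts * n)
            continue;
        if (cls == X963_PRIVATE) {
            uint8_t acc = 0;  /* reject an all-zero private scalar K */
            for (size_t j = 0; j < n; j++)
                acc |= buf[1 + 2 * n + j];
            if (acc == 0)
                return 0;
        }
        return curves[i].bits;
    }
    return 0;
}

int main(void)
{
    /* Constructed 97-byte blob: P-256 private and P-384 public share this length. */
    uint8_t blob[97] = { 0x04 };
    blob[96] = 0x01;
    printf("as private: P-%d, as public: P-%d\n",
           x963_key_bits(blob, sizeof blob, X963_PRIVATE),
           x963_key_bits(blob, sizeof blob, X963_PUBLIC));
    return 0;
}
```

A 97-byte blob is a valid length for both a P-256 private key and a P-384 public key, so the length alone cannot identify the key and the class has to be stated explicitly.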
Reply to SecItemAdd with kSecUseKeychain returns error -50
Hi eskimo,

You are right. I'm trying to build a client daemon which sets up a network connection with SSL. I'm trying to create an identity with the ECC key and the certificate (in RSA PEM format; I was able to set up the certificate with SecItemImport as it supports RSA PEM format), and set up the identity as follows:

```c
// Add ECC Key to keychain (failed here)
CFMutableDictionaryRef secItemParams = CFDictionaryCreateMutable(default_alloc, 0, NULL, NULL);
CFDictionarySetValue(secItemParams, kSecClass, kSecClassKey);
CFDictionarySetValue(secItemParams, kSecValueRef, privateKey);
CFDictionarySetValue(secItemParams, kSecUseKeychain, import_keychain);
OSStatus key_status = SecItemAdd(secItemParams, NULL);

// setup identity
SecIdentityCreateWithCertificate(keychain, certificate, &output_identity);
identity = CFArrayCreate(default_alloc, (const void **)certs, 1L, &kCFTypeArrayCallBacks);

// Set certificate using the identity
SSLSetCertificate(ctx, identity);
```
Sep ’22
Reply to SecItemAdd with kSecUseKeychain returns error -50
Hi Quinn, thank you so much for the instruction. I was able to run the generic password sample.

I created a simple C command line program, compiled and ran it with cmake/clang from the terminal (well, the VS Code terminal to be specific). The program was able to run the generic password test after I switched to a machine on which I had full access permission. I assume the generic password test failed because of permissions.

However, adding the ECC key still failed with OSStatus -50 in the C program. I also tried with Objective-C in Xcode, and got the same result.

Also, I get the error "OSStatus -34018 : A required entitlement isn't present." if I don't specify the keychain to add to. I'm not sure if that is one of the causes.

I will continue to try out different attributes and keys to see if there is any inspiration. I would really appreciate it if you have further suggestions about what I should do next. Thank you.
Sep ’22
Reply to SecItemAdd with kSecUseKeychain returns error -50
Thank you so much for the reply!

As -50 is a vague error code, I'm lost as to what I should look into. I know that I got the error after I added the kSecUseKeychain attribute. And looking at the documentation, Item Attribute Keys and Values, I failed to find more information related to the keychain attribute. Would you have any related information?

Would you mind also providing more information about the execution context? I'm not sure what it is about.

For the password example, I tried with a generic password, and it popped up the same error: errSecInteractionNotAllowed. I guess the issue was with the execution context?
Sep ’22