Clarify the error from SecKeyCreateDecryptedData

I'm running the following command, which is meant to decrypt an object of type CFDataRef using a key object of type SecKeyRef:

Code Block
// privateKeySecKey: SecKeyRef holding the RSA private key
// payloadBuff / payloadLen: raw ciphertext bytes and their length
// cfErr: CFErrorRef that receives the failure reason when the result is NULL
CFDataRef encryptedCfData =
    SecKeyCreateDecryptedData(privateKeySecKey,
                              kSecKeyAlgorithmRSAEncryptionOAEPSHA256,
                              (__bridge CFDataRef)[NSData dataWithBytes:payloadBuff length:payloadLen],
                              &cfErr);


Unfortunately, in some scenarios it fails and I get the following errors:

Code Block
Error Domain=NSOSStatusErrorDomain Code=-50 "RSAdecrypt wrong input (err -27)" (paramErr: error in user parameter list) UserInfo={NSDescription=RSAdecrypt wrong input (err -27)}

or this one:

Code Block
Error Domain=NSOSStatusErrorDomain Code=-50 "rsa_priv_crypt failed, ccerr=-23" (paramErr: error in user parameter list) UserInfo {NSDescription=rsa_priv_crypt failed, ccerr=-23}


I'm trying to understand their meaning; the -50 indicates that one or more of the params are invalid. But what about the inner error codes (-23 and -27) and the meaning of their related strings ("error in user parameter list" and "RSAdecrypt wrong input")? Perhaps someone has already encountered those error messages and can tell me their meaning?

Thanks for the help!
Answered by DTS Engineer in 660325022

But what about the inner error codes (-23 and -27)

These errors are coming out of corecrypto, a library that lives at the heart of all of Apple’s crypto functionality. This isn’t a public API but it is open source (see the discussion at the bottom of the Security page on the developer web site). You can find the error codes in corecrypto/cc/corecrypto/cc_error.h. For example:

Code Block
// Program error: buffer too small or encrypted message is too small
CCRSA_INVALID_INPUT = -23,
// The data is invalid (we won't say more for security)
CCRSA_PRIVATE_OP_ERROR = -27,


Presumably the comment for error CCRSA_PRIVATE_OP_ERROR is about protecting you from padding oracle attacks.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
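The following wrapper is an added example, not code from the original post, from DTS or from Apple. It puts the two corecrypto codes above to practical use: it rejects a wrong-sized ciphertext before the call (the situation the CCRSA_INVALID_INPUT comment describes) and, in line with the "we won't say more for security" comment on CCRSA_PRIVATE_OP_ERROR, it reports every failure to its caller as the same nil result while keeping the detailed reason in the local log only. It assumes the caller already holds the RSA private key as a SecKeyRef; the function name DecryptOAEPOrNil is hypothetical.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Added example (not from the original post). Assumes `privateKey` is an RSA
// private key already loaded as a SecKeyRef. Helper name is hypothetical.
//
// Returns the plaintext, or nil on any failure. Only the local log learns why;
// the caller sees one uniform outcome, so a padding/format failure is not
// distinguishable from any other failure by whoever supplied the ciphertext.
static NSData *DecryptOAEPOrNil(SecKeyRef privateKey, NSData *ciphertext) {
    SecKeyAlgorithm alg = kSecKeyAlgorithmRSAEncryptionOAEPSHA256;

    // 1. Confirm the key can do OAEP-SHA256 decryption at all; otherwise
    //    SecKeyCreateDecryptedData fails with errSecParam (-50) before
    //    corecrypto is even reached.
    if (!SecKeyIsAlgorithmSupported(privateKey, kSecKeyOperationTypeDecrypt, alg)) {
        NSLog(@"key does not support RSA-OAEP-SHA256 decryption");
        return nil;
    }

    // 2. An RSA ciphertext is one modulus-sized block (SecKeyGetBlockSize
    //    returns that size in bytes for an RSA key). A short input is what the
    //    CCRSA_INVALID_INPUT (-23) comment describes, so reject it up front.
    size_t blockSize = SecKeyGetBlockSize(privateKey);
    if (ciphertext.length != blockSize) {
        NSLog(@"ciphertext length %lu != modulus size %zu",
              (unsigned long)ciphertext.length, blockSize);
        return nil;
    }

    // 3. Decrypt. A CCRSA_PRIVATE_OP_ERROR (-27) here means the block had the
    //    right size but the OAEP decoding failed; corecrypto deliberately says
    //    nothing more, and this function passes nothing more to its caller.
    CFErrorRef cfErr = NULL;
    CFDataRef plain = SecKeyCreateDecryptedData(privateKey, alg,
                                                (__bridge CFDataRef)ciphertext,
                                                &cfErr);
    if (plain == NULL) {
        NSError *err = CFBridgingRelease(cfErr); // takes ownership of cfErr
        // err.code is the outer OSStatus (-50); the corecrypto code (-23/-27)
        // appears only inside the description text, e.g. "... (err -27)".
        NSLog(@"decrypt failed: OSStatus %ld, detail: %@",
              (long)err.code, err.localizedDescription);
        return nil;
    }
    return CFBridgingRelease(plain); // transfers the +1 CFDataRef to ARC
}
```

The length check is not just a convenience: it separates "the caller handed us a malformed blob" from "the blob was well-formed but did not decrypt", which is useful when reading your own logs, while the uniform nil return keeps that distinction from leaking to whoever produced the ciphertext.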