macOS Sequoia beta 3: SecPKCS12Import failed with error - 23000

Privacy & Security General
lingesh OP
Created Jul ’24
Replies 7
Boosts 0
Views 449
Participants 4

In our App, we store identity in keychain in a specific path

    var keychain: SecKeychain?
    let status = SecKeychainCreate(path, UInt32(password.count), password, false, nil, &keychain)
    guard status == errSecSuccess else {
        logger.error("Error in creating keychain: \(String(describing: SecCopyErrorMessageString(status, nil)))")
        throw KeychainError.keychainCreationError
    }

Then later whenever process needs it. it open keychain, import it and uses it.

        status = SecPKCS12Import(identityData as CFData, [kSecImportExportPassphrase : password, kSecImportExportKeychain: keychain] as CFDictionary, &identityItems)
        authlog.info("Import status: \(status)")
        guard status == errSecSuccess else {
            authlog.error("Error in exporting identity : \(status) \(String(describing:SecCopyErrorMessageString(status, nil)))")
            throw ClientAuthError.identityFormationError
        }

This worked well till sequoia beta 2.

In Sequoia beta 3 and 4, this fails to import with error -25300 : The specified item could not be found in the keychain.

one thing I noticed is import succeeds if the keychain is freshly created. when tried to reuse existing keychain it fails in import error.

Is this a bug in beta or it any changes made in keychain level by Apple itself.

Please help with the solution

Log trace:

[ 24-07-2024 12:39:15:192 ] [INFO] Challenge delegate received [ 24-07-2024 12:39:15:192 ] [INFO] Client authentication challenge [ 2024-07-24 12:39:15 ] [INFO] retcode of "/bin/chmod -R 777 "/Library/<path>/data/agent-resource"" ::: 0 [ 24-07-2024 12:39:15:237 ] [INFO] Opening keychain... [ 24-07-2024 12:39:15:240 ] [NOTICE] Keychain open status: -25294 [ 24-07-2024 12:39:15:241 ] [ERROR] Keychain error: Optional(The specified keychain could not be found.) [ 24-07-2024 12:39:15:241 ] [INFO] Creating keychain.. [ 24-07-2024 12:39:15:448 ] [INFO] Import status: 0 [ 24-07-2024 12:39:15:448 ] [INFO] Identity: <SecIdentity 0x7ff3ec1f7df0 [0x7ff85540e9a0]> [ 24-07-2024 12:39:15:448 ] [INFO] Credential sent [ 24-07-2024 12:39:15:581 ] [INFO] Upload request completed.. [ 24-07-2024 12:39:15:583 ] [INFO] Status code: 200

[ 25-07-2024 12:24:55:300 ] [INFO] Client authentication challenge [ 25-07-2024 12:24:55:300 ] [INFO] Opening keychain... [ 25-07-2024 12:24:55:305 ] [NOTICE] Keychain open status: 0 [ 25-07-2024 12:24:55:439 ] [INFO] Import status: -25300 [ 25-07-2024 12:24:55:440 ] [ERROR] Error in exporting identity : -25300 Optional(The specified item could not be found in the keychain.) [ 25-07-2024 12:24:55:440 ] [CRITICAL] Error in getting identity: identityFormationError [ 25-07-2024 12:24:55:441 ] [ERROR] Error in obtaining identity [ 25-07-2024 12:24:55:513 ] [INFO] Download request complete... [ 25-07-2024 12:24:55:515 ] [INFO] Status code: 200

Answered by DTS Engineer in 797319022

If you have existing code that’s now broken in the latest betas, it’s definitely worth filing a bug about that.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Replies  7
Boosts  0
Views  449
Participants  4
DTS Engineer OP
Apple
Jul ’24
Recommended

If you have existing code that’s now broken in the latest betas, it’s definitely worth filing a bug about that.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
magsan OP
Jul ’24

Facing the same issue.

0
lingesh OP
Jul ’24

Filed bug - FB14580386

0
Tralala OP
1w

Has anyone solved/found workaround for this?

I'm getting exactly the same error message when using SecKeychainCreate() with SecPKCS12Import() on macOS Sequoia 15.0 (24A335)

0
DTS Engineer OP
Apple
1d

It looks like FB14580386 wasn’t fixed in the released version of macOS 15.0 )-:

Let me see if I understand this issue correctly. I created a small test Mac app project with a button that:

  1. Opens the keychain ~/Test.keychain in my home directory, creating it if it’s not there.

  2. Imports a PKCS#12 into that keychain using SecPKCS12Import.

On macOS 14.6.1 I ran the app, clicked the Test button, and it created the keychain and imported the digital identity. If I dump the resulting keychain I see this:

% security dump-keychain ~/Test.keychain 
keychain: "/Users/quinn/Test.keychain"
version: 256
class: 0x00000010 
attributes:
    …
keychain: "/Users/quinn/Test.keychain"
version: 256
class: 0x80001000 
attributes:
    …

That is, it imported the private key and the certificate.

I then click the Test button again. This imports the digital identity a second time. Of course this doesn’t actually import anything, because both the private key and the certificate are already in the keychain. So the dump-keychain command prints the same result.

Now I run the same test on macOS 15.0. Everything works the same up to the point where I click the Test button for the second time. This time around the call to SecPKCS12Import fails with -25300 (errSecItemNotFound). Moreover, the keychain ends up with an extra private key in it:

% security dump-keychain ~/Test.keychain                   
keychain: "/Users/quinn/Test.keychain"
version: 256
class: 0x00000010 
attributes:
    …
keychain: "/Users/quinn/Test.keychain"
version: 256
class: 0x00000010 
attributes:
    …
keychain: "/Users/quinn/Test.keychain"
version: 256
class: 0x80001000 
attributes:
    …

Is that an accurate statement of the bug that we’re talking about here?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
Tralala OP
1d

Yep, the description of the bug sounds accurate.

There is one interesting workaround (for anyone else, who is experiencing the same issue):

  1. Import PKCS#12 into the "Login" Keychain by opening .pk12 from Finder
  2. Delete the imported PKCS#12 from the "Login" Keychain
  3. At this point, it's possible to import PKCS#12 into Keychain, that is created in a, let's say, home directory.
0
DTS Engineer OP
Apple
21h

Well, I’d say that the macOS 15 behaviour is definitely a bug. Even if you ignore the macOS 14 compatibility aspects of this, it should handle duplicate items by either:

  • Doing nothing, as it did on macOS 14

  • Failing with errSecDuplicateItem

This ‘getting halfway and then failing with errSecItemNotFound’ is all sorts of wrong )-:

I’ve updated FB14580386 with my analysis.

On the workaround front, I guess my first question is why you’re getting into this situation? If the keychain already has the digital identity you need, why import it again? Perhaps you could change your code to:

  1. Search the keychain for the digital identity.

  2. Do the SecPKCS12Import thing only if it’s not present.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
macOS Sequoia beta 3: SecPKCS12Import failed with error - 23000
First post date Last post date
 
 
Q