I'm trying to generate a key pair in the Secure Enclave on macOS, but I'm always getting
"OSStatus error -34018 - failed to generate asymmetric keypair"
as an error from the following code:
#import <Security/Security.h>
#include "base/logging.h"

// Access control for the private key: usable only on this device while it is unlocked.
CFErrorRef access_error = NULL;
SecAccessControlRef access_control = SecAccessControlCreateWithFlags(
    kCFAllocatorDefault,
    kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
    kSecAccessControlPrivateKeyUsage,
    &access_error);
if (access_control == NULL) {
  NSString* desc = (__bridge_transfer NSString*)CFErrorCopyDescription(access_error);
  LOG(ERROR) << "Failed to create access control: " << desc.UTF8String;
  CFRelease(access_error);
  return;  // this snippet is a function body; bail out before using a NULL access control
}

// P-256 key generated inside the Secure Enclave; the private key never leaves it.
NSDictionary* attributes = @{
  (__bridge id)kSecAttrKeyType: (__bridge id)kSecAttrKeyTypeECSECPrimeRandom,
  (__bridge id)kSecAttrKeySizeInBits: @256,
  (__bridge id)kSecAttrTokenID: (__bridge id)kSecAttrTokenIDSecureEnclave,
  (__bridge id)kSecPrivateKeyAttrs: @{
    (__bridge id)kSecAttrIsPermanent: @YES,
    (__bridge id)kSecAttrAccessControl: (__bridge id)access_control
  }
};
CFErrorRef creation_error = NULL;
SecKeyRef key_ref = SecKeyCreateRandomKey((__bridge CFDictionaryRef)attributes, &creation_error);
CFRelease(access_control);  // the key (if any) holds its own reference
if (key_ref == NULL) {
  // CFErrorCopyDescription returns a CFStringRef; convert it before logging,
  // otherwise the stream prints the pointer value, and the string would leak.
  NSString* desc = (__bridge_transfer NSString*)CFErrorCopyDescription(creation_error);
  LOG(ERROR) << "Failed to create key: " << desc.UTF8String;
  CFRelease(creation_error);
}
-34018 seems to map to errSecMissingEntitlement, but I'm not sure what the missing entitlement is. Chromium comes with several entitlements configured, and I've signed and notarized via sign_chrome.py, but it still does not work with the installed app from the notarized .dmg file.
Running
codesign -d --entitlements - /Applications/Chromium.app
returns
[Dict]
[Key] com.apple.application-identifier
[Value]
[String] <redacted-teamid>.<redacted-bundleid>
[Key] keychain-access-groups
[Value]
[Array]
[String] <redacted-teamid>.<redacted-bundleid>.devicetrust
[String] <redacted-teamid>.<redacted-bundleid>.webauthn
Checking the embedded .provisionprofile (and the DER encoded profile) per these instructions also shows these entitlements in the notarized .app.
The same code works in a local Xcode project, so I figure it must be how I've configured Chromium, but I can't figure out what the missing piece is.
I can create keys in the keychain, in Chromium, if I remove the kSecAttrAccessControl and kSecAttrTokenID attributes.
I've tried multiple things to find the issue:
- I've read the docs
- I've tried setting different entitlements, described here
- I've searched online and found similar issues, but none of the solutions helped
- I've read through Apple's OSS Distribution to see the implementation of SecKeyCreateRandomKey
- I've reviewed the two existing implementations in Chromium, and tried to directly call them instead of rolling my own
This is all running on my M2 MacBook Pro on Ventura 13.3, if it matters.
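Added example, not code from the question or from Chromium: when diagnosing an error like the one above, log the CFError's domain and numeric code rather than just its description, and once a key is created, check that it is actually Secure Enclave backed and usable. It assumes a `SecKeyRef` created as in the question is passed in; the hypothetical helper names and the test message are mine.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Report a CFError with its domain and numeric code (e.g. NSOSStatusErrorDomain,
// code -34018 = errSecMissingEntitlement), which is what a diagnosis needs.
static void ReportSecError(const char* what, CFErrorRef error) {
  if (error == NULL) return;
  NSError* err = (__bridge NSError*)error;
  NSLog(@"%s: domain=%@ code=%ld info=%@", what, err.domain, (long)err.code, err.userInfo);
}

// Returns YES only if |key| reports the Secure Enclave token ID and can produce a
// signature that verifies against its public half. |key| is assumed to have been
// created with kSecAttrTokenIDSecureEnclave as in the question.
static BOOL VerifySecureEnclaveKey(SecKeyRef key) {
  NSDictionary* attrs = (__bridge_transfer NSDictionary*)SecKeyCopyAttributes(key);
  NSString* token = attrs[(__bridge id)kSecAttrTokenID];
  if (![token isEqualToString:(__bridge NSString*)kSecAttrTokenIDSecureEnclave]) {
    NSLog(@"key is not Secure Enclave backed (token id: %@)", token);
    return NO;
  }
  SecKeyRef pub = SecKeyCopyPublicKey(key);
  if (pub == NULL) return NO;

  // Constructed sample message; Secure Enclave P-256 keys sign with ECDSA over SHA-256.
  NSData* msg = [@"constructed test message" dataUsingEncoding:NSUTF8StringEncoding];
  SecKeyAlgorithm alg = kSecKeyAlgorithmECDSASignatureMessageX962SHA256;
  CFErrorRef error = NULL;
  NSData* sig = (__bridge_transfer NSData*)SecKeyCreateSignature(
      key, alg, (__bridge CFDataRef)msg, &error);
  if (sig == nil) {
    ReportSecError("SecKeyCreateSignature", error);
    if (error) CFRelease(error);
    CFRelease(pub);
    return NO;
  }
  BOOL ok = SecKeyVerifySignature(
      pub, alg, (__bridge CFDataRef)msg, (__bridge CFDataRef)sig, &error);
  if (!ok) {
    ReportSecError("SecKeyVerifySignature", error);
    if (error) CFRelease(error);
  }
  CFRelease(pub);
  return ok;
}
```

Calling `ReportSecError("SecKeyCreateRandomKey", creation_error)` in the failure branch of the question's code gives the domain/code pair that maps to the Security framework's error constants.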