Merge pull request #758 from smallstep/mariano/mackms-public-key

maraino · web-flow · commit ba42b525e0ff · 2025-04-28T11:59:19.000-07:00
Extract public key from private
diff --git a/kms/mackms/mackms.go b/kms/mackms/mackms.go
@@ -826,29 +826,30 @@ func extractPublicKey(secKeyRef *security.SecKeyRef) (crypto.PublicKey, []byte,
 	if publicKey, err := security.SecKeyCopyPublicKey(secKeyRef); err == nil {
 		defer publicKey.Release()
 
-		data, err := security.SecKeyCopyExternalRepresentation(publicKey)
-		if err != nil {
-			return nil, nil, fmt.Errorf("macOS SecKeyCopyExternalRepresentation failed: %w", err)
-		}
-		defer data.Release()
+		// For an unknown reason this sometimes fails with the error -25293
+		// (errSecAuthFailed). If this happens attempt to extract the key from
+		// the private key.
+		if data, err := security.SecKeyCopyExternalRepresentation(publicKey); err == nil {
+			defer data.Release()
+
+			derBytes := data.Bytes()
+			// ECDSA public keys are formatted as "04 || X || Y"
+			if derBytes[0] == 0x04 {
+				pub, err := parseECDSAPublicKey(derBytes)
+				if err != nil {
+					return nil, nil, fmt.Errorf("error parsing ECDSA key: %w", err)
+				}
+				return pub, hash, nil
+			}
 
-		derBytes := data.Bytes()
-		// ECDSA public keys are formatted as "04 || X || Y"
-		if derBytes[0] == 0x04 {
-			pub, err := parseECDSAPublicKey(derBytes)
+			// RSA public keys are formatted using PKCS #1
+			pub, err := x509.ParsePKCS1PublicKey(derBytes)
 			if err != nil {
-				return nil, nil, fmt.Errorf("error parsing ECDSA key: %w", err)
+				return nil, nil, fmt.Errorf("error parsing RSA key: %w", err)
 			}
-			return pub, hash, nil
-		}
 
-		// RSA public keys are formatted using PKCS #1
-		pub, err := x509.ParsePKCS1PublicKey(derBytes)
-		if err != nil {
-			return nil, nil, fmt.Errorf("error parsing RSA key: %w", err)
+			return pub, hash, nil
 		}
-
-		return pub, hash, nil
 	}
 
 	// At this point we only have the private key.
