Where is kSecAttrTokenIDSecureEnclave registered?

I have been banging my head against generating a public/private key pair with kSecAttrTokenIDSecureEnclave so that the private key is created in the Secure Enclave.

Where is kSecAttrTokenIDSecureEnclave documented? Below is my code, which fails with status -50.

    #import <Security/Security.h>

    // publicTag and privateTag are CFDataRef instance variables;
    // publicKey and privateKey are SecKeyRef instance variables.
    - (void)generateKeyPair {
        const UInt8 publicTagString[] = "public";
        const UInt8 privateTagString[] = "private";
        publicTag = CFDataCreate(0, publicTagString, sizeof(publicTagString));
        privateTag = CFDataCreate(0, privateTagString, sizeof(privateTagString));

        // Attributes for the public half of the pair
        CFMutableDictionaryRef publicAttr = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, NULL, NULL);
        CFDictionaryAddValue(publicAttr, kSecAttrApplicationTag, publicTag);
        // CFDictionaryAddValue(publicAttr, kSecAttrIsPermanent, kCFBooleanTrue);
        CFDictionaryAddValue(publicAttr, kSecAttrCanEncrypt, kCFBooleanFalse);
        CFDictionaryAddValue(publicAttr, kSecAttrCanDecrypt, kCFBooleanFalse);
        CFDictionaryAddValue(publicAttr, kSecAttrCanDerive, kCFBooleanFalse);
        CFDictionaryAddValue(publicAttr, kSecAttrCanSign, kCFBooleanFalse);
        CFDictionaryAddValue(publicAttr, kSecAttrCanVerify, kCFBooleanTrue);
        CFDictionaryAddValue(publicAttr, kSecAttrCanUnwrap, kCFBooleanFalse);

        // Attributes for the private half of the pair
        CFMutableDictionaryRef privateAttr = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, NULL, NULL);
        CFDictionaryAddValue(privateAttr, kSecAttrApplicationTag, privateTag);
        // CFDictionaryAddValue(privateAttr, kSecAttrIsPermanent, kCFBooleanTrue);
        CFDictionaryAddValue(privateAttr, kSecAttrCanEncrypt, kCFBooleanFalse);
        CFDictionaryAddValue(privateAttr, kSecAttrCanDecrypt, kCFBooleanFalse);
        CFDictionaryAddValue(privateAttr, kSecAttrCanDerive, kCFBooleanFalse);
        CFDictionaryAddValue(privateAttr, kSecAttrCanSign, kCFBooleanTrue);
        CFDictionaryAddValue(privateAttr, kSecAttrCanVerify, kCFBooleanFalse);
        CFDictionaryAddValue(privateAttr, kSecAttrCanUnwrap, kCFBooleanFalse);

        // Top-level parameters for SecKeyGeneratePair
        const void *parameterKeys[] = {
            kSecAttrKeyType,
            kSecAttrKeySizeInBits,
            kSecAttrTokenID,
            kSecPublicKeyAttrs,
            kSecPrivateKeyAttrs
        };
        int intKeySize = 512;
        CFNumberRef keySize = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &intKeySize);
        const void *parameterValues[] = {
            kSecAttrKeyTypeRSA,
            keySize,
            kSecAttrTokenIDSecureEnclave,
            publicAttr,
            privateAttr
        };
        CFDictionaryRef parameters = CFDictionaryCreate(kCFAllocatorDefault,
                                                        parameterKeys,
                                                        parameterValues,
                                                        5, // ??? Make this programmatic
                                                        NULL,
                                                        NULL);

        OSStatus status = SecKeyGeneratePair(parameters, &publicKey, &privateKey);
        if (status != errSecSuccess) {
            [self logError:[NSString stringWithFormat:@"SecKeyGeneratePair status %d", (int)status] :nil];
            return;
        }
    }
security ios keychain
1 answer

The error you get, -50, indicates a parameter error: one of the parameters you pass to the function is invalid or inappropriate for the operation. If you look at the SecItem header you will see:

    kSecAttrTokenIDSecureEnclave: Specifies the well-known identifier of the token implemented using the device's Secure Enclave. The only keychain items supported by the Secure Enclave token are 256-bit elliptic curve keys (kSecAttrKeyTypeEC). Keys must be generated in the Secure Enclave using a SecKeyGeneratePair call with kSecAttrTokenID set to kSecAttrTokenIDSecureEnclave in the parameters dictionary; it is not possible to import pre-generated keys into the kSecAttrTokenIDSecureEnclave token.

RSA is not currently supported when creating a private key in the Secure Enclave. Switch to a 256-bit EC key.

This was covered in WWDC 2015 session 706, Security and Your Apps. Apple's KeychainTouchID sample project shows the correct settings for generating and using a key in the Secure Enclave.

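The following is an added example, not code from the question or the answer above, of the settings the answer describes: a 256-bit EC key pair generated with kSecAttrTokenID set to kSecAttrTokenIDSecureEnclave, then used to sign and verify a message. It uses the SecKeyCreateRandomKey / SecKeyCreateSignature API (iOS 10 / macOS 10.12 and later) rather than the older SecKeyGeneratePair call, and must run on hardware that actually has a Secure Enclave; the application tag and the sample message are constructed values.

```objectivec
// Added example (not from the original question or answer): generate a
// 256-bit EC private key inside the Secure Enclave, sign a message with it
// and verify the signature with the derived public key.
// Requires iOS 10+ / macOS 10.12+ and a device with a Secure Enclave.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Assumed example tag; any app-specific value works.
static NSString *const kExampleKeyTag = @"com.example.se-signing-key";

// Returns the Secure Enclave private key (caller must CFRelease) or NULL
// with *error set. A -50 (errSecParam) here means an attribute combination
// the token rejects, e.g. RSA or a key size other than 256 bits.
static SecKeyRef GenerateSecureEnclaveKey(CFErrorRef *error) {
    // Usable only while the device is unlocked, never migrated to another
    // device, and kSecAccessControlPrivateKeyUsage is mandatory for SE keys.
    SecAccessControlRef access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        kSecAccessControlPrivateKeyUsage,
        error);
    if (!access) return NULL;

    NSDictionary *privateAttrs = @{
        (id)kSecAttrIsPermanent:    @YES,   // keep a keychain reference to the key
        (id)kSecAttrApplicationTag: [kExampleKeyTag dataUsingEncoding:NSUTF8StringEncoding],
        (id)kSecAttrAccessControl:  (__bridge id)access,
    };
    NSDictionary *params = @{
        (id)kSecAttrKeyType:       (id)kSecAttrKeyTypeECSECPrimeRandom, // EC, not RSA
        (id)kSecAttrKeySizeInBits: @256,                                // 256 bits only
        (id)kSecAttrTokenID:       (id)kSecAttrTokenIDSecureEnclave,
        (id)kSecPrivateKeyAttrs:   privateAttrs,
    };
    SecKeyRef privateKey = SecKeyCreateRandomKey((__bridge CFDictionaryRef)params, error);
    CFRelease(access);
    return privateKey;
}

// Signs message with the SE key and verifies the result with the public key.
// The private key material never leaves the Secure Enclave; only the
// signature and the public key come back to the app.
static BOOL SignAndVerify(SecKeyRef privateKey, NSData *message, CFErrorRef *error) {
    SecKeyAlgorithm alg = kSecKeyAlgorithmECDSASignatureMessageX962SHA256;
    if (!SecKeyIsAlgorithmSupported(privateKey, kSecKeyOperationTypeSign, alg)) return NO;

    CFDataRef signature = SecKeyCreateSignature(privateKey, alg,
                                                (__bridge CFDataRef)message, error);
    if (!signature) return NO;

    SecKeyRef publicKey = SecKeyCopyPublicKey(privateKey);
    if (!publicKey) { CFRelease(signature); return NO; }

    BOOL ok = SecKeyVerifySignature(publicKey, alg, (__bridge CFDataRef)message,
                                    signature, error);
    CFRelease(publicKey);
    CFRelease(signature);
    return ok;
}

int main(void) {
    @autoreleasepool {
        CFErrorRef error = NULL;
        SecKeyRef key = GenerateSecureEnclaveKey(&error);
        if (!key) {
            NSLog(@"Secure Enclave key generation failed: %@", error);
            if (error) CFRelease(error);
            return 1;
        }
        // Constructed sample input for the demonstration.
        NSData *message = [@"constructed sample message" dataUsingEncoding:NSUTF8StringEncoding];
        BOOL ok = SignAndVerify(key, message, &error);
        NSLog(@"signature verified: %@", ok ? @"yes" : @"no");
        if (error) CFRelease(error);
        CFRelease(key);
        return ok ? 0 : 1;
    }
}
```

Two checks worth keeping in real code: inspect the CFErrorRef rather than just the status, since the Security framework reports the rejected attribute there, and keep the public key export path separate from signing, because SecKeyCopyExternalRepresentation works for the public half but is refused for a Secure Enclave private key.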
