
Where is kSecAttrTokenIDSecureEnclave documented?

I'm banging my head trying to generate a private-public key pair with kSecAttrTokenIDSecureEnclave so that the private key is generated in the Secure Enclave.

Where is kSecAttrTokenIDSecureEnclave documented? Below is my code, which fails with status code -50.

- (void)generateKeyPair {
    const UInt8 publicTagString[] = "public";
    const UInt8 privateTagString[] = "private";

    publicTag = CFDataCreate(0, publicTagString, sizeof(publicTagString));
    privateTag = CFDataCreate(0, privateTagString, sizeof(privateTagString));

    CFMutableDictionaryRef publicAttr = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, NULL, NULL);
    CFDictionaryAddValue(publicAttr, kSecAttrApplicationTag, publicTag);
    // CFDictionaryAddValue(publicAttr, kSecAttrIsPermanent, kCFBooleanTrue);
    CFDictionaryAddValue(publicAttr, kSecAttrCanEncrypt, kCFBooleanFalse);
    CFDictionaryAddValue(publicAttr, kSecAttrCanDecrypt, kCFBooleanFalse);
    CFDictionaryAddValue(publicAttr, kSecAttrCanDerive, kCFBooleanFalse);
    CFDictionaryAddValue(publicAttr, kSecAttrCanSign, kCFBooleanFalse);
    CFDictionaryAddValue(publicAttr, kSecAttrCanVerify, kCFBooleanTrue);
    CFDictionaryAddValue(publicAttr, kSecAttrCanUnwrap, kCFBooleanFalse);

    CFMutableDictionaryRef privateAttr = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, NULL, NULL);
    CFDictionaryAddValue(privateAttr, kSecAttrApplicationTag, privateTag);
    // CFDictionaryAddValue(privateAttr, kSecAttrIsPermanent, kCFBooleanTrue);
    CFDictionaryAddValue(privateAttr, kSecAttrCanEncrypt, kCFBooleanFalse);
    CFDictionaryAddValue(privateAttr, kSecAttrCanDecrypt, kCFBooleanFalse);
    CFDictionaryAddValue(privateAttr, kSecAttrCanDerive, kCFBooleanFalse);
    CFDictionaryAddValue(privateAttr, kSecAttrCanSign, kCFBooleanTrue);
    CFDictionaryAddValue(privateAttr, kSecAttrCanVerify, kCFBooleanFalse);
    CFDictionaryAddValue(privateAttr, kSecAttrCanUnwrap, kCFBooleanFalse);

    const void* parameterKeys[] = {
        kSecAttrKeyType,
        kSecAttrKeySizeInBits,
        kSecAttrTokenID,
        kSecPublicKeyAttrs,
        kSecPrivateKeyAttrs
    };

    int intKeySize = 512;
    CFNumberRef keySize = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &intKeySize);

    const void* parameterValues[] = {
        kSecAttrKeyTypeRSA,
        keySize,
        kSecAttrTokenIDSecureEnclave,
        publicAttr,
        privateAttr
    };

    CFDictionaryRef parameters = CFDictionaryCreate(
        kCFAllocatorDefault,
        parameterKeys,
        parameterValues,
        5, // ??? Make this programmatic
        NULL,
        NULL
    );

    OSStatus status = SecKeyGeneratePair(parameters, &publicKey, &privateKey);

    if(status != errSecSuccess) {
        [self logError:[NSString stringWithFormat:@"SecKeyGeneratePair status %d", (int)status] :nil];
        return;
    }
}

The error you are getting, -50, indicates a parameter error. A parameter you are passing to the function is incorrect or inappropriate for the operation. If you look at the SecItem header you will see:

kSecAttrTokenIDSecureEnclave: Specifies the well-known identifier of the token implemented using the device's Secure Enclave. The only keychain items supported by the Secure Enclave token are 256-bit elliptic curve keys (kSecAttrKeyTypeEC). Keys must be generated on the Secure Enclave using the SecKeyGenerateKeyPair call with kSecAttrTokenID set to kSecAttrTokenIDSecureEnclave in the parameters dictionary; it is not possible to import pregenerated keys into the kSecAttrTokenIDSecureEnclave token.

RSA is not currently a supported cipher when generating a private key in the Secure Enclave. Switch to a 256-bit EC key.

This was covered in the WWDC 2015 session 706, "Security and Your Apps". The Apple sample project "KeychainTouchID" shows the correct parameters for generating and using a key with the Secure Enclave.
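As an added illustration of the fix the answer describes (this is not code from the question, the answer, or Apple's KeychainTouchID sample), the following generates a 256-bit EC key whose private half is created inside the Secure Enclave, using the newer SecKeyCreateRandomKey API instead of SecKeyGeneratePair, and then signs and verifies a message with it so that the private key never has to leave the enclave. It assumes a device with a Secure Enclave (not the simulator) and an app signed with the usual keychain entitlements; the function names GenerateSecureEnclaveKey and SignAndVerify are hypothetical.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Creates a P-256 key pair in the Secure Enclave and returns the private key
// reference (NULL on failure, with the CFError logged). Hypothetical helper.
static SecKeyRef GenerateSecureEnclaveKey(NSString *tag) {
    CFErrorRef error = NULL;

    // Access control for the private key: usable only while the device is
    // unlocked and never migrated to another device. The
    // kSecAccessControlPrivateKeyUsage flag is required for enclave keys.
    SecAccessControlRef access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        kSecAccessControlPrivateKeyUsage,
        &error);
    if (!access) { NSLog(@"access control: %@", error); return NULL; }

    NSDictionary *params = @{
        // 256-bit elliptic curve, the only key type the enclave token supports
        (id)kSecAttrKeyType:       (id)kSecAttrKeyTypeECSECPrimeRandom,
        (id)kSecAttrKeySizeInBits: @256,
        (id)kSecAttrTokenID:       (id)kSecAttrTokenIDSecureEnclave,
        (id)kSecPrivateKeyAttrs: @{
            (id)kSecAttrIsPermanent:    @YES,   // keep a keychain reference
            (id)kSecAttrApplicationTag: [tag dataUsingEncoding:NSUTF8StringEncoding],
            (id)kSecAttrAccessControl:  (__bridge id)access,
        },
    };

    SecKeyRef privateKey = SecKeyCreateRandomKey((__bridge CFDictionaryRef)params, &error);
    CFRelease(access);   // the params dictionary holds its own reference
    if (!privateKey) { NSLog(@"SecKeyCreateRandomKey: %@", error); return NULL; }
    return privateKey;
}

// Signs a message with the enclave-resident key and verifies it with the
// exportable public half. Hypothetical helper.
static BOOL SignAndVerify(SecKeyRef privateKey, NSData *message) {
    CFErrorRef error = NULL;
    SecKeyAlgorithm alg = kSecKeyAlgorithmECDSASignatureMessageX962SHA256;
    NSData *sig = CFBridgingRelease(SecKeyCreateSignature(privateKey, alg,
                                        (__bridge CFDataRef)message, &error));
    if (!sig) { NSLog(@"sign: %@", error); return NO; }
    SecKeyRef publicKey = SecKeyCopyPublicKey(privateKey);
    BOOL ok = SecKeyVerifySignature(publicKey, alg, (__bridge CFDataRef)message,
                                    (__bridge CFDataRef)sig, &error);
    CFRelease(publicKey);
    return ok;
}
```

Call GenerateSecureEnclaveKey with your application tag and then SignAndVerify with any NSData payload; a -50 here usually means an attribute the enclave token does not accept (for example an RSA key type or a non-256-bit size).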
