iOS: Decryption not supported on key stored in secure enclave

Compiling for iOS 11 (which allegedly solves all the secure enclave related bugs), I'm trying to create a key pair stored in the secure enclave to use for encrypting/decrypting data, but somewhere along the line the key gets corrupted:
```objectivec
CFErrorRef error = NULL;
CFErrorRef gen_error = NULL; // CFErrorRef rather than NSError*, so it can be passed to SecKeyCreateRandomKey directly

// Access control for the key: passcode-protected, this device only, biometry required for use.
SecAccessControlRef sacObject = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
                                                                kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
                                                                kSecAccessControlBiometryAny,
                                                                &error);
if (sacObject == NULL || error != NULL) { /* handled */ }

// Key generation attributes, all at the top level of the dictionary.
NSDictionary *keyAttributes = @{
    (id)kSecClass: (id)kSecClassKey,
    (id)kSecAttrKeyType: (id)kSecAttrKeyTypeEC,
    (id)kSecAttrKeySizeInBits: @256,
    (id)kSecAttrTokenID: (id)kSecAttrTokenIDSecureEnclave,
    (id)kSecAttrIsPermanent: @YES,
    (id)kSecAttrApplicationTag: biometricKeyTag, // static between all calls
    (id)kSecAttrAccessControl: (__bridge_transfer id)sacObject,
};

// SecKeyCreateRandomKey returns a +1 reference that we own; no bridging to ARC needed
// (bridging the result through CFBridgingRelease and back would leave privateKey dangling).
SecKeyRef privateKey = SecKeyCreateRandomKey((__bridge CFDictionaryRef)keyAttributes, &gen_error);
if (gen_error != NULL || privateKey == NULL) { /* handled */ }
SecKeyRef publicKey = SecKeyCopyPublicKey(privateKey);

Boolean algorithmDSupported = SecKeyIsAlgorithmSupported(privateKey, kSecKeyOperationTypeDecrypt,
                                                          kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM);
Boolean algorithmESupported = SecKeyIsAlgorithmSupported(publicKey, kSecKeyOperationTypeEncrypt,
                                                          kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM);
// Returns true for both
// OK so far!

// Now retrieve the key just created, to mock up using it later.
// Release the references from generation first so the lookup does not leak them.
CFRelease(publicKey);  publicKey = NULL;
CFRelease(privateKey); privateKey = NULL;
NSDictionary *query = @{
    (id)kSecClass: (id)kSecClassKey,
    (id)kSecAttrApplicationTag: biometricKeyTag,
    (id)kSecAttrKeyType: (id)kSecAttrKeyTypeEC,
    (id)kSecReturnRef: @YES,
    (id)kSecUseOperationPrompt: @""
};
OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef *)&privateKey);
if (status != noErr || privateKey == NULL) { /* handled */ }
publicKey = SecKeyCopyPublicKey(privateKey);

Boolean algorithmDSupported2 = SecKeyIsAlgorithmSupported(privateKey, kSecKeyOperationTypeDecrypt,
                                                           kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM);
Boolean algorithmESupported2 = SecKeyIsAlgorithmSupported(publicKey, kSecKeyOperationTypeEncrypt,
                                                           kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM);
// Encryption on the public key is supported, but algorithmDSupported2 is false – cannot decrypt with the key any more
```
Using the key retrieved with SecItemCopyMatching for encryption with SecKeyCreateEncryptedData seems to work, but SecKeyIsAlgorithmSupported on …TypeDecrypt returns false for these keys, and attempts to decrypt anyway unsurprisingly crash the app.

How/why does the key not work after retrieval?
What solved it in the end was:

- changing the SecAccessControl flags to kSecAccessControlBiometryAny|kSecAccessControlPrivateKeyUsage
- changing the key type to kSecAttrKeyTypeECSECPrimeRandom
- moving the key attributes under the kSecPrivateKeyAttrs key

No idea why Apple lets you shoot yourself in the foot and doesn't properly validate key generation parameters.
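The generation path with those three changes applied, followed by the retrieve-and-decrypt check that failed in the question, as an added example that is not the asker's or answerer's code. It assumes ARC, iOS 11 or later, a device with a Secure Enclave and a passcode set; the tag com.example.biometric-key is constructed, and CreateEnclaveKey, CopyEnclaveKey and RoundTripWorks are names chosen here.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
// Constructed application tag for this example; any stable per-app byte string works.
static NSData *BiometricKeyTag(void) {
    return [@"com.example.biometric-key" dataUsingEncoding:NSUTF8StringEncoding];
}
// Generate the Secure Enclave key with the answer's three changes; caller must CFRelease the result.
static SecKeyRef CreateEnclaveKey(CFErrorRef *error) {
    SecAccessControlRef sac = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        kSecAccessControlBiometryAny | kSecAccessControlPrivateKeyUsage, error); // fix 1
    if (sac == NULL) return NULL;
    NSDictionary *attrs = @{
        (id)kSecAttrKeyType: (id)kSecAttrKeyTypeECSECPrimeRandom,                 // fix 2
        (id)kSecAttrKeySizeInBits: @256,
        (id)kSecAttrTokenID: (id)kSecAttrTokenIDSecureEnclave,
        (id)kSecPrivateKeyAttrs: @{                                                 // fix 3
            (id)kSecAttrIsPermanent: @YES,
            (id)kSecAttrApplicationTag: BiometricKeyTag(),
            (id)kSecAttrAccessControl: (__bridge_transfer id)sac,
        },
    };
    return SecKeyCreateRandomKey((__bridge CFDictionaryRef)attrs, error);
}
// Fetch the stored private key back, as the question does, matching on the enclave token too.
static SecKeyRef CopyEnclaveKey(void) {
    NSDictionary *query = @{
        (id)kSecClass: (id)kSecClassKey,
        (id)kSecAttrKeyType: (id)kSecAttrKeyTypeECSECPrimeRandom,
        (id)kSecAttrTokenID: (id)kSecAttrTokenIDSecureEnclave,
        (id)kSecAttrApplicationTag: BiometricKeyTag(),
        (id)kSecReturnRef: @YES,
    };
    SecKeyRef key = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef *)&key);
    return status == errSecSuccess ? key : NULL;
}
// Re-run the support check that returned false in the question, then do a full ECIES round trip.
static BOOL RoundTripWorks(SecKeyRef privateKey, NSData *plaintext) {
    SecKeyAlgorithm alg = kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM;
    if (!SecKeyIsAlgorithmSupported(privateKey, kSecKeyOperationTypeDecrypt, alg)) return NO;
    SecKeyRef publicKey = SecKeyCopyPublicKey(privateKey);
    NSData *ct = CFBridgingRelease(SecKeyCreateEncryptedData(publicKey, alg, (__bridge CFDataRef)plaintext, NULL));
    CFRelease(publicKey);
    if (ct == nil) return NO;
    NSData *pt = CFBridgingRelease(SecKeyCreateDecryptedData(privateKey, alg, (__bridge CFDataRef)ct, NULL));
    return pt != nil && [pt isEqualToData:plaintext];
}
```

Call CreateEnclaveKey once, CFRelease its result, then pass CopyEnclaveKey() to RoundTripWorks; the decrypt call will trigger the biometric prompt on device.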