
iOS: Decryption not supported on key stored in secure enclave

Compiling for iOS 11 (which allegedly solves all the secure enclave related bugs), I'm trying to create a key pair stored in the secure enclave to use for encrypting/decrypting data, but somewhere along the line the key gets corrupted:

CFErrorRef error = NULL;
CFErrorRef gen_error = NULL; // CFErrorRef rather than NSError*, so no unsafe (void *) cast is needed below

// Access control: usable only while a passcode is set on this device, gated by any enrolled biometry.
// Note that kSecAccessControlPrivateKeyUsage is not set here (see the resolution below).
SecAccessControlRef sacObject = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
    kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
    kSecAccessControlBiometryAny,
    &error);

if (sacObject == NULL || error != NULL) { /* handled */ }

NSDictionary *keyAttributes = @{
    (id)kSecClass: (id)kSecClassKey,
    (id)kSecAttrKeyType: (id)kSecAttrKeyTypeEC,
    (id)kSecAttrKeySizeInBits: @256,
    (id)kSecAttrTokenID: (id)kSecAttrTokenIDSecureEnclave,
    (id)kSecAttrIsPermanent: @YES,
    (id)kSecAttrApplicationTag: biometricKeyTag, // static between all calls
    (id)kSecAttrAccessControl: (__bridge_transfer id)sacObject,
};

// SecKeyCreateRandomKey returns a +1 reference; keep it as a CF type and release it explicitly.
// (Casting the result through CFBridgingRelease and back with __bridge leaves a dangling reference under ARC.)
SecKeyRef privateKey = SecKeyCreateRandomKey((__bridge CFDictionaryRef)keyAttributes, &gen_error);

if (gen_error != NULL || privateKey == NULL) { /* handled */ }

SecKeyRef publicKey = SecKeyCopyPublicKey(privateKey);

Boolean algorithmDSupported = SecKeyIsAlgorithmSupported(privateKey, kSecKeyOperationTypeDecrypt, kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM);
Boolean algorithmESupported = SecKeyIsAlgorithmSupported(publicKey, kSecKeyOperationTypeEncrypt, kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM);
// Returns true for both

// OK so far!

// Now retrieve the key just created to mock up using it later.
// Release the generated references first so the retrieved one does not overwrite (and leak) them.
CFRelease(publicKey);
CFRelease(privateKey);
privateKey = NULL;

NSDictionary *query = @{
    (id)kSecClass: (id)kSecClassKey,
    (id)kSecAttrApplicationTag: biometricKeyTag,
    (id)kSecAttrKeyType: (id)kSecAttrKeyTypeEC,
    (id)kSecReturnRef: @YES,
    (id)kSecUseOperationPrompt: @""
};
OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef *)&privateKey);

if (status != errSecSuccess || privateKey == NULL) { /* handled */ }

publicKey = SecKeyCopyPublicKey(privateKey);
Boolean algorithmDSupported2 = SecKeyIsAlgorithmSupported(privateKey, kSecKeyOperationTypeDecrypt, kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM);
Boolean algorithmESupported2 = SecKeyIsAlgorithmSupported(publicKey, kSecKeyOperationTypeEncrypt, kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM);
// Encryption on the public key is supported, but algorithmDSupported2 is false – cannot decrypt with the key any more

Using the key retrieved with SecItemCopyMatching for encryption with SecKeyCreateEncryptedData seems to work, but SecKeyIsAlgorithmSupported on …TypeDecrypt returns false for these keys, and attempts to decrypt anyway unsurprisingly crash the app.

How/why does the key not work after retrieval?

What solved it in the end was:

  • Changing the SecAccessControl flags to kSecAccessControlBiometryAny|kSecAccessControlPrivateKeyUsage
  • Changing the key type to kSecAttrKeyTypeECSECPrimeRandom
  • Moving the key attributes under the kSecPrivateKeyAttrs key

No idea why Apple lets you shoot yourself in the foot and doesn't properly validate key generation parameters.
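The three corrections above combined into one routine, as an added example that is not the asker's code or Apple sample code: it generates the key, fetches it back from the keychain the way the app would later, and proves the retrieved reference still supports ECIES decryption by round-tripping data. SecureEnclaveRoundTrip, tag and plaintext are the example's own names; it assumes a device with a Secure Enclave and a passcode set, and the decrypt step will raise the biometric prompt because of kSecAccessControlBiometryAny.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Constructed example (not the asker's code): generate a Secure Enclave key with the three
// corrections from the answer, then prove the *retrieved* key still decrypts by round-tripping data.
static BOOL SecureEnclaveRoundTrip(NSData *tag, NSData *plaintext) {
    CFErrorRef error = NULL;
    // Correction 1: kSecAccessControlPrivateKeyUsage must be set for Secure Enclave private keys.
    SecAccessControlRef sac = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        kSecAccessControlBiometryAny | kSecAccessControlPrivateKeyUsage, &error);
    if (sac == NULL) return NO;
    NSDictionary *attrs = @{
        // Correction 2: the Secure Enclave key type is kSecAttrKeyTypeECSECPrimeRandom.
        (id)kSecAttrKeyType: (id)kSecAttrKeyTypeECSECPrimeRandom,
        (id)kSecAttrKeySizeInBits: @256,
        (id)kSecAttrTokenID: (id)kSecAttrTokenIDSecureEnclave,
        // Correction 3: persistence, tag and access control go under kSecPrivateKeyAttrs.
        (id)kSecPrivateKeyAttrs: @{
            (id)kSecAttrIsPermanent: @YES,
            (id)kSecAttrApplicationTag: tag,
            (id)kSecAttrAccessControl: (__bridge_transfer id)sac,
        },
    };
    SecKeyRef generated = SecKeyCreateRandomKey((__bridge CFDictionaryRef)attrs, &error);
    if (generated == NULL) return NO;
    CFRelease(generated); // Only the keychain copy fetched below is used, as the app would later.
    NSDictionary *query = @{
        (id)kSecClass: (id)kSecClassKey,
        (id)kSecAttrApplicationTag: tag,
        (id)kSecAttrKeyType: (id)kSecAttrKeyTypeECSECPrimeRandom,
        (id)kSecReturnRef: @YES,
    };
    SecKeyRef priv = NULL;
    if (SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef *)&priv) != errSecSuccess) return NO;
    SecKeyAlgorithm alg = kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM;
    // Check support before use: a false here is exactly the symptom in the question (and would crash).
    BOOL ok = SecKeyIsAlgorithmSupported(priv, kSecKeyOperationTypeDecrypt, alg);
    if (ok) {
        SecKeyRef pub = SecKeyCopyPublicKey(priv);
        CFDataRef ct = SecKeyCreateEncryptedData(pub, alg, (__bridge CFDataRef)plaintext, &error);
        CFDataRef pt = ct ? SecKeyCreateDecryptedData(priv, alg, ct, &error) : NULL;
        ok = pt != NULL && [(__bridge NSData *)pt isEqualToData:plaintext];
        if (pt) CFRelease(pt);
        if (ct) CFRelease(ct);
        CFRelease(pub);
    }
    CFRelease(priv);
    return ok;
}
```

A NO return with a non-NULL error after SecKeyCreateRandomKey is where a wrong attribute set surfaces; a NO from the SecKeyIsAlgorithmSupported check reproduces the question's condition without crashing.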

