
Support application password

Open ma-pe opened this issue 6 years ago • 5 comments

Hey, it's me again :-)

Still happily using the master-branch. Lately, I wanted to try the application password method for devices that haven't set fingerprint or passcode.

I added the flag .applicationPassword resulting in: flags: EllipticCurveKeyPair.Device.hasSecureEnclave ? [.applicationPassword, .privateKeyUsage] : [.applicationPassword].

My understanding is that I'd have to provide the actual password to the LAContext before key creation. Something like this: context.setCredential("passwordFromServer".data(using:String.Encoding.utf8)!, type: LACredentialType.applicationPassword)

Though, I don't pass the LAContext to key creation. Regarding your API I can only provide it when decrypting or signing.

ma-pe avatar Mar 07 '18 11:03 ma-pe

Interesting. I didn’t know you could pass a password. I thought it had to be done by the user first time upon key creation. If the api is limiting you I am open to change that. Let me know how it goes and please send me diffs :)

hfossli avatar Mar 07 '18 12:03 hfossli

You can prompt the user to enter a password and use this as the application password. Though, this is not automatically triggered by the key generation.

This is a good example for setting and getting secrets with .applicationPassword: https://macbirdie.net/2016/03/app-pwd

We don't need this at the moment. I just wanted to check how it works. Once we move forward in our development, I'll check back and try to help when we decide to use it.

ma-pe avatar Mar 07 '18 12:03 ma-pe

Thanks for sharing that useful article. I think, as you do, that changes are required in order to properly support this. I will have to think about this.

What needs to be considered

  • should work well on devices that don’t support the privateKeyUsage flag
  • should work well on devices that support the privateKeyUsage flag
  • api should be simple and clear

hfossli avatar Mar 07 '18 18:03 hfossli

Has this issue seen any progress? It seems like a really useful and popular feature, as apps like Revolut use that kind of flow as well. Biometric or app password.

If it helps, there is an implementation here as well: https://github.com/algrid/keychain-sample/blob/master/keychain-sample/KeychainHelper.swift

netgfx avatar Feb 18 '21 17:02 netgfx

Yep. It is possible to do this using a custom LAContext and application password flag.

I have been working on a renewed api. You can check it out here. Also has support for React Native. ES256.zip

hfossli avatar Feb 18 '21 21:02 hfossli
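
The flow discussed in this thread (a custom LAContext carrying the password plus the .applicationPassword flag), as an added example that is not code from EllipticCurveKeyPair or from any participant. The helper name, error type and label are hypothetical, and handing the context to key generation through the private key attributes is an assumption of this example.

```swift
import Foundation
import LocalAuthentication
import Security

enum PasswordKeyError: Error { case credentialRejected }

/// Hypothetical helper: creates a P-256 private key whose use requires `password`.
func makePasswordProtectedKey(label: String, password: String,
                              useSecureEnclave: Bool) throws -> SecKey {
    // Same flag choice as in the issue: .privateKeyUsage only applies to Secure Enclave keys.
    let flags: SecAccessControlCreateFlags = useSecureEnclave
        ? [.applicationPassword, .privateKeyUsage]
        : [.applicationPassword]

    var cfError: Unmanaged<CFError>?
    // This accessibility class does not require a device passcode to be set.
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault, kSecAttrAccessibleWhenUnlockedThisDeviceOnly, flags, &cfError
    ) else { throw cfError!.takeRetainedValue() as Error }

    // Set the password on the context before key creation.
    let context = LAContext()
    guard context.setCredential(Data(password.utf8), type: .applicationPassword) else {
        throw PasswordKeyError.credentialRejected
    }

    var attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrLabel as String: label,
            kSecAttrAccessControl as String: access,
            // Assumption: the context is passed with the private key attributes.
            kSecUseAuthenticationContext as String: context,
        ] as [String: Any],
    ]
    if useSecureEnclave {
        attributes[kSecAttrTokenID as String] = kSecAttrTokenIDSecureEnclave
    }

    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &cfError) else {
        throw cfError!.takeRetainedValue() as Error
    }
    return key
}
```

Using the key later needs an LAContext carrying the same credential, supplied at signing or decryption time as described in the first post.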