SecureEnclaveCrypto icon indicating copy to clipboard operation
SecureEnclaveCrypto copied to clipboard

Published 20 hours ago verified publisher icon trailofbits

Use SecKeyCopyExternalRepresentation to export public keys

Open withzombies opened this issue 7 years ago • 12 comments

Apple added a new API to export keys in sane formats. We should use it.

https://developer.apple.com/reference/security/1643698-seckeycopyexternalrepresentation

withzombies avatar Dec 19 '16 16:12 withzombies

iOS 10 only. What's the benefit / difference?

hfossli avatar Dec 25 '16 18:12 hfossli

I'm ready to implement, but I don't see the added benefit here. Can you elaborate on why we should rather use that new API?

hfossli avatar Jan 02 '17 11:01 hfossli

If we're intending this to be a reference for other developers, then we should use the latest available APIs that produce the simplest code. We had to work around the lack of the SecKeyCopyExternalRepresentation API when we originally wrote this project and it required some hacks that we can eliminate by using it. Less code is better code.

dguido avatar Jan 02 '17 15:01 dguido

If I understand correctly: copying the external representation is only good for later importing that representation. That's not part of showcasing how to use the secure enclave IMHO. I don't think retreiving the bits/string of the public key is done hackish at all - at least not in the swift code.

Feels like I'm misunderstanding you guys.

hfossli avatar Jan 02 '17 18:01 hfossli

It's better to export a key that's directly applicable rather than one you have to run through an auxiliary ruby script. This API didn't exist before, so we had an awful workaround to make it viable for existing applications (e.g. OpenSSL, Python, etc) to use the exported key directly.

withzombies avatar Jan 02 '17 19:01 withzombies

I still don't get it. It seems to me that this api isn't making that easier. Maybe I'm missing something crucial. Lead the way.

hfossli avatar Jan 02 '17 19:01 hfossli

So how's the data structured in the output of this function?

hfossli avatar Jan 02 '17 19:01 hfossli

Exporting the key to an external representation such as PKCS1 allows digital signatures created by the TouchID interface to be validated by tools like openssl. Currently to solve this problem, we have key_builder.rb, but if we can do it without key_builder.rb, that'd be best.

Also, key_builder.rb assumes the key type will always be elliptic curve with the prime256v1 curve. Using the API provided by Apple means we don't have to rely on this assumption.

withzombies avatar Jan 02 '17 19:01 withzombies

Awesome. I'm ready to vet any swift pull requests.

hfossli avatar Jan 02 '17 19:01 hfossli

I don't see any difference. Base64 public key exported using old/current API

BDCvFO9AXGQAkjVrJaGE/mLiWlKLGzTo0n6sAUMrZac0dBdJS+mGFWK6rAtbnLAplXAqXR1wVTBcES9fhJRbKcM=

Base64 public key exported using new API (SecKeyCopyExternalRepresentation)

BDCvFO9AXGQAkjVrJaGE/mLiWlKLGzTo0n6sAUMrZac0dBdJS+mGFWK6rAtbnLAplXAqXR1wVTBcES9fhJRbKcM=

hfossli avatar Jan 12 '17 10:01 hfossli

One advantage IMO is that you wont (Apple actually recommends this) need to store the public key in the keychain. You'd use SecKeyCopyPublicKey to get a reference to it and then you can use SecKeyCopyExternalRepresentation to get the data.

oNaiPs avatar Sep 10 '18 06:09 oNaiPs

Almost 2 years has passed since this issue was opened. The SecKeyCopyPublicKey was quite new then and only available to ios 10. Now it might be possible drop support for iOS 9.

hfossli avatar Sep 10 '18 07:09 hfossli