Hello everyone! I'm currently working on implementing a Secure Enclave to encrypt data from the Login Screen with my application. I've followed the guidelines outlined in the developer documentation, which you can find here: Secure Enclave Documentation. Despite following the documentation, I'm encountering issues with creating a key pair to encrypt data. I would appreciate any suggestions for necessary changes or additional permissions that might be required to address these challenges. Thanks!

Hello fellow developers, I'm currently working on an SDK involving the SECP256R1 standard and facing an interesting issue. My goal is to ensure the Swift implementation of SECP256R1 signatures matches that of Rust's FastCrypto implementation. The Issue: When running tests to compare signatures generated by Swift and Rust implementations, the signatures do not match. Despite this mismatch, verification tests still succeed. I've tried using both the P256 class from CryptoKit and SecKey from the Security SDK. The Swift code is being written in Xcode 15 Beta 8, Swift 5.9. Code Snippet: struct SECP256R1PrivateKey { /// Commented is P256, uncommented is SecKey // public init(key: Data) throws { // if let privateKey = try? P256.Signing.PrivateKey(rawRepresentation: key) { // self.key = privateKey // } else { // throw AccountError.invalidData // } // } public init(key: Data) throws { if let privateKeyP256 = try? P256.Signing.PrivateKey(rawRepresentation: key) { let attributes: [String: Any] = [ kSecAttrKeyClass as String: kSecAttrKeyClassPrivate, kSecAttrKeyType as String: kSecAttrKeyTypeECDSA, kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave, kSecAttrKeySizeInBits as String: 256 ] var error: Unmanaged<CFError>? guard let privateKey = SecKeyCreateWithData(privateKeyP256.rawRepresentation as CFData, attributes as CFDictionary, &error) else { throw error?.takeRetainedValue() as Error? ?? NSError(domain: NSOSStatusErrorDomain, code: Int(errSecParam), userInfo: nil) } self.key = privateKey } else { throw AccountError.invalidData } } // public func sign(data: Data) throws -> Signature { // let signature = try self.key.signature(for: data) // return Signature( // signature: signature.rawRepresentation, // publickey: try self.publicKey().key.compressedRepresentation, // signatureScheme: .SECP256R1 // ) // } public func sign(data: Data) throws -> Signature { let dataHash = Data(data.sha256) var error: Unmanaged<CFError>? guard let signature = SecKeyCreateSignature(self.key, .ecdsaSignatureMessageX962SHA256, dataHash as NSData, &error) as Data? else { throw error!.takeRetainedValue() as Error } guard let publicKey = SecKeyCopyExternalRepresentation(try self.publicKey().key, &error) as Data? else { throw AccountError.invalidData } return Signature( signature: signature, publickey: publicKey, signatureScheme: .SECP256R1 ) } } func testThatTheRustImplementationForSignaturesIsTheSame() throws { let account = try Account(privateKey: Data(self.validSecp256r1SecretKey), accountType: .secp256r1) guard let signData = "Hello, world!".data(using: .utf8) else { XCTFail("Unable to encode message"); return; } let signature = try account.sign(signData) XCTAssertEqual( try signature.hex(), "26d84720652d8bc4ddd1986434a10b3b7b69f0e35a17c6a5987e6d1cba69652f4384a342487642df5e44592d304bea0ceb0fae2e347fa3cec5ce1a8144cfbbb2" ) } The Core Question: How do I implement the R1 signature in Swift so that it matches the signature generated by Rust's FastCrypto? Any insights, suggestions, or sample code snippets that could guide me in the right direction would be immensely appreciated! Thank you in advance!

I am developing a cloud-based application and have integrated the FileProviderExtension. However, files larger than 20 MB are not downloading as it’s throwing a memory limit exception. In this process, I have downloaded the file data, but after downloading the data, I need to decrypt the data. I am getting a memory limit exception during decryption. I am using the below lines to decrypt the data. let symmetricKey = SymmetricKey(data: key) let sealedBox = try AES.GCM.SealedBox(combined: inputData) let decryptedData = try AES.GCM.open(sealedBox, using: symmetricKey) I am getting memory limit exception at AES.GCM.open(sealedBox, using: symmetricKey)

Hi there, I'm trying to do a raw signature but the SecKeyRawSign is deprecated, so I am wondering if there is any way to do it using SecKeyCreateSignature, and EC key and the kSecKeyAlgorithmECDSASignatureMessageX962SHA256 algo. I've noticed that this method applies a hash before signing the data, and I want to avoid that. Is that possible? If not, what other options do i have? Thanks in advance.

I've been reading information/signing data using keys in the file keychain without too many problems but the other day I tried to generate a private key in the file and the secure enclave keychains and I faced the -30418 error. I made sure that the entitlements were correct based on previous posts but still no luck. Code kind of based off this: https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/protecting_keys_with_the_secure_enclave Do you actually need to pay for the $99/per year developer account to generate private keys inside the keychains ?

Hi, I'm having some trouble running a shell script that worked before I updated the Xcode and my MacOS. This is probably connected to the command line tools which were updated with these upgrades. I can't switch to an older version of the command line tools to verify this theory tho... The script uses CryptoKit to decrypt some data which was encrypted using a SymmetricKey. The script: #!/bin/bash # # DecryptScript.sh # # This script decrypts encrypted data using a symmetric key. # Check for the correct number of arguments if [ "$#" -ne 2 ]; then echo "Usage: $0 <encrypted_file_path> <decrypted_file_path>" exit 1 fi # Get the input arguments encryptedFilePath="$1" decryptedFilePath="$2" # Find the path to the script's directory scriptDir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" # Check if the symmetric key file exists in the same directory symmetricKeyPath="$scriptDir/.sim.key" if [ ! -f "$symmetricKeyPath" ]; then echo "SymmetricKey file was not found in the same directory as the script." exit 1 fi # Decrypt the data swift - <<EOF import Foundation import CryptoKit let symmetricKeyURL = URL(fileURLWithPath: "$symmetricKeyPath") let encryptedDataURL = URL(fileURLWithPath: "$encryptedFilePath") let decryptedDataURL = URL(fileURLWithPath: "$decryptedFilePath") guard let symmetricKeyData = try? Data(contentsOf: symmetricKeyURL) else { fatalError("Failed to read symmetric key data") } guard let encryptedData = try? Data(contentsOf: encryptedDataURL) else { fatalError("Failed to read encrypted data") } do { // Decrypt the data using AES-GCM let decryptionKey = SymmetricKey(data: symmetricKeyData) let sealedBox = try AES.GCM.SealedBox(combined: encryptedData) let decryptedData = try AES.GCM.open(sealedBox, using: decryptionKey) // Write the decrypted data to a file try decryptedData.write(to: decryptedDataURL) print("Decryption successful. Decrypted file saved at \(decryptedDataURL)") } catch { print("Decryption failed: \(error.localizedDescription)") } EOF The code in the project which encrypts the data and retrieves the key: func encryptSymmetric(data: Data, password: String) throws -> (Data, Data) { let key = SymmetricKey(size: .bits256) guard let cipher = try? AES.GCM.seal(data, using: key).combined else { throw SomeCustomError.failedToEncryptData } let keyData = key.withUnsafeBytes { Data($0) } return (cipher, keyData) } The error I'm presented with in the terminal is JIT session error: Symbols not found: [ _$s9CryptoKit3AESO3GCMO4open_5using10Foundation4DataVAE9SealedBoxV_AA12SymmetricKeyVtKFZ, _$s9CryptoKit12SymmetricKeyVMa, _$s9CryptoKit3AESO3GCMO9SealedBoxV8combinedAGx_tKc10Foundation12DataProtocolRzlufC, _$s9CryptoKit12SymmetricKeyV4dataACx_tc10Foundation15ContiguousBytesRzlufC, _$s9CryptoKit3AESO3GCMO9SealedBoxVMa ] Failed to materialize symbols: { (main, { _$s4main16encryptedDataURL10Foundation0D0Vvp, _$s4main15symmetricKeyURL10Foundation0D0Vvp, _$s10Foundation4DataVAcA0B8ProtocolAAWL, _$s4main16decryptedDataURL10Foundation0D0Vvp, _$sSa12_endMutationyyF, _$ss5print_9separator10terminatoryypd_S2StFfA0_, _$ss27_finalizeUninitializedArrayySayxGABnlF, _main, _$s10Foundation4DataV15_RepresentationOWOe, _$sSSWOh, _$ss5print_9separator10terminatoryypd_S2StFfA1_, _$s10Foundation4DataV5write2to7optionsyAA3URLV_So20NSDataWritingOptionsVtKFfA0_, ___swift_allocate_value_buffer, __swift_FORCE_LOAD_$_swiftFoundation_$_main, _$s10Foundation4DataV10contentsOf7optionsAcA3URLVh_So20NSDataReadingOptionsVtKcfcfA0_, __swift_FORCE_LOAD_$_swiftXPC_$_main, _$s10Foundation4DataV15_RepresentationOWOy, ___swift_project_value_buffer, _$s10Foundation4DataVAcA0B8ProtocolAAWl, __swift_FORCE_LOAD_$_swiftIOKit_$_main, _$ss26DefaultStringInterpolationVWOh, __swift_FORCE_LOAD_$_swiftCoreFoundation_$_main, _$s10Foundation3URLVACs23CustomStringConvertibleAAWl, __swift_FORCE_LOAD_$_swiftDarwin_$_main, __swift_FORCE_LOAD_$_swiftObjectiveC_$_main, _$s10Foundation3URLVACs23CustomStringConvertibleAAWL, __swift_FORCE_LOAD_$_swiftDispatch_$_main }) } This leads me to believe that linking might not be working properly. I also found this thread where someone had the same issue but with a different framework. NOTE: If I try to decrypt the data in my project, it works without any issues even on Xcode 15. It only fails if I try to run this script which worked before when I had the previous version of command line tools. I even tried updating to Xcode 15.1 beta and its command line tools, without success. Any feedback is appreciated. Thank you.

Hello Here is a problem with creating SecKey for ios 10 after key derivation (HMAC + sha512) After derivation we get 32 bytes of private key and chainCode There is no problem to use this bytes to create P256 private key with function from iOS13 try? P256.Signing.PrivateKey(rawRepresentation: bytes) and then to get x963Representation to create a SecKey But on iOS10 - 12 we don't have an ability to use this function... So I have to convert 32 bites key to 97 somehow to represent it in ANSI x9.63 format Example of key bytes [110, 181, 159, 0, 54, 16, 25, 129, 87, 128, 85, 36, 192, 64, 195, 4, 20, 47, 243, 134, 160, 57, 30, 210, 89, 225, 223, 114, 11, 121, 57, 156] x963Representation [4, 37, 167, 241, 121, 238, 41, 22, 35, 158, 89, 144, 215, 243, 4, 91, 217, 243, 23, 42, 171, 228, 247, 89, 136, 123, 22, 71, 11, 205, 134, 29, 110, 83, 241, 239, 135, 37, 226, 40, 179, 11, 191, 193, 232, 124, 41, 160, 136, 53, 95, 33, 233, 207, 151, 83, 136, 234, 97, 4, 79, 115, 227, 69, 42, 252, 66, 68, 64, 32, 176, 11, 75, 206, 158, 228, 246, 9, 179, 36, 94, 186, 209, 125, 152, 192, 192, 141, 242, 200, 108, 181, 75, 103, 86, 171, 231] I see that x963Representation contains: header(04) + ? + ? + 32_Key_Bytes So the question is - how to count x and y to get the key form (04 || X || Y || K) to be able to create SecKey?

I try to use LAContext.evaluateAccessControl for LAAccessControlOperationUseKeyDecrypt operations using a Secure Enclave-based private key. The keys are created using SecKeyGeneratePair (ECDH + SETokenID). Access Control is then defined using kSecAccessControlBiometryAny | kSecAccessControlAnd | kSecAccessControlPrivateKeyUsage flags. By the time LAContext.evaluateAccessControl is called, SecAccessControlCreateWithFlags is used with flags kSecAccessControlBiometryAny | kSecAccessControlPrivateKeyUsage. Evaluation will fail with ACL error: Domain=com.apple.LocalAuthentication Code=-1009 "ACL operation is not allowed: 'od'" UserInfo={NSDebugDescription=ACL operation is not allowed: 'od’} The same process is fine for signature operations. I don't understand what 'od' stands for. If ACLs are the same for key creations and key usage, shouldn't it prompt TouchID and allow the operation ?

I've went through all the posts with similar info about signature or keys used not working with openssll. But I haven't been able to patch it all together. I will use some sample keys for what I tried, let privPem = """ -----BEGIN PRIVATE KEY----- MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgIUSrwhllMSminPZZ Gx0YHUsL12IWIGI+4yhejpq90HihRANCAAT6pxKtIKm4VbfXeKpQ7rxITlC6b18Q 0X+Iz1UVDolyjx79bt5vUp0mPJ6hHBnK/Ap5gXpv89wmLPp7/O2NconE -----END PRIVATE KEY----- """ let privKey = try! P256.Signing.PrivateKey(pemRepresentation: privPem) let pubKey = privKey.publicKey let challengeDev = "1122334455667788" let dataToSignDev = challengeDev.hexadecimal let digest = SHA256.hash(data: dataToSignDev!) let signatureForDigest = try! privKey.signature( for: digest) let signature1 = try! P256.Signing.ECDSASignature(derRepresentation: signatureForDigest.derRepresentation) let isValidSignature = pubKey.isValidSignature(signatureForDigest, for: digest) I have tried the same using Security framework also to no avail. What I tried is a direct application of what the openssl part does, So I have a device that will verify the signature that the iOS app will be sending. The public key is taken from a certificate I would share with the device. All data sent to the device including signature is in DER format. openssl dgst -sha256 -sign app_private.key -out %OUT_RESOURCES_DIR%\signature.der -binary device_challenge.hex openssl x509 -inform der -in cert.der -out cert.pem openssl x509 -pubkey -noout -in cert.pem &gt; public_key.pem openssl dgst -sha256 -verify public_key.pem -signature signature.der challenge.hex Here on the iOS side If I were to sign and verify everything is fine. But if the same signature is verified on OpenSSL it fails. I tried to create a DER file on the terminal but asn1parse fails on it, Test % echo 30450220198944e2a8352941036f227225940392cbd1bc720358ce29db29a2a85f2b2a30022100b4e75ceb0335e4b1955aab01edc8e7347f78dc627f8d02a78103cd9165571d57 &gt; signature1.der Test % openssl asn1parse -inform DER -in signature1.der 0:d=0 hl=2 l= 48 cons: PRINTABLESTRING Error in encoding 140704639042368:error:0DFFF09B:asn1 encoding routines:CRYPTO_internal:too long:/AppleInternal/Library/BuildRoots/97f6331a-ba75-11ed-a4bc-863efbbaf80d/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/crypto/asn1/asn1_lib.c:143: I'm assuming I need to manually do some changes to make them inter compatible? Like this post Can't export EC kSecAttrTokenIDSecureEnclave public key Not sure how to get there though. All help appreciated.

Hello, I am attempting to perform a Diffie Hellman Keyexchange with a server running on .Net. However, the secretKey I am creating on the client side does not match with the secretKey on the server side, which I have for testing purposes. I can import the server secret key as a SymetricKey, and if I use it to seal and open a box, it works. However, if I seal the box with my client key, I can not open it with the server shared key. I create the SymetricKey like this: let sharedHash = SHA256.self let sharedInfo = serverPublicKey.rawRepresentation let sharedLength = 32 let symetricKey = sharedSecret.x963DerivedSymmetricKey( using: sharedHash, sharedInfo: Data(), outputByteCount: sharedLength) The server key is created using .Net like this: bob.KeyDerivationFunction = ECDiffieHellmanKeyDerivationFunction.Hash; bob.HashAlgorithm = CngAlgorithm.Sha256; bobPublicKey = bob.PublicKey.ToByteArray(); bobKey = bob.DeriveKeyMaterial(CngKey.Import(Alice.alicePublicKey, CngKeyBlobFormat.EccPublicBlob)); My assumption is the keys should be the same. Is that correct? How can I find out what format the server key is in? The .Net documentation is not particularly precise on that You can find a Playground of my code, and when you google for ECDiffieHellmanCng Class, you will find an example on what .Net does. Any help is appreciated

AES 128 CBC algorithm is not producing same results compared to Android code. We have all static strings for key, iv and salt, even then the IV we couldnt match and produce same output as android. This is the Android code, object AESEncyption { ​ fun encrypt(strToEncrypt: String) : String? { try { val cipher = Cipher.getInstance("AES/CBC/PKCS5Padding") val factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1") val spec: KeySpec = PBEKeySpec(secretKey.toCharArray(), hex(salt), iterationCount, keySize) val key: SecretKey = SecretKeySpec(factory.generateSecret(spec).encoded, "AES") cipher.init(Cipher.ENCRYPT_MODE, key, IvParameterSpec(hex(iv))) ​ return base64(cipher.doFinal(strToEncrypt.toByteArray(Charsets.UTF_8))) } catch (e: Exception) { Log.i("Him","Error while encrypting: $e") } return null } ​ private fun base64(bytes: ByteArray?): String { return android.util.Base64.encodeToString(bytes, android.util.Base64.DEFAULT) } ​ /* fun base64(str: String?): ByteArray? { return Base64.decodeBase64(str) }*/ ​ fun hex(bytes: ByteArray?): String? { return Hex.encodeHexString(bytes) } ​ fun hex(str: String): ByteArray? { return try { Hex.decodeHex(str.toCharArray()) } catch (e: DecoderException) { throw IllegalStateException(e) } } } iOS code is let enc = try AES(key: keyVar2!.bytes, blockMode: CBC(iv: iv.base64FromHex.ivToUInt8Array), padding: .pkcs5).encrypt(value.bytes) let encryptedData = Data(enc)

I have a Build Phase which runs a script. The script is a swift file, which I have simplified to illustrate the crash, like so: #!/usr/bin/env xcrun --sdk macosx swift import Foundation import CryptoKit var sha256 = SHA256() // Do other stuff... All the Xcode 15 betas fail to build my app, instead throwing the error: Command PhaseScriptExecution failed with a nonzero exit code. The logs: JIT session error: Symbols not found: [ _$s9CryptoKit6SHA256VMa, _$s9CryptoKit6SHA256VACycfC ] Failed to materialize symbols: { (main, { _$s20PropertyListModifier6sha2569CryptoKit6SHA256Vvp, _main, __swift_FORCE_LOAD_$_swiftDarwin_$_PropertyListModifier, __swift_FORCE_LOAD_$_swiftIOKit_$_PropertyListModifier, ___swift_project_value_buffer, __swift_FORCE_LOAD_$_swiftFoundation_$_PropertyListModifier, ___swift_allocate_value_buffer, __swift_FORCE_LOAD_$_swiftObjectiveC_$_PropertyListModifier, __swift_FORCE_LOAD_$_swiftXPC_$_PropertyListModifier, __swift_FORCE_LOAD_$_swiftCoreFoundation_$_PropertyListModifier, __swift_FORCE_LOAD_$_swiftDispatch_$_PropertyListModifier }) } Does anyone know of a work-around or solution, or does this just look like nothing more than a bug in the betas, which I should "wait out"? It's had the same problem right from beta 1 to the current beta 5 so it's starting to look like it won't be fixed which is worrying me.

Hi guys, I need to use deterministic ECDSA (described in RFC 6979 article: https://www.rfc-editor.org/rfc/rfc6979) algorithm to calculate signature in iOS project. It is known that deterministic ECDSA is vulnerable to fault injection and side-channel attacks, so there is an updates for RFC 6979 described in following article (see section 4): https://www.ietf.org/archive/id/draft-mattsson-cfrg-det-sigs-with-noise-04.html#name-updates-to-rfc-6979-determi I tried to find any information related to deterministic ECDSA algorithm implementation and support in iOS ecosystem, but unfortunately found nothing Could you please provide me complete information whether the deterministic ECDSA with updates is implemented and provides by iOS API? Any guidance or information on this matter would be greatly appreciated. Looking forward for you soon. ))

I'm trying to implement client certificate authentication in the URLSessionDelegate.urlSession(:didReceive:completionHandler:) by using the URLCredential(identity:certificates:persistence:) and CryptoKit, but it appears this is currently not supported. On my client I generate a key and a CSR and after I sent that to the server, I receive an X.509 certificate which I store in the Keychain. I used to create the keys as SecKey objects, which were also stored in the Keychain; this works fine. Now I would like to use the CryptoKit keys, preferably the SecureEnclave.P256 ones. It appears that storing these keys, as suggested by Apple (generic passwords), does not create the SecIdentity I'm after that's needed to create the URLCredential, nor have I been able to transform a SecKey created in the Secure Enclave to a CryptoKit.SecureEnclave.P256 key. The SecKeyCopyExternalRepresentation function simply returns an error telling me that I cannot export Secure Enclave keys (which is weird, as CryptoKit's implementation does somewhat allow this). Also, the URLCredential.init does not allow you to add a private key directly, nor does the SecIdentity provide any way of manually creating it, by supplying the right keys and the right certificates. How can I use CryptoKit for client certificate authentication or how can I use CryptoKit or the older SecKey implementations to create SecIdentity or URLCredential objects that will work?

I am trying to build csr string from publickeyBits and signature from dongle. Below is the swift code portion for generating csr. public func buildCSRAndReturnStringUsingDongle(enrollmentId: String, password: String) -> String? { let tagPublic = "public" + enrollmentId self.dongle = DongleManager.getInstance() self.dongle?.generateKeyPair(enrollmentId: enrollmentId, password: password) let publicKeyFromDongle: String = (self.dongle?.getPublicKeyBits(enrollmentId: enrollmentId, password: password))! print("Public Key is: \n",publicKeyFromDongle) let keyDict: [NSString: Any] = [ kSecAttrKeyType: kSecAttrKeyTypeRSA, kSecAttrKeyClass: kSecAttrKeyClassPublic, kSecAttrKeySizeInBits: 2048 as Any, kSecAttrApplicationTag: tagPublic.data(using: .utf8), ] var error: Unmanaged<CFError>? let publicKeyFromDongleData = Data.init(base64Encoded: publicKeyFromDongle) guard let publicKeySecKey = SecKeyCreateWithData(publicKeyFromDongleData! as CFData, keyDict as CFDictionary, &error) else { print("Failed to create public key:", error!.takeRetainedValue()) return nil } let publickeyBits = KeyPairManager.getInstance().getPublicKeyBits(publicKey: publicKeySecKey, enrollmentId: enrollmentId).0 let certificationRequestInfo = buldCertificationRequestInfo(publickeyBits!) let bytes: [UInt8] = certificationRequestInfo.map { $0 } let certificationRequestStr = String(decoding: bytes, as: UTF8.self) let signaturedString = self.dongle?.sign(password: password, data : certificationRequestStr, enrollmentId: enrollmentId) var signature = [UInt8](repeating: 0, count: 256) var signatureLen: Int = signature.count let signatureData = signaturedString!.data(using: .hexadecimal) signatureData!.copyBytes(to: &signature, count: signatureData!.count) signatureLen = signatureData!.count print("signature length: " + String(signatureLen)) print("signature: "+signatureData!.base64EncodedString()) var certificationRequest = Data(capacity: 1024) certificationRequest.append(certificationRequestInfo) let shaBytes = keyAlgorithm.sequenceObjectEncryptionType certificationRequest.append(shaBytes, count: shaBytes.count) var signData = Data(capacity: 2049) let zero: UInt8 = 0 // Prepend zero signData.append(zero) signData.append(signature, count: signatureLen) appendBITSTRING(signData, into: &certificationRequest) enclose(&certificationRequest, by: sequenceTag) // Enclose into SEQUENCE let csrString = certificationRequest.base64EncodedString(options: NSData.Base64EncodingOptions(rawValue: 0)) .addingPercentEncoding(withAllowedCharacters: CharacterSet.urlQueryAllowed) print(csrString) let head = "-----BEGIN CERTIFICATE REQUEST-----\n" let foot = "-----END CERTIFICATE REQUEST-----\n" var isMultiple = false var newCSRString = head //Check if string size is a multiple of 64 if csrString!.count % 64 == 0 { isMultiple = true } for (integer, character) in csrString!.enumerated() { newCSRString.append(character) if (integer != 0) && ((integer + 1) % 64 == 0) { newCSRString.append("\n") } if (integer == csrString!.count-1) && !isMultiple { newCSRString.append("\n") } } newCSRString += foot return newCSRString } I wrote a Wrapper where sign function is as of given below. We had a getPublicBits() function here and i think that is working properly. So, I skip this here. - (NSString*) sign: (NSString*)password data: (NSString*)data enrollmentId: (NSString*)enrollmentId { Dongle *d = (Dongle*)****; char * pass = strdup([password UTF8String]); char * signDataStr = strdup([data UTF8String]); char * enId = strdup([enrollmentId UTF8String]); NSData* data2 = [data dataUsingEncoding:NSUTF8StringEncoding]; char *signData = (char *)[data2 bytes]; NSString* signaturedString = [NSString stringWithCString:d->sign(pass, signData, enId).c_str() encoding:[NSString defaultCStringEncoding]]; return signaturedString; } I used signUtil method from safenet sdk's library. std::string Dongle::signUtil(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hPrivateKey, char* password, char* data) { //std::cout<<"data is: " << *data; CK_RV retCode = CKR_OK; int isPaddingRequired = 0; int isDataFromUser = 0; CK_MECHANISM mech; CK_BYTE pSigData[3000]; #ifndef PKCS11_V1 CK_ULONG usSigLen = sizeof(pSigData); #else CK_ULONG usSigLen = 0; #endif char *pInputData = 0; unsigned long ulInputDataLen = strlen(data); std::cout << "length: " << ulInputDataLen; CK_BYTE_PTR pInData = (CK_BYTE_PTR)data; std::cout << "Mechanism: [6]SHA256-RSA" <<std::endl; retCode = C_Login(hSession, CKU_USER, (CK_UTF8CHAR_PTR)password, strlen(password)); mech.mechanism = CKM_SHA256_RSA_PKCS; mech.pParameter = 0; mech.ulParameterLen = 0; isDataFromUser = 0; if( retCode == CKR_OK ) { if( isPaddingRequired ) { for(unsigned long ulLoop=ulInputDataLen; ulLoop<64; ++ulLoop) { pInData[ulLoop] = 0; } ulInputDataLen = 64; } } if (retCode == CKR_OK) { retCode = C_SignInit(hSession, &mech, hPrivateKey); } CK_ULONG usInLen = (CK_ULONG)ulInputDataLen; // get the signature length if(retCode == CKR_OK) { retCode = C_Sign(hSession, pInData, usInLen, (CK_BYTE_PTR)NULL_PTR, &usSigLen); } // get the signature if(retCode == CKR_OK) { retCode = C_Sign(hSession, pInData, usInLen, (CK_BYTE_PTR)pSigData, &usSigLen); } std::string returnSignature = ""; if( (retCode == CKR_OK) && usSigLen ) { std::cout << "Signed Data " << std::endl << "(hex) "; for(unsigned long ulLoop=0; ulLoop<usSigLen; ++ulLoop) { char pBuffer[25]; sprintf(pBuffer, "%02x", pSigData[ulLoop]); std::cout << pBuffer; returnSignature += pBuffer; } std::cout << std::endl; } // Release memory if( pInputData ) { delete pInputData; } return returnSignature; } I debug a lot and according to csr decoder, only the signature is invalid. public key and signature algorithm are valid.

Hi, I am trying to implement encryption and decryption with EC signing keys. in the process I am getting the following error while creating a SecKey from the private key. Error in creating a secKey Optional(Swift.Unmanaged&lt;__C.CFErrorRef&gt;(_value: Error Domain=NSOSStatusErrorDomain Code=-50 "EC private key creation from data failed" (paramErr: error in user parameter list) UserInfo={numberOfErrorsDeep=0, NSDescription=EC private key creation from data failed})) Code snippet for decryption func decrypt(data: Data, key: SecureEnclave.P256.Signing.PrivateKey) throws -&gt; Data? {     var error: Unmanaged&lt;CFError&gt;?     let privateKeyData: CFData = key.dataRepresentation as CFData     let privateKeyAttributes = [kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom,                                 kSecAttrKeyClass: kSecAttrKeyClassPrivate] as CFDictionary     guard let SecKey = SecKeyCreateWithData(privateKeyData, privateKeyAttributes as CFDictionary, &amp;error)     else {         print("Error in creating a secKey", error)         return nil     }          guard SecKeyIsAlgorithmSupported(SecKey, .decrypt, EncryptAndDecryptAlogrithm)     else {         print("Decryption algorithm is not supported", error)         return nil     }          guard let decryptedData = SecKeyCreateDecryptedData(SecKey, EncryptAndDecryptAlogrithm, data as CFData, &amp;error) else {         print("Error in decryption", error)         return nil     }     return decryptedData as Data } let data = Data(base64Encoded: "BNtHrb1cZuflSDZz+E3PnIkLtYUQuBDW+ONlzuAypZcQa+5oKv0L0wSIBMMseMr0roloexPwTaVV26ddewTP0+vRt9v6uLOg366cElMo6P5nh2K7xKi1PMcRyBVel+Kq9WQWT/EkRIuUkHdq2KLXy/Q=")! let alice = try SecureEnclave.P256.Signing.PrivateKey() let decryptedData = try decrypt(data: data, key:alice) Thank you in advance.

I am slightly confused as to how I am supposed to maintain persistent access to a SecureEnclave.P256.Signing.PrivateKey. Do I have to persist the key myself (using its dataRepresentation property and code along the lines of Storing CryptoKit Keys in the Keychain or is there another persistent reference to the key inside the Secure Enclave that I can use later?

Hello, I'm working with Cryptokit and I'm currently unable to export a P256 ECDSA signature data to base64Encoding and convert it back to derRepresentation. Here is my code: let privateKey = P256.Signing.PrivateKey() //Generated successfully /* For example pemRepresentation: -----BEGIN PRIVATE KEY----- MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgK+lUhkqFo637XuvJ Q6YiqZx04c33UUyWnLnpwfTwrtChRANCAARy55pVFhjgq3jKnQTx7s1XDIaNm20m 29ZEiBJnvzYfQGUQ+4ldzJYm34z8W2X/waqTqXsY4/oSO1sDFSQ6XwrG -----END PRIVATE KEY----- */ let publicKey = privateKey.publicKey //Picked up successfully /* For example pemRepresentation: -----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEcueaVRYY4Kt4yp0E8e7NVwyGjZtt JtvWRIgSZ782H0BlEPuJXcyWJt+M/Ftl/8Gqk6l7GOP6EjtbAxUkOl8Kxg== -----END PUBLIC KEY----- */ //Basic message to test, "something" here let messageDigest = "something".data(using: .utf8)!                  let signature = try privateKey.signature(for: messageDigest) //Successfully generated                  //Now from the PublicKey, let's check the signature for the message let isValidSignature = publicKey.isValidSignature(signature, for: messageDigest) //Successfully Return true //So far everything works fine //Now lets try to export the derRepresentation of the signature we just created to a base64EncodedString and try to use it later let signDataDerRepresentation = signature.derRepresentation //Here the signDataDerRepresentation is 70 bytes length //Here we get the signature derRepresentation to base64EncodedString, perfect to export let signDataDerRepresentationBase64String = signature.derRepresentation.base64EncodedString() /* "MEQCIGVC/zOGKEauy9AetVViTZiMTtFIeNtW9xALMTu6aIjSAiB+QPz9nGwzy51k3p3osu9OY6oQXkuLHTPoSWxPorg8GA==" */ //Here the signDataDerRepresentationBase64String is 96 bytes length //Now when I try to create a signature from a derRepresentation it works fine when I use the original derRepresentation data: let signature1 = try! P256.Signing.ECDSASignature(derRepresentation: signDataDerRepresentation) //signature1 is created //But when I try to create exactly the same signature from the base64EncodedString, an exception is throw //Convert base64String to Data let signDataDerRepresentationBase64StringData = signDataDerRepresentationBase64String.data(using: .utf8)! do { //Try to create a signature from the base64EncodedData of de the derRepresentation let signature2 = try P256.Signing.ECDSASignature(derRepresentation: signDataDerRepresentationBase64StringData) //Here it fails, signature2 is not created }catch{ //It fails with error: invalidASN1Object print("Signature failed \(error)") /* Signature failed invalidASN1Object */ } So now, I would like to know how to convert de derRepresentation of the signature I created into a base64EncodedString to the derRepresentation the ECDSASignature(derRepresentation:) func is looking for to create a signature from derRepresentation? I don't understand how I can convert my base64 String into that derRepresentation this func is looking for, I can't find the doc : /// An ECDSA (Elliptic Curve Digital Signature Algorithm) Signature @available(iOS 13.0, macOS 10.15, watchOS 6.0, tvOS 13.0, *) extension P256.Signing {     public struct ECDSASignature : ContiguousBytes {         /// Returns the raw signature.         /// The raw signature format for ECDSA is r || s         public var rawRepresentation: Data         /// Initializes ECDSASignature from the raw representation.         /// The raw signature format for ECDSA is r || s         /// As defined in https://tools.ietf.org/html/rfc4754         public init<D>(rawRepresentation: D) throws where D : DataProtocol         /// Initializes ECDSASignature from the DER representation.         public init<D>(derRepresentation: D) throws where D : DataProtocol         /// Calls the given closure with the contents of underlying storage.         ///         /// - note: Calling `withUnsafeBytes` multiple times does not guarantee that         ///         the same buffer pointer will be passed in every time.         /// - warning: The buffer argument to the body should not be stored or used         ///            outside of the lifetime of the call to the closure.         public func withUnsafeBytes<R>(_ body: (UnsafeRawBufferPointer) throws -> R) rethrows -> R         /// A DER-encoded representation of the signature         public var derRepresentation: Data { get }     } } Thank you for your help. Hélie