I've went through all the posts with similar info about signature or keys used not working with openssll. But I haven't been able to patch it all together.
I will use some sample keys for what I tried,
let privPem = """
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgIUSrwhllMSminPZZ
Gx0YHUsL12IWIGI+4yhejpq90HihRANCAAT6pxKtIKm4VbfXeKpQ7rxITlC6b18Q
0X+Iz1UVDolyjx79bt5vUp0mPJ6hHBnK/Ap5gXpv89wmLPp7/O2NconE
-----END PRIVATE KEY-----
"""
let privKey = try! P256.Signing.PrivateKey(pemRepresentation: privPem)
let pubKey = privKey.publicKey
let challengeDev = "1122334455667788"
let dataToSignDev = challengeDev.hexadecimal
let digest = SHA256.hash(data: dataToSignDev!)
let signatureForDigest = try! privKey.signature(
for: digest)
let signature1 = try! P256.Signing.ECDSASignature(derRepresentation: signatureForDigest.derRepresentation)
let isValidSignature = pubKey.isValidSignature(signatureForDigest, for: digest)
I have tried the same using Security framework also to no avail.
What I tried is a direct application of what the openssl part does, So I have a device that will verify the signature that the iOS app will be sending. The public key is taken from a certificate I would share with the device. All data sent to the device including signature is in DER format.
openssl dgst -sha256 -sign app_private.key -out %OUT_RESOURCES_DIR%\signature.der -binary device_challenge.hex
openssl x509 -inform der -in cert.der -out cert.pem
openssl x509 -pubkey -noout -in cert.pem > public_key.pem
openssl dgst -sha256 -verify public_key.pem -signature signature.der challenge.hex
Here on the iOS side If I were to sign and verify everything is fine. But if the same signature is verified on OpenSSL it fails.
I tried to create a DER file on the terminal but asn1parse fails on it,
Test % echo 30450220198944e2a8352941036f227225940392cbd1bc720358ce29db29a2a85f2b2a30022100b4e75ceb0335e4b1955aab01edc8e7347f78dc627f8d02a78103cd9165571d57 > signature1.der
Test % openssl asn1parse -inform DER -in signature1.der
0:d=0 hl=2 l= 48 cons: PRINTABLESTRING
Error in encoding
140704639042368:error:0DFFF09B:asn1 encoding routines:CRYPTO_internal:too long:/AppleInternal/Library/BuildRoots/97f6331a-ba75-11ed-a4bc-863efbbaf80d/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/crypto/asn1/asn1_lib.c:143:
I'm assuming I need to manually do some changes to make them inter compatible?
Like this post
Can't export EC kSecAttrTokenIDSecureEnclave public key
Not sure how to get there though. All help appreciated.
Apple CryptoKit
RSS for tagPerform cryptographic operations securely and efficiently using Apple CryptoKit.
Posts under Apple CryptoKit tag
24 Posts
Sort by:
Post
Replies
Boosts
Views
Activity
I have a Build Phase which runs a script. The script is a swift file, which I have simplified to illustrate the crash, like so:
#!/usr/bin/env xcrun --sdk macosx swift
import Foundation
import CryptoKit
var sha256 = SHA256()
// Do other stuff...
All the Xcode 15 betas fail to build my app, instead throwing the error: Command PhaseScriptExecution failed with a nonzero exit code.
The logs:
JIT session error: Symbols not found: [ _$s9CryptoKit6SHA256VMa, _$s9CryptoKit6SHA256VACycfC ]
Failed to materialize symbols: { (main, { _$s20PropertyListModifier6sha2569CryptoKit6SHA256Vvp, _main, __swift_FORCE_LOAD_$_swiftDarwin_$_PropertyListModifier, __swift_FORCE_LOAD_$_swiftIOKit_$_PropertyListModifier, ___swift_project_value_buffer, __swift_FORCE_LOAD_$_swiftFoundation_$_PropertyListModifier, ___swift_allocate_value_buffer, __swift_FORCE_LOAD_$_swiftObjectiveC_$_PropertyListModifier, __swift_FORCE_LOAD_$_swiftXPC_$_PropertyListModifier, __swift_FORCE_LOAD_$_swiftCoreFoundation_$_PropertyListModifier, __swift_FORCE_LOAD_$_swiftDispatch_$_PropertyListModifier }) }
Does anyone know of a work-around or solution, or does this just look like nothing more than a bug in the betas, which I should "wait out"? It's had the same problem right from beta 1 to the current beta 5 so it's starting to look like it won't be fixed which is worrying me.
Hi, I am trying to implement encryption and decryption with EC signing keys. in the process I am getting the following error while creating a SecKey from the private key.
Error in creating a secKey Optional(Swift.Unmanaged<__C.CFErrorRef>(_value: Error Domain=NSOSStatusErrorDomain Code=-50 "EC private key creation from data failed" (paramErr: error in user parameter list) UserInfo={numberOfErrorsDeep=0, NSDescription=EC private key creation from data failed}))
Code snippet for decryption
func decrypt(data: Data, key: SecureEnclave.P256.Signing.PrivateKey) throws -> Data? {
var error: Unmanaged<CFError>?
let privateKeyData: CFData = key.dataRepresentation as CFData
let privateKeyAttributes = [kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom,
kSecAttrKeyClass: kSecAttrKeyClassPrivate] as CFDictionary
guard let SecKey = SecKeyCreateWithData(privateKeyData, privateKeyAttributes as CFDictionary, &error)
else {
print("Error in creating a secKey", error)
return nil
}
guard SecKeyIsAlgorithmSupported(SecKey, .decrypt, EncryptAndDecryptAlogrithm)
else {
print("Decryption algorithm is not supported", error)
return nil
}
guard let decryptedData = SecKeyCreateDecryptedData(SecKey, EncryptAndDecryptAlogrithm, data as CFData, &error) else {
print("Error in decryption", error)
return nil
}
return decryptedData as Data
}
let data = Data(base64Encoded: "BNtHrb1cZuflSDZz+E3PnIkLtYUQuBDW+ONlzuAypZcQa+5oKv0L0wSIBMMseMr0roloexPwTaVV26ddewTP0+vRt9v6uLOg366cElMo6P5nh2K7xKi1PMcRyBVel+Kq9WQWT/EkRIuUkHdq2KLXy/Q=")!
let alice = try SecureEnclave.P256.Signing.PrivateKey()
let decryptedData = try decrypt(data: data, key:alice)
Thank you in advance.
General:
Apple Platform Security support document
Security Overview
Cryptography:
DevForums tags: Security, Apple CryptoKit
Security framework documentation
Apple CryptoKit framework documentation
Common Crypto man pages — For the full list of pages, run:
% man -k 3cc
For more information about man pages, see Reading UNIX Manual Pages.
On Cryptographic Key Formats DevForums post
SecItem attributes for keys DevForums post
CryptoCompatibility sample code
Keychain:
DevForums tags: Security
Security > Keychain Items documentation
TN3137 On Mac keychain APIs and implementations
SecItem Fundamentals DevForums post
SecItem Pitfalls and Best Practices DevForums post
Investigating hard-to-reproduce keychain problems DevForums post
Smart cards and other secure tokens:
DevForums tag: CryptoTokenKit
CryptoTokenKit framework documentation
Mac-specific frameworks:
DevForums tags: Security Foundation, Security Interface
Security Foundation framework documentation
Security Interface framework documentation
Related:
Networking Resources — This covers high-level network security, including HTTPS and TLS.
Network Extension Resources — This covers low-level network security, including VPN and content filters.
Code Signing Resources
Notarisation Resources
Trusted Execution Resources — This includes Gatekeeper.
App Sandbox Resources
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"