Is private key extraction allowed?

As I read the Apple documentation on the Secure Enclave and the keychain, extraction of the private key is not allowed. The following is the reference:

"Can’t import preexisting keys. You must create keys directly inside the Secure Enclave. Not having a mechanism to transfer key data into or out of the Secure Enclave is fundamental to its security." Link: https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave

But after loading the key using "SecItemCopyMatching" and then passing the object into "SecKeyCopyAttributes", we get a dictionary of key-value pairs. I believe that the private key was part of the value for the key "toid" of that dictionary.

Is my understanding correct, or am I missing something?

I couldn't find the documentation describing the meaning of the key-value pairs of the dictionary returned by "SecKeyCopyAttributes". I'd appreciate it if somebody could guide me to that documentation.

Note: I am creating an EC key pair.

Replies

"I believe that the private key was part of the value for the key "toid" of that dictionary. Is my understanding correct, or am I missing something?"

I do see what you are saying, but extracting the toid value from a SecKey that is created in the Secure Enclave does not allow your code to create a new SecKey with SecKeyCreateFromData. For example, if you pass the data extracted from toid into SecKeyCreateFromData, this will not provide you a nil value.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
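To make the behaviour discussed in the question and the reply concrete, here is an added Swift example (not code from the original post, from the reply, or from Apple's documentation). It creates a P-256 key pair inside the Secure Enclave, reloads it with SecItemCopyMatching as the question does, lists the attribute dictionary returned by SecKeyCopyAttributes, and then attempts to export the private and the public half. The application tag, the error enum and the cleanup helper are assumptions made for this demo; the code needs a device or Mac with a Secure Enclave and an app signed with the keychain entitlement, so it does not run on the Simulator.

```swift
import Foundation
import Security

// Assumed names for this demo; not part of the original thread.
enum EnclaveDemoError: Error {
    case accessControl(CFError?)
    case keyGeneration(CFError?)
}

let demoTag = "com.example.enclave-demo.ec-key"   // placeholder application tag

/// Creates a permanent P-256 private key inside the Secure Enclave.
func makeSecureEnclaveKey(tag: String) throws -> SecKey {
    var error: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        .privateKeyUsage,
        &error) else {
        throw EnclaveDemoError.accessControl(error?.takeRetainedValue())
    }
    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: tag.data(using: .utf8)!,
            kSecAttrAccessControl as String: access,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        throw EnclaveDemoError.keyGeneration(error?.takeRetainedValue())
    }
    return key
}

/// Reloads the key by tag, the same way the question's code obtains its SecKey.
func loadKey(tag: String) -> SecKey? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrApplicationTag as String: tag.data(using: .utf8)!,
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecReturnRef as String: true,
    ]
    var item: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess,
          let item = item else { return nil }
    return (item as! SecKey)
}

/// Prints each attribute name with the type of its value and reports whether
/// the dictionary carries raw key bytes under kSecValueData (the attribute
/// under which key material would appear if it were present).
func attributesExposeKeyMaterial(_ key: SecKey) -> Bool {
    guard let attrs = SecKeyCopyAttributes(key) as? [String: Any] else { return false }
    for (name, value) in attrs.sorted(by: { $0.key < $1.key }) {
        print("\(name): \(type(of: value))")
    }
    return attrs[kSecValueData as String] != nil
}

/// Tries to export the private key; a Secure Enclave key refuses with an error.
func privateKeyIsExportable(_ key: SecKey) -> Bool {
    var error: Unmanaged<CFError>?
    let data = SecKeyCopyExternalRepresentation(key, &error)
    if let err = error?.takeRetainedValue() {
        print("private key export refused: \(err)")
    }
    return data != nil
}

/// The public half is exportable as an uncompressed X9.63 point.
func publicKeyBytes(_ key: SecKey) -> Data? {
    guard let pub = SecKeyCopyPublicKey(key) else { return nil }
    var error: Unmanaged<CFError>?
    return SecKeyCopyExternalRepresentation(pub, &error) as Data?
}

/// Removes the demo key so repeated runs do not accumulate permanent keys.
func deleteKey(tag: String) -> OSStatus {
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrApplicationTag as String: tag.data(using: .utf8)!,
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
    ]
    return SecItemDelete(query as CFDictionary)
}

do {
    _ = try makeSecureEnclaveKey(tag: demoTag)
    guard let key = loadKey(tag: demoTag) else { fatalError("key not found after creation") }
    print("attributes expose key material: \(attributesExposeKeyMaterial(key))")
    print("private key exportable: \(privateKeyIsExportable(key))")
    print("public key byte count: \(publicKeyBytes(key)?.count ?? 0)")
    _ = deleteKey(tag: demoTag)
} catch {
    print("Secure Enclave demo failed: \(error)")
}
```

With a Secure Enclave key, SecKeyCopyExternalRepresentation on the private half returns nil and sets an error, while the public half exports as a 65-byte uncompressed point; that contrast is the practical meaning of "not having a mechanism to transfer key data out of the Secure Enclave" quoted in the question. The attribute listing is there so a reader can see for themselves which names (including toid) come back and of what type, rather than guessing which value might hold key material.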