OShv, I didn’t see your comments from back in Feb 2023. Sorry. In future, I recommend that you reply as a reply, rather than in the comments. See Quinn’s Top Ten DevForums Tips for this and other titbits.
If you’re still looking for answers to anything, reply here and I’ll take another look.
Do you imply that an HSM must be able to export its secrets to work with CryptoTokenKit?
No. The key (ahem) thing to note here is that SecIdentityCopyPrivateKey returns a SecKey object. That object isn’t the key itself, it’s a ‘handle’ to the key. To perform a cryptographic operation with that key, you have to pass it back to another API. Let’s say you want to sign some data. You pass the SecKey object to SecKeyCreateSignature. That routine knows that the key is backed by a CTK module, and so passes the operation on to the module. That module knows that the key is backed by a hardware token, so it passes the operation on to the token. The token gets that request, performs the operation, and passes back the signature, which flows back to you via the reverse path.

Critically, if you pass a hardware-backed SecKey object to SecKeyCopyExternalRepresentation, in an attempt to get the raw bytes of the key, that’ll fail.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
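The handle behaviour described in the reply, written out as an added Swift example (not code from the reply or from Apple). It looks up the first identity in the keychain (which identity that is, and whether a CryptoTokenKit token backs it, depends on the machine), signs a message through the SecKey handle, verifies the signature with the exportable public half, and then shows that asking for the private key’s raw bytes fails for a hardware-backed key. The error enum and the function names are this example’s own; the Security framework calls are real.

```swift
import Foundation
import Security

// Added example, not from the original reply. Assumes at least one identity
// is present in the keychain or offered by a CryptoTokenKit module.
enum HandleDemoError: Error {
    case status(OSStatus)
    case noSupportedAlgorithm
    case noPublicKey
    case cf(CFError)
}

// Find one identity; the query is deliberately broad for illustration.
func firstIdentity() throws -> SecIdentity {
    let query: [String: Any] = [
        kSecClass as String: kSecClassIdentity,
        kSecReturnRef as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let found = item else { throw HandleDemoError.status(status) }
    return found as! SecIdentity
}

// Sign through the SecKey handle. For a token-backed key the work happens on the
// token (and may prompt for a PIN); only the signature comes back to us.
func signAndVerify(identity: SecIdentity, message: Data) throws -> Bool {
    var privateKey: SecKey?
    let status = SecIdentityCopyPrivateKey(identity, &privateKey)
    guard status == errSecSuccess, let key = privateKey else { throw HandleDemoError.status(status) }

    // Let the handle tell us which algorithm whatever backs it can perform.
    let candidates: [SecKeyAlgorithm] = [.ecdsaSignatureMessageX962SHA256,
                                         .rsaSignatureMessagePKCS1v15SHA256]
    guard let algorithm = candidates.first(where: { SecKeyIsAlgorithmSupported(key, .sign, $0) }) else {
        throw HandleDemoError.noSupportedAlgorithm
    }

    var error: Unmanaged<CFError>?
    guard let signature = SecKeyCreateSignature(key, algorithm, message as CFData, &error) as Data? else {
        throw HandleDemoError.cf(error!.takeRetainedValue())
    }

    // The public half is not secret and is always available for verification.
    guard let publicKey = SecKeyCopyPublicKey(key) else { throw HandleDemoError.noPublicKey }
    return SecKeyVerifySignature(publicKey, algorithm, message as CFData, signature as CFData, &error)
}

// Returns true only if the private key bytes can be exported. For a
// hardware-backed key this returns false: the handle has no bytes to hand over.
func privateKeyIsExportable(identity: SecIdentity) -> Bool {
    var privateKey: SecKey?
    guard SecIdentityCopyPrivateKey(identity, &privateKey) == errSecSuccess, let key = privateKey else {
        return false
    }
    var error: Unmanaged<CFError>?
    if let raw = SecKeyCopyExternalRepresentation(key, &error) as Data? {
        print("private key exported (\(raw.count) bytes): this key is NOT hardware-backed")
        return true
    }
    let reason = error?.takeRetainedValue().localizedDescription ?? "unknown"
    print("export refused: \(reason)")
    return false
}

do {
    let identity = try firstIdentity()
    let message = Data("constructed sample message".utf8) // constructed input
    print("signature verifies:", try signAndVerify(identity: identity, message: message))
    print("private key exportable:", privateKeyIsExportable(identity: identity))
} catch {
    print("demo failed:", error)
}
```

Run it with a software identity in the login keychain and export succeeds; run it with an identity from a smart card or other CTK token and signing still works, but the export call returns nil with an error. That asymmetry is the property to rely on when you audit code that handles private keys: a SecKey passed around your process is a capability to use the key, not a copy of it.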