Since it is going to be a be long post, I'll start by resuming what my goals are:
- ✅ Create an EC private key inside the Secure Enclave ℹ (only secp256r1 is supported atm. A11 and before)
- ✅ Get the public key so I can export it ℹ (you can only get a binary format, so you may want to wrap it)
- ✖ Sign an already hashed Data to an x509 DER format ℹ (the hash used is SHA256) (see EDIT3)
- ✅ Remove the private key
xCode: 9.0
iPhone6s: iOS11.0.2
Swift: 3
Here are the attributes used to generate my key pair:
let attributes:[NSObject:AnyObject] = [ kSecAttrIsPermanent: kCFBooleanTrue, kSecAttrAccessible: kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly, kSecAttrApplicationTag: ApplicationPrivateKeyTag as CFString, kSecAttrLabel: ApplicationPrivateKeyLabel as CFString, kSecAttrKeyType: ( iOS10Available ) ? (kSecAttrKeyTypeECSECPrimeRandom) : (kSecAttrKeyTypeEC), kSecAttrKeySizeInBits: ECKeySize as CFNumber, kSecAttrTokenID: kSecAttrTokenIDSecureEnclave ]
note1: iOS10Avaibale is a boolean that already checked which version of iOS we're dealing with, so we can give the correct parameter
note2: ECKeySize == 256
I generate my keypair with:
SecKeyGeneratePair(attributes as CFDictionary, nil, nil)Though I also tried this one, without actually getting the difference between them, is there a difference other than the function's signature?
var error: Unmanaged<CFError>? SecKeyCreateRandomKey(attributes as CFDictionary, &error)
I am then able to get the public key (and format it to x509 format):
// Query to get the private ref let query: [NSObject: AnyObject] = [ kSecAttrApplicationTag: ApplicationPrivateKeyTag as AnyObject, kSecAttrLabel: ApplicationPrivateKeyLabel as AnyObject, kSecClass: kSecClassKey, kSecAttrKeyClass: kSecAttrKeyClassPrivate, kSecReturnRef: kCFBooleanTrue ] // Get private key.. // SecItemCopyMatching(query as NSDictionary, &extractedData) // Get public SecKey.. // SecKeyCopyPublicKey(privateSecKeyRef) // Get public key as Data // SecKeyCopyExternalRepresentation(publicSecKey!, &error) // Wrap public key to x509 format // x509Header: Data = Data(bytes: [UInt8]([48, 89, 48, 19, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 8, 42, 134, 72, 206, 61, 3, 1, 7, 3, 66, 0])) var pubkeyWraped = x509Header pubkeyWraped.append(publicKey) pubkeyWraped.hexEncodedString() // <- here is the hex public key
If you wonder about:
- x509 header: see https://forums.developer.apple.com/message/84684#84684
- hexEncodedString(): see stackoverflow dot com /questions/39075043/how-to-convert-data-to-hex-string-in-swift#40089462
- the other functions: check the doc
note: I keep it in hex format instead of base64 format
=======================================================================================
=======================================================================================
Ok now, some precisions about my test:
- The original data is: "wubba lubba dub dub"
- dataToSign is a hash SHA256 : "23a0944d11b5a54f1970492b5265c732044ae824b7d5656acb193e7f0e51e5fa"
And once again I need to make a choice, but I can't figure it out whether I should use:
Method 1: (the one that should be used no?)
let signature = SecKeyCreateSignature(privateSecKeyRef, .ecdsaSignatureDigestX962SHA256, digestToSign as CFData, &error) as Data?
I don't get the difference between:
- .ecdsaSignatureRFC4754
- .ecdsaSignatureDigestX962
- .ecdsaSignatureDigestX962SHA256 (the one documented, it should be the one to use right?)
Doc is here: https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/signing_and_verifying
This function returns this error:
"bad digest size for signing with algorithm algid:sign:ECDSA:digest-X962:SHA256"
What am I doing wrong here?
Isn't the size expected 64 bytes?
Am I bigger, smaller?
What is it related to?
As seen on these close-related threads, secp256r1 curve should be compatible with SHA256 hash right?
- crypto.stackexchange dot com /questions/19793/does-the-size-of-a-ecdsa-key-determine-the-hash-algorithm
- crypto.stackexchange dot com /questions/18488/ecdsa-with-sha256-and-sepc192r1-curve-impossible-or-how-to-calculate-e
EDIT1:
If I give the .ecdsaSignatureMessageX962SHA256 option and that I don't pre-hash the message, I am able to verify the signature both with SecKeyVerifySignature(...) and an external function made with go.
(my hash is good since I still give the hashed form to my external go function, and well, you can check it too)
===========
FWIW: I am converting my string to data that way:
let str = "wubba lubba dub dub" // let str = "23a0944d11b5a54f1970492b5265c732044ae824b7d5656acb193e7f0e51e5fa" let toSign = str.data(using: .utf8)!
EDIT3: str.data(using .utf8)! will convert every single character to create a byte, not 2 character... Thus creating a 64 bytes long Data instead of a required one of 32 bytes.
Method 2:
let digestToSignLen = digestToSign.count var rawSig = Data(count: 128) var rawSigLen = 128 let status = digestToSign.withUnsafeBytes { (digestToSign) -> OSStatus in rawSig.withUnsafeMutableBytes({ (rawSig) -> OSStatus in return SecKeyRawSign(privateKeyRef!, SecPadding.sigRaw, digestToSign, digestToSignLen, rawSig, &rawSigLen) }) } if status == errSecSuccess { signature = rawSig.subdata(in: 0..<rawSigLen) }
If you wonder about why nesting everything, take a look at:
https://forums.developer.apple.com/thread/63965
if you wonder about the PKCS1* options of SecPadding for ec keys, take a look at:
security.stackexchange dot com /questions/84327/converting-ecc-private-key-to-pkcs1-format
Not sure about the actual effect of SecPadding.sigRaw
Is it supposed to refer to:
- the format of what it receives?
- the way it is going to (not) format the signature?
- both?
When I execute this code using the .sigRaw options:
- with the private key attribute kSecAttrTokenID: kSecAttrTokenIDSecureEnclave
I get an OSStatus -50 (bad argument(s))
- without the private key attribute kSecAttrTokenID: kSecAttrTokenIDSecureEnclave
- I get an OSStatus -50 (bad argument(s))
- 😮 I get what looks like a raw signature (that needs to be wraped to DER format then?)
EDIT2: After wraping to ASN.1 and checking the signature, it appear that the key is not verifed 😟
ℹ I must make it work with a pkey stored in the Secure Enclave
btw: you can find a deprecated link pointing at kSecPaddingNone in padding section of the SecKeyRawSign(...) page?
Method 3
This function is only available on macOS
func SecSignTransformCreate(_ key: UnsafeMutablePointer<Unmanaged<CFError>?>?) -> SecTransform?I am lost 😢
So could someone help me to clarify:
What is the way to go, to correctly sign an already hashed (sha256) data to DER format, thanks to an ec-256-secure-enclave private key?
Here is the code I use to check the signature in go: play.golang dot org/p/XH2bi5lBhK
Thank you
I have the same behavior with Secure Enclave disabled …
That’s actually good news, because it removes a whole world of complexity from the issue.
bad digest size for signing with algorithm …
OK, I have two theories here:
Something super weird is going on
You’ve made some sort of ‘brain fade’ error with
O-:digestToSign
To start, I took the snippets you posted and assembled them into a complete test function (shown below). Note line 16, where I set the digest to 32 bytes of zeroes.
import UIKit func test() { var publicKeyMaybe: SecKey? = nil var privateKeyMaybe: SecKey? = nil let err = SecKeyGeneratePair([ kSecAttrIsPermanent as String: kCFBooleanTrue, kSecAttrApplicationTag as String: UUID().uuidString, kSecAttrLabel as String: UUID().uuidString, kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom, kSecAttrKeySizeInBits as String: 256, ] as NSDictionary, &publicKeyMaybe, &privateKeyMaybe) assert(err == errSecSuccess) let privateKey = privateKeyMaybe! let digestToSign = Data(repeating: 0, count: 32) var error: Unmanaged<CFError>? = nil let signature = SecKeyCreateSignature(privateKey, .ecdsaSignatureDigestX962SHA256, digestToSign as NSData, &error) if let signature = signature { NSLog("success, digest: %@", signature as NSData) } else { let error = error!.takeRetainedValue() NSLog("failure, error: %@", String(describing: error)) } }
I ran this on an iOS 11.0 device and it works:
2017-10-17 10:49:39.611516+0100 ECDigest[364:86907] success, digest: <30450220 … 04f8fb>I changed line 16 to set the digest length to 31 bytes and I got the error you’re seeing:
2017-10-17 10:49:58.955706+0100 ECDigest[368:87258] failure, error: Error Domain=NSOSStatusErrorDomain Code=-50 "bad digest size for signing with algorithm algid:sign:ECDSA:digest-X962:SHA256" UserInfo={NSDescription=bad digest size for signing with algorithm algid:sign:ECDSA:digest-X962:SHA256}As far as I can tell this error is only generated in one place, namely
SecKeyCopyECDSASignatureForDigestSecurity/OSX/sec/Security/SecKeyAdaptors.cif (CFDataGetLength(digest) != (CFIndex)di->output_size) { SecError(errSecParam, error, CFSTR("bad digest size for signing with algorithm %@"), algorithm); return NULL; }
If you look through that file you’ll see it’s called by the
DIGEST_ECDSA_ADAPTORSDIGEST_ECDSA_ADAPTORS(X962SHA256, ccsha256_di())ccsha256_di()output_sizeHence my conclusion: either something super weird is going on or you’re passing in a digest of the wrong length. I recommend that you double check the latter (-:
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"