Okay, so it's easy to verify the signature using the public key (SecKeyRef / SecKey) reference retreived from security framework. I want to eat my own dogfood and verify the signature using the public key hex string. Any ideas how I can do that?

The decryption API only works on iOS 10.3 and above. I was told it being broken was a bug (rdar://problem/29438764), and it appears to work in the latest beta.

Usage is pretty straightforward:

let encrypted = try Manager.shared.encrypt("Hello!".data(using: .utf8)!)
let decrypted = try Manager.shared.decrypt(encrypted) // "Hello!"

Uses SHA256 for the KDF which should be a sane default.

I did a total rewrite from ground up and made a new library: https://github.com/agens-no/EllipticCurveKeyPair

I decided to not send a pull request in to this repo because the company I work for is paying for my hours and up until now and I did all the heavy lifting with swift version anyway. I don't violate any license as I wrote everything from ground up.

Thanks for all support! If you'd like to join as contributors to this repo you are more than welcome.

Compared to the swift code in this repo

• better structure and api
• better error handling
• exporting the public key properly
• signature validates with openssl command (was missing sha256)
• useful copy paste output for validating signatures easily in console
• fallback to keychain on simulator for faster development

I hope you like it ✨

The sample code currently shows only the TouchID use case, even though in the implementation of KeyInterface there is a generatePasscodeKeyPair method, but it is not exposed publicly.

As far as I understand it (correct me if I'm wrong), you can also use the passcode as authentication to protect the private key. The private key will still be non-extractable and stored in the secure enclave. The main drawback I see here is that by using the device passcode instead of TouchID is that the passcode is entered by the user through a UI and thus passes through the user space and kernel space, whereas the TouchID interaction will remain completely in the secure enclave.

I think you should either mention this as a (less secure) option or drop the generatePasscodeKeyPair method in the implementation altogether.

I'm trying to get the example running on the Xcode IOS simulator and am getting an exception here. The exception is Thread 1: EXC_BAD_ACCESS (code=1, address=0x10). It seems that lookupPrivateKeyRef is returning nil here and generateKeyPairWithAccessControlObject is returning false here. I'm not used to working with iOS stuff, so I'm not really sure how to debug this further.

I've tried running another SEC example, but get a parameter error (-50) from SecKeyGeneratePair. I'm wondering if SEC doesn't work at all in the iOS simulator?

Any help would be appreciated. I'm running

• Xcode: Version 7.3.1
• Simulator: iPhone 6s / iOS 9.3 (13E230)

Let me know if I can provide any other debugging output or information.

What will happen to the items with access kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly if the passcode has been changed? Are they still accessible? Thanks

Hi, How do i identify and delete the secure encalve key when i use transfer from another iphone directly, icloud restore erases keychain value , so i am able to identify if it is restored from icloud in another phone but it is not getting cleared when i use transfer from another iphone directly, so how to clear secure encalve private keys? any idea?

According to Working with Secure Enclave, we can use kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM to do AES/GCM with a symmetric key that's wrapped by asymmetric (ECIES) encryption.

In investigating this, I added the following to generateKeyPairWithAccessControlObject of SecureEnclaveObjective-C:

  // kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM uses kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1
  BOOL canKeyExchange = SecKeyIsAlgorithmSupported(privateKeyRef,
                                                   kSecKeyOperationTypeKeyExchange,
                                                   kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1);
  NSLog(@"canKeyExchange %d", canKeyExchange);
    
  BOOL canEncrypt = SecKeyIsAlgorithmSupported(publicKeyRef,
                                               kSecKeyOperationTypeEncrypt,
                                               kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM);
  NSLog(@"canEncrypt %d", canEncrypt);
    
  BOOL canDecrypt = SecKeyIsAlgorithmSupported(privateKeyRef,
                                               kSecKeyOperationTypeDecrypt,
                                               kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM);
  NSLog(@"canDecrypt %d", canDecrypt);

which shows

canKeyExchange 1
canEncrypt 1
canDecrypt 0

I'm rather baffled by this-- how can encryption be supported while decryption isn't?

The new MacBookPros have a secure display (Touchbar) and TouchID. We should investigate the applicability of this project and port this project to the new MacBooks.

Apple added a new API to export keys in sane formats. We should use it.

https://developer.apple.com/reference/security/1643698-seckeycopyexternalrepresentation