iphone - 在 iPhone 上使用 SecKeyRawSign

Question

我正在尝试使用 SecKeyRawSign 签署一些数据，但我一直收到 -4 errSecUnimplemented。这看起来很奇怪，因为文档指出它在 iPhone OS2.0 及更高版本中可用。

有人用过这个功能吗？如果有，有什么技巧吗？

~内特

Answer 1

如果您遇到此问题，很可能是因为您生成的私钥实际上并未保存到钥匙串(keychain)中。我在停止并重新启动应用程序时发现了这一点，并且无法对消息进行签名。

下面是我实现此功能的方法。

这个生成 key 对

- (void)generateKeyPair:(NSUInteger)keySize {
    OSStatus sanityCheck = noErr;
    publicKeyRef = NULL;
    privateKeyRef = NULL;

    LOGGING_FACILITY1( keySize == 512 || keySize == 1024 || keySize == 2048, @"%d is an invalid and unsupported key size.", keySize );

    // First delete current keys.
    [self deleteAsymmetricKeys];

    // Container dictionaries.

    // See SecKey.h for other values
    NSDictionary *privateKeyDict = @{
                    (__bridge id) kSecAttrIsPermanent : [NSNumber numberWithBool:YES],
                    (__bridge id) kSecAttrApplicationTag : privateTag
    };

    // See SecKey.h for other values
    NSDictionary *publicKeyDict = @{
                    (__bridge id) kSecAttrIsPermanent : [NSNumber numberWithBool:YES],
                    (__bridge id) kSecAttrApplicationTag : publicTag
    };

    NSDictionary *keyPairDict = @{
                    (__bridge id) kSecAttrKeyType : (__bridge id) kSecAttrKeyTypeRSA,
                    (__bridge id) kSecAttrKeySizeInBits : [NSNumber numberWithUnsignedInteger:keySize],
                    (__bridge id) kSecPrivateKeyAttrs : privateKeyDict,
                    (__bridge id) kSecPublicKeyAttrs : publicKeyDict
    };

    // SecKeyGeneratePair returns the SecKeyRefs
    sanityCheck = SecKeyGeneratePair((__bridge CFDictionaryRef) keyPairDict, &publicKeyRef, &privateKeyRef);
    LOGGING_FACILITY( sanityCheck == noErr && publicKeyRef != NULL && privateKeyRef != NULL, @"Something really bad went wrong with generating the key pair." );

    // retrieve the actual bits for the keys, not just the references
    NSData *publicKeyBits = [self getKeyBitsFromKey:publicKeyRef];
    NSData *privateKeyBits = [self getKeyBitsFromKey:privateKeyRef];

    // save the keys to the keychain
    [self saveKeyToKeychain:publicKeyBits keySize:keySize private:NO];
    [self saveKeyToKeychain:privateKeyBits keySize:keySize private:YES];
}

** 编辑 **

iOS 9 引入了一项名为Secure Enclave 的新功能。如果您想生成一个将存储在那里且仅存储在那里的 key ，您将需要使用 256 位 EC key ，因为这是 enclave 唯一支持的类型。 keyPairDict 将如下所示:

NSDictionary *keyPairDict = @{
                (__bridge id)kSecAttrTokenID: (__bridge id)kSecAttrTokenIDSecureEnclave,
                (__bridge id) kSecAttrKeyType : (__bridge id) kSecAttrKeyTypeEC,
                // we can use keySize here if we want
                // but since 256 is the only available size
                // we can just hardcode it for now
                (__bridge id) kSecAttrKeySizeInBits : @256],
                (__bridge id) kSecPrivateKeyAttrs : privateKeyDict,
                (__bridge id) kSecPublicKeyAttrs : publicKeyDict
};

我知道参数是正确的，但我自己还没有测试过 Secure Enclave，所以如果由于某种原因这不起作用，请告诉我。

此外，作为引用:256 位 EC key 等同于 3072 位 RSA key 。

用于检索下面的键的查询也会有所不同:

NSDictionary *queryKey = @{
                (__bridge id) kSecClass : (__bridge id) kSecClassKey,
                (__bridge id) kSecAttrApplicationTag : tempTag,
                (__bridge id) kSecAttrKeyType : (__bridge id) kSecAttrKeyTypeEC
};

由于 Secure Enclave 非常安全，您很可能无法检索私钥位。最有可能的是，您只能生成一个引用。但是无论如何您都不需要处理私钥数据。

** 结束编辑 **

此方法从钥匙串(keychain)中检索实际位而不仅仅是引用

- (NSData *)getKeyBitsFromKey:(SecKeyRef)givenKey {
    static const uint8_t publicKeyIdentifier[] = "com.sample.temp";
    NSData *tempTag = [[NSData alloc] initWithBytes:publicKeyIdentifier length:sizeof(publicKeyIdentifier)];

    NSDictionary *queryKey = @{
                    (__bridge id) kSecClass : (__bridge id) kSecClassKey,
                    (__bridge id) kSecAttrApplicationTag : tempTag,
                    (__bridge id) kSecAttrKeyType : (__bridge id) kSecAttrKeyTypeRSA
    };

    // Temporarily add key to the Keychain, return as data:
    NSMutableDictionary *attributes = [[NSMutableDictionary alloc] initWithDictionary:queryKey copyItems:YES];
    [attributes setObject:(__bridge id) givenKey forKey:(__bridge id) kSecValueRef];
    [attributes setObject:@YES forKey:(__bridge id) kSecReturnData];

    // result codes: https://developer.apple.com/library/ios/documentation/Security/Reference/certifkeytrustservices/Reference/reference.html#//apple_ref/doc/uid/TP30000157-CH4g-339030
    OSStatus sanityCheck = noErr;
    NSData *keyBits = nil;

    CFTypeRef result;
    sanityCheck = SecItemAdd((__bridge CFDictionaryRef) attributes, &result);
    if (sanityCheck == errSecSuccess) {
            keyBits = CFBridgingRelease(result);

            // Remove from Keychain again:
            (void) SecItemDelete((__bridge CFDictionaryRef) queryKey);
            return keyBits;
    }
    else if (sanityCheck == errSecDuplicateItem) {
            // Remove from Keychain again:
            (void) SecItemDelete((__bridge CFDictionaryRef) queryKey);
            return [self getKeyBitsFromKey:givenKey];
    }

    return nil;
}

此方法将位保存到钥匙串(keychain)

- (void)saveKeyToKeychain:(NSData *)key keySize:(NSUInteger)keySize private:(BOOL)isPrivate {
    OSStatus sanityCheck = noErr;
    NSData *tag;
    id keyClass;
    if (isPrivate) {
            tag = privateTag;
            keyClass = (__bridge id) kSecAttrKeyClassPrivate;
    }
    else {
            tag = publicTag;
            keyClass = (__bridge id) kSecAttrKeyClassPublic;
    }

    NSDictionary *saveDict = @{
                    (__bridge id) kSecClass : (__bridge id) kSecClassKey,
                    (__bridge id) kSecAttrKeyType : (__bridge id) kSecAttrKeyTypeRSA,
                    (__bridge id) kSecAttrApplicationTag : tag,
                    (__bridge id) kSecAttrKeyClass : keyClass,
                    (__bridge id) kSecValueData : key,
                    (__bridge id) kSecAttrKeySizeInBits : [NSNumber numberWithUnsignedInteger:keySize],
                    (__bridge id) kSecAttrEffectiveKeySize : [NSNumber numberWithUnsignedInteger:keySize],
                    (__bridge id) kSecAttrCanDerive : (__bridge id) kCFBooleanFalse,
                    (__bridge id) kSecAttrCanEncrypt : (__bridge id) kCFBooleanTrue,
                    (__bridge id) kSecAttrCanDecrypt : (__bridge id) kCFBooleanFalse,
                    (__bridge id) kSecAttrCanVerify : (__bridge id) kCFBooleanTrue,
                    (__bridge id) kSecAttrCanSign : (__bridge id) kCFBooleanFalse,
                    (__bridge id) kSecAttrCanWrap : (__bridge id) kCFBooleanTrue,
                    (__bridge id) kSecAttrCanUnwrap : (__bridge id) kCFBooleanFalse
    };

    SecKeyRef savedKey = NULL;
    sanityCheck = SecItemAdd((__bridge CFDictionaryRef) saveDict, (CFTypeRef *)&savedKey);
    if (sanityCheck != errSecSuccess) {
            LOGGING_FACILITY1(sanityCheck != noErr, @"Problem saving the key to keychain, OSStatus == %d.", sanityCheck);
    }
}

然后你这样签名:

- (NSData *)getSignatureBytes:(NSData *)plainText {
    OSStatus sanityCheck = noErr;
    NSData *signedHash = nil;

    uint8_t *signedHashBytes = NULL;
    size_t signedHashBytesSize = 0;

    SecKeyRef privateKey = NULL;

    privateKey = [self getKeyRef:YES];
    signedHashBytesSize = SecKeyGetBlockSize(privateKey);

    // Malloc a buffer to hold signature.
    signedHashBytes = malloc(signedHashBytesSize * sizeof(uint8_t));
    memset((void *) signedHashBytes, 0x0, signedHashBytesSize);

    // Sign the SHA1 hash.
    sanityCheck = SecKeyRawSign(privateKey,
            kTypeOfSigPadding,
            (const uint8_t *) [[self getHashBytes:plainText] bytes],
            kChosenDigestLength,
            signedHashBytes,
            &signedHashBytesSize
    );

    LOGGING_FACILITY1( sanityCheck == noErr, @"Problem signing the SHA1 hash, OSStatus == %d.", sanityCheck );

    // Build up signed SHA1 blob.
    signedHash = [NSData dataWithBytes:(const void *) signedHashBytes length:(NSUInteger) signedHashBytesSize];

    if (signedHashBytes) {
        free(signedHashBytes);
    }

    return signedHash;
}