iOS hardware-backed key attestation


Question

In Android there is a way of knowing if the public key from a key pair was generated inside the TEE and is, therefore, hardware-backed (https://source.android.com/security/keystore/attestation). I cannot find a way to do that in iOS. Does anyone know if there is a way?

Recommended answer

When pulling the key, check if kSecAttrTokenID is set to kSecAttrTokenIDSecureEnclave.

This will tell you if the key is from the Secure Enclave (silicon/hardware) or not.

Example key:

// Build the access control object first: the call returns an optional, so it is
// unwrapped here rather than stored into the attribute dictionary as an Optional.
var error: Unmanaged<CFError>?
guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        .privateKeyUsage,   // required for keys held in the Secure Enclave
        &error) else {
    fatalError("SecAccessControlCreateWithFlags failed: \(String(describing: error))")
}

let attributes: [CFString: Any] = [
  kSecClass: kSecClassKey,
  kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom,   // the Secure Enclave only generates EC P-256 keys
  kSecAttrKeySizeInBits: 256,
  kSecAttrTokenID: kSecAttrTokenIDSecureEnclave,       // ask for the key to be generated inside the Secure Enclave
  kSecPrivateKeyAttrs: [
    kSecAttrIsPermanent: true,
    kSecAttrApplicationTag: Data("my_key_id".utf8),   // the tag is CFData, not a string
    kSecAttrAccessControl: access
  ] as [CFString: Any]
]

let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error)

When retrieving the key, use kSecReturnAttributes: kCFBooleanTrue to get the attributes of the key:

let query: [CFString: Any] = [
  kSecClass: kSecClassKey,
  kSecAttrApplicationTag: Data("my_key_id".utf8),   // must match the tag used at creation
  kSecMatchLimit: kSecMatchLimitOne,
  kSecReturnRef: kCFBooleanFalse,
  kSecReturnAttributes: kCFBooleanTrue   // return the attribute dictionary instead of the key reference
]

var result: CFTypeRef?
let status = SecItemCopyMatching(query as CFDictionary, &result)   // OSStatus; errSecSuccess on a hit

Then check whether kSecAttrTokenID: kSecAttrTokenIDSecureEnclave is present.

Easier way: when a key is stored with kSecAttrTokenIDSecureEnclave you CANNOT convert it to bytes with SecKeyCopyExternalRepresentation. It will always fail. So you can always attempt to get the key, then call that function and see if it fails.
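The two checks from the answer combined into one lookup, as an added example that is not part of the original answer; the struct, the function name and the application tag "my_key_id" are assumptions.

```swift
import Foundation
import Security

/// Editor-added example, not from the original answer. `tag` is assumed to be the
/// kSecAttrApplicationTag the app used when it created the key.
struct KeyBacking {
    /// True when the Keychain reports kSecAttrTokenID == kSecAttrTokenIDSecureEnclave.
    let tokenIsSecureEnclave: Bool
    /// True when SecKeyCopyExternalRepresentation succeeded. A Secure Enclave
    /// private key is not exportable, so this is false for a hardware-held key.
    let privateKeyExportable: Bool
}

/// Runs both checks from the answer against the private key stored under `tag`.
/// Returns nil if the key does not exist or its attributes could not be read.
func inspectKeyBacking(tag: String) -> KeyBacking? {
    let query: [CFString: Any] = [
        kSecClass: kSecClassKey,
        kSecAttrKeyClass: kSecAttrKeyClassPrivate,
        kSecAttrApplicationTag: Data(tag.utf8),
        kSecMatchLimit: kSecMatchLimitOne,
        kSecReturnRef: true,         // yields kSecValueRef for the export test
        kSecReturnAttributes: true   // yields kSecAttrTokenID and the other attributes
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let attrs = item as? [String: Any] else { return nil }

    // Check 1: the token holding the key. A Secure Enclave key reports
    // kSecAttrTokenIDSecureEnclave; a software key has no token ID at all.
    let tokenID = attrs[kSecAttrTokenID as String] as? String
    let onSecureEnclave = tokenID == (kSecAttrTokenIDSecureEnclave as String)

    // Check 2: try to export the private key. CFGetTypeID guards the forced cast,
    // because Any -> SecKey cannot be tested with `as?`.
    var exportable = false
    if let ref = attrs[kSecValueRef as String], CFGetTypeID(ref as CFTypeRef) == SecKeyGetTypeID() {
        var error: Unmanaged<CFError>?
        exportable = SecKeyCopyExternalRepresentation(ref as! SecKey, &error) != nil
    }
    return KeyBacking(tokenIsSecureEnclave: onSecureEnclave, privateKeyExportable: exportable)
}

// Usage: both signals should agree for a key generated inside the Secure Enclave.
if let backing = inspectKeyBacking(tag: "my_key_id") {
    let hardwareBacked = backing.tokenIsSecureEnclave && !backing.privateKeyExportable
    print("hardware-backed: \(hardwareBacked)")
}
```

This is a local check: it tells the app which token holds the key, but unlike the Android attestation certificate chain it gives a remote verifier nothing to validate. For attestation that a server can verify, Apple's App Attest service (DCAppAttestService) is the relevant API.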
