从 iOS 导出椭圆曲线密钥以使用 OpenSSL [英] Export an elliptic curve key from iOS to work with OpenSSL
问题描述
我在 Secure Enclave 中生成并存储了一个私钥/公钥对.
它是 256 位椭圆曲线密钥.(唯一可以存储在 Secure Enclave 中的密钥类型).
我使用 SecKeyCreateWithData 和 SecKeyCopyExternalRepresentation 在 iOS 设备之间导入/导出公钥,并且有效.
但是,导出的密钥似乎不适用于 OpenSSL.因为在这个命令上总是显示'unable to load Key'.
openssl ec -pubin -in public_key_file -text<小时>
导出密钥的方法是什么?所以我可以在 OpenSSL 中使用它.
要使用 OpenSSL,您需要 subject public key info (SPKI),DER 或 PEM 格式.
SPKI 包含基本信息,例如,key.type、key.parameters、key.value.
SecKeyCopyExternalRepresentation 只返回原始密钥二进制,它只是 key.value 部分.
您必须从该 key.value 创建 SPKI.执行此操作的正常方法是阅读 https://tools.ietf.org/html/rfc5480,并将 ASN.1 结构编码为二进制编码的 DER 格式.
但这里有一个捷径.
Secure Enclave 仅支持一种密钥类型,256 位 EC 密钥 secp256r1(相当于 OpenSSL 中的 prime256v1).
DER格式的SPKI是二进制编码的数据,例如
<预> <代码> 3059301306072a8648ce3d020106082a8648ce3d03010703420004fad2e70b0f70f0bf80d7f7cbe8dd4237ca9e59357647e7a7cb90d71a71f6b57869069bcdd24272932c6bdd51895fe2180ea0748c737adecc1cefa3a02022164d它总是由两部分组成
固定架构头
3059301306072a8648ce3d020106082a8648ce3d030107034200原始键值
04.......
您可以通过组合这两部分来创建 SPKI.
spki = fixed_schema_header + SecKeyCopyExternalRepresentation(...)
func createSubjectPublicKeyInfo(rawPublicKeyData: Data) ->数据 {让 secp256r1Header = 数据(字节:[0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a,0x86、0x48、0xce、0x3d、0x03、0x01、0x07、0x03、0x42、0x00])返回 secp256r1Header + rawPublicKeyData}//用法让 rawPublicKeyData = SecKeyCopyExternalRepresentation(...)!让 publicKeyDER = createSubjectPublicKeyInfo(rawPublicKeyData: rawPublicKeyData)写(publicKeyDER,到:public_key.der")//使用 OpenSSL 进行测试//openssl ec -pubin -in public_key.der -text -inform derI have a private/public key pair generated and stored inside Secure Enclave.
It is 256-bit elliptic curve key. (The only key type that can be stored in Secure Enclave).
I use SecKeyCreateWithData and SecKeyCopyExternalRepresentation to import/export the public key between iOS devices, and it works.
However, the exported key doesn't seem to work with OpenSSL.
Because it always show 'unable to load Key' on this command.
openssl ec -pubin -in public_key_file -text
What's the way to export the key ? So I can use it with OpenSSL.
To work with OpenSSL, you need subject public key info (SPKI), either DER or PEM format.
SPKI contains essential information, for example, key.type, key.parameters, key.value.
SecKeyCopyExternalRepresentation only returns raw key binary which is only key.value part.
You have to create SPKI from that key.value. The normal way to do this is to read https://tools.ietf.org/html/rfc5480, and encode ASN.1 structure to binary-encoded DER format.
But here is a shortcut.
Secure Enclave only supports one key type, 256-bit EC key secp256r1 (equivalent to prime256v1 in OpenSSL).
The SPKI in DER format is a binary encoded data, for example,
3059301306072a8648ce3d020106082a8648ce3d03010703420004fad2e70b0f70f0bf80d7f7cbe8dd4237ca9e59357647e7a7cb90d71a71f6b57869069bcdd24272932c6bdd51895fe2180ea0748c737adecc1cefa3a02022164d
It always consist of two parts
fixed schema header
3059301306072a8648ce3d020106082a8648ce3d030107034200raw key value
04.......
You can create SPKI by combining these two parts.
spki = fixed_schema_header + SecKeyCopyExternalRepresentation(...)
func createSubjectPublicKeyInfo(rawPublicKeyData: Data) -> Data {
let secp256r1Header = Data(bytes: [
0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a,
0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00
])
return secp256r1Header + rawPublicKeyData
}
// Usage
let rawPublicKeyData = SecKeyCopyExternalRepresentation(...)!
let publicKeyDER = createSubjectPublicKeyInfo(rawPublicKeyData: rawPublicKeyData)
write(publicKeyDER, to: "public_key.der")
// Test with OpenSSL
// openssl ec -pubin -in public_key.der -text -inform der
这篇关于从 iOS 导出椭圆曲线密钥以使用 OpenSSL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
