trailofbits / SecureEnclaveCrypto

Demonstration library for using the Secure Enclave on iOS

Use SecKeyCopyExternalRepresentation to export public keys

withzombies opened this issue · comments

Apple added a new API to export keys in sane formats. We should use it.

https://developer.apple.com/reference/security/1643698-seckeycopyexternalrepresentation

iOS 10 only. What's the benefit / difference?

I'm ready to implement, but I don't see the added benefit here. Can you elaborate on why we should rather use that new API?

If we're intending this to be a reference for other developers, then we should use the latest available APIs that produce the simplest code. We had to work around the lack of the SecKeyCopyExternalRepresentation API when we originally wrote this project and it required some hacks that we can eliminate by using it. Less code is better code.

If I understand correctly: copying the external representation is only good for later importing that representation. That's not part of showcasing how to use the Secure Enclave IMHO. I don't think retrieving the bits/string of the public key is done hackishly at all - at least not in the Swift code.

Feels like I'm misunderstanding you guys.

It's better to export a key that's directly applicable rather than one you have to run through an auxiliary ruby script. This API didn't exist before, so we had an awful workaround to make it viable for existing applications (e.g. OpenSSL, Python, etc) to use the exported key directly.

I still don't get it. It seems to me that this api isn't making that easier. Maybe I'm missing something crucial. Lead the way.

So how's the data structured in the output of this function?

Exporting the key to an external representation such as PKCS1 allows digital signatures created by the TouchID interface to be validated by tools like openssl. Currently to solve this problem, we have key_builder.rb, but if we can do it without key_builder.rb, that'd be best.

Also, key_builder.rb assumes the key type will always be elliptic curve with the prime256v1 curve. Using the API provided by Apple means we don't have to rely on this assumption.

Awesome. I'm ready to vet any swift pull requests.

I don't see any difference.
Base64 public key exported using old/current API

BDCvFO9AXGQAkjVrJaGE/mLiWlKLGzTo0n6sAUMrZac0dBdJS+mGFWK6rAtbnLAplXAqXR1wVTBcES9fhJRbKcM=

Base64 public key exported using new API (SecKeyCopyExternalRepresentation)

BDCvFO9AXGQAkjVrJaGE/mLiWlKLGzTo0n6sAUMrZac0dBdJS+mGFWK6rAtbnLAplXAqXR1wVTBcES9fhJRbKcM=
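
The value quoted above decodes to 65 bytes beginning with 0x04, an uncompressed EC point, which OpenSSL will not read until it is wrapped in a SubjectPublicKeyInfo structure. The following Ruby sketch is an added example, not the project's key_builder.rb; it assumes the prime256v1 curve mentioned earlier in the thread, and its function and constant names are hypothetical.

```ruby
require "base64"

# DER prefix of a SubjectPublicKeyInfo for an EC key on prime256v1:
# SEQUENCE { SEQUENCE { OID id-ecPublicKey, OID prime256v1 }, BIT STRING hdr }
# Assumption: the curve is prime256v1; any other curve needs another prefix.
P256_SPKI_PREFIX =
  ["3059301306072a8648ce3d020106082a8648ce3d030107034200"].pack("H*").freeze

# Base64 value quoted in the comment above (same for both export APIs).
EXPORTED_B64 =
  "BDCvFO9AXGQAkjVrJaGE/mLiWlKLGzTo0n6sAUMrZac0dBdJS+mGFWK6rAtbnLAplXAqXR1wVTBcES9fhJRbKcM="

# Decode and validate the raw point: 0x04 || X (32 bytes) || Y (32 bytes).
def decode_x963_point(b64)
  raw = Base64.strict_decode64(b64)
  unless raw.bytesize == 65
    raise ArgumentError, "expected 65 bytes, got #{raw.bytesize}"
  end
  unless raw.getbyte(0) == 0x04
    raise ArgumentError, "not an uncompressed point (first byte must be 0x04)"
  end
  raw
end

# Prepend the fixed header to obtain a 91-byte SubjectPublicKeyInfo.
def spki_der(b64)
  P256_SPKI_PREFIX + decode_x963_point(b64)
end

# PEM armour with 64-character lines, the form `openssl pkey -pubin` reads.
def spki_pem(b64)
  body = Base64.strict_encode64(spki_der(b64)).scan(/.{1,64}/).join("\n")
  "-----BEGIN PUBLIC KEY-----\n#{body}\n-----END PUBLIC KEY-----\n"
end

puts spki_pem(EXPORTED_B64) if __FILE__ == $PROGRAM_NAME
```

The length and prefix checks reject truncated or compressed input instead of emitting a PEM file that fails later during signature verification.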

One advantage IMO is that you won't (Apple actually recommends this) need to store the public key in the keychain. You'd use SecKeyCopyPublicKey to get a reference to it and then you can use SecKeyCopyExternalRepresentation to get the data.

Almost 2 years have passed since this issue was opened. The SecKeyCopyPublicKey was quite new then and only available to iOS 10. Now it might be possible to drop support for iOS 9.