如何在没有 TouchID 和密码的情况下使用 Secure Enclave?

How to use Secure Enclave without TouchID and Passcode?

为了生成密钥对,我使用了 Secure Enclave (kSecAttrTokenIDSecureEnclave)。当尝试访问生成的密钥对时,iOS 系统要求提供 TouchID。下面是我如何生成和访问密钥对的代码快照。

这里有没有设​​置 properties/attributes 的方法,Secure Enclave 功能将能够在没有 TouchID 和密码的情况下使用?

生成密钥对:

SecAccessControlRef sacObject = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
                                                kSecAttrAccessibleWhenUnlocked,
                                                kSecAccessControlUserPresence | kSecAccessControlPrivateKeyUsage, &error);

    NSDictionary *parameters = @{
        (__bridge id)kSecAttrTokenID: (__bridge id)kSecAttrTokenIDSecureEnclave,
        (__bridge id)kSecAttrKeyType: (__bridge id)kSecAttrKeyTypeEC,
        (__bridge id)kSecAttrKeySizeInBits: @256,
        (__bridge id)kSecPrivateKeyAttrs: @{
            (__bridge id)kSecAttrAccessControl: (__bridge_transfer id)sacObject,
            (__bridge id)kSecAttrIsPermanent: @YES,
            (__bridge id)kSecAttrLabel: @“SecKey”,
        },
    };
SStatus status = SecKeyGeneratePair((__bridge CFDictionaryRef)parameters, &publicKey, &privateKey);

访问密钥对:

    NSDictionary *query = @{
        (__bridge id)kSecClass: (__bridge id)kSecClassKey,
        (__bridge id)kSecAttrKeyClass: (__bridge id)kSecAttrKeyClassPrivate,
        (__bridge id)kSecAttrLabel: @"SecKey",
        (__bridge id)kSecReturnRef: @YES
    };
OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef *)&privateKey);

此代码取自 Apple 示例 KeychainTouchID。通过删除 kSecAccessControlTouchIDAny 可以在安全飞地内生成私钥,以后无需输入密码即可使用它。

SecAccessControlRef sacObject;

// Should be the secret invalidated when passcode is removed? If not then use `kSecAttrAccessibleWhenUnlocked`.
sacObject = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
                                            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
                                            /*kSecAccessControlTouchIDAny |*/ kSecAccessControlPrivateKeyUsage, &error);

// Create parameters dictionary for key generation.
NSDictionary *parameters = @{
    (__bridge id)kSecAttrTokenID: (__bridge id)kSecAttrTokenIDSecureEnclave,
    (__bridge id)kSecAttrKeyType: (__bridge id)kSecAttrKeyTypeEC,
    (__bridge id)kSecAttrKeySizeInBits: @256,
    (__bridge id)kSecPrivateKeyAttrs: @{
        (__bridge id)kSecAttrAccessControl: (__bridge_transfer id)sacObject,
        (__bridge id)kSecAttrIsPermanent: @YES,
        (__bridge id)kSecAttrLabel: @"my-se-key",
    },
};