在安全元件中检索私钥的 SecKeyRef
Retrieve SecKeyRef of private key in Secure Element
我生成一个 RSA public/private 密钥对如下:
CFDataRef privateTag;
CFDataRef publicTag;
SecKeyRef publicKey;
SecKeyRef privateKey;
const UInt8 publicTagString[] = "com.example.widgets.publickey3";
const UInt8 privateTagString[] = "com.example.widgets.privatekey3";
publicTag = CFDataCreate(0, publicTagString, sizeof(publicTagString));
privateTag = CFDataCreate(0, privateTagString, sizeof(privateTagString));
CFMutableDictionaryRef publicAttr = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, NULL, NULL);
CFDictionaryAddValue(publicAttr, kSecAttrIsPermanent, kCFBooleanTrue);
CFDictionaryAddValue(publicAttr, kSecAttrApplicationTag, publicTag);
CFDictionaryAddValue(publicAttr, kSecAttrCanEncrypt, kCFBooleanFalse);
CFDictionaryAddValue(publicAttr, kSecAttrCanDecrypt, kCFBooleanFalse);
CFDictionaryAddValue(publicAttr, kSecAttrCanDerive, kCFBooleanFalse);
CFDictionaryAddValue(publicAttr, kSecAttrCanSign, kCFBooleanFalse);
CFDictionaryAddValue(publicAttr, kSecAttrCanVerify, kCFBooleanTrue);
CFDictionaryAddValue(publicAttr, kSecAttrCanUnwrap, kCFBooleanFalse);
CFMutableDictionaryRef privateAttr = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, NULL, NULL);
CFDictionaryAddValue(privateAttr, kSecAttrIsPermanent, kCFBooleanTrue);
CFDictionaryAddValue(privateAttr, kSecAttrApplicationTag, privateTag);
CFDictionaryAddValue(privateAttr, kSecAttrCanEncrypt, kCFBooleanFalse);
CFDictionaryAddValue(privateAttr, kSecAttrCanDecrypt, kCFBooleanFalse);
CFDictionaryAddValue(privateAttr, kSecAttrCanDerive, kCFBooleanFalse);
CFDictionaryAddValue(privateAttr, kSecAttrCanSign, kCFBooleanTrue);
CFDictionaryAddValue(privateAttr, kSecAttrCanVerify, kCFBooleanFalse);
CFDictionaryAddValue(privateAttr, kSecAttrCanUnwrap, kCFBooleanFalse);
const void* parameterKeys[] = {
kSecAttrKeyType,
kSecAttrKeySizeInBits,
kSecPublicKeyAttrs,
kSecPrivateKeyAttrs
};
int intKeySize = 512;
CFNumberRef keySize = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &intKeySize);
const void* parameterValues[] = {
kSecAttrKeyTypeRSA,
keySize,
publicAttr,
privateAttr
};
CFDictionaryRef parameters = CFDictionaryCreate(
kCFAllocatorDefault,
parameterKeys,
parameterValues,
4,
NULL,
NULL
);
OSStatus status = SecKeyGeneratePair(parameters, &publicKey, &privateKey);
if(status != errSecSuccess) {
[self logError:[NSString stringWithFormat:@"SecKeyGeneratePair status %d", (int)status] :nil];
return;
}
使用 public 密钥签名时,我需要 SecKeyRef
保存在安全元素中的私钥:
NSData *signedHash = nil;
uint8_t *signedHashBytes = NULL;
size_t signedHashBytesSize = SecKeyGetBlockSize(privateKey);
// Malloc a buffer to hold signature
signedHashBytes = malloc(signedHashBytesSize * sizeof(uint8_t));
memset((void *)signedHashBytes, 0x0, signedHashBytesSize);
// Sign SHA1 hash
OSStatus status = SecKeyRawSign(
privateKey,
kSecPaddingPKCS1SHA1,
(const uint8_t *)[[self getSHA1:text] bytes],
CC_SHA1_DIGEST_LENGTH,
(uint8_t *)signedHashBytes,
&signedHashBytesSize
);
如何在给定 publicTag
的情况下检索私钥的 SecKeyRef
?
检索 SecKeyRef
给定 CFDataRef
应用程序标签,使用 SecItemCopyMatching
并将 kSecReturnRef
设置为 kCFBooleanTrue
:
CFDataRef privateTag; // The same used in SecKeyGeneratePair
SecKeyRef privateKeyRef = nil;
CFMutableDictionaryRef query = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, NULL, NULL);
CFDictionaryAddValue(query, kSecClass, kSecClassKey);
CFDictionaryAddValue(query, kSecAttrApplicationTag, privateTag);
CFDictionaryAddValue(query, kSecAttrKeyType, kSecAttrKeyTypeRSA);
CFDictionaryAddValue(query, kSecReturnRef, kCFBooleanTrue);
OSStatus status = SecItemCopyMatching(query, (CFTypeRef *)&privateKeyRef);
if(status != noErr) {
[self logError:[NSString stringWithFormat:@"SecItemCopyMatching status %d", (int)status] :nil];
return nil;
}
我生成一个 RSA public/private 密钥对如下:
CFDataRef privateTag;
CFDataRef publicTag;
SecKeyRef publicKey;
SecKeyRef privateKey;
const UInt8 publicTagString[] = "com.example.widgets.publickey3";
const UInt8 privateTagString[] = "com.example.widgets.privatekey3";
publicTag = CFDataCreate(0, publicTagString, sizeof(publicTagString));
privateTag = CFDataCreate(0, privateTagString, sizeof(privateTagString));
CFMutableDictionaryRef publicAttr = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, NULL, NULL);
CFDictionaryAddValue(publicAttr, kSecAttrIsPermanent, kCFBooleanTrue);
CFDictionaryAddValue(publicAttr, kSecAttrApplicationTag, publicTag);
CFDictionaryAddValue(publicAttr, kSecAttrCanEncrypt, kCFBooleanFalse);
CFDictionaryAddValue(publicAttr, kSecAttrCanDecrypt, kCFBooleanFalse);
CFDictionaryAddValue(publicAttr, kSecAttrCanDerive, kCFBooleanFalse);
CFDictionaryAddValue(publicAttr, kSecAttrCanSign, kCFBooleanFalse);
CFDictionaryAddValue(publicAttr, kSecAttrCanVerify, kCFBooleanTrue);
CFDictionaryAddValue(publicAttr, kSecAttrCanUnwrap, kCFBooleanFalse);
CFMutableDictionaryRef privateAttr = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, NULL, NULL);
CFDictionaryAddValue(privateAttr, kSecAttrIsPermanent, kCFBooleanTrue);
CFDictionaryAddValue(privateAttr, kSecAttrApplicationTag, privateTag);
CFDictionaryAddValue(privateAttr, kSecAttrCanEncrypt, kCFBooleanFalse);
CFDictionaryAddValue(privateAttr, kSecAttrCanDecrypt, kCFBooleanFalse);
CFDictionaryAddValue(privateAttr, kSecAttrCanDerive, kCFBooleanFalse);
CFDictionaryAddValue(privateAttr, kSecAttrCanSign, kCFBooleanTrue);
CFDictionaryAddValue(privateAttr, kSecAttrCanVerify, kCFBooleanFalse);
CFDictionaryAddValue(privateAttr, kSecAttrCanUnwrap, kCFBooleanFalse);
const void* parameterKeys[] = {
kSecAttrKeyType,
kSecAttrKeySizeInBits,
kSecPublicKeyAttrs,
kSecPrivateKeyAttrs
};
int intKeySize = 512;
CFNumberRef keySize = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &intKeySize);
const void* parameterValues[] = {
kSecAttrKeyTypeRSA,
keySize,
publicAttr,
privateAttr
};
CFDictionaryRef parameters = CFDictionaryCreate(
kCFAllocatorDefault,
parameterKeys,
parameterValues,
4,
NULL,
NULL
);
OSStatus status = SecKeyGeneratePair(parameters, &publicKey, &privateKey);
if(status != errSecSuccess) {
[self logError:[NSString stringWithFormat:@"SecKeyGeneratePair status %d", (int)status] :nil];
return;
}
使用 public 密钥签名时,我需要 SecKeyRef
保存在安全元素中的私钥:
NSData *signedHash = nil;
uint8_t *signedHashBytes = NULL;
size_t signedHashBytesSize = SecKeyGetBlockSize(privateKey);
// Malloc a buffer to hold signature
signedHashBytes = malloc(signedHashBytesSize * sizeof(uint8_t));
memset((void *)signedHashBytes, 0x0, signedHashBytesSize);
// Sign SHA1 hash
OSStatus status = SecKeyRawSign(
privateKey,
kSecPaddingPKCS1SHA1,
(const uint8_t *)[[self getSHA1:text] bytes],
CC_SHA1_DIGEST_LENGTH,
(uint8_t *)signedHashBytes,
&signedHashBytesSize
);
如何在给定 publicTag
的情况下检索私钥的 SecKeyRef
?
检索 SecKeyRef
给定 CFDataRef
应用程序标签,使用 SecItemCopyMatching
并将 kSecReturnRef
设置为 kCFBooleanTrue
:
CFDataRef privateTag; // The same used in SecKeyGeneratePair
SecKeyRef privateKeyRef = nil;
CFMutableDictionaryRef query = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, NULL, NULL);
CFDictionaryAddValue(query, kSecClass, kSecClassKey);
CFDictionaryAddValue(query, kSecAttrApplicationTag, privateTag);
CFDictionaryAddValue(query, kSecAttrKeyType, kSecAttrKeyTypeRSA);
CFDictionaryAddValue(query, kSecReturnRef, kCFBooleanTrue);
OSStatus status = SecItemCopyMatching(query, (CFTypeRef *)&privateKeyRef);
if(status != noErr) {
[self logError:[NSString stringWithFormat:@"SecItemCopyMatching status %d", (int)status] :nil];
return nil;
}