在安全元件中检索私钥的 SecKeyRef

Retrieve SecKeyRef of private key in Secure Element

我生成一个 RSA public/private 密钥对如下:

CFDataRef privateTag;
CFDataRef publicTag;

SecKeyRef publicKey;
SecKeyRef privateKey;

const UInt8 publicTagString[] = "com.example.widgets.publickey3";
const UInt8 privateTagString[] = "com.example.widgets.privatekey3";

publicTag = CFDataCreate(0, publicTagString, sizeof(publicTagString));
privateTag = CFDataCreate(0, privateTagString, sizeof(privateTagString));

CFMutableDictionaryRef publicAttr = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, NULL, NULL);
CFDictionaryAddValue(publicAttr, kSecAttrIsPermanent, kCFBooleanTrue);
CFDictionaryAddValue(publicAttr, kSecAttrApplicationTag, publicTag);
CFDictionaryAddValue(publicAttr, kSecAttrCanEncrypt, kCFBooleanFalse);
CFDictionaryAddValue(publicAttr, kSecAttrCanDecrypt, kCFBooleanFalse);
CFDictionaryAddValue(publicAttr, kSecAttrCanDerive, kCFBooleanFalse);
CFDictionaryAddValue(publicAttr, kSecAttrCanSign, kCFBooleanFalse);
CFDictionaryAddValue(publicAttr, kSecAttrCanVerify, kCFBooleanTrue);
CFDictionaryAddValue(publicAttr, kSecAttrCanUnwrap, kCFBooleanFalse);

CFMutableDictionaryRef privateAttr = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, NULL, NULL);
CFDictionaryAddValue(privateAttr, kSecAttrIsPermanent, kCFBooleanTrue);
CFDictionaryAddValue(privateAttr, kSecAttrApplicationTag, privateTag);
CFDictionaryAddValue(privateAttr, kSecAttrCanEncrypt, kCFBooleanFalse);
CFDictionaryAddValue(privateAttr, kSecAttrCanDecrypt, kCFBooleanFalse);
CFDictionaryAddValue(privateAttr, kSecAttrCanDerive, kCFBooleanFalse);
CFDictionaryAddValue(privateAttr, kSecAttrCanSign, kCFBooleanTrue);
CFDictionaryAddValue(privateAttr, kSecAttrCanVerify, kCFBooleanFalse);
CFDictionaryAddValue(privateAttr, kSecAttrCanUnwrap, kCFBooleanFalse);

const void* parameterKeys[] = {
    kSecAttrKeyType,
    kSecAttrKeySizeInBits,
    kSecPublicKeyAttrs,
    kSecPrivateKeyAttrs
};

int intKeySize = 512;
CFNumberRef keySize = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &intKeySize);

const void* parameterValues[] = {
    kSecAttrKeyTypeRSA,
    keySize,
    publicAttr,
    privateAttr
};

CFDictionaryRef parameters = CFDictionaryCreate(
    kCFAllocatorDefault,
    parameterKeys,
    parameterValues,
    4,
    NULL,
    NULL
);

OSStatus status = SecKeyGeneratePair(parameters, &publicKey, &privateKey);

if(status != errSecSuccess) {
    [self logError:[NSString stringWithFormat:@"SecKeyGeneratePair status %d", (int)status] :nil];
    return;
}

使用 public 密钥签名时,我需要 SecKeyRef 保存在安全元素中的私钥:

NSData *signedHash = nil;
uint8_t *signedHashBytes = NULL;
size_t signedHashBytesSize = SecKeyGetBlockSize(privateKey);

// Malloc a buffer to hold signature
signedHashBytes = malloc(signedHashBytesSize * sizeof(uint8_t));
memset((void *)signedHashBytes, 0x0, signedHashBytesSize);

// Sign SHA1 hash
OSStatus status = SecKeyRawSign(
    privateKey,
    kSecPaddingPKCS1SHA1,
    (const uint8_t *)[[self getSHA1:text] bytes],
    CC_SHA1_DIGEST_LENGTH,
    (uint8_t *)signedHashBytes,
    &signedHashBytesSize
);

如何在给定 publicTag 的情况下检索私钥的 SecKeyRef

检索 SecKeyRef 给定 CFDataRef 应用程序标签,使用 SecItemCopyMatching 并将 kSecReturnRef 设置为 kCFBooleanTrue:

CFDataRef privateTag; // The same used in SecKeyGeneratePair
SecKeyRef privateKeyRef = nil;
CFMutableDictionaryRef query = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, NULL, NULL);

CFDictionaryAddValue(query, kSecClass, kSecClassKey);
CFDictionaryAddValue(query, kSecAttrApplicationTag, privateTag);
CFDictionaryAddValue(query, kSecAttrKeyType, kSecAttrKeyTypeRSA);
CFDictionaryAddValue(query, kSecReturnRef, kCFBooleanTrue);

OSStatus status = SecItemCopyMatching(query, (CFTypeRef *)&privateKeyRef);

if(status != noErr) {
    [self logError:[NSString stringWithFormat:@"SecItemCopyMatching status %d", (int)status] :nil];
    return nil;
}