Skip to content
This repository has been archived by the owner on Mar 28, 2023. It is now read-only.

encrypting/decrypting #13

Open
paleozogt opened this issue Apr 4, 2017 · 3 comments
Open

encrypting/decrypting #13

paleozogt opened this issue Apr 4, 2017 · 3 comments

Comments

@paleozogt
Copy link

According to Working with Secure Enclave, we can use kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM to do AES/GCM with a symmetric key that's wrapped by asymmetric (ECIES) encryption.

In investigating this, I added the following to generateKeyPairWithAccessControlObject of SecureEnclaveObjective-C:

  // kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM uses kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1
  BOOL canKeyExchange = SecKeyIsAlgorithmSupported(privateKeyRef,
                                                   kSecKeyOperationTypeKeyExchange,
                                                   kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1);
  NSLog(@"canKeyExchange %d", canKeyExchange);
    
  BOOL canEncrypt = SecKeyIsAlgorithmSupported(publicKeyRef,
                                               kSecKeyOperationTypeEncrypt,
                                               kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM);
  NSLog(@"canEncrypt %d", canEncrypt);
    
  BOOL canDecrypt = SecKeyIsAlgorithmSupported(privateKeyRef,
                                               kSecKeyOperationTypeDecrypt,
                                               kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM);
  NSLog(@"canDecrypt %d", canDecrypt);

which shows

canKeyExchange 1
canEncrypt 1
canDecrypt 0

I'm rather baffled by this-- how can encryption be supported while decryption isn't?
@paleozogt
Copy link
Author

I realize this isn't exactly an issue with the SecureEnclaveCrypto project, since it only shows how to do signatures, but its the best code example I've found for using kSecAttrTokenIDSecureEnclave.

Also, having encrypt/decrypt in this project would be pretty useful. :)

@withzombies
Copy link
Contributor

kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM is newer than the library. I'd have to look into it to give you a proper answer.

I do agree that a proper encrypt/decrypt implementation belongs in this project and I'll add it to the roadmap. However, this project moves very slowly so I can't give a timeline.

@paleozogt
Copy link
Author

I opened a support issue with Apple and it turns out that

This is a known bug that was fixed in iOS 10.3. There is no good workaround for this bug, so your best option is to ask affected customers to upgrade to 10.3.

Additionally, on 10.3 there was a problem with decrypting large amounts of data with kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM. I filed a bug report for it, and it got fixed in iOS 11. :)

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@paleozogt @withzombies