This repository has been archived by the owner on Mar 28, 2023. It is now read-only.

Use SecKeyCopyExternalRepresentation to export public keys #6

Open
withzombies opened this issue Dec 19, 2016 · 12 comments

Comments

@withzombies
Contributor

Apple added a new API to export keys in sane formats. We should use it.

https://developer.apple.com/reference/security/1643698-seckeycopyexternalrepresentation

@hfossli
Contributor

hfossli commented Dec 25, 2016

iOS 10 only. What's the benefit / difference?

@hfossli
Contributor

hfossli commented Jan 2, 2017

I'm ready to implement, but I don't see the added benefit here. Can you elaborate on why we should rather use that new API?

@dguido
Member

dguido commented Jan 2, 2017

If we're intending this to be a reference for other developers, then we should use the latest available APIs that produce the simplest code. We had to work around the lack of the SecKeyCopyExternalRepresentation API when we originally wrote this project and it required some hacks that we can eliminate by using it. Less code is better code.

@hfossli
Contributor

hfossli commented Jan 2, 2017

If I understand correctly: copying the external representation is only good for later importing that representation. That's not part of showcasing how to use the secure enclave IMHO. I don't think retrieving the bits/string of the public key is done in a hackish way at all - at least not in the Swift code.

Feels like I'm misunderstanding you guys.

@withzombies
Contributor Author

It's better to export a key that's directly applicable rather than one you have to run through an auxiliary ruby script. This API didn't exist before, so we had an awful workaround to make it viable for existing applications (e.g. OpenSSL, Python, etc) to use the exported key directly.

@hfossli
Contributor

hfossli commented Jan 2, 2017

I still don't get it. It seems to me that this API isn't making that easier. Maybe I'm missing something crucial. Lead the way.

@hfossli
Contributor

hfossli commented Jan 2, 2017

So how's the data structured in the output of this function?

@withzombies
Contributor Author

Exporting the key to an external representation such as PKCS1 allows digital signatures created by the TouchID interface to be validated by tools like openssl. Currently to solve this problem, we have key_builder.rb, but if we can do it without key_builder.rb, that'd be best.

Also, key_builder.rb assumes the key type will always be elliptic curve with the prime256v1 curve. Using the API provided by Apple means we don't have to rely on this assumption.

@hfossli
Contributor

hfossli commented Jan 2, 2017

Awesome. I'm ready to vet any Swift pull requests.

@hfossli
Contributor

hfossli commented Jan 12, 2017

I don't see any difference.
Base64 public key exported using old/current API

BDCvFO9AXGQAkjVrJaGE/mLiWlKLGzTo0n6sAUMrZac0dBdJS+mGFWK6rAtbnLAplXAqXR1wVTBcES9fhJRbKcM=

Base64 public key exported using new API (SecKeyCopyExternalRepresentation)

BDCvFO9AXGQAkjVrJaGE/mLiWlKLGzTo0n6sAUMrZac0dBdJS+mGFWK6rAtbnLAplXAqXR1wVTBcES9fhJRbKcM=
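An added example (not code from this project or from its key_builder.rb) that ties together withzombies' openssl point and hfossli's comparison above: both APIs returned the same 65 bytes because the raw output is an ANSI X9.63 uncompressed point (0x04 || X || Y), and openssl only consumes it once it is wrapped in a SubjectPublicKeyInfo, which is the step key_builder.rb performed. The code below parses the blob quoted above, checks that the point actually lies on prime256v1 (an added check the thread does not describe, using the standard P-256 constants), and emits the PEM that `openssl dgst -verify` accepts. Assumes Python 3 only.

```python
import base64

# NIST P-256 (prime256v1) domain parameters: y^2 = x^3 + a*x + b (mod p)
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b

# DER prefix of a SubjectPublicKeyInfo for id-ecPublicKey / prime256v1,
# ending with the BIT STRING header that the 65-byte X9.63 point follows.
SPKI_P256_PREFIX = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d030107034200"
)

# Base64 blob quoted in the thread above (identical for old and new API).
ISSUE_KEY_B64 = "BDCvFO9AXGQAkjVrJaGE/mLiWlKLGzTo0n6sAUMrZac0dBdJS+mGFWK6rAtbnLAplXAqXR1wVTBcES9fhJRbKcM="
ISSUE_KEY_RAW = base64.b64decode(ISSUE_KEY_B64)


def parse_x963(raw):
    """Split an ANSI X9.63 uncompressed point (04 || X || Y) into integers."""
    if len(raw) != 65 or raw[0] != 0x04:
        raise ValueError("expected a 65-byte uncompressed P-256 point starting with 0x04")
    x = int.from_bytes(raw[1:33], "big")
    y = int.from_bytes(raw[33:], "big")
    if x >= P256_P or y >= P256_P:
        raise ValueError("coordinate is not reduced modulo the field prime")
    return x, y


def on_curve(x, y):
    """True iff (x, y) satisfies the P-256 curve equation (added validation)."""
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def to_spki_der(raw):
    """Wrap a validated raw point in SubjectPublicKeyInfo DER (what key_builder.rb did)."""
    x, y = parse_x963(raw)
    if not on_curve(x, y):
        raise ValueError("point is not on prime256v1; refusing to wrap it")
    return SPKI_P256_PREFIX + raw


def to_spki_pem(raw):
    """PEM form that `openssl pkey -pubin` and `openssl dgst -verify` accept."""
    b64 = base64.b64encode(to_spki_der(raw)).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


if __name__ == "__main__":
    print(to_spki_pem(ISSUE_KEY_RAW))
```

Pipe the printed PEM into `openssl pkey -pubin -text -noout` to confirm openssl reads it as a prime256v1 key.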

@oNaiPs

oNaiPs commented Sep 10, 2018

One advantage IMO is that you won't (Apple actually recommends this) need to store the public key in the keychain. You'd use SecKeyCopyPublicKey to get a reference to it and then you can use SecKeyCopyExternalRepresentation to get the data.

@hfossli
Contributor

hfossli commented Sep 10, 2018

Almost 2 years have passed since this issue was opened. SecKeyCopyPublicKey was quite new then and only available on iOS 10. Now it might be possible to drop support for iOS 9.
