Using the private key generated by DCAppAttestService
Apple released a way to attest generated key pairs on the iOS 14 beta, named Device Check App Attestation Service (DCAppAttestService).

I've already successfully generated a key pair like it is documented by apple:

DCAppAttestService.shared.generateKey { keyId, error in
   // guard must exit its scope; unwrap keyId at the same time
   guard error == nil, let keyId = keyId else {
      /* Handle the error. */
      return
   }

   // Cache keyId for subsequent operations (attestKey / generateAssertion).
}

After this call I get the keyId in the form of a string. But now I don't know if I'm missing something obvious or if it just isn't documented: I absolutely can't figure out how to use this key identifier to retrieve a reference to the associated private key.

I know the key itself is stored within the Secure Enclave and I can't directly get it. But I should be able to get a reference to it, a SecKey object, which I could use to sign or encrypt data with calls like

var error: Unmanaged<CFError>?
guard let signature = SecKeyCreateSignature(privateKey, self.algorithm, data as CFData, &error) as Data? else {
   /* Something went wrong */
   return
}

The DCAppAttestService itself doesn't provide any methods to interact with the key using the keyId (except the attestKey and generateAssertion methods). The mentioned attestKey method is also just returning a serverUnavailableError at the moment, as Apple themselves state in the release notes.

Does anybody have experience with this? How can I get a private key reference to effectively use it?

Hooligan answered 31/7, 2020 at 6:26
There is no other way to make use of the key pair. You can create an effective signature with the generateAssertion method. However, this is not a signature over your data alone, but a signature over your data (hash) plus some of Apple's data from the attestKey method. I have communicated in several ways with Apple about this; the answer is to use the generateAssertion method to do what you need. To be clear: you cannot obtain a reference to the key pair.

Embayment answered 28/3, 2022 at 21:33
When you say "However this not a signature over your data alone, but a signature over your data (hash) plus some of Apple's data from the attestKey method", what do you mean exactly by "your data"? Reading the documentation, I find no explicit mention that any data is being attested, rather, just that the key was generated by a known Secure Enclave (presumably, Apple has public keys of every secure enclave ever made in any of its manufacturing facilities?) – Ascription
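The flow the answer describes, as an added example (not code from the question, the answer, or Apple's documentation): the App Attest key is only ever addressed by its keyId, so there is no SecKey to pass to SecKeyCreateSignature; instead the app hashes the bytes it wants covered and hands that hash to attestKey (once) and generateAssertion (per request). The `AppAttestClient` type, the UserDefaults storage key, and the `challenge`/`payload` parameter names are assumptions for illustration, and the async overloads used here require iOS 15 (on iOS 14 the same calls take completion handlers). The server side, which validates the attestation object and later checks each assertion's signature over SHA256(authenticatorData || clientDataHash) with the public key it extracted from the attestation, is not shown.

```swift
import DeviceCheck
import CryptoKit
import Foundation

// Added example; names and storage choices below are assumptions.
enum AppAttestClientError: Error {
    case unsupported          // simulator, Mac Catalyst, or an unsupported device
}

final class AppAttestClient {
    private let service = DCAppAttestService.shared
    private let keyIdDefaultsKey = "appAttestKeyId"   // assumed; only the identifier is stored

    private var cachedKeyId: String? {
        get { UserDefaults.standard.string(forKey: keyIdDefaultsKey) }
        set { UserDefaults.standard.set(newValue, forKey: keyIdDefaultsKey) }
    }

    /// Step 1: generate the key pair (or reuse the cached identifier).
    /// generateKey returns only a String; the private key stays in the Secure Enclave.
    func keyId() async throws -> String {
        guard service.isSupported else { throw AppAttestClientError.unsupported }
        if let id = cachedKeyId { return id }
        let id = try await service.generateKey()
        cachedKeyId = id
        return id
    }

    /// Step 2: one-time attestation. `challenge` is a single-use value issued by the
    /// server; hashing it into clientDataHash binds the attestation object to it.
    func attest(challenge: Data) async throws -> Data {
        let id = try await keyId()
        let clientDataHash = Data(SHA256.hash(data: challenge))
        do {
            return try await service.attestKey(id, clientDataHash: clientDataHash)
        } catch let error as DCError where error.code == .invalidKey {
            // The key no longer exists (e.g. after a restore); forget it and let the
            // caller generate a fresh one rather than retrying with a dead identifier.
            cachedKeyId = nil
            throw error
        }
        // A DCError with code .serverUnavailable is transient: retry later, keep the key.
    }

    /// Step 3: per-request assertion. The resulting signature covers
    /// SHA256(authenticatorData || SHA256(payload)), not `payload` alone, which is why
    /// it cannot be treated as a plain ECDSA signature over your data.
    func assert(payload: Data) async throws -> Data {
        let id = try await keyId()
        let clientDataHash = Data(SHA256.hash(data: payload))
        return try await service.generateAssertion(id, clientDataHash: clientDataHash)
    }
}
```

In practice `payload` should include a fresh server-issued challenge alongside the request body, otherwise a captured assertion can be replayed; the server should also check that the counter inside authenticatorData is strictly greater than the last value it saw for that keyId.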
