encrypting/decrypting

[paleozogt]

According to Working with Secure Enclave, we can use kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM to do AES/GCM with a symmetric key that's wrapped by asymmetric (ECIES) encryption.

In investigating this, I added the following to generateKeyPairWithAccessControlObject of SecureEnclaveObjective-C:

  // kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM uses kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1
  BOOL canKeyExchange = SecKeyIsAlgorithmSupported(privateKeyRef,
                                                   kSecKeyOperationTypeKeyExchange,
                                                   kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1);
  NSLog(@"canKeyExchange %d", canKeyExchange);
    
  BOOL canEncrypt = SecKeyIsAlgorithmSupported(publicKeyRef,
                                               kSecKeyOperationTypeEncrypt,
                                               kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM);
  NSLog(@"canEncrypt %d", canEncrypt);
    
  BOOL canDecrypt = SecKeyIsAlgorithmSupported(privateKeyRef,
                                               kSecKeyOperationTypeDecrypt,
                                               kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM);
  NSLog(@"canDecrypt %d", canDecrypt);

which shows

canKeyExchange 1
canEncrypt 1
canDecrypt 0

I'm rather baffled by this-- how can encryption be supported while decryption isn't?

[paleozogt]

I realize this isn't exactly an issue with the SecureEnclaveCrypto project, since it only shows how to do signatures, but its the best code example I've found for using kSecAttrTokenIDSecureEnclave.

Also, having encrypt/decrypt in this project would be pretty useful. :)

[withzombies]

kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM is newer than the library. I'd have to look into it to give you a proper answer.

I do agree that a proper encrypt/decrypt implementation belongs in this project and I'll add it to the roadmap. However, this project moves very slowly so I can't give a timeline.

[paleozogt]

I opened a support issue with Apple and it turns out that

This is a known bug that was fixed in iOS 10.3. There is no good workaround for this bug, so your best option is to ask affected customers to upgrade to 10.3.

Additionally, on 10.3 there was a problem with decrypting large amounts of data with kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM. I filed a bug report for it, and it got fixed in iOS 11. :)