个人中心
gpt4 book ai didi

ios - 使用 EC key 签名时 SecKeyRawSign 返回 -50

转载 作者:可可西里 更新时间:2023-11-01 01:23:42 25 4
gpt4 key购买 nike

我正在尝试编写一个原型(prototype)来生成一组 Ecliptic Curve key (256 位),然后使用私钥签署一条消息。我有生成和管理运行良好的 key 的代码,但是当我尝试调用 SecKeyRawSign 时,出现 -50 errSecParam 错误。生成 key 的代码如下所示:

private func generateKeyPair() throws {
    var error: Unmanaged<CFError>? = nil
    let acl = SecAccessControlCreateWithFlags(nil, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
                                              [.touchIDAny, .privateKeyUsage], &error)

    guard error == nil else {
        throw MessageError(message: "Could not create ACL: \(error)")
    }

    // We don't want the public key stored in the ecure enclave, so we create it as
    // non permament and add it manually to the keychain later
    let publicKeyParameters: [CFString: Any] = [
        kSecAttrIsPermanent: false,
        kSecAttrApplicationTag: ViewController.KeyTag,
        kSecAttrLabel: ViewController.PublicLabel
    ]

    let privateKeyParameters: [CFString: Any] = [
        kSecAttrIsPermanent: true,
        kSecAttrApplicationTag: ViewController.KeyTag,
        kSecAttrLabel: ViewController.PrivateLabel,
        kSecAttrAccessControl: acl!
    ]

    var parameters: [CFString: Any] = [
        kSecAttrKeyType: kSecAttrKeyTypeEC,
        kSecAttrKeySizeInBits: NSNumber(value: 256),
        kSecPublicKeyAttrs: publicKeyParameters,
        kSecPrivateKeyAttrs: privateKeyParameters
    ]

    // On the simulator we can't use the Secure Enclave
    if hasSecureEnclave() {
        parameters[kSecAttrTokenID] = kSecAttrTokenIDSecureEnclave
    }

    var pubKeyRef, privKeyRef: SecKey?
    var result = SecKeyGeneratePair(parameters as CFDictionary, &pubKeyRef, &privKeyRef)
    guard result == noErr else {
        throw MessageError(message: "Could not create key pair: \(result)")
    }

    parameters = [
        kSecClass: kSecClassKey,
        kSecAttrKeyType: kSecAttrKeyTypeEC,
        kSecAttrApplicationTag: ViewController.KeyTag,
        kSecAttrLabel: ViewController.PublicLabel,
        kSecAttrKeyClass: kSecAttrKeyClassPublic,
        kSecValueRef: pubKeyRef!
    ]

    result = SecItemAdd(parameters as CFDictionary, nil)
    guard result == noErr else {
        throw MessageError(message: "Could not add public key to keychain: \(result)")
    }
}

签名代码如下所示:

private func signWithPrivateKey(_ text: String, _ key: SecKey) throws -> String? {
    var digest = Data(count: Int(CC_SHA256_DIGEST_LENGTH))
    let data = text.data(using: .utf8)!

    let _ = digest.withUnsafeMutableBytes { digestBytes in
        data.withUnsafeBytes { dataBytes in
            CC_SHA256(dataBytes, CC_LONG(data.count), digestBytes)
        }
    }

    var signature = Data(count: SecKeyGetBlockSize(key))
    var signatureLength = signature.count

    let result = signature.withUnsafeMutableBytes { signatureBytes in
        digest.withUnsafeBytes { digestBytes in
            SecKeyRawSign(key,
                          SecPadding.PKCS1SHA256,
                          digestBytes,
                          digest.count,
                          signatureBytes,
                          &signatureLength)
        }
    }

    guard result == noErr else {
        throw MessageError(message: "Could not sign data: \(result)")
    }

    return signature.base64EncodedString()
}

很明显,sign 函数中的最后一个守卫被触发了,它返回了 errSecParam。

有人使用 EC key 在 iOS 中成功完成数据签名吗?如果是这样,你在这里看到任何明显的东西吗?切线地有没有办法获得有关错误本身的更多信息。

编辑:要添加一个重要的细节,如果我只更改此代码以生成 2048 位 RSA key ,则代码可以正常工作。生成 key 并签署消息。只有 256 位 EC key 才会失败。有没有其他方法可以在 iOS 中执行 ECDSA?

最佳答案

我解决了这个问题。我为保存签名而创建的缓冲区太小。我改成使用 SecKeyGetBlockSize() * 4,然后在调用后将缓冲区减少到 signatureLenght。此时我唯一的问题是是否有更好的方法计算长度(除了调用 SecKeyRawSign,让它失败,然后将缓冲区大小调整为返回的大小)。

新的标志代码如下所示:

private func signWithPrivateKey(_ text: String, _ key: SecKey) throws -> String? {
    var digest = Data(count: Int(CC_SHA256_DIGEST_LENGTH))
    let data = text.data(using: .utf8)!

    let _ = digest.withUnsafeMutableBytes { digestBytes in
        data.withUnsafeBytes { dataBytes in
            CC_SHA256(dataBytes, CC_LONG(data.count), digestBytes)
        }
    }

    var signature = Data(count: SecKeyGetBlockSize(key) * 4)
    var signatureLength = signature.count

    let result = signature.withUnsafeMutableBytes { signatureBytes in
        digest.withUnsafeBytes { digestBytes in
            SecKeyRawSign(key,
                          SecPadding.PKCS1SHA256,
                          digestBytes,
                          digest.count,
                          signatureBytes,
                          &signatureLength)
        }
    }

    let count = signature.count - signatureLength
    signature.removeLast(count)

    guard result == noErr else {
        throw MessageError(message: "Could not sign data: \(result)")
    }

    return signature.base64EncodedString()
}

关于ios - 使用 EC key 签名时 SecKeyRawSign 返回 -50,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/42400043/

25 4 0
文章推荐: ios - 如何同步数据源更新与线程安全的 TableView 重新加载?
文章推荐: javascript - react 中没有构造函数的初始状态
文章推荐: java - 使用多个源文件夹(作为将大型 Java 项目转换为 Maven 的中间步骤)
文章推荐: javascript - 向 React(create-react-app) 添加静默更新入口点
可可西里
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
全站热门文章
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com