I'm currently trying to generate and store a private key and protect this key with Local Authentication using the Security framework (not CryptoKit; unfortunately, I still need to support below iOS 13).
To be more precise, I am trying to generate a Secure Enclave private key protected by Local Authentication (using access control with biometryAny), but I'm not able to trigger Local Authentication when retrieving the key. The Secure Enclave key is successfully generated (I confirmed that), and I also confirmed that if I create a key without kSecAttrTokenID, exactly the same code triggers Local Authentication when reading the generated key.
Following is what I'm doing in my code:
import Security

// Key generation query (attributes that apply to the key pair as a whole)
var query = [String: Any]()
query[String(kSecAttrKeyType)] = String(kSecAttrKeyTypeEC)
query[String(kSecAttrKeySizeInBits)] = 256
query[String(kSecAttrAccessGroup)] = "accessGroup"                      // placeholder access group
query[String(kSecAttrTokenID)] = String(kSecAttrTokenIDSecureEnclave)  // keep the private key in the Secure Enclave

// Key Attributes (apply to the private key only)
var keyAttr = [String: Any]()
keyAttr[String(kSecAttrIsPermanent)] = true
// kSecAttrApplicationTag expects Data rather than a String
keyAttr[String(kSecAttrApplicationTag)] = "applicationTag".data(using: .utf8)!
// Access control: key usable only when the device is unlocked and the user passes biometry
var acError: Unmanaged<CFError>?
guard let accessControl = SecAccessControlCreateWithFlags(kCFAllocatorDefault, kSecAttrAccessibleWhenUnlockedThisDeviceOnly, .biometryAny, &acError) else {
    fatalError("SecAccessControlCreateWithFlags failed: \(String(describing: acError?.takeRetainedValue()))")
}
keyAttr[String(kSecAttrAccessControl)] = accessControl
query[String(kSecPrivateKeyAttrs)] = keyAttr

// Generate Key
var error: Unmanaged<CFError>?
let privateKey = SecKeyCreateRandomKey(query as CFDictionary, &error)
If I remove the line "query[String(kSecAttrTokenID)] = String(kSecAttrTokenIDSecureEnclave)", which basically tells the system to generate the key using the Secure Enclave, retrieving the generated key triggers Local Authentication, but with that Secure Enclave flag, Local Authentication is never triggered.
Is it not triggering Local Authentication because the Secure Enclave key is already protected with the same level of security, or am I missing something here?
By the way, I tried with .userPresence and .biometryCurrentSet for Secure Enclave, but still had no luck. :(
Any advice would be greatly appreciated.
Thanks,
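Added example (editor's code, not the poster's) showing the full lifecycle of a Secure Enclave signing key with the Security framework: generate it, look it up again on a later launch, sign a challenge and verify the signature. Two points the example makes concrete: Apple's documentation requires the .privateKeyUsage flag in the access control of a Secure Enclave key, and for such a key the access control is enforced on the private-key operation (SecKeyCreateSignature), which is where the system shows the biometric prompt; the keychain lookup only hands back an opaque reference. The LAContext attached through kSecUseAuthenticationContext supplies the prompt's reason string. The tag, reason string and challenge bytes are constructed values for this example.

```swift
import Foundation
import Security
import LocalAuthentication

// Constructed identifier for this example (not from the original post).
let keyTag = "com.example.se-signing-key".data(using: .utf8)!

enum SecureEnclaveKeyError: Error {
    case accessControl(CFError?)
    case generation(CFError?)
    case lookup(OSStatus)
    case signing(CFError?)
}

// Generate a P-256 private key inside the Secure Enclave. The access control
// carries .privateKeyUsage (required for Secure Enclave keys) plus .biometryAny,
// so every private-key operation must be approved by the user.
func generateSecureEnclaveKey() throws -> SecKey {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        [.privateKeyUsage, .biometryAny],
        &cfError) else {
        throw SecureEnclaveKeyError.accessControl(cfError?.takeRetainedValue())
    }
    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: keyTag,
            kSecAttrAccessControl as String: access,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &cfError) else {
        throw SecureEnclaveKeyError.generation(cfError?.takeRetainedValue())
    }
    return key
}

// Fetch the key reference on a later launch. For a Secure Enclave key this
// returns an opaque handle; the lookup itself does not prompt the user.
func loadSecureEnclaveKey(context: LAContext) throws -> SecKey {
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrApplicationTag as String: keyTag,
        kSecReturnRef as String: true,
        kSecUseAuthenticationContext as String: context,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let ref = item else {
        throw SecureEnclaveKeyError.lookup(status)
    }
    return ref as! SecKey
}

// Sign a message. This is the operation the access control guards, so the
// biometric prompt (showing context.localizedReason) appears here.
func sign(_ message: Data, with key: SecKey) throws -> Data {
    var cfError: Unmanaged<CFError>?
    guard let signature = SecKeyCreateSignature(
        key, .ecdsaSignatureMessageX962SHA256, message as CFData, &cfError) else {
        throw SecureEnclaveKeyError.signing(cfError?.takeRetainedValue())
    }
    return signature as Data
}

// Verification uses the public half of the pair and needs no user approval.
func verify(_ signature: Data, for message: Data, with privateKey: SecKey) -> Bool {
    guard let publicKey = SecKeyCopyPublicKey(privateKey) else { return false }
    return SecKeyVerifySignature(
        publicKey, .ecdsaSignatureMessageX962SHA256, message as CFData, signature as CFData, nil)
}

// Usage on a device with biometry enrolled:
// let context = LAContext()
// context.localizedReason = "Sign the login challenge"   // hypothetical reason string
// let key = (try? loadSecureEnclaveKey(context: context)) ?? (try! generateSecureEnclaveKey())
// let challenge = Data("constructed-server-nonce".utf8)
// let sig = try sign(challenge, with: key)   // the Face ID / Touch ID prompt happens here
// assert(verify(sig, for: challenge, with: key))
```

The design keeps the reason string on the LAContext rather than on the query so the same context can be reused across several signatures within its validity window, and it never exports the private key: the only things that leave the Secure Enclave are the public key and the signature.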