Hello,
I'm exploring the Secure Enclave APIs, and I'm wondering if it's possible to "cryptographically" determine if a block of data was signed on the Secure Enclave.
When I sign a block of data using the Secure Enclave (which implies using a key pair automatically generated by the enclave) and distribute the public key to others, is there any way to verify if the message was encrypted on it / its private key was generated by it? In other words, what I'm trying to achieve is to make sure that the public key hasn't been tampered with until it reaches its destination (including on-device threats, since otherwise I could've used a normal keychain item, perhaps?).
For the purpose of this example, I'm not necessarily interested in figuring out if the key was signed on a certain device's enclave, but rather on any Secure Enclave. So, using something derived from the enclave's GID Key (described in the Apple Platform Security guide) would work for this.
I don’t see how that’d even be theoretically possible. When you signed on the SE, the signing key is a standard P-256 key. The signature it produces will be the same format as a signature produced by any other P-256 key. The only difference is that this specific P-256 key is only accessible to the SE.
what I'm trying to achieve is to make sure that the public key hasn't been tampered with until it reaches its destination
I recommend that you explore App Attest.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
