Apple released a way to attest generated key pairs on the iOS 14 beta, named Device Check App Attestation Service (DCAppAttestService).
I've already successfully generated a key pair like it is documented by apple:
DCAppAttestService.shared.generateKey { keyId, error in
guard error == nil else { /* Handle the error. */ }
// Cache keyId for subsequent operations.
}
After this call I get the keyId in form of a string. But now I don't know if I'm missing something obvious or if it just isn't documented: I absolutely can't figure out how to use this key identifier to retrieve a reference to the associated private key.
I know the itself is stored within the Secure Enclave and I can't directly get it. But I should be able to get a reference of it, a SecKey object, which I could use to sign or encrypt data with calls like
var error: Unmanaged<CFError>?
guard let signature = SecKeyCreateSignature(privateKey, self.algorithm, data as CFData, &error) as Data? else {
/* Something went wrong */
return
}
The DCAppAttestationService itself doesn't provide any methods to interact with the key using the keyId (except the attestKey and generateAssertion methods). The mentioned attestKey method is also just returning a serverUnavailableError at the moment, as Apple themselves state in the release notes.
Does anybody have experience with this? How can I get a private key reference to effectively use it?
There is no other way to make use of the key-pair. You can create an effective signature with the generateAssertion method. However this not a signature over your data alone, but a signature over your data (hash) plus some of Apple's data from the attestKey method. I have communicated in several ways with Apple about this, the answer is to use the generateAssertion method to do what you need. To be clear: you cannot obtain a reference to the key-pair.