Using the private key generated by DCAppAttestService


Apple released a way to attest generated key pairs on the iOS 14 beta, named Device Check App Attestation Service (DCAppAttestService).

I've already successfully generated a key pair as documented by Apple:

import DeviceCheck

// Generates a new App Attest key pair in the Secure Enclave; only the keyId
// (an opaque string) is handed back to the app.
DCAppAttestService.shared.generateKey { keyId, error in
   guard error == nil, let keyId = keyId else { /* Handle the error. */ return }

   // Cache keyId for subsequent operations (attestKey / generateAssertion).
}

After this call I get the keyId in the form of a string. But now I don't know if I'm missing something obvious or if it just isn't documented: I absolutely can't figure out how to use this key identifier to retrieve a reference to the associated private key.

I know the key itself is stored within the Secure Enclave and I can't directly get it. But I should be able to get a reference to it, a SecKey object, which I could use to sign or encrypt data with calls like

import Security

// privateKey is a SecKey reference and self.algorithm a SecKeyAlgorithm
// (e.g. .ecdsaSignatureMessageX962SHA256); data is the payload to sign.
var error: Unmanaged<CFError>?
guard let signature = SecKeyCreateSignature(privateKey, self.algorithm, data as CFData, &error) as Data? else {
   /* Something went wrong; inspect error?.takeRetainedValue() */
   return
}

The DCAppAttestService itself doesn't provide any methods to interact with the key using the keyId (except the attestKey and generateAssertion methods). The mentioned attestKey method is also just returning a serverUnavailableError at the moment, as Apple themselves state in the release notes.

Does anybody have experience with this? How can I get a private key reference to effectively use it?

1 answer

Randix

There is no other way to make use of the key pair. You can create an effective signature with the generateAssertion method. However, this is not a signature over your data alone, but a signature over your data (hash) plus some of Apple's data from the attestKey method. I have communicated in several ways with Apple about this; the answer is to use the generateAssertion method to do what you need. To be clear: you cannot obtain a reference to the key pair.
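The flow the answer describes, as an added example that is not part of the original question or answer: since the private key never leaves the Secure Enclave and no SecKey reference is available, the only way to "sign" with it is to hash your payload and hand that hash to generateAssertion (after a one-time attestKey call that binds the key to a server challenge). The UserDefaults key used to cache the keyId, the challenge and payload framing, and the Result-based wrapper are assumptions; only the DCAppAttestService calls themselves are Apple's API.

```swift
import Foundation
import CryptoKit
import DeviceCheck

/// Added example, not Apple's or the asker's code. Wraps the App Attest flow:
/// one key per install, one attestKey call against a server nonce, and one
/// generateAssertion per request in place of SecKeyCreateSignature.
final class AppAttestSigner {
    private let service = DCAppAttestService.shared
    private let keyIdStorageKey = "appattest.keyId"   // assumed cache location

    enum SignerError: Error { case unsupported, emptyResult }

    /// Returns the cached keyId, generating a Secure Enclave key on first use.
    func loadOrCreateKeyId(completion: @escaping (Result<String, Error>) -> Void) {
        guard service.isSupported else { return completion(.failure(SignerError.unsupported)) }
        if let cached = UserDefaults.standard.string(forKey: keyIdStorageKey) {
            return completion(.success(cached))
        }
        service.generateKey { keyId, error in
            if let error = error { return completion(.failure(error)) }
            guard let keyId = keyId else { return completion(.failure(SignerError.emptyResult)) }
            UserDefaults.standard.set(keyId, forKey: self.keyIdStorageKey)
            completion(.success(keyId))
        }
    }

    /// One-time attestation. `challenge` is a nonce issued by your server; the
    /// returned attestation object goes back to the server for verification.
    func attest(challenge: Data, completion: @escaping (Result<Data, Error>) -> Void) {
        loadOrCreateKeyId { result in
            switch result {
            case .failure(let error):
                completion(.failure(error))
            case .success(let keyId):
                let clientDataHash = Data(SHA256.hash(data: challenge))
                self.service.attestKey(keyId, clientDataHash: clientDataHash) { attestation, error in
                    if let error = error { return completion(.failure(error)) }
                    guard let attestation = attestation else { return completion(.failure(SignerError.emptyResult)) }
                    completion(.success(attestation))
                }
            }
        }
    }

    /// Per-request "signature". The assertion covers SHA256(payload) together
    /// with Apple's authenticator data, not the payload alone, so the server
    /// must recompute the same hash from the payload it received to verify it.
    func sign(payload: Data, completion: @escaping (Result<Data, Error>) -> Void) {
        loadOrCreateKeyId { result in
            switch result {
            case .failure(let error):
                completion(.failure(error))
            case .success(let keyId):
                let clientDataHash = Data(SHA256.hash(data: payload))
                self.service.generateAssertion(keyId, clientDataHash: clientDataHash) { assertion, error in
                    if let error = error { return completion(.failure(error)) }
                    guard let assertion = assertion else { return completion(.failure(SignerError.emptyResult)) }
                    completion(.success(assertion))
                }
            }
        }
    }
}
```

Two practical caveats: an assertion only proves that this app instance produced this exact payload, so the payload you hash should carry a server-issued nonce (otherwise a captured assertion can be replayed), and the attestation object from attest(challenge:) has to be verified and stored server-side before any assertion from that keyId is trusted, because the assertion alone does not identify the app or device.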