Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Apple Secure Enclave Support #45

Open
ravenium opened this issue Aug 4, 2023 · 3 comments
Open

Apple Secure Enclave Support #45

ravenium opened this issue Aug 4, 2023 · 3 comments

Comments

@ravenium
Copy link

ravenium commented Aug 4, 2023

Hello,

I suspect this may be a neighbor/relative of #36 , but it would be nice to implement usage of the secure enclave in order to leverage TouchID on Macs.

There is already a project that has a PoC of this, so it's definitely possible.

Basically, you need to use something like Secretive to stand up an ssh agent that communicates with the SE. The PoC above has a subcommand that takes the raw public key and uses it to create a cert for use with IAM Roles Anywhere.

While the actual cert creation is probably out of scope for this feature, it would be nice to have a flag/format that could tell it when a private key is in the SE (or even just via the ssh agent).
@dwmw2
Copy link
Contributor

dwmw2 commented Aug 4, 2023

Can this be done through PKCS#11?

@ravenium
Copy link
Author

ravenium commented Aug 5, 2023

Possibly, but I think one would have to write a PKCS11 module for the Secure Enclave and it doesn't appear that one exists at the moment (Near as I can tell).

The way the PoC appears to work is it runs sign operations through the SSH Agent (agent package in go, client) and Secretive just so happens to run its own that talks to the SE.

Most SE implementations I've seen are Swift or Objective C, but I'll keep looking!

@udf2457
Copy link

udf2457 commented Sep 26, 2023
edited
Loading

I'm no expert, only someone who has occasionally vaguely researched the topic for their own interest. But I never tried coding anything, mostly becuase I don't speak Swift or Objective C and was hoping to find a way to do it in something else (e.g. Go or Rust).

My understanding is that broadly access to Apple Secure Enclave is further segregated by developer so as to combat the possibility of one developer gaining access to another's key output. And so this is ultimately the reason for the Swift/Objective C interface because of the root-of-trust flows (i.e. code signing required).

IIRC CryptoTokenKit has integrations with both SE and Keychain and so could potentially provide an interesting bridge between SE and reuse of existing code on this project for keychain ?

There is also an alternative approach mentioned on this Apple forum post.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ravenium @dwmw2 @udf2457