{"componentChunkName":"component---src-templates-tag-js","path":"/tags/private-key/","result":{"data":{"site":{"siteMetadata":{"title":"LoginRadius Blog"}},"allMarkdownRemark":{"totalCount":1,"edges":[{"node":{"fields":{"slug":"/engineering/secure-enclave-ios-app/"},"html":"<h2 id=\"introduction\" style=\"position:relative;\"><a href=\"#introduction\" aria-label=\"introduction permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Introduction</h2>\n<p>The Secure Enclave is a hardware-based key manager that’s isolated from the main processor to provide an extra layer of security. Using a secure enclave, we can create the key, securely store the key, and perform operations with the key. Thus makes it difficult for the key to be compromised. </p>\n<p>We usually save data persistently in the app using UserDefaults, Keychain, Core Data or SQLite.\nFor example, To save the session of logged in user, we save username and password. But this process puts our data at high-security risk. So it's always recommended to store sensitive data in an encrypted format. But again, it's a challenge to secure keys used in encryption/decryption.</p>\n<p><img src=\"/52c5d8e0a1d8ee7238f2080cc0689c39/image2.webp\" alt=\"Secure Enclave\"></p>\n<p>Now here <strong>Secure Enclave</strong> comes in the role. </p>\n<p>In this blog, we will use Secure Enclave to generate key pair and use those in encryption/decryption of sensitive data further.</p>\n<p>Here I will create a wrapper to generate key pair using Secure Enclave and use them to encrypt/decrypt sensitive data. And also a viewcontroller to show how to use a wrapper to get encrypted and decrypted data.\nYou may implement wrapper's methods as common methods and use wherever needed in the project. But its recommended to use a separate wrapper for handling communication with Secure Enclave.</p>\n<h2 id=\"wrapper\" style=\"position:relative;\"><a href=\"#wrapper\" aria-label=\"wrapper permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Wrapper</h2>\n<p> I have created .h and .m files named as SecEnclaveWrapper as a subclass of NSObject.\nIn .h file I am declaring function for being accessible from other classes like: </p>\n<pre class=\"grvsc-container dark-default-dark\" data-language=\"objective-c\" data-index=\"0\"><code class=\"grvsc-code\"><span class=\"grvsc-line\"><span class=\"mtk3\">/**</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk3\">Return encrypted value of data using kSecKeyAlgorithmECIESEncryptionStandardX963SHA256AESGCM algo</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk3\">*/</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">- (</span><span class=\"mtk10\">NSData</span><span class=\"mtk1\"> *_Nonnull)encryptData:(</span><span class=\"mtk10\">NSData</span><span class=\"mtk1\"> *_Nonnull)data ;</span></span>\n<span class=\"grvsc-line\"></span>\n<span class=\"grvsc-line\"><span class=\"mtk3\">/**</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk3\">Return decryrpted data of encrypted data  using kSecKeyAlgorithmECIESEncryptionStandardX963SHA256AESGCM algo</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk3\">*/</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">- (</span><span class=\"mtk10\">NSData</span><span class=\"mtk1\"> *_Nonnull)decryptData:(</span><span class=\"mtk10\">NSData</span><span class=\"mtk1\"> *_Nonnull)data ;</span></span>\n<span class=\"grvsc-line\"></span>\n<span class=\"grvsc-line\"><span class=\"mtk3\">/**</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk3\">Return an initialized instance of the wrapper</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk3\">*/</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">- (</span><span class=\"mtk4\">instancetype</span><span class=\"mtk1\">)init;</span></span></code></pre>\n<p>Then in .m file, define the following methods as : </p>\n<p>The method <code>init</code> initializes and returns the object of this wrapper class. And 'encryptData' and 'decryptData' method return encrypted data and decrypted data of encrypted data, respectively.</p>\n<pre class=\"grvsc-container dark-default-dark\" data-language=\"objective-c\" data-index=\"1\"><code class=\"grvsc-code\"><span class=\"grvsc-line\"><span class=\"mtk1\">- (</span><span class=\"mtk4\">instancetype</span><span class=\"mtk1\">)init {</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    self = [super init];</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk15\">if</span><span class=\"mtk1\">(![self lookupPublicKeyRef] || ![self lookupPrivateKeyRef])</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        [self generatePasscodeKeyPair];</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk15\">return</span><span class=\"mtk1\"> self;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">}</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">- (</span><span class=\"mtk10\">NSData</span><span class=\"mtk1\"> *)encryptData:(</span><span class=\"mtk10\">NSData</span><span class=\"mtk1\"> *)data {</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk15\">if</span><span class=\"mtk1\"> (data && </span><span class=\"mtk12\">data</span><span class=\"mtk1\">.</span><span class=\"mtk12\">length</span><span class=\"mtk1\">) {</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        CFDataRef cipher = </span><span class=\"mtk11\">SecKeyCreateEncryptedData</span><span class=\"mtk1\">(publicKeyRef, kSecKeyAlgorithmECIESEncryptionStandardX963SHA256AESGCM, (CFDataRef)data, </span><span class=\"mtk4\">nil</span><span class=\"mtk1\">);</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        </span><span class=\"mtk15\">return</span><span class=\"mtk1\"> (__bridge </span><span class=\"mtk10\">NSData</span><span class=\"mtk1\"> *)cipher;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    } </span><span class=\"mtk15\">else</span><span class=\"mtk1\"> {</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        </span><span class=\"mtk15\">return</span><span class=\"mtk1\"> </span><span class=\"mtk4\">nil</span><span class=\"mtk1\">;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    }</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">}</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">- (</span><span class=\"mtk10\">NSData</span><span class=\"mtk1\">*)decryptData:(</span><span class=\"mtk10\">NSData</span><span class=\"mtk1\"> *)data {</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk15\">if</span><span class=\"mtk1\">(data && </span><span class=\"mtk12\">data</span><span class=\"mtk1\">.</span><span class=\"mtk12\">length</span><span class=\"mtk1\">){</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        CFDataRef plainData = </span><span class=\"mtk11\">SecKeyCreateDecryptedData</span><span class=\"mtk1\">(privateKeyRef, kSecKeyAlgorithmECIESEncryptionStandardX963SHA256AESGCM, (CFDataRef)data, </span><span class=\"mtk4\">nil</span><span class=\"mtk1\">);</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        </span><span class=\"mtk15\">return</span><span class=\"mtk1\">  (__bridge </span><span class=\"mtk10\">NSData</span><span class=\"mtk1\"> *)plainData;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    }</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk15\">else</span><span class=\"mtk1\"> {</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        </span><span class=\"mtk15\">return</span><span class=\"mtk1\"> </span><span class=\"mtk4\">nil</span><span class=\"mtk1\">;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    }</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">}</span></span></code></pre>\n<p>The 'lookupPublicKeyRef' method below will lookup keychain for public key &#x26; 'lookupPrivateKeyRef' method search for the private key and return key if found.</p>\n<pre class=\"grvsc-container dark-default-dark\" data-language=\"objective-c\" data-index=\"2\"><code class=\"grvsc-code\"><span class=\"grvsc-line\"><span class=\"mtk1\">- (SecKeyRef) lookupPublicKeyRef</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">{</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk10\">OSStatus</span><span class=\"mtk1\"> sanityCheck = noErr;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk10\">NSData</span><span class=\"mtk1\"> *tag;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk4\">id</span><span class=\"mtk1\"> keyClass;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk15\">if</span><span class=\"mtk1\"> (publicKeyRef != </span><span class=\"mtk4\">NULL</span><span class=\"mtk1\">) {</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        </span><span class=\"mtk3\">// if already resides in memory, return</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        </span><span class=\"mtk15\">return</span><span class=\"mtk1\"> publicKeyRef;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    }</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    tag = [kPublicKeyName dataUsingEncoding:NSUTF8StringEncoding];</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    keyClass = (__bridge </span><span class=\"mtk4\">id</span><span class=\"mtk1\">) kSecAttrKeyClassPublic;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk10\">NSDictionary</span><span class=\"mtk1\"> *queryDict = @{</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        (__bridge </span><span class=\"mtk4\">id</span><span class=\"mtk1\">) kSecClass : (__bridge </span><span class=\"mtk4\">id</span><span class=\"mtk1\">) kSecClassKey,</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        (__bridge </span><span class=\"mtk4\">id</span><span class=\"mtk1\">) kSecAttrKeyType : (__bridge </span><span class=\"mtk4\">id</span><span class=\"mtk1\">) kSecAttrKeyTypeEC,</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        (__bridge </span><span class=\"mtk4\">id</span><span class=\"mtk1\">) kSecAttrApplicationTag : tag,</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        (__bridge </span><span class=\"mtk4\">id</span><span class=\"mtk1\">) kSecAttrKeyClass : keyClass,</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        (__bridge </span><span class=\"mtk4\">id</span><span class=\"mtk1\">) kSecReturnRef : (__bridge </span><span class=\"mtk4\">id</span><span class=\"mtk1\">) kCFBooleanTrue</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    };</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk3\">//else look key in keychain and return</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    sanityCheck = </span><span class=\"mtk11\">SecItemCopyMatching</span><span class=\"mtk1\">((__bridge CFDictionaryRef) queryDict, (CFTypeRef *) &publicKeyRef);</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk15\">if</span><span class=\"mtk1\"> (sanityCheck != errSecSuccess) {</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        </span><span class=\"mtk11\">NSLog</span><span class=\"mtk1\">(</span><span class=\"mtk8\">@&quot;Error trying to retrieve key from server.  sanityCheck: %d&quot;</span><span class=\"mtk1\">, (</span><span class=\"mtk4\">int</span><span class=\"mtk1\">)sanityCheck);</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    }</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk15\">return</span><span class=\"mtk1\"> publicKeyRef;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">}</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">- (SecKeyRef) lookupPrivateKeyRef</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">{</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    CFMutableDictionaryRef getPrivateKeyRef = newCFDict;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk11\">CFDictionarySetValue</span><span class=\"mtk1\">(getPrivateKeyRef, kSecClass, kSecClassKey);</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk11\">CFDictionarySetValue</span><span class=\"mtk1\">(getPrivateKeyRef, kSecAttrKeyClass, kSecAttrKeyClassPrivate);</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk11\">CFDictionarySetValue</span><span class=\"mtk1\">(getPrivateKeyRef, kSecAttrLabel, kPrivateKeyName);</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk11\">CFDictionarySetValue</span><span class=\"mtk1\">(getPrivateKeyRef, kSecReturnRef, kCFBooleanTrue);</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk10\">OSStatus</span><span class=\"mtk1\"> status = </span><span class=\"mtk11\">SecItemCopyMatching</span><span class=\"mtk1\">(getPrivateKeyRef, (CFTypeRef *)&privateKeyRef);</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk15\">if</span><span class=\"mtk1\"> (status == errSecItemNotFound)</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        </span><span class=\"mtk15\">return</span><span class=\"mtk1\"> </span><span class=\"mtk4\">nil</span><span class=\"mtk1\">;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk15\">return</span><span class=\"mtk1\"> (SecKeyRef)privateKeyRef;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">}</span></span></code></pre>\n<p>The following methods will actually deal with Secure Enclave to generate a private key and public key.</p>\n<pre class=\"grvsc-container dark-default-dark\" data-language=\"objective-c\" data-index=\"3\"><code class=\"grvsc-code\"><span class=\"grvsc-line\"><span class=\"mtk1\">- (</span><span class=\"mtk4\">bool</span><span class=\"mtk1\">) generatePasscodeKeyPair</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">{</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    CFErrorRef error = </span><span class=\"mtk4\">NULL</span><span class=\"mtk1\">;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    SecAccessControlRef sacObject = </span><span class=\"mtk11\">SecAccessControlCreateWithFlags</span><span class=\"mtk1\">(</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">                                                                    kCFAllocatorDefault,</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">                                                                    kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">                                                                    kSecAccessControlPrivateKeyUsage,</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">                                                                    &error</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">                                                                    );</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk15\">if</span><span class=\"mtk1\"> (error != errSecSuccess) {</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        </span><span class=\"mtk11\">NSLog</span><span class=\"mtk1\">(</span><span class=\"mtk8\">@&quot;Generating key pair, error: %@</span><span class=\"mtk6\">\\n</span><span class=\"mtk8\">&quot;</span><span class=\"mtk1\">, error);</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    }</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk15\">return</span><span class=\"mtk1\"> [self generateKeyPairWithAccessControlObject:sacObject];</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">}</span></span>\n<span class=\"grvsc-line\"></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">- (</span><span class=\"mtk4\">bool</span><span class=\"mtk1\">) generateKeyPairWithAccessControlObject:(SecAccessControlRef)accessControlRef</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">{</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk3\">// create dictionary of private key </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    CFMutableDictionaryRef accessControlDict = newCFDict;;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk15\">#if</span><span class=\"mtk4\"> </span><span class=\"mtk1\">!</span><span class=\"mtk11\">TARGET_IPHONE_SIMULATOR</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk11\">CFDictionaryAddValue</span><span class=\"mtk1\">(accessControlDict, kSecAttrAccessControl, accessControlRef);</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk15\">#endif</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk11\">CFDictionaryAddValue</span><span class=\"mtk1\">(accessControlDict, kSecAttrIsPermanent, kCFBooleanTrue);</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk11\">CFDictionaryAddValue</span><span class=\"mtk1\">(accessControlDict, kSecAttrLabel, kPrivateKeyName);</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk3\">// create dictionary for saving key into keychain</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    CFMutableDictionaryRef generatePairRef = newCFDict;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk15\">#if</span><span class=\"mtk4\"> </span><span class=\"mtk1\">!</span><span class=\"mtk11\">TARGET_IPHONE_SIMULATOR</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk11\">CFDictionaryAddValue</span><span class=\"mtk1\">(generatePairRef, kSecAttrTokenID, kSecAttrTokenIDSecureEnclave);</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk15\">#endif</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk11\">CFDictionaryAddValue</span><span class=\"mtk1\">(generatePairRef, kSecAttrKeyType, kSecAttrKeyTypeEC);</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk11\">CFDictionaryAddValue</span><span class=\"mtk1\">(generatePairRef, kSecAttrKeySizeInBits, (__bridge </span><span class=\"mtk4\">const</span><span class=\"mtk1\"> </span><span class=\"mtk4\">void</span><span class=\"mtk1\"> *)([</span><span class=\"mtk10\">NSNumber</span><span class=\"mtk1\"> numberWithInt:</span><span class=\"mtk7\">256</span><span class=\"mtk1\">]));</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk11\">CFDictionaryAddValue</span><span class=\"mtk1\">(generatePairRef, kSecPrivateKeyAttrs, accessControlDict);</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk10\">OSStatus</span><span class=\"mtk1\"> status = </span><span class=\"mtk11\">SecKeyGeneratePair</span><span class=\"mtk1\">(generatePairRef, &publicKeyRef, &privateKeyRef);</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk15\">if</span><span class=\"mtk1\"> (status != errSecSuccess){</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        </span><span class=\"mtk11\">NSLog</span><span class=\"mtk1\">(</span><span class=\"mtk8\">@&quot;Error trying to retrieve key from server.  sanityCheck: %d&quot;</span><span class=\"mtk1\">, (</span><span class=\"mtk4\">int</span><span class=\"mtk1\">)status);</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        </span><span class=\"mtk15\">return</span><span class=\"mtk1\"> </span><span class=\"mtk4\">NO</span><span class=\"mtk1\">;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    }</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    [self savePublicKeyFromRef:publicKeyRef];</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk15\">return</span><span class=\"mtk1\"> </span><span class=\"mtk4\">YES</span><span class=\"mtk1\">;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">}</span></span></code></pre>\n<p>The private key is generated and stored in Secure Enclave which cannot be directly used. Whereas public key have to be stored manually in keychain by following method.</p>\n<pre class=\"grvsc-container dark-default-dark\" data-language=\"objective-c\" data-index=\"4\"><code class=\"grvsc-code\"><span class=\"grvsc-line\"><span class=\"mtk1\">- (</span><span class=\"mtk4\">bool</span><span class=\"mtk1\">) savePublicKeyFromRef:(SecKeyRef)publicKeyRef</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">{   </span><span class=\"mtk10\">OSStatus</span><span class=\"mtk1\"> sanityCheck = noErr;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk10\">NSData</span><span class=\"mtk1\"> *tag;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk4\">id</span><span class=\"mtk1\"> keyClass;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    tag = [kPublicKeyName dataUsingEncoding:NSUTF8StringEncoding];</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    keyClass = (__bridge </span><span class=\"mtk4\">id</span><span class=\"mtk1\">) kSecAttrKeyClassPublic;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk10\">NSDictionary</span><span class=\"mtk1\"> *saveDict = @{</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        (__bridge </span><span class=\"mtk4\">id</span><span class=\"mtk1\">) kSecClass : (__bridge </span><span class=\"mtk4\">id</span><span class=\"mtk1\">) kSecClassKey,</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        (__bridge </span><span class=\"mtk4\">id</span><span class=\"mtk1\">) kSecAttrKeyType : (__bridge </span><span class=\"mtk4\">id</span><span class=\"mtk1\">) kSecAttrKeyTypeEC,</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        (__bridge </span><span class=\"mtk4\">id</span><span class=\"mtk1\">) kSecAttrApplicationTag : tag,</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        (__bridge </span><span class=\"mtk4\">id</span><span class=\"mtk1\">) kSecAttrKeyClass : keyClass,</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        (__bridge </span><span class=\"mtk4\">id</span><span class=\"mtk1\">) kSecValueData : (__bridge </span><span class=\"mtk10\">NSData</span><span class=\"mtk1\"> *)</span><span class=\"mtk11\">SecKeyCopyExternalRepresentation</span><span class=\"mtk1\">(publicKeyRef,</span><span class=\"mtk4\">nil</span><span class=\"mtk1\">),</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        (__bridge </span><span class=\"mtk4\">id</span><span class=\"mtk1\">) kSecAttrKeySizeInBits : [</span><span class=\"mtk10\">NSNumber</span><span class=\"mtk1\"> numberWithUnsignedInteger:</span><span class=\"mtk7\">256</span><span class=\"mtk1\">],</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        (__bridge </span><span class=\"mtk4\">id</span><span class=\"mtk1\">) kSecAttrEffectiveKeySize : [</span><span class=\"mtk10\">NSNumber</span><span class=\"mtk1\"> numberWithUnsignedInteger:</span><span class=\"mtk7\">256</span><span class=\"mtk1\">],</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        (__bridge </span><span class=\"mtk4\">id</span><span class=\"mtk1\">) kSecAttrCanDerive : (__bridge </span><span class=\"mtk4\">id</span><span class=\"mtk1\">) kCFBooleanFalse,</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        (__bridge </span><span class=\"mtk4\">id</span><span class=\"mtk1\">) kSecAttrCanEncrypt : (__bridge </span><span class=\"mtk4\">id</span><span class=\"mtk1\">) kCFBooleanTrue,</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        (__bridge </span><span class=\"mtk4\">id</span><span class=\"mtk1\">) kSecAttrCanDecrypt : (__bridge </span><span class=\"mtk4\">id</span><span class=\"mtk1\">) kCFBooleanFalse,</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        (__bridge </span><span class=\"mtk4\">id</span><span class=\"mtk1\">) kSecAttrCanVerify : (__bridge </span><span class=\"mtk4\">id</span><span class=\"mtk1\">) kCFBooleanTrue,</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        (__bridge </span><span class=\"mtk4\">id</span><span class=\"mtk1\">) kSecAttrCanSign : (__bridge </span><span class=\"mtk4\">id</span><span class=\"mtk1\">) kCFBooleanFalse,</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        (__bridge </span><span class=\"mtk4\">id</span><span class=\"mtk1\">) kSecAttrCanWrap : (__bridge </span><span class=\"mtk4\">id</span><span class=\"mtk1\">) kCFBooleanTrue,</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        (__bridge </span><span class=\"mtk4\">id</span><span class=\"mtk1\">) kSecAttrCanUnwrap : (__bridge </span><span class=\"mtk4\">id</span><span class=\"mtk1\">) kCFBooleanFalse</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    };</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    sanityCheck = </span><span class=\"mtk11\">SecItemAdd</span><span class=\"mtk1\">((__bridge CFDictionaryRef) saveDict, (CFTypeRef *)&publicKeyRef);</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk15\">if</span><span class=\"mtk1\"> (sanityCheck != errSecSuccess) {</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        </span><span class=\"mtk11\">NSLog</span><span class=\"mtk1\">(</span><span class=\"mtk8\">@&quot;Error trying to retrieve key from server.  sanityCheck: %d&quot;</span><span class=\"mtk1\">, (</span><span class=\"mtk4\">int</span><span class=\"mtk1\">)sanityCheck);</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">        </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    }</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk15\">return</span><span class=\"mtk1\"> publicKeyRef;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">}</span></span></code></pre>\n<h2 id=\"demo\" style=\"position:relative;\"><a href=\"#demo\" aria-label=\"demo permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Demo</h2>\n<p>Now I am creating ViewController.h and .m files. In viewDidLoad in .m file, having a string to be stored in UserDefaults. I will encrypt this string by a private key generated above and then store persistently encrypted data for later use.</p>\n<pre class=\"grvsc-container dark-default-dark\" data-language=\"objective-c\" data-index=\"5\"><code class=\"grvsc-code\"><span class=\"grvsc-line\"><span class=\"mtk1\">- (</span><span class=\"mtk4\">void</span><span class=\"mtk1\">)viewDidLoad {</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    [super viewDidLoad];</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk10\">NSString</span><span class=\"mtk1\"> *strDatatosave = </span><span class=\"mtk8\">@&quot;example data to save&quot;</span><span class=\"mtk1\">;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk10\">NSString</span><span class=\"mtk1\"> *bundleIdentifier = [[</span><span class=\"mtk10\">NSBundle</span><span class=\"mtk1\"> mainBundle] bundleIdentifier];</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk10\">NSString</span><span class=\"mtk1\"> *strGroupID = [</span><span class=\"mtk10\">NSString</span><span class=\"mtk1\"> stringWithFormat:</span><span class=\"mtk8\">@&quot;group.%@&quot;</span><span class=\"mtk1\">,bundleIdentifier];</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    SecEnclaveWrapper *keychainItem = [[SecEnclaveWrapper alloc] init];</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk10\">NSData</span><span class=\"mtk1\"> *encrypted = [keychainItem encryptData:[strDatatosave dataUsingEncoding:NSUTF8StringEncoding]];</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk10\">NSString</span><span class=\"mtk1\"> *strEncrypted = [[</span><span class=\"mtk10\">NSString</span><span class=\"mtk1\"> alloc] initWithData:encrypted encoding:NSUTF8StringEncoding];</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk11\">NSLog</span><span class=\"mtk1\">(</span><span class=\"mtk8\">@&quot;encrypted string %@&quot;</span><span class=\"mtk1\">,strEncrypted);</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk10\">NSData</span><span class=\"mtk1\"> *decrypted =[keychainItem decryptData:encrypted];</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk10\">NSString</span><span class=\"mtk1\"> *strDecrypted = [[</span><span class=\"mtk10\">NSString</span><span class=\"mtk1\"> alloc] initWithData:decrypted encoding:NSUTF8StringEncoding];</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk11\">NSLog</span><span class=\"mtk1\">(</span><span class=\"mtk8\">@&quot;decrypted string as real string%@&quot;</span><span class=\"mtk1\">,strDecrypted);</span></span>\n<span class=\"grvsc-line\"></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">}</span></span></code></pre>\n<h2 id=\"conclusion\" style=\"position:relative;\"><a href=\"#conclusion\" aria-label=\"conclusion permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Conclusion</h2>\n<p>In this blog, we learned about the basics of key generation via Secure Enclave and encryption and decryption using keys.\nBy default, key-pairs are generated in the Secure Enclave. The private key is available only at creation time and can not be obtained later as it is saved in Secure Enclave. Operations can be performed with it without exposing it to user code. Only Public Key will be stored and retrieved.</p>\n<p>You can find the complete repository link <a href=\"https://github.com/LoginRadius/engineering-blog-samples/tree/master/iOS/SecureEnclave/SecureEnclaveDemo\">here</a></p>\n<p>Thanks for reading the blog. For detailed information and execution example of this blog, please refer to the video below:</p>\n<iframe width=\"560\" height=\"315\" src=\"https://www.youtube.com/embed/c_1E_NV4NBk\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen></iframe>\n<style class=\"grvsc-styles\">\n  .grvsc-container {\n    overflow: auto;\n    -webkit-overflow-scrolling: touch;\n    padding-top: 1rem;\n    padding-top: var(--grvsc-padding-top, var(--grvsc-padding-v, 1rem));\n    padding-bottom: 1rem;\n    padding-bottom: var(--grvsc-padding-bottom, var(--grvsc-padding-v, 1rem));\n    border-radius: 8px;\n    border-radius: var(--grvsc-border-radius, 8px);\n    font-feature-settings: normal;\n  }\n  \n  .grvsc-code {\n    display: inline-block;\n    min-width: 100%;\n  }\n  \n  .grvsc-line {\n    display: inline-block;\n    box-sizing: border-box;\n    width: 100%;\n    padding-left: 1.5rem;\n    padding-left: var(--grvsc-padding-left, var(--grvsc-padding-h, 1.5rem));\n    padding-right: 1.5rem;\n    padding-right: var(--grvsc-padding-right, var(--grvsc-padding-h, 1.5rem));\n  }\n  \n  .grvsc-line-highlighted {\n    background-color: var(--grvsc-line-highlighted-background-color, transparent);\n    box-shadow: inset var(--grvsc-line-highlighted-border-width, 4px) 0 0 0 var(--grvsc-line-highlighted-border-color, transparent);\n  }\n  \n  .dark-default-dark {\n    background-color: #1E1E1E;\n    color: #D4D4D4;\n  }\n  .dark-default-dark .mtk3 { color: #6A9955; }\n  .dark-default-dark .mtk1 { color: #D4D4D4; }\n  .dark-default-dark .mtk10 { color: #4EC9B0; }\n  .dark-default-dark .mtk4 { color: #569CD6; }\n  .dark-default-dark .mtk15 { color: #C586C0; }\n  .dark-default-dark .mtk12 { color: #9CDCFE; }\n  .dark-default-dark .mtk11 { color: #DCDCAA; }\n  .dark-default-dark .mtk8 { color: #CE9178; }\n  .dark-default-dark .mtk6 { color: #D7BA7D; }\n  .dark-default-dark .mtk7 { color: #B5CEA8; }\n</style>","frontmatter":{"date":"October 13, 2020","updated_date":null,"title":"Secure Enclave in iOS App","tags":["ios","security","data","encryption","private key","xcode"],"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/e677a934323b29af4619ee797f0286b8/58556/CoverImage.webp","srcSet":"/static/e677a934323b29af4619ee797f0286b8/61e93/CoverImage.webp 200w,\n/static/e677a934323b29af4619ee797f0286b8/1f5c5/CoverImage.webp 400w,\n/static/e677a934323b29af4619ee797f0286b8/58556/CoverImage.webp 800w,\n/static/e677a934323b29af4619ee797f0286b8/210c1/CoverImage.webp 900w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Tanvi Jain","github":"tanvijn","avatar":null}}}}]}},"pageContext":{"tag":"private key"}},"staticQueryHashes":["1171199041","1384082988","2100481360","23180105","528864852"]}