We are interested in using a hardware-bound key in a launch daemon. In a previous post, Quinn explicitly told me that it is not possible to use an SE keypair outside of the system context, and my reading of the Apple documentation also supports that.
That said, we have gotten the following key-creation and persistence flow to work, so we have some questions as to how this fits in with the above.
(1) In a launch daemon (running thus as root), we do:
let key = SecureEnclave.P256.Signing.PrivateKey()
(2) We then use
key.dataRepresentation
to store a reference to the key in the system keychain as a kSecClassGenericPassword.
(3) When we want to use the key, we fetch the data representation from the system keychain and we "rehydrate" the key using:
SecureEnclave.P256.Signing.PrivateKey(dataRepresentation: data)
(4) We then use the output of the above to sign whatever we want.
My questions:
- in the above flow, are we actually getting a hardware-bound key from the Secure Enclave or is this working because it's actually defaulting to a non-hardware-backed key?
- if it is an SE key, is it that the Apple documentation stating that you can only use the SE with the Data Protection Keychain in the user context is outdated (or wrong)?
- does the above work, but is not an approach sanctioned by Apple?
Any feedback on this would be greatly appreciated.
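The four-step flow described above, written out as an added Swift example (this is not the poster's code, and it does not answer the questions asked). The keychain service/account names and the sample message are constructed, and the final public-key comparison is an extra consistency check that a rehydrated blob really resolves to the same key that was created.

```swift
import Foundation
import CryptoKit
import Security

// Constructed identifiers for the keychain item (assumption, not from the post).
let service = "com.example.daemon.se-key"
let account = "signing-key"

enum KeyStoreError: Error { case keychain(OSStatus), secureEnclaveUnavailable }

/// Step 1: create a new Secure Enclave P-256 signing key.
func makeKey() throws -> SecureEnclave.P256.Signing.PrivateKey {
    guard SecureEnclave.isAvailable else { throw KeyStoreError.secureEnclaveUnavailable }
    return try SecureEnclave.P256.Signing.PrivateKey()
}

/// Step 2: persist the opaque dataRepresentation as a generic-password item.
func store(_ blob: Data) throws {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    SecItemDelete(query as CFDictionary)          // replace any previous item
    var add = query
    add[kSecValueData as String] = blob
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeyStoreError.keychain(status) }
}

/// Step 3: fetch the blob back and rehydrate the key from it.
func loadKey() throws -> SecureEnclave.P256.Signing.PrivateKey {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let blob = item as? Data else { throw KeyStoreError.keychain(status) }
    return try SecureEnclave.P256.Signing.PrivateKey(dataRepresentation: blob)
}

// Step 4: sign with the rehydrated key, then verify against the ORIGINAL key's
// public half so that a blob resolving to a different key is caught immediately.
let original = try makeKey()
try store(original.dataRepresentation)
let restored = try loadKey()
let message = Data("constructed sample message".utf8)
let signature = try restored.signature(for: message)
precondition(original.publicKey.rawRepresentation == restored.publicKey.rawRepresentation)
precondition(original.publicKey.isValidSignature(signature, for: message))
```

Because `kSecUseDataProtectionKeychain` is not set, the item lands in whichever keychain the calling process's default search list resolves to (for a root daemon, normally the file-based system keychain).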