0

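I am trying to extract the raw bytes of a private key stored in a SecKeyRef on OS X. How would I go about doing this?

I read this ~7-year-old thread on the Apple CDSA discussion list, but haven't found anything more recent. I am not having the same problem as the original poster in that thread, but that may be because I'm doing something wrong. Here's what I'm currently trying (to no avail):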

SecKeyRef keyRef = ...;
const CSSM_KEY *cssmKey = NULL; // SecKeyGetCSSMKey returns a const pointer owned by the key
CSSM_WRAP_KEY wrappedKey = {0};

CSSM_CSP_HANDLE cspHandle = 0;
CSSM_CC_HANDLE ccHandle = 0;

const CSSM_ACCESS_CREDENTIALS *creds = NULL; // SecKeyGetCredentials takes a const out-pointer
SecKeyGetCredentials(keyRef, CSSM_ACL_AUTHORIZATION_EXPORT_WRAPPED, kSecCredentialTypeDefault, &creds);

// Tried the following, too.
//CSSM_ACCESS_CREDENTIALS *creds = malloc(sizeof(CSSM_ACCESS_CREDENTIALS));
//memset(creds, 0, sizeof(CSSM_ACCESS_CREDENTIALS));

SecKeyGetCSSMKey(keyRef, &cssmKey);
SecKeyGetCSPHandle(keyRef, &cspHandle);

CSSM_CSP_CreateSymmetricContext(cspHandle, 
    CSSM_ALGID_NONE,
    // Have also tried CSSM_ALGMODE_WRAP 
    CSSM_ALGMODE_NONE, 
    creds, 
    NULL, 
    NULL, 
    CSSM_PADDING_NONE, 
    0, 
    &ccHandle);

CSSM_WrapKey(ccHandle, 
    creds, 
    cssmKey, // the CSSM key obtained from SecKeyGetCSSMKey above
    NULL, 
    &wrappedKey);

The error code returned by CSSM_WrapKey is CSSMERR_CSP_INVALID_KEYATTR_MASK. Any ideas?

4

1 Answer

1

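I found the cause of my problem: the key I was trying to extract had the CSSM_KEYATTR_SENSITIVE attribute enabled, and I was attempting a "null wrap", i.e. to access the raw bytes unobfuscated.

Lines 285-287 of libsecurity_apple_csp/lib/wrapKey.cpp read as follows: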

if(isNullWrap && (keyAttr & CSSM_KEYATTR_SENSITIVE)) {
    CssmError::throwMe(CSSMERR_CSP_INVALID_KEYATTR_MASK);
}

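If you must extract a sensitive private key, it has to be wrapped; according to the Apple CSP, the default wrapped format for private keys is CSSM_KEYBLOB_WRAPPED_FORMAT_PKCS8.

Answered 2011-01-18T07:05:00.863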
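A wrapped export of the kind the answer calls for, as an added example that is not part of the original question or answer. It uses the Security framework's higher-level SecItemExport call with the kSecFormatWrappedPKCS8 format rather than the CDSA call sequence from the question; the function name ExportWrappedPKCS8 and its parameters are hypothetical, and the caller is assumed to have already obtained keyRef from the keychain.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#include <string.h>

// Added example, not code from the original post. Compile with ARC.
// Exports a private key as a passphrase-wrapped PKCS#8 blob, so the raw
// key bytes never leave the keychain in unwrapped ("null wrap") form.
// ExportWrappedPKCS8, passphrase and statusOut are hypothetical names.
static NSData *ExportWrappedPKCS8(SecKeyRef keyRef,
                                  NSString *passphrase,
                                  OSStatus *statusOut)
{
    // Refuse an empty passphrase: the wrapping key is derived from it.
    if (keyRef == NULL || passphrase.length == 0) {
        if (statusOut) *statusOut = errSecParam;
        return nil;
    }

    SecItemImportExportKeyParameters params;
    memset(&params, 0, sizeof(params));
    params.version    = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;
    params.passphrase = (__bridge CFTypeRef)passphrase;

    CFDataRef exported = NULL;
    OSStatus status = SecItemExport(keyRef,
                                    kSecFormatWrappedPKCS8, // wrapped, not raw
                                    0,                      // no PEM armour
                                    &params,
                                    &exported);
    if (statusOut) *statusOut = status;

    // Any non-success status is surfaced to the caller; no partial
    // output is returned.
    if (status != errSecSuccess) {
        if (exported) CFRelease(exported);
        return nil;
    }
    return CFBridgingRelease(exported); // ownership moves to ARC
}
```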