Support SecKey Certificate private keys (#195)

Motivation: I would like to create Certificates using a SecKey so that I can create certificates signed by hardware-backed keys. Currently, Swift Certificates requires the private key be provided in an exported representation, but this isn't possible when a SecKey is marked as non-exportable. Modifications: Adds a new SecKeyWrapper backing to Certificate.PrivateKey to support initalisation with SecKey. This wrapper struct handles key validation and signing operations by calling the appropriate SecKey interfaces. Adds additional tests to support new backing type. Result: Certifcate.PrivateKey can be initialised with a SecKey, allowing existing hardware-backed SecKey instances to be used as the issuer private key for new Certificate instances. Co-authored-by: Rory Smith <[email protected]> Co-authored-by: Cory Benfield <[email protected]>
apple · Oct 2, 2024 · d8799da · d8799da
1 parent a846fc7
commit d8799da
Show file tree

Hide file tree

Showing 5 changed files with 726 additions and 1 deletion.
diff --git a/Sources/X509/CMakeLists.txt b/Sources/X509/CMakeLists.txt
@@ -82,6 +82,7 @@ add_library(X509
   "RandomNumberGenerator+bytes.swift"
   "RelativeDistinguishedName.swift"
   "SEC1PrivateKey.swift"
+  "SecKeyWrapper.swift"
   "Signature.swift"
   "SignatureAlgorithm.swift"
   "Verifier/AllOfPolicies.swift"

diff --git a/Sources/X509/CertificatePrivateKey.swift b/Sources/X509/CertificatePrivateKey.swift
@@ -21,7 +21,7 @@ extension Certificate {
     /// A private key that can be used with a certificate.
     ///
     /// This type provides an opaque wrapper around the various private key types
-    /// provided by `swift-crypto`. Users are expected to construct this key from
+    /// provided by `swift-crypto` and `Security`. Users are expected to construct this key from
     /// one of those types.
     ///
     /// As private keys are never sent over the wire, this type does not offer
@@ -70,6 +70,13 @@ extension Certificate {
         public init(_ secureEnclaveP256: SecureEnclave.P256.Signing.PrivateKey) {
             self.backing = .secureEnclaveP256(secureEnclaveP256)
         }
+
+        /// Construct a private key wrapping a SecKey private key.
+        /// - Parameter secKey: The SecKey private key to wrap.
+        @inlinable
+        public init(_ secKey: SecKey) throws {
+            self.backing = .secKey(try SecKeyWrapper(key: secKey))
+        }
         #endif
 
         @inlinable
@@ -93,6 +100,8 @@ extension Certificate {
             #if canImport(Darwin)
             case .secureEnclaveP256(let secureEnclaveP256):
                 return try secureEnclaveP256.signature(for: bytes, digestAlgorithm: digestAlgorithm)
+            case .secKey(let secKeyWrapper):
+                return try secKeyWrapper.signature(for: bytes, digestAlgorithm: digestAlgorithm)
             #endif
             }
         }
@@ -113,6 +122,8 @@ extension Certificate {
             #if canImport(Darwin)
             case .secureEnclaveP256(let secureEnclaveP256):
                 return PublicKey(secureEnclaveP256.publicKey)
+            case .secKey(let secKeyWrapper):
+                return secKeyWrapper.publicKey
             #endif
             }
         }
@@ -139,6 +150,21 @@ extension Certificate {
                         reason: "Cannot use \(algorithm) with ECDSA key \(self)"
                     )
                 }
+            case .secKey(let key):
+                switch key.type {
+                case .ECDSA:
+                    if !algorithm.isECDSA {
+                        throw CertificateError.unsupportedSignatureAlgorithm(
+                            reason: "Cannot use \(algorithm) with ECDSA key \(self)"
+                        )
+                    }
+                case .RSA:
+                    if !algorithm.isRSA {
+                        throw CertificateError.unsupportedSignatureAlgorithm(
+                            reason: "Cannot use \(algorithm) with RSA key \(self)"
+                        )
+                    }
+                }
             #endif
             }
 
@@ -164,6 +190,8 @@ extension Certificate.PrivateKey: CustomStringConvertible {
         #if canImport(Darwin)
         case .secureEnclaveP256:
             return "SecureEnclave.P256.PrivateKey"
+        case .secKey:
+            return "SecKey"
         #endif
         }
     }
@@ -178,6 +206,7 @@ extension Certificate.PrivateKey {
         case rsa(_CryptoExtras._RSA.Signing.PrivateKey)
         #if canImport(Darwin)
         case secureEnclaveP256(SecureEnclave.P256.Signing.PrivateKey)
+        case secKey(SecKeyWrapper)
         #endif
 
         @inlinable
@@ -194,6 +223,8 @@ extension Certificate.PrivateKey {
             #if canImport(Darwin)
             case (.secureEnclaveP256(let l), .secureEnclaveP256(let r)):
                 return l.dataRepresentation == r.dataRepresentation
+            case (.secKey(let l), .secKey(let r)):
+                return l.publicKey.backing == r.publicKey.backing
             #endif
             default:
                 return false
@@ -219,6 +250,10 @@ extension Certificate.PrivateKey {
             case .secureEnclaveP256(let digest):
                 hasher.combine(4)
                 hasher.combine(digest.dataRepresentation)
+            case .secKey(let secKeyWrapper):
+                hasher.combine(5)
+                hasher.combine(secKeyWrapper.privateKey.hashValue)
+                hasher.combine(secKeyWrapper.publicKey.hashValue)
             #endif
             }
         }
@@ -305,6 +340,7 @@ extension Certificate.PrivateKey {
             throw CertificateError.unsupportedPrivateKey(
                 reason: "secure enclave private keys can not be serialised as PEM"
             )
+        case .secKey(let key): return try key.pemDocument()
         #endif
         }
     }