
Can you support ES256? #145

Open
nico-WX opened this issue Sep 20, 2017 · 15 comments

Comments

@nico-WX

nico-WX commented Sep 20, 2017

New Issue Checklist

Issue Info

| Info | Value |
| --- | --- |
| Platform Name | e.g. ios / osx / tvos / watchos |
| Platform Version | e.g. 8.0 |
| CocoaLumberjack Version | e.g. 2.3.0 |
| Integration Method | e.g. carthage / cocoapods / manually |
| Xcode Version | e.g. Xcode 7.3 |
| Repro rate | e.g. all the time (100%) / sometimes x% / only once |
| Demo project link | e.g. link to a demo project that highlights the issue |

Issue Description and Steps

Please fill in the detailed description of the issue (full output of any stack trace, compiler error, ...) and the steps to reproduce the issue.

@lolgear
Collaborator

lolgear commented Sep 20, 2017

@nico-WX I didn't investigate this feature for a long time.
In previous versions (prior to iOS 10 and macOS 12) the Security framework doesn't have this feature.

@nico-WX
Author

nico-WX commented Sep 20, 2017

I looked at the AppleMusicKit to create the developer token, and I need to specify the JWT algorithm as ES256, so I would like to know if I can support ES256 😄😄

@lolgear
Collaborator

lolgear commented Sep 20, 2017

@nico-WX Any help will be appreciated :)

Nevertheless, it seems that they added EC support in os 13 and, I suppose, in iOS 11.

// iOS 11 Security / SecKey.h
#if SEC_OS_OSX
/*!
    @typedef SecKeySizes
    @abstract Supported key lengths.
*/
typedef CF_ENUM(uint32_t, SecKeySizes)
{
    kSecDefaultKeySize  = 0,

    // Symmetric Keysizes - default is currently kSecAES128 for AES.
    kSec3DES192         = 192,
    kSecAES128          = 128,
    kSecAES192          = 192,
    kSecAES256          = 256,

    // Supported ECC Keys for Suite-B from RFC 4492 section 5.1.1.
    // default is currently kSecp256r1
    kSecp192r1          = 192,
    kSecp256r1          = 256,
    kSecp384r1          = 384,
    kSecp521r1          = 521,  // Yes, 521

    // Boundaries for RSA KeySizes - default is currently 2048
    // RSA keysizes must be multiples of 8
    kSecRSAMin          = 1024,
    kSecRSAMax          = 4096
};
#endif /* SEC_OS_OSX */

@JanC

JanC commented Sep 24, 2017

Hi,
I think this is a duplicate of #116 ;)

@lolgear
Collaborator

lolgear commented Sep 24, 2017

@JanC Right!
Do you know how to mark issues as duplicates?

@JanC

JanC commented Sep 24, 2017

I think you can simply close it :)

@lolgear lolgear added this to the RS and ES Algorithms milestone Oct 1, 2017
@lolgear
Collaborator

lolgear commented Mar 12, 2018

@JanC could you check the latest master?
I have added (no tests, haha) support for ES by using the Apple API.

@JanC

JanC commented Mar 13, 2018

I tried using the private key I get directly from Apple's APNS. (I revoked the key so that I can post it here)

-----BEGIN PRIVATE KEY-----
MIGTAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBHkwdwIBAQQgpnX9ZXmgLCWQ+Hkpvae2PLU68XEzJdp+NjswuBS9RHWgCgYIKoZIzj0DAQehRANCAARMSO6bkKjLT+9Mx9wJRXoqUx+CbeOhAbVGS+3fgvVNGv3QM3NlMou3uguMrITwVvpWjuocXbSzjTwMstMMjsZg
-----END PRIVATE KEY-----

I used this code snippet but I'm getting the error:

Error Domain=NSOSStatusErrorDomain Code=-50 "EC public key creation from data failed" UserInfo={NSDescription=EC public key creation from data failed}

- (void)signWithAppleAPNS
{
    NSString *algorithmName = @"ES256";
    NSString *privateKey = @"-----BEGIN PRIVATE KEY-----\n"
                           "MIGTAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBHkwdwIBAQQgpnX9ZXmgLCWQ+Hkpvae2PLU68XEzJdp+NjswuBS9RHWgCgYIKoZIzj0DAQehRANCAARMSO6bkKjLT+9Mx9wJRXoqUx+CbeOhAbVGS+3fgvVNGv3QM3NlMou3uguMrITwVvpWjuocXbSzjTwMstMMjsZg\n"
                           "-----END PRIVATE KEY-----";

    id <JWTAlgorithmDataHolderProtocol> signDataHolder = [JWTAlgorithmRSFamilyDataHolder new]
            .keyExtractorType([JWTCryptoKeyExtractor privateKeyWithPEMBase64].type)
            .algorithmName(algorithmName)
            .secret(privateKey);


    // sign
    NSDictionary *payloadDictionary = @{ @"hello": @"world" };

    JWTCodingBuilder *signBuilder = [JWTEncodingBuilder encodePayload:payloadDictionary].addHolder(signDataHolder);
    JWTCodingResultType *signResult = signBuilder.result;
    NSString *token = nil;
    if (signResult.successResult) {
        // success
        NSLog(@"%@ success: %@", self.debugDescription, signResult.successResult.encoded);
        token = signResult.successResult.encoded;
    } else {
        // error
        NSLog(@"%@ error: %@", self.debugDescription, signResult.errorResult.error);
    }

    // verify
    if (token == nil) {
        NSLog(@"something wrong");
    }
}

@lolgear
Collaborator

lolgear commented Mar 13, 2018

@JanC
Very strange.
I ran tests which verified that the public parameter is not passed.
However, the error is:

EC public key creation from data failed

I even dropped the prefix of the key to determine the correct header to strip off - no luck.

Very strange and interesting.

@lolgear
Collaborator

lolgear commented Mar 13, 2018

@JanC
Are you sure that this is a private key?

An online checker says that this key type is public. (Or I do not understand its output.)

I do not understand what happens. I try to create a public key from your key and it is created!

By the Apple API :(

@JanC

JanC commented Mar 13, 2018

When I use the OpenSSL API PEM_read_PrivateKey on that PEM encoded file, I can extract both the public and private keys:

PEM content: 
-----BEGIN PRIVATE KEY-----
MIGTAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBHkwdwIBAQQgpnX9ZXmgLCWQ+Hkpvae2PLU68XEzJdp+NjswuBS9RHWgCgYIKoZIzj0DAQehRANCAARMSO6bkKjLT+9Mx9wJRXoqUx+CbeOhAbVGS+3fgvVNGv3QM3NlMou3uguMrITwVvpWjuocXbSzjTwMstMMjsZg
-----END PRIVATE KEY-----

EC_KEY_get0_private_key: 
00A675FD6579A02C2590F87929BDA7B63CB53AF1713325DA7E363B30B814BD4475

EC_KEY_get0_private_key base64: 
AKZ1/WV5oCwlkPh5Kb2ntjy1OvFxMyXafjY7MLgUvUR1

i2o_ECPublicKey: 
044c48ee9b90a8cb4fef4cc7dc09457a2a531f826de3a101b5464beddf82f54d1afdd0337365328bb7ba0b8cac84f056fa568eea1c5db4b38d3c0cb2d30c8ec660

i2o_ECPublicKey base64: 
BExI7puQqMtP70zH3AlFeipTH4Jt46EBtUZL7d+C9U0a/dAzc2Uyi7e6C4yshPBW+laO6hxdtLONPAyy0wyOxmA=

I used this source for testing: https://github.com/matthijs2704/vapor-apns/blob/master/Sources/VaporAPNS/String%2BAPNS.swift

@AyeChanPyaeSone

Hi, any luck for ES256? I also get the same error.

@lolgear
Collaborator

lolgear commented Mar 8, 2019

@AyeChanPyaeSone
From the Apple documentation:

/*!
    @function SecKeyCreateWithData
    @abstract Create a SecKey from a well-defined external representation.
    @param keyData CFData representing the key. The format of the data depends on the type of key being created.
    @param attributes Dictionary containing attributes describing the key to be imported. The keys in this dictionary
    are kSecAttr* constants from SecItem.h.  Mandatory attributes are:
     * kSecAttrKeyType
     * kSecAttrKeyClass
    @param error On error, will be populated with an error object describing the failure.
    See "Security Error Codes" (SecBase.h).
    @result A SecKey object representing the key, or NULL on failure.
    @discussion This function does not add keys to any keychain, but the SecKey object it returns can be added
    to keychain using the SecItemAdd function.
    The requested data format depend on the type of key (kSecAttrKeyType) being created:
     * kSecAttrKeyTypeRSA               PKCS#1 format, public key can be also in x509 public key format
     * kSecAttrKeyTypeECSECPrimeRandom  ANSI X9.63 format (04 || X || Y [ || K])
 */
SecKeyRef _Nullable SecKeyCreateWithData(CFDataRef keyData, CFDictionaryRef attributes, CFErrorRef *error)
__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);

And we have limitations:

  • Available from macOS 10.12, iOS 10.0, tvOS 10.0, watchOS 3.0.
  • The EC key should be in the correct format: ANSI X9.63 format (04 || X || Y [ || K]).
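JanC's OpenSSL output above and the X9.63 requirement quoted here describe the same conversion: the .p8 file Apple hands out is a PKCS#8 PrivateKeyInfo wrapping a SEC1 ECPrivateKey, while SecKeyCreateWithData with kSecAttrKeyTypeECSECPrimeRandom wants the raw 04 || X || Y || K bytes, not the DER that the PEM body decodes to. The script below is an added example, not code from the JWT library or from Apple: it walks the DER with a small stdlib-only parser, extracts the private scalar K and the stored public point, checks that the point really is K·G on P-256 (and derives it when the optional [1] publicKey field is absent), and assembles the 97-byte X9.63 blob. It uses the revoked key JanC posted as sample input; the DER helpers, the P-256 arithmetic and the function names are this example's own.

```python
"""Convert an Apple-issued PKCS#8 EC private key (PEM) into the ANSI X9.63 blob
(04 || X || Y || K) that SecKeyCreateWithData expects for kSecAttrKeyTypeECSECPrimeRandom.
Stdlib only; the DER walker and P-256 arithmetic are this example's own code,
not part of the JWT library or of Apple's Security framework."""
import base64
import re

# The revoked P-256 key JanC posted in this thread, used here as sample input.
PEM = """-----BEGIN PRIVATE KEY-----
MIGTAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBHkwdwIBAQQgpnX9ZXmgLCWQ+Hkpvae2PLU68XEzJdp+NjswuBS9RHWgCgYIKoZIzj0DAQehRANCAARMSO6bkKjLT+9Mx9wJRXoqUx+CbeOhAbVGS+3fgvVNGv3QM3NlMou3uguMrITwVvpWjuocXbSzjTwMstMMjsZg
-----END PRIVATE KEY-----"""

# NIST P-256 (secp256r1) domain parameters, used only to check that the stored
# public point is d*G (or to derive it when the PKCS#8 omits the point).
_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
_A = _P - 3
_G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
      0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def pem_to_der(pem: str) -> bytes:
    """Strip the BEGIN/END armour and base64-decode the body."""
    body = re.sub(r"-----[A-Z ]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def der_tlv(buf: bytes, pos: int):
    """Return (tag, value, end) for the TLV at buf[pos]; handles short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value: bytes):
    """Yield (tag, value) for each TLV inside a constructed value (SEQUENCE, [0], [1], ...)."""
    pos = 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        yield tag, val


def _ec_add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % _P == 0:
        return None                         # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + _A) * pow(2 * y1, -1, _P) % _P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, _P) % _P
    x3 = (lam * lam - x1 - x2) % _P
    return x3, (lam * (x1 - x3) - y1) % _P


def _ec_mul(k: int, point):
    """Double-and-add scalar multiplication (fine for a one-off check, not constant-time)."""
    acc = None
    while k:
        if k & 1:
            acc = _ec_add(acc, point)
        point = _ec_add(point, point)
        k >>= 1
    return acc


def convert_apple_pem(pem: str, coord_len: int = 32) -> dict:
    """Parse PKCS#8 -> SEC1 ECPrivateKey and return K, 04||X||Y and the X9.63 private blob."""
    # PrivateKeyInfo ::= SEQUENCE { version, AlgorithmIdentifier, privateKey OCTET STRING }
    tag, pki, _ = der_tlv(pem_to_der(pem), 0)
    if tag != 0x30:
        raise ValueError("not a PKCS#8 PrivateKeyInfo")
    (_, _version), (_, alg), (_, priv_octets) = list(der_children(pki))[:3]
    if alg[:9] != b"\x06\x07\x2a\x86\x48\xce\x3d\x02\x01":   # OID 1.2.840.10045.2.1 id-ecPublicKey
        raise ValueError("algorithm is not id-ecPublicKey")
    # ECPrivateKey ::= SEQUENCE { version, privateKey OCTET STRING, [0] params, [1] publicKey BIT STRING }
    tag, ecpriv, _ = der_tlv(priv_octets, 0)
    if tag != 0x30:
        raise ValueError("privateKey does not wrap a SEC1 ECPrivateKey")
    d_bytes, pub = None, None
    for t, v in der_children(ecpriv):
        if t == 0x04 and d_bytes is None:
            d_bytes = v
        elif t == 0xA1:                     # [1] publicKey is OPTIONAL in SEC1
            _, bits, _ = der_tlv(v, 0)
            pub = bits[1:]                  # drop the "unused bits" octet of the BIT STRING
    if d_bytes is None:
        raise ValueError("no private scalar in ECPrivateKey")
    d_bytes = d_bytes[-coord_len:].rjust(coord_len, b"\x00")   # X9.63 wants a fixed-width K
    x, y = _ec_mul(int.from_bytes(d_bytes, "big"), _G)
    derived = b"\x04" + x.to_bytes(coord_len, "big") + y.to_bytes(coord_len, "big")
    if pub is None:
        pub = derived                       # point omitted from the file: compute it from K
    if len(pub) != 1 + 2 * coord_len or pub[0] != 0x04:
        raise ValueError("public point is not an uncompressed X9.63 point")
    return {"d": d_bytes, "public": pub, "x963": pub + d_bytes,
            "public_matches_private": pub == derived}


if __name__ == "__main__":
    r = convert_apple_pem(PEM)
    print("K (private scalar):", r["d"].hex())
    print("04||X||Y          :", r["public"].hex())
    print("X9.63 for SecKey  :", r["x963"].hex(), "(%d bytes)" % len(r["x963"]))
    print("public == K*G     :", r["public_matches_private"])
```

Run as-is, the K and 04||X||Y lines reproduce JanC's EC_KEY_get0_private_key and i2o_ECPublicKey output (OpenSSL printed K with a leading 00 byte because its top bit is set, which is why the base64 form AKZ1/WV5... is 33 bytes; X9.63 needs exactly 32). On the Apple side the 97-byte result is what goes into SecKeyCreateWithData together with kSecAttrKeyType = kSecAttrKeyTypeECSECPrimeRandom, kSecAttrKeyClass = kSecAttrKeyClassPrivate and kSecAttrKeySizeInBits = 256; passing the PEM body (the PKCS#8 DER) through unchanged is the most likely reason for the -50 "EC public key creation from data failed" error seen in this thread. The K·G check is worth keeping even when the point is present: a file whose stored point does not match its scalar would otherwise produce tokens that never verify.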

@sshallow

@lolgear Did you solve it? I also found this problem: the ES256 algorithm ('kSecAttrKeyTypeECDSA') is unavailable: not available on iOS, deprecated; kSecAttrKeyTypeECDSA (deprecated; use kSecAttrKeyTypeECSECPrimeRandom instead.)

I tried to set kSecAttrKeyTypeECSECPrimeRandom and kSecAttrKeyTypeECDSA (originally kSecAttrKeyTypeEC), but no matter what value is set here, the value is always 73.

@zhouhao27

Any conclusion? Got the same error.
