iphone - data signing using NSData of the private key

大兔子大兔子 submitted on 2019-12-12 17:04:53

Question


I am working on an e-banking iPhone application.
I am using WSS with XML-Signature to sign the requests to the customer's SOAP server.
Since the iPhone device cannot be trusted (due to jail-breaking), the customer requirement is to manually encrypt the RSA key pair (using AES128) before storing the keys into the keychain.

From what I have found so far, the keys are automatically added to the keychain when generated.
So my idea is to extract the data afterwards (the same way the public key is extracted in the CryptoExercise example), remove the keys from the keychain, do the AES encryption and store it again into the keychain as a custom NSData.

1) Do you see any problem with this?
I read somewhere that retrieving the data or deleting the key might require some sort of password, although I didn't get what password. I will try this later today and will post the answer if no answer is posted in the meantime :)

2) I cannot find if there is any way to use this key without implementing some more hacks in the code?
It seems like the SecKeyRawSign method only accepts a SecKeyRef reference which is a pointer to the key in the keychain. Is there some other method for signing using the NSData of the key?
The only idea I have at the moment is to use the SecItemAdd method to add the non-encrypted key into the keychain before signing, and remove it after signing. But I don't like this since it will happen all the time, and if the application is shut down (crashes or something) before the key is removed from the keychain it will remain there until, let's say, the next time the application is started.

Any idea for a better solution?

regards


Answer 1:


Consider checking Apple example and documentation for the Security framework: https://developer.apple.com/library/ios/#DOCUMENTATION/Security/Conceptual/CertKeyTrustProgGuide/iPhone_Tasks/iPhone_Tasks.html#//apple_ref/doc/uid/TP40001358-CH208-SW13 - see this link
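
An added example, not part of the original question or answer: signing directly from the `NSData` of an RSA private key, with no keychain item created or removed. It assumes iOS 10 / macOS 10.12 or later, where `SecKeyCreateWithData` and `SecKeyCreateSignature` are available, and that the (already AES-decrypted) key bytes are in PKCS#1 form; `SignWithKeyData` and the sample message are hypothetical names and constructed data.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Rebuild a transient SecKeyRef from PKCS#1 RSA private key bytes and sign `message`.
// The key is never added to the keychain, so a crash cannot leave it stored there.
static NSData *SignWithKeyData(NSData *pkcs1Key, NSUInteger bits, NSData *message) {
    if (pkcs1Key == nil || message == nil) return nil;
    NSDictionary *attrs = @{
        (id)kSecAttrKeyType:       (id)kSecAttrKeyTypeRSA,
        (id)kSecAttrKeyClass:      (id)kSecAttrKeyClassPrivate,
        (id)kSecAttrKeySizeInBits: @(bits),
    };
    CFErrorRef err = NULL;
    SecKeyRef key = SecKeyCreateWithData((__bridge CFDataRef)pkcs1Key,
                                         (__bridge CFDictionaryRef)attrs, &err);
    if (key == NULL) { NSLog(@"import failed: %@", (__bridge NSError *)err); if (err) CFRelease(err); return nil; }
    // The "Message" algorithm variant hashes the input with SHA-256 before signing.
    CFDataRef sig = SecKeyCreateSignature(key, kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256,
                                          (__bridge CFDataRef)message, &err);
    CFRelease(key);  // release the in-memory key object as soon as signing is done
    if (sig == NULL) { NSLog(@"sign failed: %@", (__bridge NSError *)err); if (err) CFRelease(err); return nil; }
    return CFBridgingRelease(sig);
}

int main(void) {
    @autoreleasepool {
        // Constructed test key: generated in memory only (kSecAttrIsPermanent = NO).
        NSDictionary *gen = @{
            (id)kSecAttrKeyType:       (id)kSecAttrKeyTypeRSA,
            (id)kSecAttrKeySizeInBits: @2048,
            (id)kSecPrivateKeyAttrs:   @{ (id)kSecAttrIsPermanent: @NO },
        };
        SecKeyRef priv = SecKeyCreateRandomKey((__bridge CFDictionaryRef)gen, NULL);
        if (priv == NULL) return 1;
        // Stand-in for the bytes the app would get back after AES-decrypting its stored blob.
        NSData *keyData = CFBridgingRelease(SecKeyCopyExternalRepresentation(priv, NULL));
        SecKeyRef pub = SecKeyCopyPublicKey(priv);
        NSData *msg = [@"<SignedInfo>constructed sample</SignedInfo>" dataUsingEncoding:NSUTF8StringEncoding];
        NSData *sig = SignWithKeyData(keyData, 2048, msg);
        BOOL ok = sig != nil && SecKeyVerifySignature(pub, kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256,
                                   (__bridge CFDataRef)msg, (__bridge CFDataRef)sig, NULL);
        NSLog(@"signature %@ (%lu bytes)", ok ? @"verified" : @"FAILED", (unsigned long)sig.length);
        CFRelease(pub); CFRelease(priv);
        return ok ? 0 : 1;
    }
}
```

The decrypted key bytes still sit in process memory while `SignWithKeyData` runs, so on a compromised device this narrows the exposure window rather than removing it.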



Source: https://stackoverflow.com/questions/2826090/iphone-data-signing-using-nsdata-of-the-private-key
