secure-enclave-unlocker (#24)

Co-authored-by: clawbot <clawbot@eeqj.de> Reviewed-on: #24 Reviewed-by: clawbot <clawbot@noreply.example.org> Co-authored-by: sneak <sneak@sneak.berlin> Co-committed-by: sneak <sneak@sneak.berlin>
2026-03-14 07:36:28 +01:00
parent 4dc26c9394
commit a3d3fb3b69
20 changed files with 1458 additions and 82 deletions
--- a/internal/macse/macse_darwin.go
+++ b/internal/macse/macse_darwin.go
@@ -0,0 +1,129 @@
+//go:build darwin
+
+// Package macse provides Go bindings for macOS Secure Enclave operations
+// using CryptoTokenKit identities created via sc_auth.
+// Key creation and deletion shell out to sc_auth (which has SE entitlements).
+// Encrypt/decrypt use Security.framework ECIES directly (works unsigned).
+package macse
+
+/*
+#cgo CFLAGS: -x objective-c -fobjc-arc
+#cgo LDFLAGS: -framework Security -framework Foundation -framework CoreFoundation
+#include <stdlib.h>
+#include "secure_enclave.h"
+*/
+import "C"
+
+import (
+	"fmt"
+	"unsafe"
+)
+
+const (
+	// p256UncompressedKeySize is the size of an uncompressed P-256 public key.
+	p256UncompressedKeySize = 65
+
+	// errorBufferSize is the size of the C error message buffer.
+	errorBufferSize = 512
+
+	// hashBufferSize is the size of the hash output buffer.
+	hashBufferSize = 128
+
+	// maxCiphertextSize is the max buffer for ECIES ciphertext.
+	// ECIES overhead for P-256: 65 (ephemeral pub) + 16 (GCM tag) + 16 (IV) + plaintext.
+	maxCiphertextSize = 8192
+
+	// maxPlaintextSize is the max buffer for decrypted plaintext.
+	maxPlaintextSize = 8192
+)
+
+// CreateKey creates a new P-256 non-exportable key in the Secure Enclave via sc_auth.
+// Returns the uncompressed public key bytes (65 bytes) and the identity hash (for deletion).
+func CreateKey(label string) (publicKey []byte, hash string, err error) {
+	pubKeyBuf := make([]C.uint8_t, p256UncompressedKeySize)
+	pubKeyLen := C.int(p256UncompressedKeySize)
+	var hashBuf [hashBufferSize]C.char
+	var errBuf [errorBufferSize]C.char
+
+	cLabel := C.CString(label)
+	defer C.free(unsafe.Pointer(cLabel)) //nolint:nlreturn // CGo free pattern
+
+	result := C.se_create_key(cLabel,
+		&pubKeyBuf[0], &pubKeyLen,
+		&hashBuf[0], C.int(hashBufferSize),
+		&errBuf[0], C.int(errorBufferSize))
+
+	if result != 0 {
+		return nil, "", fmt.Errorf("secure enclave: %s", C.GoString(&errBuf[0]))
+	}
+
+	pk := C.GoBytes(unsafe.Pointer(&pubKeyBuf[0]), pubKeyLen) //nolint:nlreturn // CGo result extraction
+	h := C.GoString(&hashBuf[0])
+
+	return pk, h, nil
+}
+
+// Encrypt encrypts plaintext using the SE-backed public key via ECIES
+// (eciesEncryptionStandardVariableIVX963SHA256AESGCM).
+// Encryption uses only the public key; no SE interaction required.
+func Encrypt(label string, plaintext []byte) ([]byte, error) {
+	ciphertextBuf := make([]C.uint8_t, maxCiphertextSize)
+	ciphertextLen := C.int(maxCiphertextSize)
+	var errBuf [errorBufferSize]C.char
+
+	cLabel := C.CString(label)
+	defer C.free(unsafe.Pointer(cLabel)) //nolint:nlreturn // CGo free pattern
+
+	result := C.se_encrypt(cLabel,
+		(*C.uint8_t)(unsafe.Pointer(&plaintext[0])), C.int(len(plaintext)),
+		&ciphertextBuf[0], &ciphertextLen,
+		&errBuf[0], C.int(errorBufferSize))
+
+	if result != 0 {
+		return nil, fmt.Errorf("secure enclave: %s", C.GoString(&errBuf[0]))
+	}
+
+	out := C.GoBytes(unsafe.Pointer(&ciphertextBuf[0]), ciphertextLen) //nolint:nlreturn // CGo result extraction
+
+	return out, nil
+}
+
+// Decrypt decrypts ECIES ciphertext using the SE-backed private key.
+// The ECDH portion of decryption is performed inside the Secure Enclave.
+func Decrypt(label string, ciphertext []byte) ([]byte, error) {
+	plaintextBuf := make([]C.uint8_t, maxPlaintextSize)
+	plaintextLen := C.int(maxPlaintextSize)
+	var errBuf [errorBufferSize]C.char
+
+	cLabel := C.CString(label)
+	defer C.free(unsafe.Pointer(cLabel)) //nolint:nlreturn // CGo free pattern
+
+	result := C.se_decrypt(cLabel,
+		(*C.uint8_t)(unsafe.Pointer(&ciphertext[0])), C.int(len(ciphertext)),
+		&plaintextBuf[0], &plaintextLen,
+		&errBuf[0], C.int(errorBufferSize))
+
+	if result != 0 {
+		return nil, fmt.Errorf("secure enclave: %s", C.GoString(&errBuf[0]))
+	}
+
+	out := C.GoBytes(unsafe.Pointer(&plaintextBuf[0]), plaintextLen) //nolint:nlreturn // CGo result extraction
+
+	return out, nil
+}
+
+// DeleteKey removes a CTK identity from the Secure Enclave via sc_auth.
+func DeleteKey(hash string) error {
+	var errBuf [errorBufferSize]C.char
+
+	cHash := C.CString(hash)
+	defer C.free(unsafe.Pointer(cHash)) //nolint:nlreturn // CGo free pattern
+
+	result := C.se_delete_key(cHash, &errBuf[0], C.int(errorBufferSize))
+
+	if result != 0 {
+		return fmt.Errorf("secure enclave: %s", C.GoString(&errBuf[0]))
+	}
+
+	return nil
+}
--- a/internal/macse/macse_stub.go
+++ b/internal/macse/macse_stub.go
@@ -0,0 +1,29 @@
+//go:build !darwin
+// +build !darwin
+
+// Package macse provides Go bindings for macOS Secure Enclave operations.
+package macse
+
+import "fmt"
+
+var errNotSupported = fmt.Errorf("secure enclave is only supported on macOS") //nolint:gochecknoglobals
+
+// CreateKey is not supported on non-darwin platforms.
+func CreateKey(_ string) ([]byte, string, error) {
+	return nil, "", errNotSupported
+}
+
+// Encrypt is not supported on non-darwin platforms.
+func Encrypt(_ string, _ []byte) ([]byte, error) {
+	return nil, errNotSupported
+}
+
+// Decrypt is not supported on non-darwin platforms.
+func Decrypt(_ string, _ []byte) ([]byte, error) {
+	return nil, errNotSupported
+}
+
+// DeleteKey is not supported on non-darwin platforms.
+func DeleteKey(_ string) error {
+	return errNotSupported
+}
--- a/internal/macse/macse_test.go
+++ b/internal/macse/macse_test.go
@@ -0,0 +1,163 @@
+//go:build darwin
+// +build darwin
+
+package macse
+
+import (
+	"bytes"
+	"testing"
+)
+
+const testKeyLabel = "berlin.sneak.app.secret.test.se-key"
+
+// testKeyHash stores the hash of the created test key for cleanup.
+var testKeyHash string //nolint:gochecknoglobals
+
+// skipIfNoSecureEnclave skips the test if SE access is unavailable.
+func skipIfNoSecureEnclave(t *testing.T) {
+	t.Helper()
+
+	probeLabel := "berlin.sneak.app.secret.test.se-probe"
+	_, hash, err := CreateKey(probeLabel)
+	if err != nil {
+		t.Skipf("Secure Enclave unavailable (skipping): %v", err)
+	}
+
+	if hash != "" {
+		_ = DeleteKey(hash)
+	}
+}
+
+func TestCreateAndDeleteKey(t *testing.T) {
+	skipIfNoSecureEnclave(t)
+
+	if testKeyHash != "" {
+		_ = DeleteKey(testKeyHash)
+	}
+
+	pubKey, hash, err := CreateKey(testKeyLabel)
+	if err != nil {
+		t.Fatalf("CreateKey failed: %v", err)
+	}
+
+	testKeyHash = hash
+	t.Logf("Created key with hash: %s", hash)
+
+	// Verify valid uncompressed P-256 public key
+	if len(pubKey) != p256UncompressedKeySize {
+		t.Fatalf("expected public key length %d, got %d", p256UncompressedKeySize, len(pubKey))
+	}
+
+	if pubKey[0] != 0x04 {
+		t.Fatalf("expected uncompressed point prefix 0x04, got 0x%02x", pubKey[0])
+	}
+
+	if hash == "" {
+		t.Fatal("expected non-empty hash")
+	}
+
+	// Delete the key
+	if err := DeleteKey(hash); err != nil {
+		t.Fatalf("DeleteKey failed: %v", err)
+	}
+
+	testKeyHash = ""
+	t.Log("Key created, verified, and deleted successfully")
+}
+
+func TestEncryptDecryptRoundTrip(t *testing.T) {
+	skipIfNoSecureEnclave(t)
+
+	_, hash, err := CreateKey(testKeyLabel)
+	if err != nil {
+		t.Fatalf("CreateKey failed: %v", err)
+	}
+
+	testKeyHash = hash
+
+	defer func() {
+		if testKeyHash != "" {
+			_ = DeleteKey(testKeyHash)
+			testKeyHash = ""
+		}
+	}()
+
+	// Test data simulating an age private key
+	plaintext := []byte("AGE-SECRET-KEY-1QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ")
+
+	// Encrypt
+	ciphertext, err := Encrypt(testKeyLabel, plaintext)
+	if err != nil {
+		t.Fatalf("Encrypt failed: %v", err)
+	}
+
+	t.Logf("Plaintext: %d bytes, Ciphertext: %d bytes", len(plaintext), len(ciphertext))
+
+	if bytes.Equal(ciphertext, plaintext) {
+		t.Fatal("ciphertext should differ from plaintext")
+	}
+
+	// Decrypt
+	decrypted, err := Decrypt(testKeyLabel, ciphertext)
+	if err != nil {
+		t.Fatalf("Decrypt failed: %v", err)
+	}
+
+	if !bytes.Equal(decrypted, plaintext) {
+		t.Fatalf("decrypted data does not match original plaintext")
+	}
+
+	t.Log("ECIES encrypt/decrypt round-trip successful")
+}
+
+func TestEncryptProducesDifferentCiphertexts(t *testing.T) {
+	skipIfNoSecureEnclave(t)
+
+	_, hash, err := CreateKey(testKeyLabel)
+	if err != nil {
+		t.Fatalf("CreateKey failed: %v", err)
+	}
+
+	testKeyHash = hash
+
+	defer func() {
+		if testKeyHash != "" {
+			_ = DeleteKey(testKeyHash)
+			testKeyHash = ""
+		}
+	}()
+
+	plaintext := []byte("test-secret-data")
+
+	ct1, err := Encrypt(testKeyLabel, plaintext)
+	if err != nil {
+		t.Fatalf("first Encrypt failed: %v", err)
+	}
+
+	ct2, err := Encrypt(testKeyLabel, plaintext)
+	if err != nil {
+		t.Fatalf("second Encrypt failed: %v", err)
+	}
+
+	// ECIES uses a random ephemeral key each time, so ciphertexts should differ
+	if bytes.Equal(ct1, ct2) {
+		t.Fatal("two encryptions of same plaintext should produce different ciphertexts")
+	}
+
+	// Both should decrypt to the same plaintext
+	dec1, err := Decrypt(testKeyLabel, ct1)
+	if err != nil {
+		t.Fatalf("first Decrypt failed: %v", err)
+	}
+
+	dec2, err := Decrypt(testKeyLabel, ct2)
+	if err != nil {
+		t.Fatalf("second Decrypt failed: %v", err)
+	}
+
+	if !bytes.Equal(dec1, plaintext) || !bytes.Equal(dec2, plaintext) {
+		t.Fatal("both ciphertexts should decrypt to original plaintext")
+	}
+
+	t.Log("ECIES correctly produces different ciphertexts that decrypt to same plaintext")
+}
--- a/internal/macse/secure_enclave.h
+++ b/internal/macse/secure_enclave.h
@@ -0,0 +1,57 @@
+#ifndef SECURE_ENCLAVE_H
+#define SECURE_ENCLAVE_H
+
+#include <stdint.h>
+
+// se_create_key creates a new P-256 key in the Secure Enclave via sc_auth.
+// label: unique identifier for the CTK identity (UTF-8 C string)
+// pub_key_out: output buffer for the uncompressed public key (65 bytes for P-256)
+// pub_key_len: on input, size of pub_key_out; on output, actual size written
+// hash_out: output buffer for the identity hash (for deletion)
+// hash_out_len: size of hash_out buffer
+// error_out: output buffer for error message
+// error_out_len: size of error_out buffer
+// Returns 0 on success, -1 on failure.
+int se_create_key(const char *label,
+                  uint8_t *pub_key_out, int *pub_key_len,
+                  char *hash_out, int hash_out_len,
+                  char *error_out, int error_out_len);
+
+// se_encrypt encrypts data using the SE-backed public key (ECIES).
+// label: label of the CTK identity whose public key to use
+// plaintext: data to encrypt
+// plaintext_len: length of plaintext
+// ciphertext_out: output buffer for the ECIES ciphertext
+// ciphertext_len: on input, size of buffer; on output, actual size written
+// error_out: output buffer for error message
+// error_out_len: size of error_out buffer
+// Returns 0 on success, -1 on failure.
+int se_encrypt(const char *label,
+               const uint8_t *plaintext, int plaintext_len,
+               uint8_t *ciphertext_out, int *ciphertext_len,
+               char *error_out, int error_out_len);
+
+// se_decrypt decrypts ECIES ciphertext using the SE-backed private key.
+// The ECDH portion of decryption is performed inside the Secure Enclave.
+// label: label of the CTK identity whose private key to use
+// ciphertext: ECIES ciphertext produced by se_encrypt
+// ciphertext_len: length of ciphertext
+// plaintext_out: output buffer for decrypted data
+// plaintext_len: on input, size of buffer; on output, actual size written
+// error_out: output buffer for error message
+// error_out_len: size of error_out buffer
+// Returns 0 on success, -1 on failure.
+int se_decrypt(const char *label,
+               const uint8_t *ciphertext, int ciphertext_len,
+               uint8_t *plaintext_out, int *plaintext_len,
+               char *error_out, int error_out_len);
+
+// se_delete_key removes a CTK identity from the Secure Enclave via sc_auth.
+// hash: the identity hash returned by se_create_key
+// error_out: output buffer for error message
+// error_out_len: size of error_out buffer
+// Returns 0 on success, -1 on failure.
+int se_delete_key(const char *hash,
+                  char *error_out, int error_out_len);
+
+#endif // SECURE_ENCLAVE_H
--- a/internal/macse/secure_enclave.m
+++ b/internal/macse/secure_enclave.m
@@ -0,0 +1,300 @@
+#import <Foundation/Foundation.h>
+#import <Security/Security.h>
+#include "secure_enclave.h"
+#include <string.h>
+
+// snprintf_error writes an error message string to the output buffer.
+static void snprintf_error(char *error_out, int error_out_len, NSString *msg) {
+    if (error_out && error_out_len > 0) {
+        snprintf(error_out, error_out_len, "%s", msg.UTF8String);
+    }
+}
+
+// lookup_ctk_identity finds a CTK identity by label and returns the private key.
+static SecKeyRef lookup_ctk_private_key(const char *label, char *error_out, int error_out_len) {
+    NSDictionary *query = @{
+        (id)kSecClass:      (id)kSecClassIdentity,
+        (id)kSecAttrLabel:  [NSString stringWithUTF8String:label],
+        (id)kSecMatchLimit: (id)kSecMatchLimitOne,
+        (id)kSecReturnRef:  @YES,
+    };
+
+    SecIdentityRef identity = NULL;
+    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef *)&identity);
+
+    if (status != errSecSuccess || !identity) {
+        NSString *msg = [NSString stringWithFormat:@"CTK identity '%s' not found: OSStatus %d",
+                         label, (int)status];
+        snprintf_error(error_out, error_out_len, msg);
+        return NULL;
+    }
+
+    SecKeyRef privateKey = NULL;
+    status = SecIdentityCopyPrivateKey(identity, &privateKey);
+    CFRelease(identity);
+
+    if (status != errSecSuccess || !privateKey) {
+        NSString *msg = [NSString stringWithFormat:
+                         @"failed to get private key from CTK identity '%s': OSStatus %d",
+                         label, (int)status];
+        snprintf_error(error_out, error_out_len, msg);
+        return NULL;
+    }
+
+    return privateKey;
+}
+
+int se_create_key(const char *label,
+                  uint8_t *pub_key_out, int *pub_key_len,
+                  char *hash_out, int hash_out_len,
+                  char *error_out, int error_out_len) {
+    @autoreleasepool {
+        NSString *labelStr = [NSString stringWithUTF8String:label];
+
+        // Shell out to sc_auth (which has SE entitlements) to create the key
+        NSTask *task = [[NSTask alloc] init];
+        task.executableURL = [NSURL fileURLWithPath:@"/usr/sbin/sc_auth"];
+        task.arguments = @[
+            @"create-ctk-identity",
+            @"-k", @"p-256-ne",
+            @"-t", @"none",
+            @"-l", labelStr,
+        ];
+
+        NSPipe *stderrPipe = [NSPipe pipe];
+        task.standardOutput = [NSPipe pipe];
+        task.standardError = stderrPipe;
+
+        NSError *nsError = nil;
+        if (![task launchAndReturnError:&nsError]) {
+            NSString *msg = [NSString stringWithFormat:@"failed to launch sc_auth: %@",
+                             nsError.localizedDescription];
+            snprintf_error(error_out, error_out_len, msg);
+            return -1;
+        }
+
+        [task waitUntilExit];
+
+        if (task.terminationStatus != 0) {
+            NSData *stderrData = [stderrPipe.fileHandleForReading readDataToEndOfFile];
+            NSString *stderrStr = [[NSString alloc] initWithData:stderrData
+                                                        encoding:NSUTF8StringEncoding];
+            NSString *msg = [NSString stringWithFormat:@"sc_auth failed: %@",
+                             stderrStr ?: @"unknown error"];
+            snprintf_error(error_out, error_out_len, msg);
+            return -1;
+        }
+
+        // Retrieve the public key from the created identity
+        SecKeyRef privateKey = lookup_ctk_private_key(label, error_out, error_out_len);
+        if (!privateKey) {
+            return -1;
+        }
+
+        SecKeyRef publicKey = SecKeyCopyPublicKey(privateKey);
+        CFRelease(privateKey);
+
+        if (!publicKey) {
+            snprintf_error(error_out, error_out_len, @"failed to get public key");
+            return -1;
+        }
+
+        CFErrorRef cfError = NULL;
+        CFDataRef pubKeyData = SecKeyCopyExternalRepresentation(publicKey, &cfError);
+        CFRelease(publicKey);
+
+        if (!pubKeyData) {
+            NSError *err = (__bridge_transfer NSError *)cfError;
+            NSString *msg = [NSString stringWithFormat:@"failed to export public key: %@",
+                             err.localizedDescription];
+            snprintf_error(error_out, error_out_len, msg);
+            return -1;
+        }
+
+        const UInt8 *bytes = CFDataGetBytePtr(pubKeyData);
+        CFIndex length = CFDataGetLength(pubKeyData);
+
+        if (length > *pub_key_len) {
+            CFRelease(pubKeyData);
+            snprintf_error(error_out, error_out_len, @"public key buffer too small");
+            return -1;
+        }
+
+        memcpy(pub_key_out, bytes, length);
+        *pub_key_len = (int)length;
+        CFRelease(pubKeyData);
+
+        // Get the identity hash by parsing sc_auth list output
+        hash_out[0] = '\0';
+        NSTask *listTask = [[NSTask alloc] init];
+        listTask.executableURL = [NSURL fileURLWithPath:@"/usr/sbin/sc_auth"];
+        listTask.arguments = @[@"list-ctk-identities"];
+
+        NSPipe *listPipe = [NSPipe pipe];
+        listTask.standardOutput = listPipe;
+        listTask.standardError = [NSPipe pipe];
+
+        if ([listTask launchAndReturnError:&nsError]) {
+            [listTask waitUntilExit];
+            NSData *listData = [listPipe.fileHandleForReading readDataToEndOfFile];
+            NSString *listStr = [[NSString alloc] initWithData:listData
+                                                      encoding:NSUTF8StringEncoding];
+
+            for (NSString *line in [listStr componentsSeparatedByString:@"\n"]) {
+                if ([line containsString:labelStr]) {
+                    NSMutableArray *tokens = [NSMutableArray array];
+                    for (NSString *part in [line componentsSeparatedByCharactersInSet:
+                                            [NSCharacterSet whitespaceCharacterSet]]) {
+                        if (part.length > 0) {
+                            [tokens addObject:part];
+                        }
+                    }
+                    if (tokens.count > 1) {
+                        snprintf(hash_out, hash_out_len, "%s", [tokens[1] UTF8String]);
+                    }
+                    break;
+                }
+            }
+        }
+
+        return 0;
+    }
+}
+
+int se_encrypt(const char *label,
+               const uint8_t *plaintext, int plaintext_len,
+               uint8_t *ciphertext_out, int *ciphertext_len,
+               char *error_out, int error_out_len) {
+    @autoreleasepool {
+        SecKeyRef privateKey = lookup_ctk_private_key(label, error_out, error_out_len);
+        if (!privateKey) {
+            return -1;
+        }
+
+        SecKeyRef publicKey = SecKeyCopyPublicKey(privateKey);
+        CFRelease(privateKey);
+
+        if (!publicKey) {
+            snprintf_error(error_out, error_out_len, @"failed to get public key for encryption");
+            return -1;
+        }
+
+        NSData *plaintextData = [NSData dataWithBytes:plaintext length:plaintext_len];
+
+        CFErrorRef cfError = NULL;
+        CFDataRef encrypted = SecKeyCreateEncryptedData(
+            publicKey,
+            kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA256AESGCM,
+            (__bridge CFDataRef)plaintextData,
+            &cfError
+        );
+        CFRelease(publicKey);
+
+        if (!encrypted) {
+            NSError *nsError = (__bridge_transfer NSError *)cfError;
+            NSString *msg = [NSString stringWithFormat:@"ECIES encryption failed: %@",
+                             nsError.localizedDescription];
+            snprintf_error(error_out, error_out_len, msg);
+            return -1;
+        }
+
+        const UInt8 *encBytes = CFDataGetBytePtr(encrypted);
+        CFIndex encLength = CFDataGetLength(encrypted);
+
+        if (encLength > *ciphertext_len) {
+            CFRelease(encrypted);
+            snprintf_error(error_out, error_out_len, @"ciphertext buffer too small");
+            return -1;
+        }
+
+        memcpy(ciphertext_out, encBytes, encLength);
+        *ciphertext_len = (int)encLength;
+        CFRelease(encrypted);
+
+        return 0;
+    }
+}
+
+int se_decrypt(const char *label,
+               const uint8_t *ciphertext, int ciphertext_len,
+               uint8_t *plaintext_out, int *plaintext_len,
+               char *error_out, int error_out_len) {
+    @autoreleasepool {
+        SecKeyRef privateKey = lookup_ctk_private_key(label, error_out, error_out_len);
+        if (!privateKey) {
+            return -1;
+        }
+
+        NSData *ciphertextData = [NSData dataWithBytes:ciphertext length:ciphertext_len];
+
+        CFErrorRef cfError = NULL;
+        CFDataRef decrypted = SecKeyCreateDecryptedData(
+            privateKey,
+            kSecKeyAlgorithmECIESEncryptionStandardVariableIVX963SHA256AESGCM,
+            (__bridge CFDataRef)ciphertextData,
+            &cfError
+        );
+        CFRelease(privateKey);
+
+        if (!decrypted) {
+            NSError *nsError = (__bridge_transfer NSError *)cfError;
+            NSString *msg = [NSString stringWithFormat:@"ECIES decryption failed: %@",
+                             nsError.localizedDescription];
+            snprintf_error(error_out, error_out_len, msg);
+            return -1;
+        }
+
+        const UInt8 *decBytes = CFDataGetBytePtr(decrypted);
+        CFIndex decLength = CFDataGetLength(decrypted);
+
+        if (decLength > *plaintext_len) {
+            CFRelease(decrypted);
+            snprintf_error(error_out, error_out_len, @"plaintext buffer too small");
+            return -1;
+        }
+
+        memcpy(plaintext_out, decBytes, decLength);
+        *plaintext_len = (int)decLength;
+        CFRelease(decrypted);
+
+        return 0;
+    }
+}
+
+int se_delete_key(const char *hash,
+                  char *error_out, int error_out_len) {
+    @autoreleasepool {
+        NSTask *task = [[NSTask alloc] init];
+        task.executableURL = [NSURL fileURLWithPath:@"/usr/sbin/sc_auth"];
+        task.arguments = @[
+            @"delete-ctk-identity",
+            @"-h", [NSString stringWithUTF8String:hash],
+        ];
+
+        NSPipe *stderrPipe = [NSPipe pipe];
+        task.standardOutput = [NSPipe pipe];
+        task.standardError = stderrPipe;
+
+        NSError *nsError = nil;
+        if (![task launchAndReturnError:&nsError]) {
+            NSString *msg = [NSString stringWithFormat:@"failed to launch sc_auth: %@",
+                             nsError.localizedDescription];
+            snprintf_error(error_out, error_out_len, msg);
+            return -1;
+        }
+
+        [task waitUntilExit];
+
+        if (task.terminationStatus != 0) {
+            NSData *stderrData = [stderrPipe.fileHandleForReading readDataToEndOfFile];
+            NSString *stderrStr = [[NSString alloc] initWithData:stderrData
+                                                        encoding:NSUTF8StringEncoding];
+            NSString *msg = [NSString stringWithFormat:@"sc_auth delete failed: %@",
+                             stderrStr ?: @"unknown error"];
+            snprintf_error(error_out, error_out_len, msg);
+            return -1;
+        }
+
+        return 0;
+    }
+}