Adds a new "secure-enclave" unlocker type that stores the vault's long-term private key encrypted by a non-exportable P-256 key held in the Secure Enclave hardware. Decryption (ECDH) is performed inside the SE; the key never leaves the hardware. Uses CryptoTokenKit identities created via sc_auth, which allows SE access from unsigned binaries without Apple Developer Program membership. ECIES (X963SHA256 + AES-GCM) handles encryption and decryption through Security.framework. New package internal/macse/ provides the CGo bridge to Security.framework for SE key creation, ECIES encrypt/decrypt, and key deletion. The SE unlocker directly encrypts the vault long-term key (no intermediate age keypair).
30 lines
775 B
Go
//go:build !darwin
// +build !darwin

// Package macse provides Go bindings for macOS Secure Enclave operations.
package macse

import "fmt"

var errNotSupported = fmt.Errorf("secure enclave is only supported on macOS") //nolint:gochecknoglobals

// CreateKey is not supported on non-darwin platforms.
func CreateKey(_ string) ([]byte, string, error) {
	return nil, "", errNotSupported
}

// Encrypt is not supported on non-darwin platforms.
func Encrypt(_ string, _ []byte) ([]byte, error) {
	return nil, errNotSupported
}

// Decrypt is not supported on non-darwin platforms.
func Decrypt(_ string, _ []byte) ([]byte, error) {
	return nil, errNotSupported
}

// DeleteKey is not supported on non-darwin platforms.
func DeleteKey(_ string) error {
	return errNotSupported
}
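The wrap/unwrap step the commit message describes (ECIES over a P-256 key: ECDH, X9.63 SHA-256 KDF, AES-GCM), as an added software model that is not part of this commit or the macse package: a software P-256 private key stands in for the non-exportable Secure Enclave key and the Go standard library stands in for Security.framework, so it runs on any platform and shows why the vault key can only be unwrapped by the key holder and why any tampering is rejected. Assumptions of this model: Encrypt/Decrypt mirror the stub's names but take Go key types instead of a key label, the KDF is truncated to one SHA-256 block (AES-128 key plus 12-byte nonce), and byte-for-byte compatibility with Apple's ECIES output is not claimed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// aeadFor: ECDH secret z -> ANSI X9.63 KDF SHA256(z || counter=1 || info) -> AES-128 key + 12-byte GCM nonce.
func aeadFor(priv *ecdh.PrivateKey, pub *ecdh.PublicKey, info []byte) (cipher.AEAD, []byte) {
	z, _ := priv.ECDH(pub) // both keys are P-256 by construction: cannot fail
	km := sha256.Sum256(append(append(append([]byte{}, z...), 0, 0, 0, 1), info...))
	block, _ := aes.NewCipher(km[:16]) // 16-byte key, 16-byte AES block: cannot fail
	aead, _ := cipher.NewGCM(block)
	return aead, km[16:28]
}

// Encrypt wraps plaintext (the vault long-term key) under the SE public key; no private key is needed.
func Encrypt(sePub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	if sePub.Curve() != ecdh.P256() {
		return nil, fmt.Errorf("recipient key is not P-256")
	}
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes() // 65-byte uncompressed point: KDF info and GCM AAD, binds key to this ciphertext
	aead, nonce := aeadFor(eph, sePub, ephPub)
	return append(ephPub, aead.Seal(nil, nonce, plaintext, ephPub)...), nil // layout: point || ciphertext || tag
}

func Decrypt(sePriv *ecdh.PrivateKey, ct []byte) ([]byte, error) { // in the real unlocker this ECDH runs inside the SE
	if len(ct) < 65+16 {
		return nil, fmt.Errorf("ciphertext too short: %d bytes", len(ct))
	}
	ephPub, err := ecdh.P256().NewPublicKey(ct[:65]) // rejects points that are not on P-256
	if err != nil {
		return nil, err
	}
	aead, nonce := aeadFor(sePriv, ephPub, ct[:65])
	return aead.Open(nil, nonce, ct[65:], ct[:65]) // any tampering fails the tag check: error, no plaintext
}

func main() {
	se, _ := ecdh.P256().GenerateKey(rand.Reader) // software stand-in for the non-exportable SE key
	ct, _ := Encrypt(se.PublicKey(), []byte("constructed vault long-term key"))
	fmt.Println(Decrypt(se, ct))
}
```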