kms/mackms: add user-authorization policy for Secure Enclave keys#1029
Draft
joshdrake wants to merge 1 commit into
Adds per-key user-authorization to mackms via two new URI parameters
(plus a "reason" override for the prompt text):
- policy=user-presence — kSecAccessControlUserPresence (Touch ID,
Apple Watch, or device passcode)
- policy=user-verification — kSecAccessControlBiometryCurrentSet
(Touch ID only, invalidates on enrollment change)
- cache=<duration> — sets
LAContext.touchIDAuthenticationAllowableReuseDuration, capped to
300s by the platform
- reason=<text> — localizedReason shown in the macOS prompt
A new LAContext wrapper in internal/darwin/security bridges the
LocalAuthentication framework via a small Objective-C shim. The wrapper
is plumbed into getPrivateKey via kSecUseAuthenticationContext so the
prompt fires before SecKeyCreateSignature is called.
Authorization policies require se=true; software keys can't enforce
the policy at the hardware level, so we reject the combination at
CreateKey rather than silently downgrading. The legacy bio=true flag
is preserved as an alias for policy=user-verification.
Part of "User-Authorized Signing for Hardware-Bound Keys" — macOS
piece. Cross-platform support (Windows/Linux) is out of scope.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Adds per-key user-authorization (Touch ID / biometric / passcode) to mackms via two new URI parameters plus a prompt-text override:
- policy=user-presence — kSecAccessControlUserPresence (Touch ID, Apple Watch, or device passcode)
- policy=user-verification — kSecAccessControlBiometryCurrentSet (Touch ID only; key invalidates on enrollment change)
- cache=<duration> — LAContext.touchIDAuthenticationAllowableReuseDuration, clamped to 300s
- reason=<text> — localizedReason shown in the macOS prompt
A new LAContext wrapper in internal/darwin/security bridges the LocalAuthentication framework via a small Objective-C shim, and is plumbed into getPrivateKey via kSecUseAuthenticationContext so the prompt fires before SecKeyCreateSignature.
Authorization policies require se=true; software keys can't enforce the policy at the hardware level, so we reject the combination at CreateKey rather than silently downgrading. The legacy bio=true flag is preserved as an alias for policy=user-verification.
Part of the User-Authorized Signing for Hardware-Bound Keys RFC — macOS piece. Cross-platform support (Windows/Linux) is out of scope for this PR.
Note on base
This branch is currently based on v0.78.0 to stay compatible with the agent's current dependency pin. Rebasing onto master is straightforward; happy to do that as the consuming PR lands.
Test plan
- go test ./kms/mackms/... on macOS (CI)
- policy=user-presence, sign, confirm Touch ID prompt appears with configured reason
- cache=60s, confirm re-sign within 60s skips the prompt
- policy=user-verification rejects passcode (biometric-only)
🤖 Generated with Claude Code
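The URI-level rules the summary and test plan describe (policy requires se=true and is rejected rather than downgraded, bio=true as an alias for policy=user-verification, cache clamped to 300s) as an added Go example; this is not code from this PR or from the mackms package. The "mackms:name=k;key=value;..." layout, the type and constant names, and Go 1.21 (for the min builtin) are assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// URI policy names (trailing comments name the SecAccessControl flag each maps to); maxCache is the platform cap on touchIDAuthenticationAllowableReuseDuration.
const (
	PolicyUserPresence     = "user-presence"     // kSecAccessControlUserPresence
	PolicyUserVerification = "user-verification" // kSecAccessControlBiometryCurrentSet
	maxCache               = 300 * time.Second
)
type AuthOptions struct {
	SecureEnclave bool
	Policy        string // "" means no user authorization required
	Cache         time.Duration
	Reason        string
}
// ParseAuthOptions reads the ";"-separated key=value pairs of a mackms URI; the "mackms:name=k;se=true;policy=...;cache=60s" shape is an assumption, not taken from the project.
func ParseAuthOptions(uri string) (o AuthOptions, err error) {
	for _, kv := range strings.Split(strings.TrimPrefix(uri, "mackms:"), ";") {
		k, v, _ := strings.Cut(kv, "=")
		switch k {
		case "se":
			o.SecureEnclave = v == "true"
		case "bio": // legacy flag, kept as an alias for policy=user-verification
			if v == "true" {
				o.Policy = PolicyUserVerification
			}
		case "policy":
			if v != PolicyUserPresence && v != PolicyUserVerification {
				return o, fmt.Errorf("unknown policy %q", v)
			}
			o.Policy = v
		case "cache":
			if o.Cache, err = time.ParseDuration(v); err != nil || o.Cache < 0 {
				return o, fmt.Errorf("invalid cache duration %q", v)
			}
			o.Cache = min(o.Cache, maxCache) // clamp to the platform maximum
		case "reason":
			o.Reason = v
		}
	}
	if o.Policy != "" && !o.SecureEnclave { // software keys cannot enforce it: reject, never downgrade
		return o, fmt.Errorf("policy %q requires se=true", o.Policy)
	}
	return o, nil
}
```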