github
diff --git a/‎SoftU2F.xcodeproj/project.pbxproj‎
Lines changed: 8 additions & 8 deletions b/‎SoftU2F.xcodeproj/project.pbxproj‎
Lines changed: 8 additions & 8 deletions
diff --git a/‎SoftU2FTool/AppDelegate.swift‎
Lines changed: 4 additions & 1 deletion b/‎SoftU2FTool/AppDelegate.swift‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎SoftU2FTool/CLI.swift‎
Lines changed: 29 additions & 21 deletions b/‎SoftU2FTool/CLI.swift‎
Lines changed: 29 additions & 21 deletions
diff --git a/‎SoftU2FTool/KeyPair.swift‎
Lines changed: 30 additions & 65 deletions b/‎SoftU2FTool/KeyPair.swift‎
Lines changed: 30 additions & 65 deletions
@@ -85,8 +85,8 @@
 		F738F5871E4A3C09005680A2 /* DataReaderTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = F738F5851E4A3C09005680A2 /* DataReaderTests.swift */; };
 		F738F5881E4A3C09005680A2 /* DataWriterTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = F738F5861E4A3C09005680A2 /* DataWriterTests.swift */; };
 		F738F58A1E4A3C21005680A2 /* TestUtil.swift in Sources */ = {isa = PBXBuildFile; fileRef = F738F5891E4A3C21005680A2 /* TestUtil.swift */; };
-		F78BEF5F1F3E654A0005B3D5 /* Settings.swift in Sources */ = {isa = PBXBuildFile; fileRef = F78BEF5E1F3E654A0005B3D5 /* Settings.swift */; };
-		F78BEF611F3E65510005B3D5 /* CLI.swift in Sources */ = {isa = PBXBuildFile; fileRef = F78BEF601F3E65510005B3D5 /* CLI.swift */; };
+		F7713A5F1F477BA90036A0D5 /* CLI.swift in Sources */ = {isa = PBXBuildFile; fileRef = F7713A5D1F477BA90036A0D5 /* CLI.swift */; };
+		F7713A601F477BA90036A0D5 /* Settings.swift in Sources */ = {isa = PBXBuildFile; fileRef = F7713A5E1F477BA90036A0D5 /* Settings.swift */; };
 		F7ABD9BE1E80603D00768FEC /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = F7ABD9BD1E80603D00768FEC /* Assets.xcassets */; };
 		F7B5DBAD1E4A5CED00E5ABD4 /* Command.swift in Sources */ = {isa = PBXBuildFile; fileRef = F7B5DBAC1E4A5CED00E5ABD4 /* Command.swift */; };
 		F7B5DBAF1E4A815700E5ABD4 /* RawConvertible.swift in Sources */ = {isa = PBXBuildFile; fileRef = F7B5DBAE1E4A815700E5ABD4 /* RawConvertible.swift */; };
@@ -243,8 +243,8 @@
 		F738F5851E4A3C09005680A2 /* DataReaderTests.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; name = DataReaderTests.swift; path = DataTests/DataReaderTests.swift; sourceTree = "<group>"; };
 		F738F5861E4A3C09005680A2 /* DataWriterTests.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; name = DataWriterTests.swift; path = DataTests/DataWriterTests.swift; sourceTree = "<group>"; };
 		F738F5891E4A3C21005680A2 /* TestUtil.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = TestUtil.swift; sourceTree = "<group>"; };
-		F78BEF5E1F3E654A0005B3D5 /* Settings.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = Settings.swift; sourceTree = "<group>"; };
-		F78BEF601F3E65510005B3D5 /* CLI.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = CLI.swift; sourceTree = "<group>"; };
+		F7713A5D1F477BA90036A0D5 /* CLI.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = CLI.swift; sourceTree = "<group>"; };
+		F7713A5E1F477BA90036A0D5 /* Settings.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = Settings.swift; sourceTree = "<group>"; };
 		F7ABD9BD1E80603D00768FEC /* Assets.xcassets */ = {isa = PBXFileReference; lastKnownFileType = folder.assetcatalog; path = Assets.xcassets; sourceTree = "<group>"; };
 		F7B5DBAC1E4A5CED00E5ABD4 /* Command.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = Command.swift; sourceTree = "<group>"; };
 		F7B5DBAE1E4A815700E5ABD4 /* RawConvertible.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = RawConvertible.swift; sourceTree = "<group>"; };
@@ -378,8 +378,8 @@
 				51213EC51E3916EB005454E0 /* U2FHID.swift */,
 				51B289E41E39903F00AD90CC /* U2FAuthenticator.swift */,
 				51FE30EC1E403DA000BAE824 /* U2FRegistration.swift */,
-				F78BEF601F3E65510005B3D5 /* CLI.swift */,
-				F78BEF5E1F3E654A0005B3D5 /* Settings.swift */,
+				F7713A5D1F477BA90036A0D5 /* CLI.swift */,
+				F7713A5E1F477BA90036A0D5 /* Settings.swift */,
 				518537BF1E380E4600600911 /* SoftU2F-Bridging-Header.h */,
 				51F090181E37E8C600F03AD3 /* Info.plist */,
 			);
@@ -847,16 +847,16 @@
 			isa = PBXSourcesBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
-				F78BEF611F3E65510005B3D5 /* CLI.swift in Sources */,
 				5190B6121E3BFE3D00E6FE06 /* UserPresence.swift in Sources */,
 				51FE30F11E410B3D00BAE824 /* Utils.swift in Sources */,
+				F7713A601F477BA90036A0D5 /* Settings.swift in Sources */,
 				5119862E1E3C1519006A3BBB /* KnownFacets.swift in Sources */,
 				51F090101E37E8C600F03AD3 /* AppDelegate.swift in Sources */,
 				51213EC61E3916EB005454E0 /* U2FHID.swift in Sources */,
 				51E214601E3823E7005B2864 /* SHA256.swift in Sources */,
-				F78BEF5F1F3E654A0005B3D5 /* Settings.swift in Sources */,
 				51B289E51E39903F00AD90CC /* U2FAuthenticator.swift in Sources */,
 				514F3D821E43C833008FA513 /* Keychain.swift in Sources */,
+				F7713A5F1F477BA90036A0D5 /* CLI.swift in Sources */,
 				51FE30ED1E403DA000BAE824 /* U2FRegistration.swift in Sources */,
 				51E214621E382521005B2864 /* WebSafeBase64.swift in Sources */,
 				514F3D871E43E828008FA513 /* KeyPair.swift in Sources */,
 
@@ -10,6 +10,9 @@ import Cocoa
 @NSApplicationMain
 class AppDelegate: NSObject, NSApplicationDelegate {
     func applicationDidFinishLaunching(_ aNotification: Notification) {
+        // Fix up legacy keychain items.
+        U2FRegistration.repair()
+
         if CLI(CommandLine.arguments).run() {
             quit()
         } else if !U2FAuthenticator.start(){
@@ -25,7 +28,7 @@ class AppDelegate: NSObject, NSApplicationDelegate {
     }
 
     func applicationDidBecomeActive(_ notification: Notification) {
-        // Chrome gives ignores our U2F responses if it isn't active when we send them.
+        // Chrome ignores our U2F responses if it isn't active when we send them.
         // This hack should give focus back to Chrome immediately after the user interacts
         // with our notification.
         NSApplication.shared().hide(nil)
 
@@ -10,9 +10,9 @@ import Foundation
 // Command line flags
 fileprivate let listFlag = "--list"
 fileprivate let deleteAllFlag = "--delete-all"
-fileprivate let showTouchidFlag = "--show-touchid"
-fileprivate let enableTouchidFlag = "--enable-touchid"
-fileprivate let disableTouchidFlag = "--disable-touchid"
+fileprivate let showSEPFlag = "--show-sep"
+fileprivate let enableSEPFlag = "--enable-sep"
+fileprivate let disableSEPFlag = "--disable-sep"
 
 class CLI {
     private let args: [String]
@@ -28,29 +28,36 @@ class CLI {
         } else if args.contains(deleteAllFlag) {
             deleteAll()
             return true
-        } else if args.contains(showTouchidFlag) {
-            showTouchid()
+        } else if args.contains(showSEPFlag) {
+            showSEP()
             return true
-        } else if args.contains(enableTouchidFlag) {
-            enableTouchid()
+        } else if args.contains(enableSEPFlag) {
+            enableSEP()
             return true
-        } else if args.contains(disableTouchidFlag) {
-            disableTouchid()
+        } else if args.contains(disableSEPFlag) {
+            disableSEP()
             return true
         }
 
         return false
     }
 
     private func listRegistrations() {
+        let registrations = U2FRegistration.all
+        if registrations.count == 0 {
+            print("No registrations to list")
+            return
+        }
+        
         print("The following is a list of U2F registrations stored in your keychain. Each key contains several fields:")
         print("  - Key handle: This is the key handle that we registered with a website. For Soft U2F, the key handle is simply a hash of the public key.")
         print("  - Application parameter: This is the sha256 of the app-id of the site.")
         print("  - Known facet: For some sites we know the application parameter → site name mapping.")
         print("  - Counter: How many times this registration has been used.")
+        print("  — In SEP: Whether this registration's private key is stored in the SEP.")
         print("")
 
-        U2FRegistration.all.forEach { reg in
+        registrations.forEach { reg in
             print("Key handle: ", reg.keyHandle.base64EncodedString())
             print("Application parameter: ", reg.applicationParameter.base64EncodedString())
 
@@ -61,6 +68,7 @@ class CLI {
             }
 
             print("Counter: ", reg.counter)
+            print("In SEP: ", reg.inSEP)
             print("")
         }
     }
@@ -79,24 +87,24 @@ class CLI {
         print("Deleted ", initialCount, " registrations")
     }
 
-    private func showTouchid() {
-        if Settings.touchidDisabled {
-            print("TouchID is disabled")
+    private func showSEP() {
+        if Settings.sepEnabled {
+            print("SEP storage is enabled for new keys")
         } else {
-            print("TouchID is enabled")
+            print("SEP storage is disabled for new keys")
         }
     }
 
-    private func enableTouchid() {
-        if Settings.enableTouchid() {
-            print("TouchID is now enabled")
+    private func enableSEP() {
+        if Settings.enableSEP() {
+            print("SEP storage is now enabled for new keys")
         } else {
-            print("Error enabling TouchID. Does your system support it?")
+            print("Error enabling SEP storage for new keys. Does your system support it?")
         }
     }
 
-    private func disableTouchid() {
-        Settings.disableTouchid()
-        print("TouchID is now disabled")
+    private func disableSEP() {
+        Settings.disableSEP()
+        print("SEP storage is now disabled for new keys")
     }
 }
@@ -7,73 +7,32 @@
 
 import Foundation
 
-fileprivate class tmpKeyPair {
-    var label: String
-    var applicationLabel: Data
-    var publicKey: SecKey?
-    var privateKey: SecKey?
-
-    var keyPair: KeyPair? {
-        guard let pub = publicKey else { return nil }
-        guard let priv = privateKey else { return nil }
-
-        return KeyPair(label: label, appLabel: applicationLabel, publicKey: pub, privateKey: priv)
-    }
-
-    init(label l: String, applicationLabel al: Data) {
-        label = l
-        applicationLabel = al
-    }
-}
-
 class KeyPair {
+    // Fix up legacy keychain items.
+    static func repair(label: String) {
+        Keychain.repair(attrLabel: label as CFString)
+    }
+    
     /// Get all KeyPairs with the given label.
     static func all(label: String) -> [KeyPair] {
-        let secKeys = Keychain.getSecKeys(attrLabel: label as CFString)
-        var tmpKeyPairs: [tmpKeyPair] = []
+        let secKeys = Keychain.getPrivateSecKeys(attrLabel: label as CFString)
         var keyPairs: [KeyPair] = []
 
-        secKeys.forEach { secKey in
-            guard let appLabel: CFData = Keychain.getSecKeyAttr(key: secKey, attr: kSecAttrApplicationLabel) else { return }
-
-            let applicationLabel = appLabel as Data
-            var tmpKP: tmpKeyPair
-
-            if let kp = tmpKeyPairs.first(where: { $0.applicationLabel == applicationLabel }) {
-                tmpKP = kp
-            } else {
-                tmpKP = tmpKeyPair.init(label: label, applicationLabel: applicationLabel)
-                tmpKeyPairs.append(tmpKP)
-            }
-
-            guard let klass: CFString = Keychain.getSecKeyAttr(key: secKey, attr: kSecAttrKeyClass) else { return }
-
-            if klass == kSecAttrKeyClassPublic {
-                tmpKP.publicKey = secKey
-            } else {
-                tmpKP.privateKey = secKey
-            }
-        }
-
-        tmpKeyPairs.forEach { tmpKP in
-            guard let kp = tmpKP.keyPair else { return }
-
+        secKeys.forEach { priv in
+            guard let pub = SecKeyCopyPublicKey(priv) else { return }
+            guard let appLabel: CFData = Keychain.getSecKeyAttr(key: priv, attr: kSecAttrApplicationLabel) else { return }
+            
+            let kp = KeyPair(label: label, appLabel: appLabel as Data, publicKey: pub, privateKey: priv)
+            
             keyPairs.append(kp)
         }
 
         return keyPairs
     }
 
-    // The number of key pairs (keys/2) in the keychain.
+    // The number of private keys in the keychain.
     static func count(label: String) -> Int? {
-        guard let c = Keychain.count(attrLabel: label as CFString) else { return nil }
-
-        if c % 2 != 0 {
-            print("Uneven number of keys in the keychain.")
-            return nil
-        }
-
-        return c / 2
+        return Keychain.count(attrLabel: label as CFString)
     }
 
     // Delete all keys with the given label from the keychain.
@@ -97,19 +56,25 @@ class KeyPair {
 
         set {
             let value = (newValue ?? Data())
-            Keychain.setSecItemAttr(attrAppLabel: applicationLabel as CFData, name: kSecAttrApplicationTag, value: value as CFData)
+            _ = Keychain.setSecItemAttr(attrAppLabel: applicationLabel as CFData, name: kSecAttrApplicationTag, value: value as CFData)
         }
     }
 
     var publicKeyData: Data? {
-        return Keychain.getSecItemData(attrAppLabel: applicationLabel)
+        return Keychain.exportSecKey(publicKey)
+    }
+
+    var inSEP: Bool {
+        let tokenID: String = Keychain.getSecItemAttr(attrAppLabel: applicationLabel as CFData, name: kSecAttrTokenID) ?? "nope"
+
+        return tokenID == kSecAttrTokenIDSecureEnclave as String
     }
 
     // Generate a new key pair.
-    init?(label l: String) {
+    init?(label l: String, inSEP sep: Bool) {
         label = l
 
-        guard let (pub, priv) = Keychain.generateKeyPair(attrLabel: label as CFString) else { return nil }
+        guard let (pub, priv) = Keychain.generateKeyPair(attrLabel: label as CFString, inSEP: sep) else { return nil }
         publicKey = pub
         privateKey = priv
 
@@ -118,17 +83,17 @@ class KeyPair {
     }
 
     // Find a key pair with the given label and application label.
-    init?(label l: String, appLabel al: Data) {
+    init?(label l: String, appLabel al: Data, signPrompt sp: String) {
         label = l
         applicationLabel = al
 
-        // Lookup public key.
-        guard let pub = Keychain.getSecKey(attrAppLabel: applicationLabel as CFData, keyClass: kSecAttrKeyClassPublic) else { return nil }
-        publicKey = pub
-
         // Lookup private key.
-        guard let priv = Keychain.getSecKey(attrAppLabel: applicationLabel as CFData, keyClass: kSecAttrKeyClassPrivate) else { return nil }
+        guard let priv = Keychain.getPrivateSecKey(attrAppLabel: applicationLabel as CFData, signPrompt: sp as CFString) else { return nil }
         privateKey = priv
+        
+        // Generate public key from private key
+        guard let pub = SecKeyCopyPublicKey(priv) else { return nil }
+        publicKey = pub
     }
 
     // Initialize a key pair with all the necessary data.