Merge pull request #904 from smallstep/mariano/mackms-se

maraino · web-flow · commit cd9e473b34ae · 2025-12-02T11:11:25.000-08:00
Add support for P-384 keys on the secure enclave
diff --git a/kms/mackms/mackms.go b/kms/mackms/mackms.go
@@ -218,7 +218,9 @@ func (k *MacKMS) CreateKey(req *apiv1.CreateKeyRequest) (*apiv1.CreateKeyRespons
 	if !ok {
 		return nil, fmt.Errorf("createKeyRequest 'signatureAlgorithm=%q' is not supported", req.SignatureAlgorithm)
 	}
-	if u.useSecureEnclave && req.SignatureAlgorithm != apiv1.UnspecifiedSignAlgorithm && req.SignatureAlgorithm != apiv1.ECDSAWithSHA256 {
+	if u.useSecureEnclave && req.SignatureAlgorithm != apiv1.UnspecifiedSignAlgorithm &&
+		req.SignatureAlgorithm != apiv1.ECDSAWithSHA256 &&
+		req.SignatureAlgorithm != apiv1.ECDSAWithSHA384 {
 		return nil, fmt.Errorf("createKeyRequest 'signatureAlgorithm=%q' is not supported on Secure Enclave", req.SignatureAlgorithm)
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -218,7 +218,9 @@ func (k MacKMS) CreateKey(req apiv1.CreateKeyRequest) (*apiv1.CreateKeyRespons`
`218`	`218`	`if !ok {`
`219`	`219`	`return nil, fmt.Errorf("createKeyRequest 'signatureAlgorithm=%q' is not supported", req.SignatureAlgorithm)`
`220`	`220`	`}`
`221`		`- if u.useSecureEnclave && req.SignatureAlgorithm != apiv1.UnspecifiedSignAlgorithm && req.SignatureAlgorithm != apiv1.ECDSAWithSHA256 {`
	`221`	`+ if u.useSecureEnclave && req.SignatureAlgorithm != apiv1.UnspecifiedSignAlgorithm &&`
	`222`	`+ req.SignatureAlgorithm != apiv1.ECDSAWithSHA256 &&`
	`223`	`+ req.SignatureAlgorithm != apiv1.ECDSAWithSHA384 {`
`222`	`224`	`return nil, fmt.Errorf("createKeyRequest 'signatureAlgorithm=%q' is not supported on Secure Enclave", req.SignatureAlgorithm)`
`223`	`225`	`}`
`224`	`226`