生成无法导出的私钥-Generateprivatekeythatcannotbeexported

5  

This article provides more details (compared to other answers in this thread):

本文提供了更多详细信息（与此主题中的其他答案相比）：

SecGenerateKeyPair(), which is used to generate RSA and ECDSA key pairs, can now be configured to directly store the generated private key in the device’s Keychain (within the Secure Enclave). This means that the private key can be used without ever leaving the device’s Secure Enclave.

SecGenerateKeyPair（）用于生成RSA和ECDSA密钥对，现在可以配置为将生成的私钥直接存储在设备的Keychain中（在Secure Enclave中）。这意味着可以在不离开设备的Secure Enclave的情况下使用私钥。

And the important addition:

而重要的补充：

The kSecAttrTokenIDSecureEnclave attribute needs to be used when generating the key pair.

生成密钥对时需要使用kSecAttrTokenIDSecureEnclave属性。

If you don't specify this attribute the private key will be accessible even on iOS9.

如果您未指定此属性，即使在iOS9上也可以访问私钥。

4  

To answer the first question, the private key cannot be retrieved according to this source:

要回答第一个问题，根据此来源无法检索私钥：

One API call, SecKeyGeneratePair(), creates a public and private key. The public key is returned to the app, and the private key is sent directly to the Secure Enclave. This private key cannot be retrieved.

一个API调用SecKeyGeneratePair（）创建公钥和私钥。公钥将返回到应用程序，私钥将直接发送到Secure Enclave。无法检索此私钥。

More information is available here:

更多信息请点击这里：

The supported keys are Elliptic Curve P256, the private key is not extractible in any form, even protected, and the applications are RawSign and RawVerify.

支持的键是Elliptic Curve P256，私钥不能以任何形式提取，甚至受保护，应用程序是RawSign和RawVerify。