Summary
Phase 2 signing using platform hardware security modules for non-exportable ES256 keys.
Platforms
- macOS/iOS: SecKeyCreateSignature with Secure Enclave key (Touch ID protected)
- Android: KeyStore with setIsStrongBoxBacked(true)
- Windows: TPM 2.0 via NCryptSignHash
Design
This is NOT WebAuthn; it is raw access to the platform's hardware-backed key (Secure Enclave, StrongBox, TPM). WebAuthn signs clientDataJSON (challenge-response), not arbitrary data. The platform's native crypto API signs the JCS-canonical attestation payload directly.
The credentialId field optionally links to a WebAuthn credential for cross-referencing.
Depends on