Merge pull request #173 from auths-dev/dev-macFingerprint

feat: Apple Enclave fingerprint working

Author: bordumb

.auths/allowed_signers

@@ -1,4 +1,8 @@
 # auths:managed — do not edit manually
 # auths:attestation
-zDnaeozdqZm6u6rx8pc8RjSFVXRdoyACavgoRMQQx1qCXvsdm@auths.local namespaces="git" ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF4bP1XrwmGIzv5AR3L64MzVmhncKSJZvUm/vRaNFQ5k6yREvLIJwOmAI7ifc9oaTWdLOW/JD/fx3AzDRhNEyNU=
+<<<<<<< Updated upstream
+zDnaeTDAGwQd8YFykWwyeQEQC8hrHHWbeb9AsoJanKqheTQ9g@auths.local namespaces="git" ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBClLNRlBdgjEEPozFdM4rZh556aLyLCJLj77b+Ru5ACTaqMmXLuRlUWkonba8LKP2NKBWNme+4+tRLYngOaDDxo=
+=======
+zDnaeQaiejhv26gSRpcw2GuXyFwnBsg5d4LnEYmwswkL6xqNq@auths.local namespaces="git" ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAI983sl/v/wrXA3Eh6z1pbEUrSISl90Ydt6pagriWA6af/KRqhnahp5ZfUFLDxBNRRLHj8y/aWvWO9NqCQWRXI=
+>>>>>>> Stashed changes
 # auths:manual

.pre-commit-config.yaml

@@ -51,14 +51,14 @@ repos:
 
       - id: cargo-clippy
         name: cargo clippy
-        entry: cargo clippy --all-targets --all-features -- -D warnings
+        entry: cargo clippy --all-targets --all-features --keep-going -- -D warnings
         language: system
         types: [rust]
         pass_filenames: false
 
       - id: cargo-clippy-packages
         name: cargo clippy (packages/)
-        entry: bash -c 'for d in packages/auths-node packages/auths-python packages/auths-verifier-swift; do [ -f "$d/Cargo.toml" ] && CARGO_TARGET_DIR=../../target cargo clippy --manifest-path "$d/Cargo.toml" --all-targets -- -D warnings || exit 1; done'
+        entry: bash -c 'failed=0; for d in packages/auths-node packages/auths-python packages/auths-verifier-swift; do [ -f "$d/Cargo.toml" ] || continue; CARGO_TARGET_DIR=../../target cargo clippy --manifest-path "$d/Cargo.toml" --all-targets --keep-going -- -D warnings || failed=1; done; exit $failed'
         language: system
         types: [rust]
         pass_filenames: false
@@ -97,7 +97,7 @@ repos:
 
       - id: cargo-test
         name: cargo test
-        entry: cargo nextest run --workspace --profile pre-commit
+        entry: cargo nextest run --workspace --profile pre-commit --no-fail-fast
         language: system
         types: [rust]
         pass_filenames: false

crates/auths-cli/Cargo.toml

@@ -37,7 +37,7 @@ glob.workspace = true
 auths-policy.workspace = true
 auths-index.workspace = true
 auths-crypto.workspace = true
-auths-sdk = { workspace = true, features = ["backend-git", "witness-server", "witness-client", "indexed-storage"] }
+auths-sdk = { workspace = true, features = ["backend-git", "witness-server", "witness-client", "indexed-storage", "keychain-secure-enclave"] }
 auths-transparency = { workspace = true, features = ["native"] }
 auths-pairing-protocol.workspace = true
 auths-telemetry = { workspace = true, features = ["sink-http"] }

crates/auths-cli/src/commands/agent/mod.rs

@@ -541,6 +541,17 @@ fn unlock_agent(key_alias: &str) -> Result<()> {
 
     let keychain = auths_sdk::keychain::get_platform_keychain()
         .map_err(|e| anyhow!("Failed to get platform keychain: {}", e))?;
+
+    if keychain.is_hardware_backend() {
+        return Err(anyhow!(
+            "Agent-mode signing requires a software-backed key. Key '{}' is hardware-backed \
+             (Secure Enclave) and cannot export raw key material needed by the SSH agent. \
+             Use direct signing instead (which dispatches through the Secure Enclave), \
+             or initialize a separate software-backed identity for agent use.",
+            key_alias
+        ));
+    }
+
     let (_identity_did, _role, encrypted_data) = keychain
         .load_key(&auths_sdk::keychain::KeyAlias::new_unchecked(key_alias))
         .map_err(|e| anyhow!("Failed to load key '{}': {}", key_alias, e))?;

crates/auths-cli/src/commands/artifact/sign.rs

@@ -52,19 +52,13 @@ pub fn handle_sign(
             result.attestation_json.as_bytes(),
         );
         let alias = KeyAlias::new_unchecked(device_key);
-        let (_, _role, encrypted) = ctx
-            .key_storage
-            .load_key(&alias)
-            .context("Failed to load device key for log signature")?;
-        let passphrase = passphrase_provider
-            .get_passphrase("Re-enter passphrase for log signature:")
-            .map_err(|e| anyhow::anyhow!("Passphrase error: {e}"))?;
-        let pkcs8 = auths_sdk::crypto::decrypt_keypair(&encrypted, &passphrase)
-            .context("Failed to decrypt key for log signature")?;
-        let parsed = auths_crypto::parse_key_material(&pkcs8)
-            .map_err(|e| anyhow::anyhow!("Failed to parse key: {e}"))?;
-        let sig = auths_crypto::typed_sign(&parsed.seed, &pae)
-            .map_err(|e| anyhow::anyhow!("Failed to sign DSSE PAE: {e}"))?;
+        let (sig, _pubkey, _curve) = auths_sdk::keychain::sign_with_key(
+            ctx.key_storage.as_ref(),
+            &alias,
+            passphrase_provider.as_ref(),
+            &pae,
+        )
+        .context("Failed to sign DSSE PAE for log submission")?;
         Some(sig)
     } else {
         None

crates/auths-cli/src/commands/artifact/verify.rs

@@ -310,20 +310,26 @@ pub async fn handle_verify(
 fn resolve_identity_key(
     identity_bundle: &Option<PathBuf>,
     attestation: &Attestation,
-) -> Result<(Vec<u8>, CanonicalDid)> {
+) -> Result<(auths_verifier::DevicePublicKey, CanonicalDid)> {
     if let Some(bundle_path) = identity_bundle {
         let bundle_content = fs::read_to_string(bundle_path)
             .with_context(|| format!("Failed to read identity bundle: {:?}", bundle_path))?;
         let bundle: IdentityBundle = serde_json::from_str(&bundle_content)
             .with_context(|| format!("Failed to parse identity bundle: {:?}", bundle_path))?;
-        let pk = hex::decode(bundle.public_key_hex.as_str())
+        let pk_bytes = hex::decode(bundle.public_key_hex.as_str())
             .context("Invalid public key hex in bundle")?;
+        let curve = auths_crypto::CurveType::from_public_key_len(pk_bytes.len())
+            .ok_or_else(|| anyhow!("Invalid bundle public key length: {}", pk_bytes.len()))?;
+        let pk = auths_verifier::DevicePublicKey::try_new(curve, &pk_bytes)
+            .map_err(|e| anyhow!("Invalid bundle public key: {e}"))?;
         Ok((pk, bundle.identity_did.into()))
     } else {
         // Resolve public key from the issuer DID
         let issuer = &attestation.issuer;
-        let (pk, _curve) = resolve_pk_from_did(issuer)
+        let (pk_bytes, curve) = resolve_pk_from_did(issuer)
             .with_context(|| format!("Failed to resolve public key from issuer DID '{}'. Use --identity-bundle for stateless verification.", issuer))?;
+        let pk = auths_verifier::DevicePublicKey::try_new(curve, &pk_bytes)
+            .map_err(|e| anyhow!("Invalid issuer public key resolved from DID: {e}"))?;
         Ok((pk, issuer.clone()))
     }
 }
@@ -357,7 +363,7 @@ fn resolve_pk_from_did(did: &str) -> Result<(Vec<u8>, auths_crypto::CurveType)>
 /// Verify witness receipts if provided.
 async fn verify_witnesses(
     chain: &[Attestation],
-    root_pk: &[u8],
+    root_pk: &auths_verifier::DevicePublicKey,
     receipts_path: &Option<PathBuf>,
     witness_keys_raw: &[String],
     threshold: usize,

crates/auths-cli/src/commands/auth.rs

@@ -1,15 +1,9 @@
 use anyhow::{Context, Result, anyhow};
 use clap::{Parser, Subcommand};
 
-use auths_crypto::Pkcs8Der;
-use auths_sdk::crypto::decrypt_keypair;
-use auths_sdk::crypto::extract_seed_from_pkcs8;
-use auths_sdk::crypto::provider_bridge;
-use auths_sdk::keychain::KeyStorage;
 use auths_sdk::storage_layout::layout;
 
 use crate::factories::storage::build_auths_context;
-use auths_sdk::workflows::auth::sign_auth_challenge;
 
 use crate::commands::executable::ExecutableCommand;
 use crate::config::CliConfig;
@@ -76,33 +70,22 @@ fn handle_auth_challenge(nonce: &str, domain: &str, ctx: &CliConfig) -> Result<(
     let key_alias = auths_sdk::keychain::KeyAlias::new(&key_alias_str)
         .map_err(|e| anyhow!("Invalid key alias: {e}"))?;
 
-    let (_stored_did, _role, encrypted_key) = auths_ctx
-        .key_storage
-        .load_key(&key_alias)
-        .with_context(|| format!("Failed to load key '{}'", key_alias_str))?;
-
-    let passphrase =
-        passphrase_provider.get_passphrase(&format!("Enter passphrase for '{}':", key_alias))?;
-    let pkcs8_bytes = decrypt_keypair(&encrypted_key, &passphrase)
-        .context("Failed to decrypt key (invalid passphrase?)")?;
-
-    let pkcs8 = Pkcs8Der::new(&pkcs8_bytes[..]);
-    let seed =
-        extract_seed_from_pkcs8(&pkcs8).context("Failed to extract seed from key material")?;
-
-    // Derive public key from the seed instead of resolving via KEL
-    let public_key_bytes = provider_bridge::ed25519_public_key_from_seed_sync(&seed)
-        .context("Failed to derive public key from seed")?;
-    let public_key_hex = hex::encode(public_key_bytes);
-
-    let result = sign_auth_challenge(
-        nonce,
-        domain,
-        &seed,
-        &public_key_hex,
-        controller_did.as_str(),
+    let message = auths_sdk::workflows::auth::build_auth_challenge_message(nonce, domain)
+        .context("Failed to build auth challenge payload")?;
+
+    let (signature_bytes, public_key_bytes, _curve) = auths_sdk::keychain::sign_with_key(
+        auths_ctx.key_storage.as_ref(),
+        &key_alias,
+        passphrase_provider.as_ref(),
+        message.as_bytes(),
     )
-    .context("Failed to sign auth challenge")?;
+    .with_context(|| format!("Failed to sign auth challenge with key '{}'", key_alias))?;
+
+    let result = auths_sdk::workflows::auth::SignedAuthChallenge {
+        signature_hex: hex::encode(&signature_bytes),
+        public_key_hex: hex::encode(&public_key_bytes),
+        did: controller_did.to_string(),
+    };
 
     if is_json_mode() {
         JsonResponse::success(

crates/auths-cli/src/commands/device/verify_attestation.rs

@@ -165,36 +165,38 @@ fn effective_trust_policy(cmd: &VerifyCommand) -> TrustPolicy {
     }
 }
 
+/// Wrap raw pubkey bytes from a trust store (pin or roots.json) into a curve-tagged
+/// `DevicePublicKey`. Infers the curve from length via `CurveType::from_public_key_len`.
+fn bytes_to_device_public_key(
+    bytes: &[u8],
+    source: &str,
+) -> Result<auths_verifier::DevicePublicKey> {
+    let curve = auths_crypto::CurveType::from_public_key_len(bytes.len())
+        .ok_or_else(|| anyhow!("Invalid {} public key length: {}", source, bytes.len()))?;
+    auths_verifier::DevicePublicKey::try_new(curve, bytes)
+        .map_err(|e| anyhow!("Invalid {} public key: {e}", source))
+}
+
 /// Resolve the issuer public key from various sources.
 ///
 /// Resolution precedence:
-/// 1. --issuer-pk (direct key, bypasses trust)
+/// 1. `--issuer-pk` (direct key, bypasses trust)
 /// 2. Pinned identity store
-/// 3. roots.json file
+/// 3. `roots.json` file
 /// 4. Trust policy (TOFU prompt or explicit rejection)
 fn resolve_issuer_key(
     now: chrono::DateTime<Utc>,
     cmd: &VerifyCommand,
     att: &Attestation,
-) -> Result<Vec<u8>> {
+) -> Result<auths_verifier::DevicePublicKey> {
     // 1. Direct key takes precedence
     if let Some(ref pk_hex) = cmd.issuer_pk {
         let pk_bytes =
             hex::decode(pk_hex).context("Invalid hex string provided for issuer public key")?;
-        let curve = match pk_bytes.len() {
-            32 => auths_crypto::CurveType::Ed25519,
-            33 | 65 => auths_crypto::CurveType::P256,
-            _ => {
-                return Err(anyhow!(
-                    "Invalid issuer public key length: {}",
-                    pk_bytes.len()
-                ));
-            }
-        };
-        // Validate via DevicePublicKey type system
-        auths_verifier::DevicePublicKey::try_new(curve, &pk_bytes)
-            .map_err(|e| anyhow!("Invalid issuer public key: {e}"))?;
-        return Ok(pk_bytes);
+        let curve = auths_crypto::CurveType::from_public_key_len(pk_bytes.len())
+            .ok_or_else(|| anyhow!("Invalid issuer public key length: {}", pk_bytes.len()))?;
+        return auths_verifier::DevicePublicKey::try_new(curve, &pk_bytes)
+            .map_err(|e| anyhow!("Invalid issuer public key: {e}"));
     }
 
     // Determine the DID to look up
@@ -209,7 +211,7 @@ fn resolve_issuer_key(
         if !is_json_mode() {
             println!("Using pinned identity: {}", did);
         }
-        return Ok(pin.public_key_bytes()?);
+        return bytes_to_device_public_key(&pin.public_key_bytes()?, "pinned identity");
     }
 
     // 3. Check roots.json file
@@ -240,7 +242,7 @@ fn resolve_issuer_key(
                 trust_level: TrustLevel::OrgPolicy,
             };
             store.pin(pin)?;
-            return Ok(root.public_key_bytes()?);
+            return bytes_to_device_public_key(&root.public_key_bytes()?, "roots.json");
         }
     }
 
@@ -297,7 +299,7 @@ async fn run_verify(now: chrono::DateTime<Utc>, cmd: &VerifyCommand) -> Result<V
     }
 
     // 3. Resolve issuer public key
-    let issuer_pk_bytes = resolve_issuer_key(now, cmd, &att)?;
+    let issuer_pk = resolve_issuer_key(now, cmd, &att)?;
 
     let required_capability: Option<Capability> = cmd.require_capability.as_ref().map(|cap| {
         cap.parse::<Capability>().unwrap_or_else(|e| {
@@ -308,9 +310,9 @@ async fn run_verify(now: chrono::DateTime<Utc>, cmd: &VerifyCommand) -> Result<V
 
     // 5. Verify the attestation (with or without capability check)
     let verify_result = if let Some(ref cap) = required_capability {
-        verify_with_capability(&att, cap, &issuer_pk_bytes).await
+        verify_with_capability(&att, cap, &issuer_pk).await
     } else {
-        verify_with_keys(&att, &issuer_pk_bytes).await
+        verify_with_keys(&att, &issuer_pk).await
     };
 
     match verify_result {
@@ -330,13 +332,10 @@ async fn run_verify(now: chrono::DateTime<Utc>, cmd: &VerifyCommand) -> Result<V
                     threshold: cmd.witness_threshold,
                 };
 
-                let report = verify_chain_with_witnesses(
-                    std::slice::from_ref(&att),
-                    &issuer_pk_bytes,
-                    &config,
-                )
-                .await
-                .context("Witness chain verification failed")?;
+                let report =
+                    verify_chain_with_witnesses(std::slice::from_ref(&att), &issuer_pk, &config)
+                        .await
+                        .context("Witness chain verification failed")?;
 
                 if !report.is_valid() {
                     if !is_json_mode()
@@ -447,21 +446,9 @@ pub async fn handle_verify_attestation(
 
     let issuer_pk_bytes = hex::decode(issuer_pubkey_hex)
         .context("Invalid hex string provided for issuer public key")?;
+    let issuer_pk = bytes_to_device_public_key(&issuer_pk_bytes, "issuer")?;
 
-    let curve = match issuer_pk_bytes.len() {
-        32 => auths_crypto::CurveType::Ed25519,
-        33 | 65 => auths_crypto::CurveType::P256,
-        _ => {
-            return Err(anyhow!(
-                "Invalid issuer public key length: {}",
-                issuer_pk_bytes.len()
-            ));
-        }
-    };
-    auths_verifier::DevicePublicKey::try_new(curve, &issuer_pk_bytes)
-        .map_err(|e| anyhow!("Invalid issuer public key: {e}"))?;
-
-    match verify_with_keys(&att, &issuer_pk_bytes).await {
+    match verify_with_keys(&att, &issuer_pk).await {
         Ok(_) => {
             println!("Attestation verified successfully.");
             Ok(())

crates/auths-cli/src/commands/id/identity.rs

@@ -1,6 +1,5 @@
 use anyhow::{Context, Result, anyhow};
 use clap::{ArgAction, Parser, Subcommand};
-use ring::signature::KeyPair;
 use serde::Serialize;
 use serde_json;
 use std::fs;
@@ -402,6 +401,7 @@ pub fn handle_id(
                 passphrase_provider.as_ref(),
                 &get_platform_keychain()?,
                 None,
+                auths_crypto::CurveType::default(),
             ) {
                 Ok((controller_did_keri, alias)) => {
                     println!("\n✅ Identity created.");
@@ -592,23 +592,19 @@ pub fn handle_id(
                 .load_all_attestations()
                 .unwrap_or_default();
 
-            // Load the public key from keychain
+            // Load the public key from keychain (handles SE and software keys)
             let keychain = get_platform_keychain()?;
-            let (_, _role, encrypted_key) = keychain
-                .load_key(&KeyAlias::new_unchecked(&alias))
-                .with_context(|| format!("Key '{}' not found in keychain", alias))?;
-
-            // Decrypt to get public key
-            let pass = passphrase_provider
-                .get_passphrase(&format!("Enter passphrase for key '{}':", alias))?;
-            let pkcs8_bytes = auths_sdk::crypto::decrypt_keypair(&encrypted_key, &pass)
-                .context("Failed to decrypt key")?;
-            let keypair = auths_sdk::identity::load_keypair_from_der_or_seed(&pkcs8_bytes)?;
+            let alias_typed = KeyAlias::new_unchecked(&alias);
+            let (public_key_bytes, _curve) = auths_sdk::keychain::extract_public_key_bytes(
+                keychain.as_ref(),
+                &alias_typed,
+                passphrase_provider.as_ref(),
+            )
+            .with_context(|| format!("Failed to extract public key for '{}'", alias))?;
             #[allow(clippy::disallowed_methods)]
-            // INVARIANT: hex::encode of Ed25519 pubkey always produces valid hex
-            let public_key_hex = auths_verifier::PublicKeyHex::new_unchecked(hex::encode(
-                keypair.public_key().as_ref(),
-            ));
+            // INVARIANT: hex::encode of pubkey bytes always produces valid hex
+            let public_key_hex =
+                auths_verifier::PublicKeyHex::new_unchecked(hex::encode(&public_key_bytes));
 
             // Create the bundle
             let bundle = IdentityBundle {

crates/auths-cli/src/commands/id/migrate.rs

@@ -436,6 +436,7 @@ fn perform_gpg_migration(
         &passphrase_provider,
         keychain.as_ref(),
         None,
+        auths_crypto::CurveType::default(),
     ) {
         Ok((controller_did, alias)) => {
             out.print_success(&format!("Created Auths identity: {}", controller_did));
@@ -832,6 +833,7 @@ fn perform_ssh_migration(
         &passphrase_provider,
         keychain.as_ref(),
         None,
+        auths_crypto::CurveType::default(),
     ) {
         Ok((controller_did, alias)) => {
             out.print_success(&format!("Created Auths identity: {}", controller_did));