This is a port of Bouncy Castle's IES engine that provides compatibility with Apple's SecKeyCreateEncryptedData, specifically the ECIES algorithms provided by Apple's internal Common Crypto and Core Crypto libraries when using one of the SecKeyAlgorithmECIESEncryptionCofactorVariableIV* algorithms (https://developer.apple.com/documentation/security/seckeyalgorithm).
Apple uses a specific implementation of ECIES which does not perform explicit message tagging (no separate MAC step); instead it uses an authenticated encryption (AEAD) mode of AES, AES-GCM. GCM (Galois/Counter Mode) produces an authentication tag that is appended to the ciphertext, much as an HMAC-based scheme would, while also allowing additional authenticated data as input.
Supported parameters:
- P-256 (secp256r1) only (other key sizes are not supported by the Secure Enclave)
- ANSI X9.63 KDF using one of the following message digest algorithms:
  - SHA1
  - SHA224
  - SHA256
  - SHA384
  - SHA512
- AES-GCM using:
  - a 128-bit key (for EC key pairs <= 256 bits), taken from the first part of the KDF output
  - a 16-byte nonce, taken from the second part of the KDF output
  - a 16-byte tag
This ECIES variant performs the following steps to produce the ciphertext:
- A random ephemeral EC key pair is generated for each message.
- A Diffie-Hellman key exchange is performed over the ephemeral private key and the peer's (static) public key. The result is the shared secret.
- A KDF expands the shared secret into 256 bits of shared information. Apple uses the X9.63 KDF, which is simply a SHA message digest of the concatenation of the shared secret, a 4-byte incrementing counter, and the ephemeral public key data, which serves as the initialization vector (IV).
- The first half (128 bits) of the KDF output is used as the AES-GCM key, while the second half (128 bits) is used as the nonce.
- The output of the encryption process is the concatenation of (in this order):
  - the ephemeral public key
  - the output of the AES-GCM function (itself the concatenation of the ciphertext and the message tag)
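The steps above, written out as an added example using the pyca/cryptography library (this is not the port's own code and not Apple's); it assumes the SHA256 variant, the uncompressed X9.63 point encoding for the ephemeral public key, and no associated data, as described above.

```python
# Added example: Apple-style ECIES (X9.63 KDF with SHA-256, AES-128-GCM, no AAD).
# Assumes the pyca/cryptography package; P-256 has cofactor 1, so plain ECDH
# yields the same shared secret as the cofactor variant.
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.x963kdf import X963KDF
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

CURVE = ec.SECP256R1()
POINT_LEN = 65   # uncompressed point: 0x04 || X || Y
KEY_LEN = 16     # AES-128 key for EC keys <= 256 bits
NONCE_LEN = 16   # GCM nonce, second half of the KDF output
TAG_LEN = 16

def derive_key_and_nonce(shared_secret: bytes, eph_pub_bytes: bytes):
    # X9.63 KDF: SHA-256(Z || counter || SharedInfo); SharedInfo is the ephemeral public key
    okm = X963KDF(algorithm=hashes.SHA256(), length=KEY_LEN + NONCE_LEN,
                  sharedinfo=eph_pub_bytes).derive(shared_secret)
    return okm[:KEY_LEN], okm[KEY_LEN:]

def encrypt(peer_public: ec.EllipticCurvePublicKey, plaintext: bytes) -> bytes:
    eph_priv = ec.generate_private_key(CURVE)          # fresh key pair per message
    eph_pub_bytes = eph_priv.public_key().public_bytes(
        Encoding.X962, PublicFormat.UncompressedPoint)
    z = eph_priv.exchange(ec.ECDH(), peer_public)       # shared secret
    key, nonce = derive_key_and_nonce(z, eph_pub_bytes)
    # Output: ephemeral public key || ciphertext || 16-byte GCM tag (AESGCM appends the tag)
    return eph_pub_bytes + AESGCM(key).encrypt(nonce, plaintext, None)

def decrypt(private: ec.EllipticCurvePrivateKey, blob: bytes) -> bytes:
    if len(blob) < POINT_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    eph_pub_bytes, body = blob[:POINT_LEN], blob[POINT_LEN:]
    eph_pub = ec.EllipticCurvePublicKey.from_encoded_point(CURVE, eph_pub_bytes)
    z = private.exchange(ec.ECDH(), eph_pub)
    key, nonce = derive_key_and_nonce(z, eph_pub_bytes)
    return AESGCM(key).decrypt(nonce, body, None)       # raises InvalidTag if modified

def roundtrip(msg: bytes) -> bool:
    priv = ec.generate_private_key(CURVE)
    return decrypt(priv, encrypt(priv.public_key(), msg)) == msg

def tamper_detected(msg: bytes) -> bool:
    # Flip one ciphertext byte after the ephemeral key; GCM must reject it.
    priv = ec.generate_private_key(CURVE)
    blob = bytearray(encrypt(priv.public_key(), msg))
    blob[POINT_LEN] ^= 0x01
    try:
        decrypt(priv, bytes(blob))
        return False
    except InvalidTag:
        return True
```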
References:
- https://opensource.apple.com/source/Security/Security-58286.1.32/keychain/SecKey.h.auto.html
  See the description of kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA256AESGCM for example. Please note that, contrary to the description provided there, Apple does not use authentication data in GCM.
- https://opensource.apple.com/source/Security/Security-58286.1.32/OSX/shared_regressions/si-44-seckey-ies.m.auto.html
  The test run for kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM provides useful debugging data.
- https://github.com/samdmarshall/apple-corecrypto/blob/df1ffe4ae19dcb7c320d336d7f5f28c9af6daa09/ccecies/src/ccecies_encrypt_gcm_composite.c
  ccecies_encrypt_gcm_composite provides the ECIES implementation.