@wlfi-agent/cli 1.4.13 → 1.4.15

package/crates/vault-signer/src/lib.rs

@@ -0,0 +1,731 @@
+//! Signer backends for vault keys.
+//!
+//! The daemon depends on [`VaultSignerBackend`] so hardware-backed (Secure
+//! Enclave), software-backed, and future TEE-backed implementations can be
+//! swapped without changing policy logic.
+
+use std::collections::HashMap;
+use std::sync::{Arc, RwLock};
+
+use async_trait::async_trait;
+use k256::ecdsa::signature::Signer;
+use k256::ecdsa::{Signature as EcdsaSignature, SigningKey};
+use k256::elliptic_curve::rand_core::OsRng;
+use serde::{Deserialize, Serialize};
+use thiserror::Error;
+use time::OffsetDateTime;
+use uuid::Uuid;
+use vault_domain::{KeySource, Signature, VaultKey};
+
+#[cfg(target_os = "macos")]
+use core_foundation::base::{TCFType, ToVoid};
+#[cfg(target_os = "macos")]
+use core_foundation::string::CFString;
+#[cfg(target_os = "macos")]
+use security_framework::access_control::{ProtectionMode, SecAccessControl};
+#[cfg(target_os = "macos")]
+use security_framework::item::{
+    ItemClass, ItemSearchOptions, KeyClass, Limit, Location, Reference, SearchResult,
+};
+#[cfg(target_os = "macos")]
+use security_framework::key::{Algorithm, GenerateKeyOptions, KeyType, SecKey, Token};
+#[cfg(target_os = "macos")]
+use security_framework_sys::access_control::kSecAccessControlPrivateKeyUsage;
+#[cfg(target_os = "macos")]
+use security_framework_sys::item::{
+    kSecAttrAccessControl, kSecAttrTokenID, kSecAttrTokenIDSecureEnclave,
+};
+
+/// Logical backend category.
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum BackendKind {
+    /// macOS Secure Enclave + Keychain backend.
+    SecureEnclave,
+    /// Hardware-backed remote TEE backend.
+    Tee,
+    /// In-process software signer backend.
+    Software,
+}
+
+/// Key creation request from daemon/admin.
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
+pub enum KeyCreateRequest {
+    /// Generate a fresh private key.
+    Generate,
+    /// Import an existing hex-encoded 32-byte secp256k1 private key.
+    Import { private_key_hex: String },
+}
+
+/// Errors returned by signer backends.
+#[derive(Debug, Error, Clone, PartialEq, Eq, Serialize, Deserialize)]
+pub enum SignerError {
+    /// Unknown key identifier.
+    #[error("unknown vault key id: {0}")]
+    UnknownKey(Uuid),
+    /// Invalid import key material.
+    #[error("invalid private key")]
+    InvalidPrivateKey,
+    /// Operation is intentionally unsupported by backend.
+    #[error("backend operation unsupported: {0}")]
+    Unsupported(String),
+    /// Caller does not satisfy backend security requirements.
+    #[error("permission denied: {0}")]
+    PermissionDenied(String),
+    /// Backend-specific failure.
+    #[error("internal backend failure: {0}")]
+    Internal(String),
+}
+
+/// Backend interface used by daemon.
+#[async_trait]
+pub trait VaultSignerBackend: Send + Sync {
+    /// Returns backend category.
+    fn backend_kind(&self) -> BackendKind;
+
+    /// Creates a vault key according to request.
+    async fn create_vault_key(&self, request: KeyCreateRequest) -> Result<VaultKey, SignerError>;
+
+    /// Signs payload with key `vault_key_id`.
+    async fn sign_payload(
+        &self,
+        vault_key_id: Uuid,
+        payload: &[u8],
+    ) -> Result<Signature, SignerError>;
+
+    /// Signs a prehashed 32-byte digest with key `vault_key_id`.
+    ///
+    /// Digest format is caller-defined; for Ethereum transactions this must be
+    /// Keccak-256 transaction-signing prehash.
+    async fn sign_digest(
+        &self,
+        vault_key_id: Uuid,
+        digest: [u8; 32],
+    ) -> Result<Signature, SignerError>;
+
+    /// Exports persistable key material for the requested vault key IDs.
+    ///
+    /// Backends that keep private keys outside daemon persistence (for example
+    /// Secure Enclave) should return an empty map.
+    fn export_persistable_key_material(
+        &self,
+        _vault_key_ids: &[Uuid],
+    ) -> Result<HashMap<Uuid, String>, SignerError> {
+        Ok(HashMap::new())
+    }
+
+    /// Restores persistable key material previously exported by this backend.
+    ///
+    /// Backends that do not support material export/import return an error when
+    /// non-empty state is provided.
+    fn restore_persistable_key_material(
+        &self,
+        persisted: &HashMap<Uuid, String>,
+    ) -> Result<(), SignerError> {
+        if persisted.is_empty() {
+            return Ok(());
+        }
+        Err(SignerError::Unsupported(
+            "backend does not support persisted key material".to_string(),
+        ))
+    }
+}
+
+/// Optional extension for backends capable of cryptographic attestation.
+#[async_trait]
+pub trait AttestableSignerBackend: VaultSignerBackend {
+    /// Returns an attestation document proving key/backend identity.
+    async fn attestation_document(&self) -> Result<Vec<u8>, SignerError>;
+}
+
+/// Pure software signer for development and tests.
+#[derive(Debug, Clone, Default)]
+pub struct SoftwareSignerBackend {
+    keys: Arc<RwLock<HashMap<Uuid, SigningKey>>>,
+}
+
+impl SoftwareSignerBackend {
+    fn public_key_hex(signing_key: &SigningKey) -> String {
+        let verifying_key = signing_key.verifying_key();
+        hex::encode(verifying_key.to_encoded_point(false).as_bytes())
+    }
+
+    fn parse_import_key(private_key_hex: &str) -> Result<SigningKey, SignerError> {
+        let raw = hex::decode(
+            private_key_hex
+                .strip_prefix("0x")
+                .unwrap_or(private_key_hex),
+        )
+        .map_err(|_| SignerError::InvalidPrivateKey)?;
+        if raw.len() != 32 {
+            return Err(SignerError::InvalidPrivateKey);
+        }
+        SigningKey::from_slice(&raw).map_err(|_| SignerError::InvalidPrivateKey)
+    }
+}
+
+#[async_trait]
+impl VaultSignerBackend for SoftwareSignerBackend {
+    fn backend_kind(&self) -> BackendKind {
+        BackendKind::Software
+    }
+
+    async fn create_vault_key(&self, request: KeyCreateRequest) -> Result<VaultKey, SignerError> {
+        let (signing_key, source) = match request {
+            KeyCreateRequest::Generate => (SigningKey::random(&mut OsRng), KeySource::Generated),
+            KeyCreateRequest::Import { private_key_hex } => {
+                let key = Self::parse_import_key(&private_key_hex)?;
+                (key, KeySource::Imported)
+            }
+        };
+
+        let key_id = Uuid::new_v4();
+        let public_key_hex = Self::public_key_hex(&signing_key);
+        let created_at = OffsetDateTime::now_utc();
+
+        self.keys
+            .write()
+            .map_err(|_| SignerError::Internal("poisoned lock".into()))?
+            .insert(key_id, signing_key);
+
+        Ok(VaultKey {
+            id: key_id,
+            source,
+            public_key_hex,
+            created_at,
+        })
+    }
+
+    async fn sign_payload(
+        &self,
+        vault_key_id: Uuid,
+        payload: &[u8],
+    ) -> Result<Signature, SignerError> {
+        let keys = self
+            .keys
+            .read()
+            .map_err(|_| SignerError::Internal("poisoned lock".into()))?;
+        let signing_key = keys
+            .get(&vault_key_id)
+            .ok_or(SignerError::UnknownKey(vault_key_id))?;
+
+        let signature: EcdsaSignature = signing_key.sign(payload);
+        Ok(Signature::from_der(signature.to_der().as_bytes().to_vec()))
+    }
+
+    async fn sign_digest(
+        &self,
+        vault_key_id: Uuid,
+        digest: [u8; 32],
+    ) -> Result<Signature, SignerError> {
+        let keys = self
+            .keys
+            .read()
+            .map_err(|_| SignerError::Internal("poisoned lock".into()))?;
+        let signing_key = keys
+            .get(&vault_key_id)
+            .ok_or(SignerError::UnknownKey(vault_key_id))?;
+
+        let (signature, _) = signing_key
+            .sign_prehash_recoverable(&digest)
+            .map_err(|err| SignerError::Internal(format!("digest signature failed: {err}")))?;
+        Ok(Signature::from_der(signature.to_der().as_bytes().to_vec()))
+    }
+
+    fn export_persistable_key_material(
+        &self,
+        vault_key_ids: &[Uuid],
+    ) -> Result<HashMap<Uuid, String>, SignerError> {
+        let keys = self
+            .keys
+            .read()
+            .map_err(|_| SignerError::Internal("poisoned lock".into()))?;
+        let mut exported = HashMap::with_capacity(vault_key_ids.len());
+        for vault_key_id in vault_key_ids {
+            let signing_key = keys
+                .get(vault_key_id)
+                .ok_or(SignerError::UnknownKey(*vault_key_id))?;
+            exported.insert(*vault_key_id, hex::encode(signing_key.to_bytes()));
+        }
+        Ok(exported)
+    }
+
+    fn restore_persistable_key_material(
+        &self,
+        persisted: &HashMap<Uuid, String>,
+    ) -> Result<(), SignerError> {
+        let mut restored = HashMap::with_capacity(persisted.len());
+        for (vault_key_id, private_key_hex) in persisted {
+            let signing_key = Self::parse_import_key(private_key_hex)?;
+            restored.insert(*vault_key_id, signing_key);
+        }
+        *self
+            .keys
+            .write()
+            .map_err(|_| SignerError::Internal("poisoned lock".into()))? = restored;
+        Ok(())
+    }
+}
+
+/// Real macOS Secure Enclave signer.
+///
+/// Generated keys are permanent Keychain items with `PRIVATE_KEY_USAGE`
+/// access control and `kSecAttrTokenIDSecureEnclave` token binding.
+#[derive(Debug, Clone)]
+pub struct SecureEnclaveSignerBackend {
+    label_prefix: String,
+}
+
+impl Default for SecureEnclaveSignerBackend {
+    fn default() -> Self {
+        Self::new("com.wlfi.vault")
+    }
+}
+
+impl SecureEnclaveSignerBackend {
+    /// Creates backend with a key label prefix.
+    #[must_use]
+    pub fn new(label_prefix: impl Into<String>) -> Self {
+        Self {
+            label_prefix: label_prefix.into(),
+        }
+    }
+
+    fn key_label(&self, key_id: Uuid) -> String {
+        format!("{}.{key_id}", self.label_prefix)
+    }
+
+    #[cfg(target_os = "macos")]
+    fn require_root() -> Result<(), SignerError> {
+        if unsafe { libc::geteuid() } != 0 {
+            return Err(SignerError::PermissionDenied(
+                "secure enclave backend requires root daemon context".to_string(),
+            ));
+        }
+        Ok(())
+    }
+
+    #[cfg(target_os = "macos")]
+    fn make_access_control() -> Result<SecAccessControl, SignerError> {
+        SecAccessControl::create_with_protection(
+            Some(ProtectionMode::AccessibleAfterFirstUnlockThisDeviceOnly),
+            kSecAccessControlPrivateKeyUsage,
+        )
+        .map_err(|err| SignerError::Internal(format!("unable to create access control: {err}")))
+    }
+
+    #[cfg(target_os = "macos")]
+    fn generate_secure_enclave_key(&self, key_id: Uuid) -> Result<SecKey, SignerError> {
+        let label = self.key_label(key_id);
+        let mut options = GenerateKeyOptions::default();
+        options
+            .set_key_type(KeyType::ec_sec_prime_random())
+            .set_size_in_bits(256)
+            .set_label(label)
+            .set_token(Token::SecureEnclave)
+            .set_location(Location::DataProtectionKeychain)
+            .set_access_control(Self::make_access_control()?);
+
+        SecKey::new(&options).map_err(|err| {
+            SignerError::Internal(format!("secure enclave key generation failed: {err}"))
+        })
+    }
+
+    #[cfg(target_os = "macos")]
+    fn find_private_key(&self, key_id: Uuid) -> Result<SecKey, SignerError> {
+        let label = self.key_label(key_id);
+        let mut search = ItemSearchOptions::new();
+        search
+            .class(ItemClass::key())
+            .key_class(KeyClass::private())
+            .label(&label)
+            .load_refs(true)
+            .limit(Limit::All)
+            .ignore_legacy_keychains();
+
+        let mut results = search
+            .search()
+            .map_err(|err| SignerError::Internal(format!("key lookup failed: {err}")))?;
+        if results.is_empty() {
+            return Err(SignerError::UnknownKey(key_id));
+        }
+        if results.len() > 1 {
+            return Err(SignerError::Internal(format!(
+                "multiple keychain private keys matched label for vault key {key_id}; refusing ambiguous lookup"
+            )));
+        }
+
+        let first = results
+            .pop()
+            .ok_or_else(|| SignerError::Internal("missing search result".to_string()))?;
+
+        match first {
+            SearchResult::Ref(Reference::Key(key)) => {
+                Self::validate_secure_enclave_key_attributes(&key, key_id)?;
+                Ok(key)
+            }
+            _ => Err(SignerError::Internal(
+                "unexpected keychain search result type".to_string(),
+            )),
+        }
+    }
+
+    #[cfg(target_os = "macos")]
+    fn validate_secure_enclave_key_attributes(
+        key: &SecKey,
+        key_id: Uuid,
+    ) -> Result<(), SignerError> {
+        let attrs = key.attributes();
+        let token_attr = attrs
+            .find(unsafe { kSecAttrTokenID }.to_void())
+            .ok_or_else(|| {
+                SignerError::Internal(format!(
+                    "resolved key for vault key {key_id} is missing token-id attribute"
+                ))
+            })?;
+        let token_value = format!("{}", unsafe {
+            CFString::wrap_under_get_rule(token_attr.cast())
+        });
+        let expected_secure_enclave_token = format!("{}", unsafe {
+            CFString::wrap_under_get_rule(kSecAttrTokenIDSecureEnclave)
+        });
+        if token_value != expected_secure_enclave_token {
+            return Err(SignerError::Internal(format!(
+                "resolved key for vault key {key_id} is not secure-enclave backed"
+            )));
+        }
+
+        let access_control = attrs
+            .find(unsafe { kSecAttrAccessControl }.to_void())
+            .ok_or_else(|| {
+                SignerError::Internal(format!(
+                    "resolved key for vault key {key_id} is missing access-control metadata"
+                ))
+            })?;
+        if access_control.is_null() {
+            return Err(SignerError::Internal(format!(
+                "resolved key for vault key {key_id} has null access-control metadata"
+            )));
+        }
+
+        Ok(())
+    }
+
+    #[cfg(target_os = "macos")]
+    fn public_key_hex(private_key: &SecKey) -> Result<String, SignerError> {
+        let public_key = private_key
+            .public_key()
+            .ok_or_else(|| SignerError::Internal("missing public key".to_string()))?;
+        let data = public_key.external_representation().ok_or_else(|| {
+            SignerError::Internal("missing public key representation".to_string())
+        })?;
+        Ok(hex::encode(data.bytes()))
+    }
+
+    #[cfg(all(test, target_os = "macos"))]
+    fn delete_if_present(&self, key_id: Uuid) -> Result<(), SignerError> {
+        match self.find_private_key(key_id) {
+            Ok(key) => key
+                .delete()
+                .map_err(|err| SignerError::Internal(format!("key cleanup failed: {err}"))),
+            Err(SignerError::UnknownKey(_)) => Ok(()),
+            Err(other) => Err(other),
+        }
+    }
+}
+
+#[async_trait]
+impl VaultSignerBackend for SecureEnclaveSignerBackend {
+    fn backend_kind(&self) -> BackendKind {
+        BackendKind::SecureEnclave
+    }
+
+    async fn create_vault_key(&self, request: KeyCreateRequest) -> Result<VaultKey, SignerError> {
+        #[cfg(not(target_os = "macos"))]
+        {
+            let _ = request;
+            return Err(SignerError::Unsupported(
+                "Secure Enclave backend requires macOS".to_string(),
+            ));
+        }
+
+        #[cfg(target_os = "macos")]
+        {
+            match request {
+                KeyCreateRequest::Generate => {
+                    Self::require_root()?;
+                    let key_id = Uuid::new_v4();
+                    let private_key = self.generate_secure_enclave_key(key_id)?;
+                    let public_key_hex = Self::public_key_hex(&private_key)?;
+                    Ok(VaultKey {
+                        id: key_id,
+                        source: KeySource::Generated,
+                        public_key_hex,
+                        created_at: OffsetDateTime::now_utc(),
+                    })
+                }
+                KeyCreateRequest::Import { .. } => Err(SignerError::Unsupported(
+                    "Secure Enclave keys are non-importable; use a non-enclave backend for imports"
+                        .to_string(),
+                )),
+            }
+        }
+    }
+
+    async fn sign_payload(
+        &self,
+        vault_key_id: Uuid,
+        payload: &[u8],
+    ) -> Result<Signature, SignerError> {
+        #[cfg(not(target_os = "macos"))]
+        {
+            let _ = (vault_key_id, payload);
+            return Err(SignerError::Unsupported(
+                "Secure Enclave backend requires macOS".to_string(),
+            ));
+        }
+
+        #[cfg(target_os = "macos")]
+        {
+            Self::require_root()?;
+            let private_key = self.find_private_key(vault_key_id)?;
+            let bytes = private_key
+                .create_signature(Algorithm::ECDSASignatureMessageX962SHA256, payload)
+                .map_err(|err| {
+                    SignerError::Internal(format!("signature creation failed: {err}"))
+                })?;
+            Ok(Signature::from_der(bytes))
+        }
+    }
+
+    async fn sign_digest(
+        &self,
+        vault_key_id: Uuid,
+        digest: [u8; 32],
+    ) -> Result<Signature, SignerError> {
+        #[cfg(not(target_os = "macos"))]
+        {
+            let _ = (vault_key_id, digest);
+            return Err(SignerError::Unsupported(
+                "Secure Enclave backend requires macOS".to_string(),
+            ));
+        }
+
+        #[cfg(target_os = "macos")]
+        {
+            Self::require_root()?;
+            let private_key = self.find_private_key(vault_key_id)?;
+            let bytes = private_key
+                .create_signature(Algorithm::ECDSASignatureDigestX962, &digest)
+                .map_err(|err| {
+                    SignerError::Internal(format!("digest signature creation failed: {err}"))
+                })?;
+            Ok(Signature::from_der(bytes))
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::{KeyCreateRequest, SignerError, SoftwareSignerBackend, VaultSignerBackend};
+
+    #[tokio::test]
+    async fn generated_key_can_sign_payload() {
+        use k256::ecdsa::Signature as K256Signature;
+
+        let backend = SoftwareSignerBackend::default();
+        let key = backend
+            .create_vault_key(KeyCreateRequest::Generate)
+            .await
+            .expect("must create key");
+
+        let sig = backend
+            .sign_payload(key.id, b"payload")
+            .await
+            .expect("must sign");
+
+        let parsed = K256Signature::from_der(&sig.bytes).expect("must be DER");
+        assert!(!parsed.to_bytes().is_empty());
+    }
+
+    #[tokio::test]
+    async fn generated_key_can_sign_digest() {
+        use k256::ecdsa::{RecoveryId, Signature as K256Signature, VerifyingKey};
+
+        let backend = SoftwareSignerBackend::default();
+        let key = backend
+            .create_vault_key(KeyCreateRequest::Generate)
+            .await
+            .expect("must create key");
+
+        let digest = [0x42u8; 32];
+        let sig = backend
+            .sign_digest(key.id, digest)
+            .await
+            .expect("must sign digest");
+
+        let parsed = K256Signature::from_der(&sig.bytes).expect("must be DER");
+        let verifying_key = VerifyingKey::from_sec1_bytes(
+            &hex::decode(&key.public_key_hex).expect("public key hex"),
+        )
+        .expect("verifying key");
+        let recovery_id = RecoveryId::trial_recovery_from_prehash(&verifying_key, &digest, &parsed)
+            .expect("must derive recovery id");
+        let recovered = VerifyingKey::recover_from_prehash(&digest, &parsed, recovery_id)
+            .expect("must recover verifying key");
+        assert_eq!(recovered, verifying_key);
+    }
+
+    #[tokio::test]
+    async fn import_rejects_bad_key() {
+        let backend = SoftwareSignerBackend::default();
+        let result = backend
+            .create_vault_key(KeyCreateRequest::Import {
+                private_key_hex: "0x1234".to_string(),
+            })
+            .await;
+
+        assert!(result.is_err());
+    }
+
+    #[tokio::test]
+    async fn software_backend_can_export_and_restore_key_material() {
+        let backend = SoftwareSignerBackend::default();
+        let key = backend
+            .create_vault_key(KeyCreateRequest::Generate)
+            .await
+            .expect("must create key");
+
+        let exported = backend
+            .export_persistable_key_material(&[key.id])
+            .expect("must export key material");
+        assert!(exported.contains_key(&key.id));
+
+        let restored_backend = SoftwareSignerBackend::default();
+        restored_backend
+            .restore_persistable_key_material(&exported)
+            .expect("must restore key material");
+        let sig = restored_backend
+            .sign_payload(key.id, b"payload")
+            .await
+            .expect("must sign with restored key");
+        assert!(!sig.bytes.is_empty());
+    }
+
+    #[cfg(target_os = "macos")]
+    #[tokio::test]
+    async fn secure_enclave_import_is_explicitly_unsupported() {
+        use super::SecureEnclaveSignerBackend;
+
+        let backend = SecureEnclaveSignerBackend::default();
+        let result = backend
+            .create_vault_key(KeyCreateRequest::Import {
+                private_key_hex: "0x11".repeat(32),
+            })
+            .await;
+
+        assert!(matches!(result, Err(SignerError::Unsupported(_))));
+    }
+
+    #[cfg(target_os = "macos")]
+    #[tokio::test]
+    async fn secure_enclave_generate_requires_root_context() {
+        use super::SecureEnclaveSignerBackend;
+
+        if unsafe { libc::geteuid() } == 0 {
+            return;
+        }
+
+        let backend = SecureEnclaveSignerBackend::default();
+        let result = backend.create_vault_key(KeyCreateRequest::Generate).await;
+
+        assert!(matches!(result, Err(SignerError::PermissionDenied(_))));
+    }
+
+    #[cfg(target_os = "macos")]
+    #[tokio::test]
+    async fn secure_enclave_sign_requires_root_context() {
+        use super::SecureEnclaveSignerBackend;
+        use uuid::Uuid;
+
+        if unsafe { libc::geteuid() } == 0 {
+            return;
+        }
+
+        let backend = SecureEnclaveSignerBackend::default();
+        let result = backend.sign_payload(Uuid::new_v4(), b"payload").await;
+
+        assert!(matches!(result, Err(SignerError::PermissionDenied(_))));
+    }
+
+    #[cfg(target_os = "macos")]
+    #[ignore = "requires a logged-in, entitlement-capable keychain session"]
+    #[tokio::test]
+    async fn secure_enclave_can_generate_and_sign() {
+        use core_foundation::base::{TCFType, ToVoid};
+        use security_framework::item::{
+            ItemClass, ItemSearchOptions, KeyClass, Limit, Reference, SearchResult,
+        };
+        use security_framework_sys::item::{
+            kSecAttrAccessControl, kSecAttrTokenID, kSecAttrTokenIDSecureEnclave,
+        };
+
+        use super::SecureEnclaveSignerBackend;
+
+        if unsafe { libc::geteuid() } != 0 {
+            return;
+        }
+
+        let backend = SecureEnclaveSignerBackend::new("com.wlfi.vault.test");
+        let key = backend
+            .create_vault_key(KeyCreateRequest::Generate)
+            .await
+            .expect("must create secure enclave key");
+
+        let sig = backend
+            .sign_payload(key.id, b"payload")
+            .await
+            .expect("must sign");
+        assert!(!sig.bytes.is_empty());
+
+        let label = format!("com.wlfi.vault.test.{}", key.id);
+        let mut search = ItemSearchOptions::new();
+        search
+            .class(ItemClass::key())
+            .key_class(KeyClass::private())
+            .label(&label)
+            .load_refs(true)
+            .limit(Limit::Max(1))
+            .ignore_legacy_keychains();
+
+        let results = search.search().expect("search must succeed");
+        assert_eq!(results.len(), 1);
+
+        let private_key = match &results[0] {
+            SearchResult::Ref(Reference::Key(key)) => key,
+            _ => panic!("unexpected key search result"),
+        };
+
+        let attrs = private_key.attributes();
+        let token = attrs
+            .find(unsafe { kSecAttrTokenID }.to_void())
+            .expect("secure enclave token id must be present");
+        let token_string = format!("{}", unsafe {
+            core_foundation::string::CFString::wrap_under_get_rule(token.cast())
+        });
+        let expected = format!("{}", unsafe {
+            core_foundation::string::CFString::wrap_under_get_rule(kSecAttrTokenIDSecureEnclave)
+        });
+        assert_eq!(token_string, expected);
+
+        assert!(
+            attrs
+                .find(unsafe { kSecAttrAccessControl }.to_void())
+                .is_some(),
+            "access-control metadata must be present"
+        );
+
+        backend
+            .delete_if_present(key.id)
+            .expect("cleanup should not fail");
+    }
+}