I am using Lion and Xcode 4.1.
SecKeyRawSign is not documented for OSX still it can be called and successfully signed for RSA certificate but failed with EC Cert.
SecKeyRawSign method returns -50 i.e. invalid parameters for ec cert-384.
Can SecKeyRawSign be used for OSX and EC Cert? If yes what would be the padding parameter?
Thanks in advance.
SecKeyRawSign is a private function in Mac OS 10.6 and 10.7, so you shouldn't use it. Its problem with ECC certificates may just be one of the reasons it has not (yet?) been made public.
The official high-level API for data signing in 10.7 is SecSignTransformCreate in Security Transforms. It should automatically use a suitable digest algorithm; if not, you just set kSecDigestTypeAttribute and kSecDigestLengthAttribute to whatever you need. AFAIK the padding algorithm is not configurable.
On 10.6 or below, you have to use CDSA. First, you create a context with CSSM_CSP_CreateSignatureContext. The signature algorithm is CSSM_ALGID_SHA512WithECDSA (or similar); you can get the other arguments from SecKeyGetCSPHandle, SecKeyGetCSSMKey, and SecKeyGetCredentials. Once you have the signing context, you sign your data with CSSM_SignData. The digest algorithm should be CSSM_ALGID_NONE.
The padding is best explained by Thomas Pornin's answer to another question.
@Fnord
Thanks for response. I wrote following code:
CFDataRef
CreateSignature (SecKeyRef privateKeyRef, CFDataRef plaintext, CFErrorRef &error)
{
SecTransformRef signingTransform = SecSignTransformCreate(privateKeyRef, error);
if (signingTransform == NULL)
return NULL;
Boolean success = SecTransformSetAttribute(signingTransform,
kSecTransformInputAttributeName,
plaintext,
error);
if (!success) {
CFRelease(signingTransform);
return NULL;
}
CFDataRef signature = SecTransformExecute(signingTransform, error);
CFRetain(signature);
CFRelease(signingTransform);
return signature;
}
