Creating x509 certificates programmatically in Obj

2019-06-24 05:09发布

I am struggling hard to find a way to create x509 certificates programmatically (Self-signed) in Objective-C using the Security Framework. I am NOT using OpenSSL for my project. So I can't consider using OpenSSL. Here are the few things I already created:

  • Created RSA key pair. Used - (void)generateKeyPairPlease function per Apple's docs

  • Used ios-csr (https://github.com/ateska/ios-csr) to create CSR. See the below code

    SCCSR *sccsr = [[SCCSR alloc]init];
    sccsr.commonName = @"some name";
    sccsr.organizationName = @"some organisation";
    
    NSData *certificateRequest = [sccsr build:pPublicKey privateKey:privateKey];
    NSString *str = [certificateRequest base64EncodedStringWithOptions:NSDataBase64Encoding64CharacterLineLength];
    
    NSString *strCertificateRequest = @"-----BEGIN CERTIFICATE REQUEST-----\n";
    strCertificateRequest = [strCertificateRequest stringByAppendingString:str];
    strCertificateRequest = [strCertificateRequest stringByAppendingString:@"\n-----END CERTIFICATE REQUEST-----\n"];
    
  • Now I need to create X509 Certificate (self-signed). I used the below code.

    // Convert to Base64 data
    NSData *base64Data = [certificateRequest base64EncodedDataWithOptions:0];
    SecCertificateRef cer = SecCertificateCreateWithData ( NULL, (__bridge CFDataRef) base64Data);
    NSLog(@"%@", cer);
    
  • cer seems to be NULL.SecCertificateCreateWithData needs "A DER (Distinguished Encoding Rules) representation of an X.509 certificate" as per the documentation.

Is my approach correct? To reiterate: I have an RSA key pair (public and private keys), successfully generated CSR (Certificate Signing Request). Now I need the X509 Certificate to be generated programatically.

I am using version 6.2 (6C131e) and iOS SDK 8.2.

1条回答
Emotional °昔
2楼-- · 2019-06-24 05:23

I don't think it's actually possible using the Security Framework. AFAICT, the only way to do this on iOS/OSX is to use the (deprecated) CDSA library, or the (deprecated) OpenSSL library.

There is a library at https://github.com/snej/MYCrypto which can do it, but it uses some of the (deprecated) CDSA/CSSA calls, and depends on a lot of the same author's utility/library functions, which I found to be unhelpful.

I suggest you file a bug at bugreporter.apple.com to express your desire to be able to generate x.509 certificates. I have!

Edit: The MYCrypto author (snej) also has a simplified version, MYAnonymousIdentity, which takes a pre-created x.509 self-sign certificate, and uses minimum SDK calls to inject a new RSA key/signature into the existing certificate. It also used some of his utility/library stuff, but I have stripped all of that out for my own project and you can find the modified code, the script I use to generate the pre-canned certificate (and a header file containing all the offsets for modification) at: https://github.com/Hammerspoon/hammerspoon/tree/master/extensions/httpserver

查看更多
登录 后发表回答