I am struggling hard to find a way to create x509 certificates programmatically (Self-signed) in Objective-C using the Security Framework. I am NOT using OpenSSL for my project. So I can't consider using OpenSSL. Here are the few things I already created:
Created RSA key pair. Used
- (void)generateKeyPairPlease
function per Apple's docsUsed ios-csr (https://github.com/ateska/ios-csr) to create CSR. See the below code
SCCSR *sccsr = [[SCCSR alloc]init]; sccsr.commonName = @"some name"; sccsr.organizationName = @"some organisation"; NSData *certificateRequest = [sccsr build:pPublicKey privateKey:privateKey]; NSString *str = [certificateRequest base64EncodedStringWithOptions:NSDataBase64Encoding64CharacterLineLength]; NSString *strCertificateRequest = @"-----BEGIN CERTIFICATE REQUEST-----\n"; strCertificateRequest = [strCertificateRequest stringByAppendingString:str]; strCertificateRequest = [strCertificateRequest stringByAppendingString:@"\n-----END CERTIFICATE REQUEST-----\n"];
Now I need to create X509 Certificate (self-signed). I used the below code.
// Convert to Base64 data NSData *base64Data = [certificateRequest base64EncodedDataWithOptions:0]; SecCertificateRef cer = SecCertificateCreateWithData ( NULL, (__bridge CFDataRef) base64Data); NSLog(@"%@", cer);
cer seems to be NULL.
SecCertificateCreateWithData
needs "A DER (Distinguished Encoding Rules) representation of an X.509 certificate" as per the documentation.
Is my approach correct? To reiterate: I have an RSA key pair (public and private keys), successfully generated CSR (Certificate Signing Request). Now I need the X509 Certificate to be generated programatically.
I am using version 6.2 (6C131e) and iOS SDK 8.2.
I don't think it's actually possible using the Security Framework. AFAICT, the only way to do this on iOS/OSX is to use the (deprecated) CDSA library, or the (deprecated) OpenSSL library.
There is a library at https://github.com/snej/MYCrypto which can do it, but it uses some of the (deprecated) CDSA/CSSA calls, and depends on a lot of the same author's utility/library functions, which I found to be unhelpful.
I suggest you file a bug at bugreporter.apple.com to express your desire to be able to generate x.509 certificates. I have!
Edit: The MYCrypto author (snej) also has a simplified version, MYAnonymousIdentity, which takes a pre-created x.509 self-sign certificate, and uses minimum SDK calls to inject a new RSA key/signature into the existing certificate. It also used some of his utility/library stuff, but I have stripped all of that out for my own project and you can find the modified code, the script I use to generate the pre-canned certificate (and a header file containing all the offsets for modification) at: https://github.com/Hammerspoon/hammerspoon/tree/master/extensions/httpserver