Reputation: 151
Creating x509 certificates programmatically in Objective-C using the Security Framework
I am struggling hard to find a way to create x509 certificates programmatically (Self-signed) in Objective-C using the Security Framework. I am NOT using OpenSSL for my project. So I can't consider using OpenSSL. Here are the few things I already created:
Created RSA key pair. Used
- (void)generateKeyPairPleasefunction per Apple's docsUsed ios-csr (https://github.com/ateska/ios-csr) to create CSR. See the below code
SCCSR *sccsr = [[SCCSR alloc]init]; sccsr.commonName = @"some name"; sccsr.organizationName = @"some organisation"; NSData *certificateRequest = [sccsr build:pPublicKey privateKey:privateKey]; NSString *str = [certificateRequest base64EncodedStringWithOptions:NSDataBase64Encoding64CharacterLineLength]; NSString *strCertificateRequest = @"-----BEGIN CERTIFICATE REQUEST-----\n"; strCertificateRequest = [strCertificateRequest stringByAppendingString:str]; strCertificateRequest = [strCertificateRequest stringByAppendingString:@"\n-----END CERTIFICATE REQUEST-----\n"];Now I need to create X509 Certificate (self-signed). I used the below code.
// Convert to Base64 data NSData *base64Data = [certificateRequest base64EncodedDataWithOptions:0]; SecCertificateRef cer = SecCertificateCreateWithData ( NULL, (__bridge CFDataRef) base64Data); NSLog(@"%@", cer);cer seems to be NULL.
SecCertificateCreateWithDataneeds "A DER (Distinguished Encoding Rules) representation of an X.509 certificate" as per the documentation.
Is my approach correct? To reiterate: I have an RSA key pair (public and private keys), successfully generated CSR (Certificate Signing Request). Now I need the X509 Certificate to be generated programatically.
I am using version 6.2 (6C131e) and iOS SDK 8.2.
Upvotes: 7
Views: 5555
Answers (1)
Reputation: 456
I don't think it's actually possible using the Security Framework. AFAICT, the only way to do this on iOS/OSX is to use the (deprecated) CDSA library, or the (deprecated) OpenSSL library.
There is a library at https://github.com/snej/MYCrypto which can do it, but it uses some of the (deprecated) CDSA/CSSA calls, and depends on a lot of the same author's utility/library functions, which I found to be unhelpful.
I suggest you file a bug at bugreporter.apple.com to express your desire to be able to generate x.509 certificates. I have!
Edit: The MYCrypto author (snej) also has a simplified version, MYAnonymousIdentity, which takes a pre-created x.509 self-sign certificate, and uses minimum SDK calls to inject a new RSA key/signature into the existing certificate. It also used some of his utility/library stuff, but I have stripped all of that out for my own project and you can find the modified code, the script I use to generate the pre-canned certificate (and a header file containing all the offsets for modification) at: https://github.com/Hammerspoon/hammerspoon/tree/master/extensions/httpserver
Upvotes: 4
Related Questions
- iOS: How to create PKCS12 (P12) keystore from private key and x509certificate in application programmatically?
- ios create certificate request programmatically
- create DER certificate in os x
- Custom Certificate in iOS App
- iOS - programmatically trusting CA (certificate authority)
- Generating a self-signed certificate with iOS Security.framework?
- iOS - Add Certificate to application
- iOS import self-signed and self-created CA certificates
- Dynamically create x509 certificate in iOS
- Using X.509 certificate with OpenSSL in iPhone App