Creative crypter

Reputation: 1496

Swift 3/4 - Generate SecCertificate from Elliptic Curve Keypair

Currently I am generating an Elliptic Curve KeyPair in my iOS App successfully:

// Attributes for the private key: persist it in the keychain under a tag
// so it can be looked up again later with SecItemCopyMatching.
let privateKeyParams: [String: Any] = [
    kSecAttrIsPermanent as String: true,
    kSecAttrApplicationTag as String: privateTag
]

// Attributes for the public key. kSecAttrAccessibleAlways is deprecated
// since iOS 9; kSecAttrAccessibleAfterFirstUnlock is the usual replacement.
let publicKeyParams: [String: Any] = [
    kSecAttrIsPermanent as String: true,
    kSecAttrApplicationTag as String: publicTag,
    kSecAttrAccessible as String: kSecAttrAccessibleAlways
]

// P-256 key pair: kSecAttrKeyTypeECSECPrimeRandom with a 256-bit key size.
let query: [String: Any] = [
    kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
    kSecPrivateKeyAttrs as String: privateKeyParams,
    kSecPublicKeyAttrs as String: publicKeyParams,
    kSecAttrKeySizeInBits as String: 256 as AnyObject,
]

// self.publicKey and self.privateKey are `SecKey?` properties of the enclosing class.
let status = SecKeyGeneratePair(query as CFDictionary, &self.publicKey, &self.privateKey)

guard status == errSecSuccess else {
    print("Could not generate keypair")
    return
}

guard let pubKey = self.publicKey, let privKey = self.privateKey else {
    print("Keypair null")
    return
}

This one works because when I check if my keys exist they do and I can also encrypt/decrypt and sign/verify.

So... in the next step I need to generate a SecCertificate which will basically hold my public key... this is simply a requirement.

But there is literally no API/documentation on how to do this... the only API I saw is on how to generate a SecCertificate from an existing DER file etc.

So my question is:

How do I generate a SecCertificate object from my existing Elliptic Curve KeyPair (SecKey)?

Thanks and Greetings!

Upvotes: 2

Views: 1780

Answers (1)

sundance

Reputation: 3020

Certificates and cryptographic functions in general are very badly documented and barely supported in Swift / iOS.

But the first question here is: Why do you need a certificate and what do you want to do? The main problem is that you just cannot create a valid certificate out of thin air. A certificate has to be signed by a certificate authority (CA) so that anyone with the CA certificate can verify that the certificate is valid.

(Of course you can create a self-signed certificate, but this would be useless in most cases. Additionally, I do not know how to do this easily. All API calls in Swift / iOS assume that you already have a valid certificate. It seems that it is not intended to create certificates inside your app.)

So first, you need a certificate authority, which can sign your certificate. Then, you need to create a certificate signing request from your key pair and send it to your CA. You then will obtain a signed certificate, which you can use in your app. The steps in correct order are:

  1. Create / find a certificate authority (CA)
  2. Create your keypair
  3. Create a certificate signing request (CSR). I currently use CertificateSigningRequestSwift because Apple simply does not provide any functionality to do this.
  4. Send your CSR to the CA and receive the certificate (CRT).
  5. Save the CRT together with the private key in a P12 trust store. I use OpenSSL-for-iPhone to do this.
  6. Get the SecIdentity or the SecCertificate from the P12 trust store

This is a lot of work, but after a long time of researching this is the only way I got certificates working in Swift / iOS. Especially the handling with OpenSSL is very tricky (have a look at this post of mine to get an idea of the complexity). So, again, the question is what you want to do. If you want to create an SSL client, you need to go the full way, but if you just want to encrypt some stuff, the solution may be a lot easier.

Upvotes: 2
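Step 6 on the device, as an added example that is not the answerer's code and not part of CertificateSigningRequestSwift or OpenSSL-for-iPhone: it imports the P12 built in step 5, extracts the SecIdentity and its SecCertificate, and then checks that the certificate really wraps the public key generated in step 2 and chains to the CA from step 1. The function and parameter names (importSignedCertificate, p12Data, passphrase, expectedPublicKey, caCertificate) are assumptions, and SecCertificateCopyKey / SecTrustEvaluateWithError need iOS 12 or later.

```swift
import Foundation
import Security

enum CertificateImportError: Error {
    case importFailed(OSStatus)
    case noIdentity
    case certificateMissing(OSStatus)
    case publicKeyMismatch
    case untrusted(CFError?)
}

// Unpacks the P12 from step 5 and returns the identity plus its certificate,
// refusing anything that does not belong to our own key pair and CA.
// All parameter names are assumed; none come from the original question.
func importSignedCertificate(p12Data: Data,
                             passphrase: String,
                             expectedPublicKey: SecKey,
                             caCertificate: SecCertificate) throws -> (SecIdentity, SecCertificate) {
    let options: [String: Any] = [kSecImportExportPassphrase as String: passphrase]
    var rawItems: CFArray?
    let status = SecPKCS12Import(p12Data as CFData, options as CFDictionary, &rawItems)
    guard status == errSecSuccess else { throw CertificateImportError.importFailed(status) }

    // Each item is a dictionary; the identity lives under kSecImportItemIdentity.
    guard let items = rawItems as? [[String: Any]],
          let identityRef = items.first?[kSecImportItemIdentity as String],
          CFGetTypeID(identityRef as CFTypeRef) == SecIdentityGetTypeID()
    else { throw CertificateImportError.noIdentity }
    let identity = identityRef as! SecIdentity

    var certificate: SecCertificate?
    let certStatus = SecIdentityCopyCertificate(identity, &certificate)
    guard certStatus == errSecSuccess, let cert = certificate
    else { throw CertificateImportError.certificateMissing(certStatus) }

    // Check a): the certificate's public key must equal the key from step 2
    // (both are compared as X9.63 external representations), otherwise the CA
    // handed back a certificate for some other key.
    guard let certKey = SecCertificateCopyKey(cert),
          let certKeyData = SecKeyCopyExternalRepresentation(certKey, nil) as Data?,
          let ourKeyData = SecKeyCopyExternalRepresentation(expectedPublicKey, nil) as Data?,
          certKeyData == ourKeyData
    else { throw CertificateImportError.publicKeyMismatch }

    // Check b): evaluate the chain with our CA from step 1 as the only anchor.
    var trust: SecTrust?
    guard SecTrustCreateWithCertificates(cert, SecPolicyCreateBasicX509(), &trust) == errSecSuccess,
          let t = trust,
          SecTrustSetAnchorCertificates(t, [caCertificate] as CFArray) == errSecSuccess,
          SecTrustSetAnchorCertificatesOnly(t, true) == errSecSuccess
    else { throw CertificateImportError.untrusted(nil) }
    var evalError: CFError?
    guard SecTrustEvaluateWithError(t, &evalError) else { throw CertificateImportError.untrusted(evalError) }
    return (identity, cert)
}
```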
