Reputation: 501
OpenSSL and Apple Keychain integration
We're using a multi platform application which should run on both Windows and Mac. Our application is based on OpenSSL as the SSL and related stuff supplier. It uses Client Certificate to establish secure connections and to identify the end user.
We want to use Windows and Mac native certificate storages to ensure maximum security. Openssl has an engine to interact with Windows' Certificate Store (CAPI engine). However, we didn't manage to find such a solution for Mac's Keychain.
Is there an integration between OpenSSL and Apple's Keychain?
If not, what are your suggestion ?
Upvotes: 6
Views: 3868
Answers (2)
Reputation: 12041
In addition to handling the client certificate, you will also need to verify the server certificate.
To do so, you will have to provide OpenSSL with a callback that uses the Mac OS X security framework to validate the server certificate. Use the OpenSSL function SSL_CTX_set_cert_verify_callback to set your custom certificate validation callback. Your callback must convert the OpenSSL certificates to SecCertificateRef, create a SecPolicyRef for SSL connections, create a SecTrustRef and evaluate it. See Certificate, Key, and Trust Services Reference for more details.
Upvotes: 0
Reputation: 3786
I think the "simplest" solution would be to write an OpenSSL engine for CSSM (API for CDSA, the security architecture used by Mac OS X). You should ask on the openssl-dev mailing list if anyone is interested in helping (and might have already started).
Upvotes: 1
Related Questions
- Sample code for public key encryption/decryption on Mac?
- How to Build OpenSSL for iOS and OSX
- Cocoa interface to MacOS X Keychain
- Use of OpenSSL with XCode 7.3
- getting openSSL to work with Qt on mac
- Sign on OS X, Verify on iOS and OSStatus -9809
- How to do asymmetric encryption/decryption with OSX 10.7+ without openssl?
- Inserting a certificate into the keychain
- Apple keychain private/public key issue
- Objective-C with OpenSSL - Cannot set RSA Key