OpenSSL and Apple Keychain integration

自作多情 posted on 2019-12-04 06:32:11

In addition to handling the client certificate, you will also need to verify the server certificate.

To do so, you will have to provide OpenSSL with a callback that uses the Mac OS X security framework to validate the server certificate. Use the OpenSSL function SSL_CTX_set_cert_verify_callback to set your custom certificate validation callback. Your callback must convert the OpenSSL certificates to SecCertificateRef, create a SecPolicyRef for SSL connections, create a SecTrustRef and evaluate it. See Certificate, Key, and Trust Services Reference for more details.
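
The callback described above, as an added example that is not code from the original answer. It is written in Objective-C with ARC so the Security framework objects are memory-managed, and it assumes OpenSSL 1.1.0 or later, macOS 10.14 or later, and a client that set the expected host name with SSL_set_tlsext_host_name(). The names keychain_verify_cb and SecCertFromX509 are hypothetical; install the callback with SSL_CTX_set_cert_verify_callback(ctx, keychain_verify_cb, NULL).

```objective-c
// Added example, not from the original answer. Assumes OpenSSL 1.1.0+, macOS 10.14+.
// Build: clang -fobjc-arc verify.m -framework Foundation -framework Security -lssl -lcrypto
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#include <openssl/ssl.h>
#include <openssl/x509_vfy.h>

// DER-encode an OpenSSL X509 and wrap it as a SecCertificateRef owned by ARC.
static id SecCertFromX509(X509 *x) {
    unsigned char *der = NULL;
    int len = i2d_X509(x, &der);   // OpenSSL allocates the buffer
    if (len <= 0) return nil;
    NSData *data = [NSData dataWithBytes:der length:(NSUInteger)len];
    OPENSSL_free(der);
    return CFBridgingRelease(SecCertificateCreateWithData(NULL, (__bridge CFDataRef)data));
}

// Replaces OpenSSL's built-in chain validation: return 1 to accept, 0 to reject.
static int keychain_verify_cb(X509_STORE_CTX *ctx, void *arg) {
    (void)arg;
    @autoreleasepool {
        int ok = 0;
        SSL *ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
        // Assumption: the client set the expected name with SSL_set_tlsext_host_name().
        const char *host = ssl ? SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name) : NULL;
        NSString *name = host ? [NSString stringWithUTF8String:host] : nil;
        X509 *leaf = X509_STORE_CTX_get0_cert(ctx);
        STACK_OF(X509) *sent = X509_STORE_CTX_get0_untrusted(ctx);
        id leafRef = (name.length && leaf) ? SecCertFromX509(leaf) : nil;
        if (leafRef) {
            NSMutableArray *certs = [NSMutableArray arrayWithObject:leafRef]; // leaf first
            for (int i = 0; i < sk_X509_num(sent); i++) {
                X509 *c = sk_X509_value(sent, i);
                id ref = X509_cmp(c, leaf) ? SecCertFromX509(c) : nil; // skip repeated leaf
                if (ref) [certs addObject:ref];
            }
            SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)name);
            SecTrustRef trust = NULL;
            if (policy && SecTrustCreateWithCertificates((__bridge CFArrayRef)certs,
                                                         policy, &trust) == errSecSuccess)
                ok = SecTrustEvaluateWithError(trust, NULL) ? 1 : 0;
            if (trust) CFRelease(trust);
            if (policy) CFRelease(policy);
        }
        // Fail closed on a missing host name, a conversion failure or an untrusted chain.
        X509_STORE_CTX_set_error(ctx, ok ? X509_V_OK : X509_V_ERR_APPLICATION_VERIFICATION);
        return ok;
    }
}
```

The host name is checked before the policy is built because SecPolicyCreateSSL with a NULL host name creates a policy that does not verify the name at all.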

I think the "simplest" solution would be to write an OpenSSL engine for CSSM (API for CDSA, the security architecture used by Mac OS X). You should ask on the openssl-dev mailing list if anyone is interested in helping (and might have already started).
