1. 技术文章
  2. Is it possible to generate certificate signing request(.csr) using secuity framework in ios?

Is it possible to generate certificate signing request(.csr) using secuity framework in ios?

泪湿孤枕 提交于 2019-11-30 18:02:18

问题


I would like to make https request with a server require client-certificate authentication. I looked into this Creating a SecCertificateRef for NSURLConnection Authentication Challenge . It worked as expected.

However, it need to prepare the p12 file which include the private key. It would be securied as it need password to import the p12 file using SecPKCS12Import().

However, there could be other option. That is the ios-client should make a certificate signing request(.CSR) and let a third party(it would be the server) sign it.

For my search, I see that I can use SecKeyGeneratePair() for generate key pair. But I don't see any API that generate a CSR.

Do it really need openssl to achieve this?

Also, a bit off topic, once the ios-client somehow get back the signed certificate. I can use SecCertificateCreateWithData() to retrieve an SecCertificateRef(). However, to fill in a NSURLCredential . I also need the SecIdentityRef which come from p12 file using SecPKCS12Import(). How can I retreve an SecIdentityRef without SecPKCS12Import() but just a certificate file like crt or der?


回答1:


There is no explicit support for CSR in Security Framework in iOS. However, it is not that difficult to build CSR 'manually' - it is just ASN.1 DER block of data that are available at iOS runtime.

Here is pseudo code of that:

  1. Use SecKeyGeneratePair() from Security Framework to create fresh public/private key
  2. Implement getPublicKeyBits method to retrieve NSData-form of fresh public key (see https://developer.apple.com/library/ios/samplecode/CryptoExercise/Introduction/Intro.html )
  3. Implement getPrivateKey method to retrieve SecKeyRef from Keychain
  4. Follow http://www.ietf.org/rfc/rfc2986.txt to construct ASN.1 DER of CSR in NSMutableData
  5. Use CC_SHA1_* to create signature hash of Certification Request Info (part of CSR)
  6. Use SecKeyRawSign and private key to sign CSR

This will create proper CSR (in form of NSData) that can be sent to CA for approval.

My implementation is available on GitHub: http://github.com/ateska/ios-csr .



来源:https://stackoverflow.com/questions/17277865/is-it-possible-to-generate-certificate-signing-request-csr-using-secuity-frame

标签
ios
ssl
OpenSSL
ssl-certificate
csr
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!