在OS X上登录,在iOS和OSStatus -9809上验证 [英] Sign on OS X, Verify on iOS and OSStatus -9809
问题描述
我正在使用Apple的安全框架.我可以签名,然后成功验证OS X上的所有内容,但是当我尝试在iOS上使用SecKeyRawVerify
时,它将失败并出现-9809错误.
I am using Apple's Security Framework. I am able to sign and then successfully verify all on OS X, but when I try to use SecKeyRawVerify
on iOS it fails with -9809 error.
我玩过各种PKCS填充选项和许多其他属性,但是我无法正确验证它.
I've played with various PKCS padding options and many other attributes but I'm just not able to get this to verify correctly.
请注意,下面的代码可能到处都有泄漏,只是试图先使其正常运行.
OS X签名代码:
NSData* signData(NSData* plainData, SecKeyRef privateKey) {
CFErrorRef error;
/* Create the transform objects */
SecTransformRef signer = SecSignTransformCreate(privateKey, &error);
if (error) { CFShow(error); exit(-1); }
/* Explicitly set padding type (necessary?) */
SecTransformSetAttribute(signer,
kSecPaddingKey,
kSecPaddingPKCS1Key,
&error);
if (error) { CFShow(error); exit(-1); }
/* Specify digest type */
SecTransformSetAttribute(signer,
kSecDigestTypeAttribute,
kSecDigestSHA1,
&error);
if (error) { CFShow(error); exit(-1); }
/* OS X calculates SHA1 hash/signature for us */
SecTransformSetAttribute(signer,
kSecTransformInputAttributeName,
plainData,
&error);
if (error) { CFShow(error); exit(-1); }
CFTypeRef signature = SecTransformExecute(signer, &error);
if (error || !signature) { CFShow(error); exit(-1); }
CFRelease(signer);
return signature;
}
和iOS验证码:
+ (NSData *)verifyData:(NSData *)data
usingKey:(SecKeyRef)publicKey {
size_t signatureByteLength = SecKeyGetBlockSize(publicKey);
if (signatureByteLength > data.length)
{
NSLog(@"Signature length is greater that data length.");
return nil;
}
NSData *signature = [data subdataWithRange:NSMakeRange(0, signatureByteLength)];
NSData *plainData = [data subdataWithRange:NSMakeRange(signatureByteLength, data.length - signatureByteLength)];
NSLog(@"signatureLength='%lu', signatureBytes='%@', plainDataLength=%lu", (unsigned long)signature.length, signature, (unsigned long)plainData.length);
size_t hashByteLength = CC_SHA1_DIGEST_LENGTH;
uint8_t* hashBytes = (uint8_t *)malloc(hashByteLength);
if (CC_SHA1([plainData bytes], (CC_LONG)[plainData length], hashBytes))
{
NSData *b = [NSData dataWithBytes:hashBytes length:hashByteLength];
NSLog(@"hashBytesLength='%lu', hashBytes=%@", (unsigned long)b.length, b);
OSStatus status = SecKeyRawVerify(publicKey,
kSecPaddingPKCS1SHA1, // I have also tried kSecPaddingPKCS1, doesn't work
hashBytes,
hashByteLength,
(uint8_t *)[signature bytes],
signatureByteLength);
switch (status)
{
case errSecSuccess:
NSLog(@"SecKeyRawVerify success.");
return plainData;
case errSSLCrypto:
NSLog(@"SecKeyRawVerify failed: underlying cryptographic error");
break;
case errSecParam:
NSLog(@"SecKeyRawVerify failed: one or more parameters passed to a function where not valid.");
break;
default:
NSLog(@"SecKeyRawVerify failed: error code '%d'", (int)status);
break;
}
}
return nil;
}
我使用以下OpenSSL命令通过命令行创建了私钥和公钥:
I created the private and public keys via command line using the following OpenSSL commands:
1. // Generate private and public key pair
openssl genrsa -out rsaPrivate.pem 1024
1a. // Generate public key
openssl rsa -in rsaPrivate.pem -pubout -outform PEM -out rsaPublic.pem
2. //Create a certificate signing request with the private key
openssl req -new -key rsaPrivate.pem -out rsaCertReq.csr
3. //Create a self-signed certificate with the private key and signing request
openssl x509 -req -days 3650 -in rsaCertReq.csr -signkey rsaPrivate.pem -out rsaCert.crt
4. //Convert the certificate to DER format: the certificate contains the public key
openssl x509 -outform der -in rsaCert.crt -out rsaCert.der
非常感谢您的帮助.
推荐答案
我发现了问题所在.我发布的代码是正确的,但是每个SecKey.h
头文件的填充都需要设置为kSecPaddingPKCS1SHA1
:
I figured out the issue. The code I posted is correct, but the padding needs to be set as kSecPaddingPKCS1SHA1
per the SecKey.h
header file:
If you are verifying a proper PKCS1-style signature, with DER encoding
of the digest type - and the signedData is a SHA1 digest - use
kSecPaddingPKCS1SHA1.
此外,您可能需要确保.der
格式的公钥是正确的:)
Also, you might want to make sure your public key in .der
format is the correct one :)
这篇关于在OS X上登录,在iOS和OSStatus -9809上验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!