是否可以使用iOS中的安全框架生成证书签名请求(.csr)? [英] Is it possible to generate certificate signing request(.csr) using security framework in iOS?

问题描述

我想通过服务器发出HTTPS请求，需要客户端证书身份验证.我研究了为NSURLConnection身份验证挑战创建SecCertificateRef .它按预期工作.

I would like to make HTTPS request with a server require client-certificate authentication. I looked into this Creating a SecCertificateRef for NSURLConnection Authentication Challenge. It worked as expected.

但是，它需要准备包含私钥的p12文件.由于需要密码才能使用SecPKCS12Import()导入p12文件，因此它将得到保护.

However, it needs to prepare the p12 file which includes the private key. It would be secured as it needs a password to import the p12 file using SecPKCS12Import().

但是，可能还有其他选择.也就是说，iOS客户端应该进行证书签名请求(.CSR)，然后让第三方(服务器)对其进行签名.

However, there could be other option. That is the iOS-client should make a certificate signing request(.CSR) and let a third party (the server) sign it.

对于我的搜索，我发现可以使用SecKeyGeneratePair()生成密钥对.但是我看不到任何会生成CSR的API.

For my search, I see that I can use SecKeyGeneratePair() for generating a key pair. But I don't see any API that generate a CSR.

我真的需要OpenSSL来实现吗?

Do I really need OpenSSL to achieve this?

另外，一旦iOS客户端以某种方式接收到签名证书，话题就有点偏离主题了.我可以使用SecCertificateCreateWithData()来检索SecCertificateRef().但是，要填写NSURLCredential.我还需要使用SecPKCS12Import()来自p12文件的SecIdentityRef.

Also, a bit off topic, once the iOS-client somehow receives the signed certificate. I can use SecCertificateCreateWithData() to retrieve an SecCertificateRef(). However, to fill in a NSURLCredential. I also need the SecIdentityRef which come from p12 file using SecPKCS12Import(). How can I retrieve a SecIdentityRef without SecPKCS12Import() but just a certificate file like crt or der?

推荐答案

iOS的安全框架中没有对CSR的明确支持.但是，手动"构建CSR并不困难-iOS运行时仅提供ASN.1 DER数据块.

There is no explicit support for CSR in Security Framework in iOS. However, it is not that difficult to build CSR 'manually' - it is just ASN.1 DER block of data that are available at iOS runtime.

以下是该代码的伪代码:

Here is pseudo code of that:

1. 使用安全框架中的SecKeyGeneratePair()创建新的公用/专用密钥
2. 实施getPublicKeyBits方法以检索新鲜公开密钥的NSData形式(请参见 https ://developer.apple.com/library/ios/samplecode/CryptoExercise/Introduction/Intro.html )
3. 实施getPrivateKey方法以从钥匙串中检索SecKeyRef
4. 按照> http://www.ietf.org/rfc/rfc2986.txt 构造ASN.1 NSMutableData中的CSR DER
5. 使用CC_SHA1_ *创建认证请求信息(属于CSR的一部分)的签名哈希
6. 使用SecKeyRawSign和私钥对CSR进行签名

1. Use SecKeyGeneratePair() from Security Framework to create fresh public/private key
2. Implement getPublicKeyBits method to retrieve NSData-form of fresh public key (see https://developer.apple.com/library/ios/samplecode/CryptoExercise/Introduction/Intro.html )
3. Implement getPrivateKey method to retrieve SecKeyRef from Keychain
4. Follow http://www.ietf.org/rfc/rfc2986.txt to construct ASN.1 DER of CSR in NSMutableData
5. Use CC_SHA1_* to create signature hash of Certification Request Info (part of CSR)
6. Use SecKeyRawSign and private key to sign CSR

这将创建适当的CSR(以NSData的形式)，然后可以发送给CA进行批准.

This will create proper CSR (in form of NSData) that can be sent to CA for approval.

我的实现在GitHub上可用: http://github.com/ateska/ios-csr

这篇关于是否可以使用iOS中的安全框架生成证书签名请求(.csr)?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！