使用安全框架在 Objective-C 中以编程方式创建 x509 证书 [英] Creating x509 certificates programmatically in Objective-C using the Security Framework
问题描述
我正在努力寻找一种使用安全框架在 Objective-C 中以编程方式(自签名)创建 x509 证书的方法.我的项目没有使用 OpenSSL.所以我不能考虑使用 OpenSSL.以下是我已经创建的一些内容:
I am struggling hard to find a way to create x509 certificates programmatically (Self-signed) in Objective-C using the Security Framework. I am NOT using OpenSSL for my project. So I can't consider using OpenSSL. Here are the few things I already created:
创建了 RSA 密钥对.根据 - (void)generateKeyPairPlease 函数"noreferrer">Apple 的文档
Created RSA key pair. Used
- (void)generateKeyPairPleasefunction per Apple's docs
使用 ios-csr (https://github.com/ateska/ios-csr) 创建 CSR.看下面的代码
Used ios-csr (https://github.com/ateska/ios-csr) to create CSR. See the below code
SCCSR *sccsr = [[SCCSR alloc]init];
sccsr.commonName = @"some name";
sccsr.organizationName = @"some organisation";
NSData *certificateRequest = [sccsr build:pPublicKey privateKey:privateKey];
NSString *str = [certificateRequest base64EncodedStringWithOptions:NSDataBase64Encoding64CharacterLineLength];
NSString *strCertificateRequest = @"-----BEGIN CERTIFICATE REQUEST-----\n";
strCertificateRequest = [strCertificateRequest stringByAppendingString:str];
strCertificateRequest = [strCertificateRequest stringByAppendingString:@"\n-----END CERTIFICATE REQUEST-----\n"];
现在我需要创建 X509 证书(自签名).我使用了以下代码.
Now I need to create X509 Certificate (self-signed). I used the below code.
// Convert to Base64 data
NSData *base64Data = [certificateRequest base64EncodedDataWithOptions:0];
SecCertificateRef cer = SecCertificateCreateWithData ( NULL, (__bridge CFDataRef) base64Data);
NSLog(@"%@", cer);
cer 似乎为 NULL.SecCertificateCreateWithData 需要按照 文档.
我的方法正确吗?重申:我有一个 RSA 密钥对(公钥和私钥),成功生成了 CSR(证书签名请求).现在我需要以编程方式生成 X509 证书.
Is my approach correct? To reiterate: I have an RSA key pair (public and private keys), successfully generated CSR (Certificate Signing Request). Now I need the X509 Certificate to be generated programatically.
我使用的是版本 6.2 (6C131e) 和 iOS SDK 8.2.
I am using version 6.2 (6C131e) and iOS SDK 8.2.
推荐答案
我认为使用安全框架实际上是不可能的.AFAICT,在 iOS/OSX 上执行此操作的唯一方法是使用(已弃用)CDSA 库或(已弃用)OpenSSL 库.
I don't think it's actually possible using the Security Framework. AFAICT, the only way to do this on iOS/OSX is to use the (deprecated) CDSA library, or the (deprecated) OpenSSL library.
https://github.com/snej/MYCrypto 有一个库可以做到,但它使用了一些(不推荐使用的)CDSA/CSSA 调用,并且依赖于许多同一作者的实用程序/库函数,我发现这些函数没有帮助.
There is a library at https://github.com/snej/MYCrypto which can do it, but it uses some of the (deprecated) CDSA/CSSA calls, and depends on a lot of the same author's utility/library functions, which I found to be unhelpful.
我建议您在 bugreporter.apple.com 上提交错误以表达您希望能够生成 x.509 证书的愿望.我有!
I suggest you file a bug at bugreporter.apple.com to express your desire to be able to generate x.509 certificates. I have!
MYCrypto 作者 (snej) 也有一个简化版本,MYAnonymousIdentity,它采用预先创建的 x.509 自签名证书,并使用最少的 SDK 调用将新的 RSA 密钥/签名注入现有证书.它还使用了他的一些实用程序/库的东西,但我已经为我自己的项目剥离了所有这些内容,您可以找到修改后的代码、我用来生成预装证书的脚本(以及包含所有修改偏移量)在:https://github.com/Hammerspoon/hammerspoon/tree/master/extensions/httpserver
The MYCrypto author (snej) also has a simplified version, MYAnonymousIdentity, which takes a pre-created x.509 self-sign certificate, and uses minimum SDK calls to inject a new RSA key/signature into the existing certificate. It also used some of his utility/library stuff, but I have stripped all of that out for my own project and you can find the modified code, the script I use to generate the pre-canned certificate (and a header file containing all the offsets for modification) at: https://github.com/Hammerspoon/hammerspoon/tree/master/extensions/httpserver
这篇关于使用安全框架在 Objective-C 中以编程方式创建 x509 证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
