是否可以在 iOS 中使用安全框架生成证书签名请求(.csr)? [英] Is it possible to generate certificate signing request(.csr) using security framework in iOS?

问题描述

我想向需要客户端证书身份验证的服务器发出 HTTPS 请求.我查看了这个 为 NSURLConnection 身份验证挑战创建 SecCertificateRef.它按预期工作.

I would like to make HTTPS request with a server require client-certificate authentication. I looked into this Creating a SecCertificateRef for NSURLConnection Authentication Challenge. It worked as expected.

但是，它需要准备包含私钥的 p12 文件.它将受到保护，因为它需要密码才能使用 SecPKCS12Import() 导入 p12 文件.

However, it needs to prepare the p12 file which includes the private key. It would be secured as it needs a password to import the p12 file using SecPKCS12Import().

但是，可能还有其他选择.也就是说，iOS 客户端应该发出证书签名请求(.CSR)并让第三方(服务器)对其进行签名.

However, there could be other option. That is the iOS-client should make a certificate signing request(.CSR) and let a third party (the server) sign it.

对于我的搜索，我发现我可以使用 SecKeyGeneratePair() 来生成密钥对.但我没有看到任何生成 CSR 的 API.

For my search, I see that I can use SecKeyGeneratePair() for generating a key pair. But I don't see any API that generate a CSR.

我真的需要 OpenSSL 来实现这一点吗?

Do I really need OpenSSL to achieve this?

另外，有点跑题了，一旦 iOS 客户端以某种方式收到签名证书.我可以使用 SecCertificateCreateWithData() 来检索 SecCertificateRef().但是，要填写一个NSURLCredential.我还需要使用 SecPKCS12Import() 来自 p12 文件的 SecIdentityRef.如何在没有 SecPKCS12Import() 的情况下检索 SecIdentityRef 而只是像 crt 或 der 这样的证书文件?p>

Also, a bit off topic, once the iOS-client somehow receives the signed certificate. I can use SecCertificateCreateWithData() to retrieve an SecCertificateRef(). However, to fill in a NSURLCredential. I also need the SecIdentityRef which come from p12 file using SecPKCS12Import(). How can I retrieve a SecIdentityRef without SecPKCS12Import() but just a certificate file like crt or der?

推荐答案

iOS 的 Security Framework 中没有明确支持 CSR.但是，手动"构建 CSR 并不难 - 它只是 iOS 运行时可用的 ASN.1 DER 数据块.

There is no explicit support for CSR in Security Framework in iOS. However, it is not that difficult to build CSR 'manually' - it is just ASN.1 DER block of data that are available at iOS runtime.

这是它的伪代码:

1. 使用安全框架中的 SecKeyGeneratePair() 创建新的公钥/私钥
2. 实现 getPublicKeyBits 方法以检索新公钥的 NSData 形式(请参阅 https://developer.apple.com/library/ios/samplecode/CryptoExercise/Introduction/Intro.html)
3. 实现 getPrivateKey 方法从 Keychain 中检索 SecKeyRef
4. 按照http://www.ietf.org/rfc/rfc2986.txt构建ASN.1NSMutableData 中 CSR 的 DER
5. 使用 CC_SHA1_* 创建认证请求信息的签名哈希(CSR 的一部分)
6. 使用 SecKeyRawSign 和私钥签署 CSR

1. Use SecKeyGeneratePair() from Security Framework to create fresh public/private key
2. Implement getPublicKeyBits method to retrieve NSData-form of fresh public key (see https://developer.apple.com/library/ios/samplecode/CryptoExercise/Introduction/Intro.html )
3. Implement getPrivateKey method to retrieve SecKeyRef from Keychain
4. Follow http://www.ietf.org/rfc/rfc2986.txt to construct ASN.1 DER of CSR in NSMutableData
5. Use CC_SHA1_* to create signature hash of Certification Request Info (part of CSR)
6. Use SecKeyRawSign and private key to sign CSR

这将创建适当的 CSR(以 NSData 的形式)，可以发送给 CA 以供批准.

This will create proper CSR (in form of NSData) that can be sent to CA for approval.

我的实现在 GitHub 上可用:http://github.com/ateska/ios-csr.

这篇关于是否可以在 iOS 中使用安全框架生成证书签名请求(.csr)?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！