是否可以使用ios中的安全框架生成证书签名请求（.csr）？ [英] Is it possible to generate certificate signing request(.csr) using secuity framework in ios?

问题描述

我想用服务器进行https请求需要客户端证书身份验证。我查看了这个为NSURLConnection身份验证挑战创建SecCertificateRef 。它按预期工作。

I would like to make https request with a server require client-certificate authentication. I looked into this Creating a SecCertificateRef for NSURLConnection Authentication Challenge . It worked as expected.

但是，它需要准备包含私钥的p12文件。这将是安全的，因为它需要密码才能使用 SecPKCS12Import（）导入p12文件。

However, it need to prepare the p12 file which include the private key. It would be securied as it need password to import the p12 file using SecPKCS12Import().

但是，有可能是另一种选择。那就是ios-client应该签署证书签名请求（.CSR）并让第三方（它将是服务器）签名。

However, there could be other option. That is the ios-client should make a certificate signing request(.CSR) and let a third party(it would be the server) sign it.

对于我的搜索，我看到我可以使用 SecKeyGeneratePair（）来生成密钥对。但是我没有看到任何产生CSR的API。

For my search, I see that I can use SecKeyGeneratePair() for generate key pair. But I don't see any API that generate a CSR.

它真的需要openssl才能实现这个目标吗？

Do it really need openssl to achieve this?

另外，有点偏离主题，一旦ios-client以某种方式取回签名证书。我可以使用 SecCertificateCreateWithData（）来检索 SecCertificateRef（）。但是，要填写 NSURLCredential 。我还需要使用
SecPKCS12Import（）来自p12文件的 SecIdentityRef 。如何在没有 SecPKCS12Import（）的情况下撤销 SecIdentityRef ，但只需要像 crt <这样的证书文件/ code>或 der ？

Also, a bit off topic, once the ios-client somehow get back the signed certificate. I can use SecCertificateCreateWithData() to retrieve an SecCertificateRef(). However, to fill in a NSURLCredential . I also need the SecIdentityRef which come from p12 file using SecPKCS12Import(). How can I retreve an SecIdentityRef without SecPKCS12Import() but just a certificate file like crt or der?

推荐答案

没有iOS中安全框架中对CSR的明确支持。但是，手动构建CSR并不困难 - 它只是iOS运行时可用的ASN.1 DER数据块。

There is no explicit support for CSR in Security Framework in iOS. However, it is not that difficult to build CSR 'manually' - it is just ASN.1 DER block of data that are available at iOS runtime.

这是伪代码其中：

1. 使用安全框架中的 SecKeyGeneratePair（）创建新的公共/私钥


2. 实现 getPublicKeyBits 方法以检索NSData形式的新公钥（请参阅 https://developer.apple.com/library/ios/samplecode/CryptoExercise/Introduction/Intro.html ）


3. 实施 getPrivateKey 从钥匙串中检索SecKeyRef的方法


4. 关注http://www.ietf.org/rfc/rfc2986.txt 在NSMutableData中构建CSR的ASN.1 DER


5. 使用CC_SHA1_ *创建认证请求信息的签名哈希（CSR的一部分）


6. 使用SecKeyRawSign和privat用于签署CSR的密钥

1. Use SecKeyGeneratePair() from Security Framework to create fresh public/private key
2. Implement getPublicKeyBits method to retrieve NSData-form of fresh public key (see https://developer.apple.com/library/ios/samplecode/CryptoExercise/Introduction/Intro.html )
3. Implement getPrivateKey method to retrieve SecKeyRef from Keychain
4. Follow http://www.ietf.org/rfc/rfc2986.txt to construct ASN.1 DER of CSR in NSMutableData
5. Use CC_SHA1_* to create signature hash of Certification Request Info (part of CSR)
6. Use SecKeyRawSign and private key to sign CSR

这将创建适当的CSR（以NSData的形式），可以发送给CA进行审批。

This will create proper CSR (in form of NSData) that can be sent to CA for approval.

我的实现可以在GitHub上找到： http://github.com / ateska / ios-csr 。

这篇关于是否可以使用ios中的安全框架生成证书签名请求（.csr）？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！