Reading PEM public key into iOS


Problem description

I have a base64 public key that was generated by java using this code:

RSAPublicKeySpec rsaKS = new RSAPublicKeySpec(modulus, pubExponent);
RSAPublicKey rsaPubKey = (RSAPublicKey) kf.generatePublic(rsaKS);
byte[] encoded = rsaPubKey.getEncoded();
String base64 = Base64.encodeToString(encoded, Base64.DEFAULT);
Log.e(null, "base64: " + base64);

This results in a Base64 string.

In OSX I can get a SecKeyRef using this code:

// Create the SecKeyRef using the key data
CFErrorRef error = NULL;
CFMutableDictionaryRef parameters = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, NULL, NULL);
CFDictionarySetValue(parameters, kSecAttrKeyType, kSecAttrKeyTypeRSA);
CFDictionarySetValue(parameters, kSecAttrKeyClass, kSecAttrKeyClassPublic);
SecKeyRef keyRef = SecKeyCreateFromData(parameters, (__bridge CFDataRef)[pubKey base64DecodedData], &error);

However in iOS there is no SecKeyCreateFromData method.

I can use the Base64 string in iOS using this code, which adds it to the keychain and then retrieves it again as a SecKeyRef; however, I'd much rather not have to add the cert to the keychain just to be able to retrieve it to use it once.

Doing some research, it seems I should be able to use SecCertificateCreateWithData to create a certificate to use in iOS from the Base64 string I have, however I always get back a NULL cert when using this code:

NSString* pespublicKey = @"MIGfMA0GCSqGSIb3....DCUdz/y4B2sf+q5n+QIDAQAB";
NSData* certData = [pespublicKey dataUsingEncoding:NSUTF8StringEncoding];
SecCertificateRef cert;
if ([certData length]) {
    cert = SecCertificateCreateWithData(kCFAllocatorDefault, (__bridge CFDataRef)certData);
    if (cert != NULL) {
        CFStringRef certSummary = SecCertificateCopySubjectSummary(cert);
        NSString* summaryString = [[NSString alloc] initWithString:(__bridge NSString*)certSummary];
        NSLog(@"CERT SUMMARY: %@", summaryString);
        CFRelease(certSummary);
    } else {
        NSLog(@" *** ERROR *** trying to create the SSL certificate from data located at %@, but failed", pespublicKey);
    }
}


Recommended answer

You are not base64-decoding your key data first. You are passing base64-encoded data to SecCertificateCreateWithData(), and that function expects the raw, decoded data. Try something like this instead:

NSData *certData = [[NSData alloc] initWithBase64EncodedString:pespublicKey options:0];
cert = SecCertificateCreateWithData(kCFAllocatorDefault, (__bridge CFDataRef)certData);

Update:

What you are sending to your iOS code is the base64 DER-encoded key, not a DER- or PEM-encoded certificate. As such, the result you're seeing is expected -- you give it a DER-encoded data blob which doesn't contain a certificate and it gives you back a null certificate reference representing the non-existent certificate data.

You have two options:

  1. Use the code you have already found to add the key to the keychain and then fetch it out. That seems to be the "iOS way" to import keys for use on iOS.

  2. Use the public key and its associated private key to sign a certificate and import that into your app, create a temporary trust relationship with that certificate, then pull the public key out of the certificate's information (example: iOS SecKeyRef from NSString).

For the second option to work, your Java code is not only going to have to have the public key, it will also need the associated private key to generate a signed certificate.

Depending on what you plan to do with the SecKeyRef, you may run into problems. SecKeyRef values can be cast straight to SecKeychainItemRef values for use in Keychain Services functions. If the SecKeyRef value doesn't come from the keychain, your code will get errors. Read the docs for more info
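
The distinction the answer draws (a DER-encoded key versus a certificate), as an added example that is not part of the original answer: plain C, which also compiles in an Objective-C file, that inspects the decoded bytes and reports whether they have the shape of an RSA SubjectPublicKeyInfo (what Java's getEncoded() returns for a public key) or of an X.509 certificate. The names blob_kind, der_header and classify_key_blob and the sample byte arrays are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { BLOB_NOT_DER, BLOB_RSA_SPKI, BLOB_CERT_LIKE, BLOB_UNKNOWN } blob_kind;
static const uint8_t OID_RSA[] = {0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01};

/* Parse one DER tag/length header; returns the header size, or 0 if malformed. */
static size_t der_header(const uint8_t *p, size_t len, uint8_t *tag, size_t *clen) {
    if (len < 2) return 0;
    size_t n = p[1], hdr = 2;
    if (n & 0x80) {                               /* long-form length */
        size_t k = n & 0x7F;
        if (k == 0 || k > 4 || len < 2 + k) return 0;
        for (n = 0; hdr < 2 + k; hdr++) n = (n << 8) | p[hdr];
    }
    if (n > len - hdr) return 0;                  /* content must fit in the buffer */
    *tag = p[0]; *clen = n;
    return hdr;
}

/* Classify decoded bytes by the first fields inside SEQUENCE { SEQUENCE { ... } }. */
blob_kind classify_key_blob(const uint8_t *p, size_t len) {
    uint8_t tag = 0; size_t clen = 0, h = der_header(p, len, &tag, &clen);
    if (!h || tag != 0x30 || h + clen != len) return BLOB_NOT_DER;
    p += h; len = clen;                           /* inside the outer SEQUENCE */
    h = der_header(p, len, &tag, &clen);
    if (!h) return BLOB_NOT_DER;
    if (tag != 0x30) return BLOB_UNKNOWN;
    p += h; len = clen;                           /* inside the first inner SEQUENCE */
    if (len >= sizeof OID_RSA && memcmp(p, OID_RSA, sizeof OID_RSA) == 0) return BLOB_RSA_SPKI;
    if (len >= 1 && (p[0] == 0xA0 || p[0] == 0x02)) return BLOB_CERT_LIKE; /* version or serial */
    return BLOB_UNKNOWN;
}

/* Constructed sample: toy SubjectPublicKeyInfo (tiny modulus, structure only). */
static const uint8_t SAMPLE_SPKI[] = {
    0x30,0x20, 0x30,0x0D, 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01, 0x05,0x00,
    0x03,0x0F,0x00, 0x30,0x0C, 0x02,0x05,0x00,0xC3,0x51,0x2D,0x8B, 0x02,0x03,0x01,0x00,0x01 };
/* Constructed sample: only the opening fields of a certificate shape, not a valid cert. */
static const uint8_t SAMPLE_CERT_SHAPE[] = {0x30,0x0A, 0x30,0x08, 0xA0,0x03,0x02,0x01,0x02, 0x02,0x01,0x01};
/* The visible prefix of the question's string, still base64 text (not decoded). */
static const char SAMPLE_B64_TEXT[] = "MIGfMA0GCSqGSIb3";

int main(void) {
    printf("%d %d %d\n", classify_key_blob(SAMPLE_SPKI, sizeof SAMPLE_SPKI),
           classify_key_blob(SAMPLE_CERT_SHAPE, sizeof SAMPLE_CERT_SHAPE),
           classify_key_blob((const uint8_t *)SAMPLE_B64_TEXT, strlen(SAMPLE_B64_TEXT)));
    return 0;
}
```

A blob that classifies as BLOB_RSA_SPKI is a key, not a certificate, which is the case where the answer says SecCertificateCreateWithData() returns NULL; BLOB_NOT_DER covers the original mistake of passing the base64 text without decoding it.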
