是否可以在 iOS 中使用安全框架生成证书签名请求(.csr)?

Is it possible to generate certificate signing request(.csr) using security framework in iOS?(是否可以在 iOS 中使用安全框架生成证书签名请求(.csr)?)
本文介绍了是否可以在 iOS 中使用安全框架生成证书签名请求(.csr)?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我想向需要客户端证书身份验证的服务器发出 HTTPS 请求.我查看了这个 为 NSURLConnection 身份验证挑战创建 SecCertificateRef.它按预期工作.

I would like to make HTTPS request with a server require client-certificate authentication. I looked into this Creating a SecCertificateRef for NSURLConnection Authentication Challenge. It worked as expected.

但是,它需要准备包含私钥的 p12 文件.它将受到保护,因为它需要密码才能使用 SecPKCS12Import() 导入 p12 文件.

However, it needs to prepare the p12 file which includes the private key. It would be secured as it needs a password to import the p12 file using SecPKCS12Import().

但是,可能还有其他选择.也就是说,iOS 客户端应该发出证书签名请求(.CSR)并让第三方(服务器)对其进行签名.

However, there could be other option. That is the iOS-client should make a certificate signing request(.CSR) and let a third party (the server) sign it.

对于我的搜索,我发现我可以使用 SecKeyGeneratePair() 来生成密钥对.但我没有看到任何生成 CSR 的 API.

For my search, I see that I can use SecKeyGeneratePair() for generating a key pair. But I don't see any API that generate a CSR.

我真的需要 OpenSSL 来实现这一点吗?

Do I really need OpenSSL to achieve this?

另外,有点跑题了,一旦 iOS 客户端以某种方式收到签名证书.我可以使用 SecCertificateCreateWithData() 来检索 SecCertificateRef().但是,要填写一个NSURLCredential.我还需要使用 SecPKCS12Import() 来自 p12 文件的 SecIdentityRef.如何在没有 SecPKCS12Import() 的情况下检索 SecIdentityRef 而只是像 crtder 这样的证书文件?p>

Also, a bit off topic, once the iOS-client somehow receives the signed certificate. I can use SecCertificateCreateWithData() to retrieve an SecCertificateRef(). However, to fill in a NSURLCredential. I also need the SecIdentityRef which come from p12 file using SecPKCS12Import(). How can I retrieve a SecIdentityRef without SecPKCS12Import() but just a certificate file like crt or der?

推荐答案

iOS 的 Security Framework 中没有明确支持 CSR.但是,手动"构建 CSR 并不难 - 它只是 iOS 运行时可用的 ASN.1 DER 数据块.

There is no explicit support for CSR in Security Framework in iOS. However, it is not that difficult to build CSR 'manually' - it is just ASN.1 DER block of data that are available at iOS runtime.

这是它的伪代码:

  1. 使用安全框架中的 SecKeyGeneratePair() 创建新的公钥/私钥
  2. 实现 getPublicKeyBits 方法以检索新公钥的 NSData 形式(请参阅 https://developer.apple.com/library/ios/samplecode/CryptoExercise/Introduction/Intro.html)
  3. 实现 getPrivateKey 方法从 Keychain 中检索 SecKeyRef
  4. 按照http://www.ietf.org/rfc/rfc2986.txt构建ASN.1NSMutableData 中 CSR 的 DER
  5. 使用 CC_SHA1_* 创建认证请求信息的签名哈希(CSR 的一部分)
  6. 使用 SecKeyRawSign 和私钥签署 CSR
  1. Use SecKeyGeneratePair() from Security Framework to create fresh public/private key
  2. Implement getPublicKeyBits method to retrieve NSData-form of fresh public key (see https://developer.apple.com/library/ios/samplecode/CryptoExercise/Introduction/Intro.html )
  3. Implement getPrivateKey method to retrieve SecKeyRef from Keychain
  4. Follow http://www.ietf.org/rfc/rfc2986.txt to construct ASN.1 DER of CSR in NSMutableData
  5. Use CC_SHA1_* to create signature hash of Certification Request Info (part of CSR)
  6. Use SecKeyRawSign and private key to sign CSR

这将创建适当的 CSR(以 NSData 的形式),可以发送给 CA 以供批准.

This will create proper CSR (in form of NSData) that can be sent to CA for approval.

我的实现在 GitHub 上可用:http://github.com/ateska/ios-csr.

这篇关于是否可以在 iOS 中使用安全框架生成证书签名请求(.csr)?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持编程学习网!

本站部分内容来源互联网,如果有图片或者内容侵犯您的权益请联系我们删除!

相关文档推荐

Why local notification is not firing for UNCalendarNotificationTrigger(为什么没有为UNCalendarNotificationTrigger触发本地通知)
iOS VoiceOver functionality changes with Bundle Identifier(IOS画外音功能随捆绑包标识符而变化)
tabbar middle tab out of tabbar corner(选项卡栏中间的选项卡角外)
Pushing UIViewController above UITabBar(将UIView控制器推送到UITabBar上方)
How can I sync two flatList scroll position in react native(如何在本机Reaction中同步两个平面列表滚动位置)
Get an event when UIBarButtonItem menu is displayed(显示UIBarButtonItem菜单时获取事件)