6

I'm trying to pin a public key. I have a SecKeyRef, and I want to serialize it with SecRSAPublicKeyCopyPublicSerialization. SecRSAPublicKeyCopyPublicSerialization will serialize in PKCS#1 (i.e., SubjectPublicKeyInfo), and the function is documented at http://www.opensource.apple.com/source/Security/Security-55163.44/sec/Security/SecRSAKey.c.

PKCS#1 is an ASN.1 encoding of the public key (i.e., SubjectPublicKeyInfo). That format is fine for pinning. For those who are not familiar, pinning is a whitelist of expected certificates or public keys for a host. They are usually interchangeable when identifying a host, but there are occasions where they are not. For example, Google's public keys are static (fixed), but Google rotates the 'outer' X509 certificate. In this case, you would pin the public key, and not the certificate.

What are the proper headers and frameworks for SecRSAPublicKeyCopyPublicSerialization? I have included Security.framework, but the declaration for SecRSAPublicKeyCopyPublicSerialization is missing, and the function is missing during link. I did try to include SecRSAKey.h.

Sorry about the crummy tags.

Jeff

jww
  • 97,681
  • 90
  • 411
  • 885
  • Look at https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_as_data?language=objc – David H Dec 13 '18 at 15:32

1 Answers1

3
static OSStatus SecRSAPublicKeyCopyPublicSerialization(SecKeyRef key, CFDataRef* serialized)

is a static function used by the Security Framework internally, and you cannot call this function from outside the framework.

Have a look at SecItemExport. This function can convert a SecKeyRef to different external representations.

Update: I had missed the tag in the question. SecItemExport is available only on OSX 10.7 and later, but not on iOS.

On iOS, (I think) you have to add the key to the KeyChain (SecItemAdd) and then use SecItemCopyMatching() (with kSecReturnData set to YES) to retrieve the raw data.

The getPublicKeyRef method in SecKeyWrapper.m of the "CryptoExercise" sample project might help.

Martin R
  • 529,903
  • 94
  • 1,240
  • 1,382
  • Thanks Martin. `SecKeyRef` comes from `NSURLConnection` `connection:didReceiveAuthenticationChallenge:`. I use `SecTrustCopyPublicKey` to get the `SecKeyRef` in the delegate. Does that mean I have to put the `SecKeyRef` in the KeyChain before I can extract the public exponent and modulus? (I'm trying to avoid writing my own ASN.1 parser for this). – jww Feb 07 '13 at 09:46
  • @noloader: I am not sure. Perhaps you should update your question with the information what you really try to achieve. - You could try if you can use one of the SecItemExport formats (e.g. kSecFormatOpenSSL). I had the opposite problem once: Create a SecKeyRef from exponent and modulus, and I found no better solution than to ASN.1 encode the exponent and key. – Martin R Feb 07 '13 at 10:09
  • @noloader: Compare http://stackoverflow.com/questions/5988735/saving-seckeyref-device-generated-public-private-key-pair-on-disk. It seems that you have to add the SecKeyRef to the KeyChain, get the bytes using SecItemCopyMatching(), and parse the ASN.1 data. – Martin R Feb 07 '13 at 10:19
  • Thanks. I'm on the trail, but it might be elusive. http://stackoverflow.com/questions/12934743/ios-secitemcopymatching-rsa-public-key-format, http://stackoverflow.com/questions/3840005/how-to-find-out-the-modulus-and-exponent-of-rsa-public-key-on-iphone-objective-c, and http://lists.apple.com/archives/apple-cdsa/2011/Sep/msg00009.html. Apple has made this way too difficult. – jww Feb 07 '13 at 10:38
  • @noloader: [Here](http://stackoverflow.com/questions/6665832/iphone-rsa-algorithm-with-modulus-and-exponent) is a posting with a link to a [github project](https://github.com/StCredZero/SCZ-BasicEncodingRules-iOS) for BER encoding/decoding on iOS. Perhaps you can use that. - But just extracting exponent and modules from ASN.1 should not be too difficult. – Martin R Feb 07 '13 at 10:46
  • Apple has this soooo screwed up. `SecItemExport` is not available on iOS (only Mac OS X), and I can't even figure out how to go from `SecKeyRef` to `NSData` so I can parse it myself. – jww Feb 07 '13 at 10:57
  • @noloader: Sorry, I had missed your [ios] tag. I will update the answer accordingly. – Martin R Feb 07 '13 at 11:54