
The question is pretty straightforward. How is it possible to create an x509 certificate in OS X using just the Security framework API? I want to create the certificate with a public key I generated with SecKeyGeneratePair.

So far I have only found the method SecCertificateCreateWithData in the documentation, but it requires an existing x509 certificate as a parameter, so it doesn't do the trick for me. I couldn't find any method with which I can create a certificate from scratch. Also, I am not very experienced with this topic, so it is very likely that I am missing something here. Any help is greatly appreciated.

Also, using OpenSSL or any deprecated API is not an option for my project.

I already came across the question "Creating x509 certificates programmatically in Objective-C using the Security Framework", but since it is a year old I wondered whether there is now a way to do it.

mahagony

1 Answer


I don't think it's actually possible using the Security Framework. AFAICT, the only way to do this on iOS/OSX is to use the (deprecated) CDSA library, or the (deprecated) OpenSSL library.

There is a library at https://github.com/snej/MYCrypto which can do it, but it uses some of the (deprecated) CDSA/CSSA calls, and depends on a lot of the same author's utility/library functions, which I found to be unhelpful.

I suggest you file a bug at bugreporter.apple.com to express your desire to be able to generate x.509 certificates. I have!

Edit: The MYCrypto author (snej) also has a simplified version, MYAnonymousIdentity, which takes a pre-created x.509 self-signed certificate and uses minimal SDK calls to inject a new RSA key/signature into the existing certificate. It also used some of his utility/library stuff, but I have stripped all of that out for my own project, and you can find the modified code, the script I use to generate the pre-canned certificate (and a header file containing all the offsets for modification) at: https://github.com/Hammerspoon/hammerspoon/tree/master/extensions/httpserver

From:
Creating x509 certificates programmatically in Objective-C using the Security Framework

Destrif
  • Thank you for your answer, but this seems not to be what I was searching for, because I don't want to import a specific key but create a certificate with the key created by SecKeyGeneratePair, which already provides a SecKeyRef object. Also, encrypting something with a public or private key is not the issue I am facing. – mahagony Jun 09 '16 at 12:38
  • Another question that might help: http://stackoverflow.com/questions/29296657/creating-x509-certificates-programmatically-in-objective-c-using-the-security-fr. Another way, with an example: http://stackoverflow.com/questions/7715426/what-is-the-reason-of-ksectrustresultrecoverabletrustfailure/8937798#8937798. Hope it helps... – Destrif Jun 10 '16 at 07:46
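The template approach mentioned in the answer's edit (overwrite the key and signature of a pre-canned certificate at known offsets) works because neither value changes length. The sketch below is an added example, not code from MYAnonymousIdentity or Hammerspoon: it walks a constructed, certificate-shaped DER placeholder to find those offsets, and `toy_sign` plus every function name are hypothetical stand-ins.

```python
import hashlib

def tlv(tag, body):  # encode one DER TLV with a definite length
    n = len(body)
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(ln)]) + ln) + body

def children(buf, off, end):  # (tag, header_start, value_start, value_end) per TLV
    out = []
    while off < end:
        k = buf[off + 1] & 0x7F if buf[off + 1] & 0x80 else 0  # long-form length octets
        n = int.from_bytes(buf[off + 2:off + 2 + k], "big") if k else buf[off + 1]
        vs = off + 2 + k
        if vs + n > end:
            raise ValueError("TLV runs past its container")
        out.append((buf[off], off, vs, vs + n))
        off = vs + n
    return out

def patch_points(cert):
    """Byte ranges of tbsCertificate, the public-key bits and the signature bits."""
    tbs, _alg, sig = children(cert, *children(cert, 0, len(cert))[0][2:])
    spki = children(cert, tbs[2], tbs[3])[6]  # version, serial, alg, issuer, validity, subject, SPKI
    key = children(cert, spki[2], spki[3])[1]  # BIT STRING; +1 below skips its unused-bits octet
    return {"tbs": (tbs[1], tbs[3]), "key": (key[2] + 1, key[3]), "sig": (sig[2] + 1, sig[3])}

def patch(template, new_key, sign):
    """Overwrite the key, sign the patched tbsCertificate, overwrite the signature."""
    p, out = patch_points(template), bytearray(template)
    def put(name, value):
        start, end = p[name]
        if len(value) != end - start:  # a length change would shift every later offset
            raise ValueError(name + " must be exactly as long as the template's")
        out[start:end] = value
    put("key", new_key)
    put("sig", sign(bytes(out[slice(*p["tbs"])])))
    return bytes(out)

def build_template(key_len=270, sig_len=256):
    """Constructed certificate-shaped DER with placeholder bytes; not a valid certificate."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    name, dates = tlv(0x30, b""), tlv(0x30, tlv(0x17, b"160609000000Z") * 2)
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" + b"\xaa" * key_len))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name + dates + name + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + b"\xbb" * sig_len))

def toy_sign(tbs):  # stand-in for a real RSA signing call; this is NOT a signature
    return hashlib.sha256(tbs).digest() * 8
```

The signature has to be computed after the key is written, because it covers the whole tbsCertificate encoding, which includes the new key bytes.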