
I am trying to create a certificate request programmatically in iOS using OpenSSL. I finally got testKey.pem (private key) and test.csr, and the first works well in Linux (with the openssl command); however test.csr seems strange and cannot be recognized and used properly. Here is my code in Objective-C.

```objectivec
- (void)genCertReq {
    BIO *bp = NULL;

    /* Load the digest tables before signing, not after (needed on OpenSSL < 1.1). */
    OpenSSL_add_all_algorithms();

    /* PKCS#10 version number (0 for a v1 request) */
    if (!X509_REQ_set_version(csr.req, csr.ver)) {
        LOG(@"set_version failed");
        goto cleanup;
    }
    [self fillDN];
    /* subject name: an empty DN is a common reason a CSR is rejected */
    if (!X509_REQ_set_subject_name(csr.req, csr.subject)) {
        LOG(@"subject_name failed");
        goto cleanup;
    }

    /* key pair (RSA_generate_key is deprecated; RSA_generate_key_ex is the replacement) */
    rsaPair = RSA_generate_key(bits, e, NULL, NULL);
    if (rsaPair == NULL) {
        LOG(@"RSA_generate_key failed");
        goto cleanup;
    }
    const char *keyPathChar = [SPFileManager openFile:testKey];
    bp = BIO_new_file(keyPathChar, "w");
    if (bp == NULL || !PEM_write_bio_RSAPrivateKey(bp, rsaPair, NULL, NULL, 0, NULL, NULL)) {
        LOG(@"writing private key failed");
        goto cleanup;
    }
    BIO_free(bp);
    bp = NULL;

    /* pub key: EVP_PKEY_assign_RSA takes ownership of rsaPair on success */
    if (evpKey == NULL) {
        evpKey = EVP_PKEY_new();   /* evpKey is an ivar; allocate it if nothing else did */
    }
    if (evpKey == NULL || 1 != EVP_PKEY_assign_RSA(evpKey, rsaPair)) {
        LOG(@"assign_RSA failed");
        goto cleanup;
    }
    rsaPair = NULL;                /* now owned by evpKey */
    if (!X509_REQ_set_pubkey(csr.req, evpKey)) {
        LOG(@"set_pubkey failed");
        goto cleanup;
    }

    /* signature: X509_REQ_sign hashes the request itself, so the earlier
       X509_REQ_digest call (a digest of the still-unsigned request) is not needed.
       Most CAs reject SHA-1 signatures; EVP_sha256() is the usual choice. */
    csr.md = EVP_sha1();
    if (!X509_REQ_sign(csr.req, evpKey, csr.md)) {
        LOG(@"req_sign failed");
        goto cleanup;
    }
    /* X509_REQ_verify returns 1 on success, 0 on a bad signature and <0 on error;
       checking only "< 0" misses a bad signature. Verify before writing the file. */
    if (X509_REQ_verify(csr.req, evpKey) != 1) {
        LOG(@"req_verify failed");
        goto cleanup;
    }

    const char *csrPathChar = [SPFileManager openFile:csrName];
    bp = BIO_new_file(csrPathChar, "w");
    if (bp == NULL || !PEM_write_bio_X509_REQ(bp, csr.req)) {
        LOG(@"writing CSR failed");
        goto cleanup;
    }

cleanup:
    if (bp != NULL) {
        BIO_free(bp);
    }
    if (rsaPair != NULL) {
        RSA_free(rsaPair);         /* only non-NULL if assign_RSA never took it */
    }
    X509_REQ_free(csr.req);
    csr.req = NULL;                /* avoid a double free on a later call */
}
```

testKey.pem is in PKCS#1 format and starts with `-----BEGIN RSA PRIVATE KEY-----`, and test.csr starts with `-----BEGIN CERTIFICATE REQUEST-----`, which however I don't think is right.

Any help will be appreciated, thanks.

  • There's a lot to programmatically creating a CSR. You should probably look at the source code in [`/apps/req.c`](https://github.com/openssl/openssl/blob/master/apps/req.c). It's the source code that handles the `openssl req ...` command. Be sure to add the *Authority Key Identifier*, *Subject Key Identifier*, *Serial Number*, *Subject Alt Names* (etc.) if it's a server certificate. `---BEGIN CERTIFICATE REQUEST---` is probably correct. It's [PKCS #10/RFC 2986](https://tools.ietf.org/html/rfc2986) syntax with PEM encoding. – jww Jun 08 '17 at 04:32
  • Related, see [Programmatically Create X509 Certificate using OpenSSL](https://stackoverflow.com/q/256405/608639) on SO, [Create certificate request programmatically using OpenSSL API](http://openssl.6102.n7.nabble.com/create-certificate-request-programmatically-using-OpenSSL-API-td29197.html) on the OpenSSL user list, etc. – jww Jun 08 '17 at 04:40
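
Added example, not from the question or from OpenSSL: the checks a practitioner would run from a shell on the two files the code above writes, using only the `openssl` command-line tool. `check_csr` takes the CSR and key paths as arguments; `make_sample_csr` builds a constructed reference pair so the checks can be exercised without the iOS code.

```shell
#!/bin/sh
# Sanity checks for a PKCS#10 CSR and the private key it should belong to,
# using only the openssl CLI. Usage: ./check_csr.sh test.csr testKey.pem
set -u

# make_sample_csr KEY CSR: constructs a reference pair (2048-bit RSA key,
# SHA-256-signed request with a non-empty subject) to exercise the checks.
make_sample_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null &&
    openssl req -new -key "$1" -subj "/CN=example.test/O=Example" -sha256 -out "$2" 2>/dev/null
}

# check_csr CSR KEY: returns 0 only when every check passes; a non-zero code
# identifies the first check that failed.
check_csr() {
    csr=$1
    key=$2
    # 1. PEM armour must carry the RFC 7468 label for PKCS#10 requests.
    grep -q '^-----BEGIN CERTIFICATE REQUEST-----$' "$csr" ||
        { echo "bad PEM header"; return 1; }
    # 2. The request must parse and its self-signature must verify.
    #    (req -verify reports the result in text, so match on that, not the exit code.)
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "CSR does not parse or self-signature invalid"; return 2; }
    # 3. The subject must contain at least one attribute (an empty DN gets rejected).
    subj=$(openssl req -in "$csr" -noout -subject)
    case "$subj" in
        *=*) ;;
        *) echo "empty subject"; return 3 ;;
    esac
    # 4. The public key embedded in the CSR must be the one derived from KEY;
    #    a mismatch means the code signed with a different key than it saved.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    [ "$csr_pub" = "$key_pub" ] ||
        { echo "CSR public key does not match $key"; return 4; }
    echo "ok: $subj"
    return 0
}

if [ "$#" -eq 2 ]; then
    check_csr "$1" "$2"
fi
```

`openssl req -in test.csr -noout -text` prints the decoded request if you want to see the subject, key and signature algorithm by eye.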
