2

Currently i am generating an Elliptic Curve KeyPair in my iOS App successfully:

let privateKeyParams: [String: Any] = [
    kSecAttrIsPermanent as String: true,
    kSecAttrApplicationTag as String: privateTag
]

let publicKeyParams: [String: Any] = [
    kSecAttrIsPermanent as String: true,
    kSecAttrApplicationTag as String: publicTag,
    kSecAttrAccessible as String: kSecAttrAccessibleAlways
]

let query: [String: Any] = [
    kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
    kSecPrivateKeyAttrs as String: privateKeyParams,
    kSecPublicKeyAttrs as String: publicKeyParams,
    kSecAttrKeySizeInBits as String: 256 as AnyObject,
]

let status = SecKeyGeneratePair(query as CFDictionary, &self.publicKey, &self.privateKey)

guard status == errSecSuccess else {
    print("Could not generate keypair")
    return
}

guard let pubKey = self.publicKey, let privKey = self.privateKey else {
    print("Keypair null")
    return
}

This one works because when i check if my keys exist they do and i can also encrypt/decrypt and sign/verify.

Soo.. in the next step i need to generate a SecCertificate which will basically hold my public key... this is simply a requirement.

But there is literally no API/Documentation on how to do this..the only api i saw is on how to generate SecCertificate from existing der file etc..

So my question is:

How do i generate an SecCertificate object from my existing Elliptic Curve KeyPair (SecKey)?

Thanks and Greetings!

Creative crypter
  • 1,348
  • 6
  • 30
  • 67

1 Answers1

2

Certificates and cryptographic functions in general are very bad documented and barely supported in Swift / iOS.

But the first question here is: Why do you need a certificate and what do you want to do? The main problem is that you just cannot create a valid certificate out of thin air. A certificate has to be signed by a a certificate authority (CA) so that anyone with the CA certificate can verify that the certificate is valid.

(Of course you can create a self signed certificate but this would be useless in most cases. Additionally, I do not know how to do this easily. All API calls in Swift / iOS assume that you already have a valid certificate. It seems that it is not intended to create certificates inside your app.)

So first, you need a certificate authority, which can sign your certificate. Then, you need to create a certificate signing request from your key pair and send it to your CA. You then will obtain a signed certificate, which you can use in your app. The steps in correct order are:

  1. Create / find a certificate authority (CA)
  2. Create your keypair
  3. Create a certificate signing request (CSR). I currently use CertificateSigningRequestSwift because Apple simply does not provide any functionality to do this.
  4. Send your CSR to the CA and receive the certificate (CRT).
  5. Save the CRT together with the private key in a P12 trust store. I use OpenSSL-for-iPhone to do this.
  6. Get the SecIdentity or the SecCertificate from the P12 trust store

This is a lot of work but after a long time of researching this is the only way I got certificates working in Swift / iOS. Especially the handling with OpenSSL is very tricky (have a look at this post of me to get an idea of the complexity). So, again, the question is what you want to do. If you want to create a SSL client, you need to go the full way, but if you just want to encrypt some stuff, the solution may be a lot easier.

sundance
  • 2,930
  • 1
  • 20
  • 25