Friday, 15 March 2013

objective c - iOS: How to create PKCS12 (P12) keystore from private key and x509certificate in application programmatically? -




This apparently similar question had no answers of the kind I need: Programmatically create x509 certificate on iPhone without using OpenSSL

In our application (server, client) we are implementing client authentication (SSL based on an X509Certificate). We have a way to generate a key pair, create a PKCS10 certificate signing request, have it signed by our self-signed CA, create the X509Certificate and send it back. However, to use the certificate in SSL requests, the private key and the X509Certificate have to be exported into a PKCS12 (P12) keystore.

Does anyone know how to do this, or whether it is possible at all? The client has to generate the P12 file (we don't want to give out the private key), and the client is running iOS on a mobile device. The solution worked on Android using BouncyCastle (SpongyCastle), but I found nothing for iOS.

Edit: In Java, the export is done as follows:

```java
import java.io.ByteArrayOutputStream;
import java.security.Key;
import java.security.KeyStore;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

// Inside a method that has the private key, the certificate and the password in scope:
ByteArrayOutputStream bos = new ByteArrayOutputStream();
KeyStore ks = KeyStore.getInstance("PKCS12", BouncyCastleProvider.PROVIDER_NAME);
ks.load(null);                                    // start from an empty keystore
ks.setKeyEntry("key-alias", (Key) key, password.toCharArray(),
        new java.security.cert.Certificate[] { x509Certificate });
ks.store(bos, password.toCharArray());            // same password protects the P12 MAC
bos.close();
return bos.toByteArray();
```

If I use OpenSSL, I don't have to copy the whole source code into the project; it is enough to add the libs and headers, so the OpenSSL library can be used without a size problem. I can generate the key and the cert with OpenSSL:

```c
#include <openssl/evp.h>
#include <openssl/rsa.h>
#include <openssl/x509.h>

EVP_PKEY *pkey = EVP_PKEY_new();
RSA *rsa = RSA_generate_key(
    2048,   /* number of bits for the key - 2048 is a sensible value */
    RSA_F4, /* exponent - RSA_F4 is defined as 0x10001L */
    NULL,   /* callback - can be NULL if we aren't displaying progress */
    NULL    /* callback argument - not needed in this case */
);
EVP_PKEY_assign_RSA(pkey, rsa);   /* pkey now owns rsa */

X509 *x509 = X509_new();
ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
X509_gmtime_adj(X509_get_notBefore(x509), 0);
X509_gmtime_adj(X509_get_notAfter(x509), 31536000L);   /* valid for one year */
X509_set_pubkey(x509, pkey);

X509_NAME *name = X509_get_subject_name(x509);
X509_NAME_add_entry_by_txt(name, "C",  MBSTRING_ASC, (unsigned char *)"CA", -1, -1, 0);
X509_NAME_add_entry_by_txt(name, "O",  MBSTRING_ASC, (unsigned char *)"MyCompany Inc.", -1, -1, 0);
X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, (unsigned char *)"localhost", -1, -1, 0);
X509_set_issuer_name(x509, name);   /* self-signed: issuer is the subject */

/* The certificate must be signed before it can be written out or bundled.
   SHA-1 signatures are obsolete, so sign with SHA-256. */
X509_sign(x509, pkey, EVP_sha256());
```

And I can write them out in PEM format with these functions:

```c
PEM_write_PrivateKey(f, pkey, NULL, NULL, 0, NULL, NULL);   /* unencrypted private key */
PEM_write_X509(
    f,    /* write the certificate to the file we've opened */
    x509  /* our certificate */
);
```

After that it is possible to write these files into a P12 file; the source is here: https://github.com/luvit/openssl/blob/master/openssl/demos/pkcs12/pkwrite.c

```c
/* pkwrite.c */
#include <stdio.h>
#include <stdlib.h>
#include <openssl/pem.h>
#include <openssl/err.h>
#include <openssl/pkcs12.h>

/* Simple PKCS#12 file creator */
int main(int argc, char **argv)
{
    FILE *fp;
    EVP_PKEY *pkey;
    X509 *cert;
    PKCS12 *p12;

    if (argc != 5) {
        fprintf(stderr, "Usage: pkwrite infile password name p12file\n");
        exit(1);
    }
    SSLeay_add_all_algorithms();
    ERR_load_crypto_strings();

    /* infile is a PEM file holding both the certificate and the private key */
    if (!(fp = fopen(argv[1], "r"))) {
        fprintf(stderr, "Error opening file %s\n", argv[1]);
        exit(1);
    }
    cert = PEM_read_X509(fp, NULL, NULL, NULL);
    rewind(fp);
    pkey = PEM_read_PrivateKey(fp, NULL, NULL, NULL);
    fclose(fp);
    if (!cert || !pkey) {
        fprintf(stderr, "Error reading certificate or private key from %s\n", argv[1]);
        ERR_print_errors_fp(stderr);
        exit(1);
    }

    /* password, friendly name, key, cert, no CA chain, library defaults for the rest */
    p12 = PKCS12_create(argv[2], argv[3], pkey, cert, NULL, 0, 0, 0, 0, 0);
    if (!p12) {
        fprintf(stderr, "Error creating PKCS#12 structure\n");
        ERR_print_errors_fp(stderr);
        exit(1);
    }
    if (!(fp = fopen(argv[4], "wb"))) {
        fprintf(stderr, "Error opening file %s\n", argv[4]);
        ERR_print_errors_fp(stderr);
        exit(1);
    }
    i2d_PKCS12_fp(fp, p12);
    PKCS12_free(p12);
    fclose(fp);
    return 0;
}
```

ios objective-c ssl cryptography authentication
