4

I would like to make an HTTPS request to a server that requires client-certificate authentication. I looked into Creating a SecCertificateRef for NSURLConnection Authentication Challenge. It worked as expected.

However, it requires preparing a p12 file which includes the private key. It would be secure, as a password is needed to import the p12 file using SecPKCS12Import().

However, there could be another option: the iOS client makes a certificate signing request (.CSR) and lets a third party (the server) sign it.

From my search, I see that I can use SecKeyGeneratePair() to generate a key pair, but I don't see any API that generates a CSR.

Do I really need OpenSSL to achieve this?

Also, a bit off topic: once the iOS client somehow receives the signed certificate, I can use SecCertificateCreateWithData() to retrieve a SecCertificateRef. However, to fill in an NSURLCredential I also need the SecIdentityRef, which comes from the p12 file via SecPKCS12Import(). How can I retrieve a SecIdentityRef without SecPKCS12Import(), from just a certificate file such as .crt or .der?

Josh Correia
Yeung
  • I eventually built `OpenSSL` to generate the CSR file. To get a `SecIdentityRef` without a p12 file, I looked into [this](http://stackoverflow.com/questions/4241590/how-to-establish-a-secidentityref-in-an-iphone-keychain-without-a-p12) – Yeung Jul 12 '13 at 08:22

2 Answers

12

There is no explicit support for CSRs in the Security Framework on iOS. However, it is not that difficult to build a CSR 'manually': it is just an ASN.1 DER block of data that is available at iOS runtime.

Here is pseudocode for that:

  1. Use SecKeyGeneratePair() from the Security Framework to create a fresh public/private key pair
  2. Implement a getPublicKeyBits method to retrieve the NSData form of the fresh public key (see https://developer.apple.com/library/ios/samplecode/CryptoExercise/Introduction/Intro.html )
  3. Implement a getPrivateKey method to retrieve the SecKeyRef from the Keychain
  4. Follow http://www.ietf.org/rfc/rfc2986.txt to construct the ASN.1 DER of the CSR in NSMutableData
  5. Use CC_SHA1_* to create the signature hash of the Certification Request Info (part of the CSR)
  6. Use SecKeyRawSign and the private key to sign the CSR

This will create a proper CSR (in the form of NSData) that can be sent to a CA for approval.

My implementation is available on GitHub: http://github.com/ateska/ios-csr .

Ales Teska
  • I am very interested in seeing this class, no need to polish it. I have tried to generate a csr on iOS for 2 days now. – joakimb May 23 '14 at 16:20
  • @ateska Do you know how you can save this as a proper file? – Codezy Jan 14 '15 at 21:28
  • What do you mean by 'proper file'? You can just dump that NSData content to a file; it will be a CSR in DER format. – Ales Teska Jan 15 '15 at 00:10
  • Does anyone know which OID I should use to also insert the email address into the CSR? The one I used, 1.2.840.113549.1.9.1, does not work. – i-developer Sep 05 '16 at 13:51
  • @i-developer - an email is (most commonly) part of the subject, not a dedicated item of the CSR. – Ales Teska Sep 06 '16 at 23:29
  • @AlesTeska Can we create a CSR with Elliptic Curve by using ecdsa-with-SHA256, as you describe with RSA in "https://github.com/ateska/ios-csr" (it's quite helpful for me)? I've tried but it keeps failing. Can you please help me with how I could do this? – Aleem Nov 24 '16 at 14:05
  • I tried and am getting this PEM: -----BEGIN CERTIFICATE REQUEST----- MIG+MGkCAQAwSDERMA8GA1UEBgwIUGFraXN0YW4xETAPBgNVBAoMCEFzY2VydGlh MQwwCgYDVQQLDANBU0MxEjAQBgNVBAMMCUQgU2lnbmluZzAYMA0GCSqGSIb3DQEB AQUAAwcAMAQCAAIAoAAGCCqGSM49BAMCA0cAMEQCIHIifMMGs+r+lhN8id2ka5iJ V/ieCtvinsYYGC8UohBjAiA9IkU0k+oUzTeYQnYxSDyPT1h2MRZUmQm/hz+0KjUk Xg== -----END CERTIFICATE REQUEST----- – Aleem Nov 24 '16 at 14:05
  • @Aleem - well, my class is very 'RSA-centric'. You will need to adjust all RSA-specific parts to EC ones. Shouldn't be too difficult; I suggest starting with a CSR generated by OpenSSL, identifying the differences using a hex editor and adjusting the ASN.1 generator part accordingly. – Ales Teska Nov 24 '16 at 17:58
  • @AlesTeska Could you please change the license for your library? That would help a lot (it's possibly illegal to distribute on [App Store with GPL-licensed software](http://www.fsf.org/blogs/licensing/more-about-the-app-store-gpl-enforcement)). Thanks! – Ben Aubin Jan 04 '18 at 17:38
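The six steps above, worked through as an added example that is not the answer's ios-csr code. It is written in Go rather than Objective-C so that the hand-built DER can be checked against an independent PKCS#10 parser (Go's crypto/x509); the ASN.1 layout is the same one you would write into NSMutableData, with rsa.GenerateKey standing in for SecKeyGeneratePair and rsa.SignPKCS1v15 for SecKeyRawSign. Assumptions of the example, not of the answer: a constructed subject of CN=device-1234, O=Example Corp, a 2048-bit RSA key, and sha256WithRSAEncryption instead of the SHA-1 named in step 5.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"os"
)

// sha256WithRSAEncryption (RFC 4055). The answer hashes with SHA-1; this
// example assumes SHA-256, which is what CAs accept today.
var oidSHA256WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11}

// RFC 2986 section 4.1:
//
//	CertificationRequestInfo ::= SEQUENCE {
//	    version INTEGER { v1(0) }, subject Name,
//	    subjectPKInfo SubjectPublicKeyInfo, attributes [0] Attributes }
//
// Subject and SubjectPKInfo carry pre-encoded DER. Attributes is written as an
// empty [0] IMPLICIT constructed element (bytes A0 00); it is not optional.
type certificationRequestInfo struct {
	Version       int
	Subject       asn1.RawValue
	SubjectPKInfo asn1.RawValue
	Attributes    asn1.RawValue
}

// RFC 2986 section 4.2: CertificationRequest ::= SEQUENCE {
// certificationRequestInfo, signatureAlgorithm AlgorithmIdentifier, signature BIT STRING }
type certificationRequest struct {
	Info      asn1.RawValue
	Algorithm pkix.AlgorithmIdentifier
	Signature asn1.BitString
}

// BuildCSR performs steps 2 to 6: export the public key as SubjectPublicKeyInfo,
// encode CertificationRequestInfo, hash exactly those DER bytes, sign the hash,
// and wrap everything in the outer SEQUENCE.
func BuildCSR(subject pkix.Name, priv *rsa.PrivateKey) ([]byte, error) {
	spki, err := x509.MarshalPKIXPublicKey(&priv.PublicKey) // step 2
	if err != nil {
		return nil, err
	}
	subj, err := asn1.Marshal(subject.ToRDNSequence()) // X.501 Name
	if err != nil {
		return nil, err
	}
	criDER, err := asn1.Marshal(certificationRequestInfo{ // step 4
		Version:       0,
		Subject:       asn1.RawValue{FullBytes: subj},
		SubjectPKInfo: asn1.RawValue{FullBytes: spki},
		Attributes:    asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true},
	})
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(criDER)                                           // step 5
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:]) // step 6
	if err != nil {
		return nil, err
	}
	return asn1.Marshal(certificationRequest{
		Info:      asn1.RawValue{FullBytes: criDER},
		Algorithm: pkix.AlgorithmIdentifier{Algorithm: oidSHA256WithRSA, Parameters: asn1.NullRawValue},
		Signature: asn1.BitString{Bytes: sig, BitLength: 8 * len(sig)},
	})
}

// VerifyCSR is the check to run before sending the request anywhere: the
// hand-built DER must parse with an independent PKCS#10 parser and its
// signature must verify against the embedded public key.
func VerifyCSR(der []byte) (*x509.CertificateRequest, error) {
	req, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	return req, req.CheckSignature()
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // step 1: SecKeyGeneratePair on iOS
	if err != nil {
		panic(err)
	}
	// Constructed example subject; a device identifier is a typical CN.
	der, err := BuildCSR(pkix.Name{CommonName: "device-1234", Organization: []string{"Example Corp"}}, priv)
	if err != nil {
		panic(err)
	}
	if _, err := VerifyCSR(der); err != nil {
		panic(err)
	}
	// The DER is the answer's NSData; PEM is the same bytes base64-wrapped.
	pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}
```

The part that usually goes wrong when porting this to NSMutableData is step 5: the hash must be taken over the exact DER bytes of the CertificationRequestInfo that end up inside the outer SEQUENCE, so encode it once, sign that buffer, and embed the same buffer. Running the output through `openssl req -in csr.pem -noout -verify` is the equivalent of VerifyCSR on the iOS side.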
2

To anyone who comes across this in the future: I encountered outfoxx's Shield library, which makes it super easy to create CSRs via Swift.

Josh Correia