My iOS app is handling x509 certificates + keys (DER encoded) at runtime. The only way I am able to successfully import them into the keychain is to use PKCS12 using the function: SecPKCS12Import()
I have been trying hard to get it running using only SecItemAdd(). I used that function for the DER encoded certificate and again for the DER encoded key. But even though the call returned with success, querying the keychain afterwards didn't yield a SecIdentityRef.
So I ended up using the OpenSSL PKCS12 implementation. I am very keen on getting rid of my dependency on OpenSSL. I have been looking around for alternative implementations of PKCS12. The only alternative lib I found was hosted in Apple's open source repo:
https://opensource.apple.com/source/Security/Security-57031.10.10/Security/libsecurity_pkcs12/
Though this is an OS X project that has (I suppose) many dependencies on other modules of the security framework. Before I start looking deeper into this,
I was wondering:
Is there any chance for me to run libsecurity_pkcs12 on iOS?
Or better: is there any alternative small footprint PKCS12 library that I am not aware of?
Or even better: has anyone imported x509 + key into the iOS keychain (yielding a SecIdentityRef afterwards) without using PKCS12?
Related
I am trying to find a good library to do the following:
Generate RSA public and private key pairs
Encrypt / decrypt using keys
Sign using private key / verify with public key
Generate SHA256 hashes
I tried many libraries, but I can't seem to find something simple and straightforward with all these functions. In Python, pycrypto covers all this; it's really strange that there doesn't seem to be something like this available for Swift.
If you are using iOS 13 or above as the base SDK for your app then you should look at CryptoKit from Apple as it should cover what you are looking for.
https://developer.apple.com/documentation/cryptokit
If you need to support devices running versions of iOS older than iOS 13 then you should look at CommonCrypto (also native to Apple), but if you can afford to only support iOS 13 and above then CryptoKit is far better and easier to implement.
Is there a way in Dart to generate a file in the PKCS12 / .p12 / .pfx format by passing in a certificate and its private key in pure Dart?
The BouncyCastle port has no support for PKCS 12.
For Android, there is the Bouncy Castle library (Java); I tested it and it works like a charm.
For iOS I find it difficult to build a plugin with the OpenSSL library linked to it because there is currently no way to tell Xcode to include C code inside a Flutter plugin.
dart:ffi would be an option, but it seems like Dart has problems with C pointers, so I am not sure how to tackle this.
I would like to encrypt a plist file at build time (Xcode) and then decrypt it at run time when launching the app. As you can see, the purpose is to encrypt the entire plist file, and not just some text inside it.
I've tried to encrypt this file with a run script and OpenSSL, and decrypt it with RNCryptor for Swift, but I couldn't get a good result.
On the other hand, I've seen some posts talking about OpenSSL vs. the new macOS, and maybe this command is not good enough for encryption because it's deprecated.
Any idea about it, please?
Thanks!!
Apple, faithful to its extremely proprietary spirit, requires certificates used for the iOS developer program to be generated with a Mac (as a .certSigningRequest file).
Obviously, they somehow use a standard for these keys, so my question is:
What does a .certSigningRequest look like? Could someone share a censored version of their file (while keeping the same length)?
Then, I am sure we can figure out a way to generate the same thing with openssl, and eventually edit the CSR file to make it match the format required by Apple.
Ah, in fact it is strictly the same format as the files generated with openssl.
I just used to always generate 4096, and I did not expect Apple to use 2048 only.
So to generate a set of keys for iOS developer:
openssl genrsa -out ios-dev.key 2048
openssl req -new -key ios-dev.key -out ios-dev.csr
We can add a pass to the pass application in iOS 6.0 programmatically, given we have a .pkpass file in our documents directory or we get it from the server. But I have searched all the Apple documentation, in which steps are given to generate the .pkpass file manually.
Is it feasible to create a .pkpass file programmatically using Xcode?
The .pkpass file is composed of several components. The most difficult component that must be done programmatically is the signature of the manifest file. The other parts are trivial to assemble on the iPhone platform programmatically. You may note that Apple's documentation uses a shell command to compute this value using the OpenSSL library. I had to manually write a function that signed the manifest files using the OpenSSL C library, however it is not trivial due to a lack of examples and the complexity of the library. The signing function selected by Apple for the manifest is not present in their CommonCrypto framework.
Also, in order to sign these passes on the phone, the credentials must be present in the binary's bundle or compiled assets which is probably not a good idea to distribute if you would like to protect the integrity of your profile and signing identities.
So in summary: This is certainly possible, and is doable using the existing specifications and libraries. However, I would not recommend doing this on the phone. It is fairly difficult, and may introduce security risks if not done properly. Additionally, if you incorporate the OpenSSL library in your binary then you must report to Apple that you incorporate encryption in your device and must register for an ERN with the government. There may also be other export conditions on your code depending on your locality (but of course I am not a lawyer so this is a guess).
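A server-side sketch of the assembly described in the answer above, added here as an example and not code from the answer or from Apple: manifest.json maps each file to its SHA-1 digest, the signature is a detached PKCS #7 signature of the manifest, and check_manifest() re-verifies the hashes of a finished archive (it does not validate the signature). The function names, the sample pass content and the PEM paths passed to openssl_signer() are assumptions made for illustration.

```python
import hashlib
import io
import json
import subprocess
import zipfile

def build_manifest(files):
    """manifest.json content: each file name mapped to the SHA-1 hex digest of its bytes."""
    return {name: hashlib.sha1(data).hexdigest() for name, data in files.items()}

def openssl_signer(cert, key, wwdr):
    """Return a signer producing a detached PKCS #7 signature (DER) via the openssl CLI.
    cert, key and wwdr are placeholder paths to PEM files kept on the signing server."""
    def sign(manifest_bytes):
        cmd = ["openssl", "smime", "-binary", "-sign", "-signer", cert,
               "-inkey", key, "-certfile", wwdr, "-outform", "DER"]
        return subprocess.run(cmd, input=manifest_bytes, capture_output=True, check=True).stdout
    return sign

def build_pkpass(files, sign):
    """Zip the pass files together with manifest.json and its signature."""
    manifest = json.dumps(build_manifest(files), indent=2).encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in files.items():
            z.writestr(name, data)
        z.writestr("manifest.json", manifest)
        z.writestr("signature", sign(manifest))
    return buf.getvalue()

def check_manifest(pkpass_bytes):
    """Return a list of integrity problems; an empty list means files and manifest agree."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(pkpass_bytes)) as z:
        present = set(z.namelist()) - {"manifest.json", "signature"}
        manifest = json.loads(z.read("manifest.json"))
        for name in sorted(present | set(manifest)):
            if name not in manifest:
                problems.append(f"unlisted: {name}")
            elif name not in present:
                problems.append(f"missing: {name}")
            elif hashlib.sha1(z.read(name)).hexdigest() != manifest[name]:
                problems.append(f"hash mismatch: {name}")
    return problems

# Constructed sample pass content and a stand-in signer so the example runs offline.
SAMPLE = {"pass.json": b'{"formatVersion": 1}', "icon.png": b"\x89PNG constructed"}
if __name__ == "__main__":
    print(check_manifest(build_pkpass(SAMPLE, lambda m: b"constructed-signature")))
```

In production the stand-in lambda is replaced by openssl_signer(...) running on the server, so the pass certificate and key never ship inside the app bundle.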