0

我正在研发以创建 PKCS 10 CSR,我用谷歌搜索并在这个人的 github 上找到了非常好的帮助,我已经完成了 RSA kSecAttrKeyTypeRSA,现在我想对 Eliptic Curve 做同样的事情,kSecAttrKeyTypeEC但我无法找到在这方面需要帮助。

已编辑: 我尝试SCCR.m从 RSA 转换为 ECDSAwithSHA256

  • 我得到ECDSAWithSHA256的 OID并转换为hex
  • 在整个班级中将 SHA1 更改为 256,例如CC_SHA256_CTX.
  • kSecAttrKeyTypeEC使用而不是创建密钥对kSecAttrKeyTypeRSA

毕竟,我得到了签名无效的 PEM 文件。下面是我的全班。

SCCR.m

/*
This file is part of ios-csr.
Copyright (C) 2013-14 Ales Teska

ios-csr is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

ios-csr is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with ios-csr.  If not, see <http://www.gnu.org/licenses/>.
*/

#import "SCCSR.h"
#include <CommonCrypto/CommonDigest.h>

/*

Certification Request Syntax Specification: http://www.ietf.org/rfc/rfc2986.txt

*/




static uint8_t OBJECT_commonName[5] = {0x06, 0x03, 0x55, 0x04, 0x03};
static uint8_t OBJECT_countryName[5] = {0x06, 0x03, 0x55, 0x04, 0x06};
static uint8_t OBJECT_organizationName[5] = {0x06, 0x03, 0x55, 0x04, 0x0A};
static uint8_t OBJECT_organizationalUnitName[5] = {0x06, 0x03, 0x55, 0x04, 0x0B};

//1.2.840.10045.4.3.2
//\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x02
//http://www.oid-info.com/get/1.2.840.10045.4.3.2


static uint8_t OBJECT_ECEncryptionNULL[11] = {0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x00};

static uint8_t SEQUENCE_OBJECT_sha256WithECEncryption[] = {0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x00};

//static uint8_t OBJECT_rsaEncryptionNULL[13] = {0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00};

// See: http://oid-info.com/get/1.2.840.113549.1.1.5
//static uint8_t SEQUENCE_OBJECT_SHA256WithRSAEncryption[] = {0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 1, 1, 5, 0x05, 0x00};

static uint8_t SEQUENCE_tag = 0x30;
static uint8_t SET_tag = 0x31;

///

@implementation SCCSR

@synthesize countryName;
@synthesize organizationName;
@synthesize organizationalUnitName;
@synthesize commonName;
@synthesize subjectDER;

-(SCCSR *)init
{
    self = [super init];
    if (!self) return self;

    countryName = nil;
    organizationName = nil;
    organizationalUnitName = nil;
    commonName = nil;

    subjectDER = nil;

    return self;
}

-(NSData *) build:(NSData *)publicKeyBits privateKey:(SecKeyRef)privateKey
{
    NSMutableData * CertificationRequestInfo = [self buildCertificationRequestInfo:publicKeyBits];

    // Build signature - step 1: SHA256 hash
    CC_SHA256_CTX SHA256;
    CC_SHA256_Init(&SHA256);
    CC_SHA256_Update(&SHA256, [CertificationRequestInfo mutableBytes], (unsigned int)[CertificationRequestInfo length]);
    unsigned char digest[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256_Final(digest, &SHA256);

    // Build signature - step 2: Sign hash
    uint8_t signature[256];
    size_t signature_len = sizeof(signature);
    OSStatus osrc = SecKeyRawSign(
        privateKey,
        kSecPaddingPKCS1SHA256,
        digest, sizeof(digest),
        signature, &signature_len
    );
    assert(osrc == noErr);

    NSMutableData * CertificationRequest = [[NSMutableData alloc] initWithCapacity:1024];
    [CertificationRequest appendData:CertificationRequestInfo];
    [CertificationRequest appendBytes:SEQUENCE_OBJECT_sha256WithECEncryption length:sizeof(SEQUENCE_OBJECT_sha256WithECEncryption)];

    NSMutableData * signdata = [NSMutableData dataWithCapacity:257];
    uint8_t zero = 0;
    [signdata appendBytes:&zero length:1]; // Prepend zero
    [signdata appendBytes:signature length:signature_len];
    [SCCSR appendBITSTRING:signdata into:CertificationRequest];

    [SCCSR enclose:CertificationRequest by:SEQUENCE_tag]; // Enclose into SEQUENCE

    return CertificationRequest;
}


-(NSMutableData *)buildCertificationRequestInfo:(NSData *)publicKeyBits
{
    NSMutableData * CertificationRequestInfo = [[NSMutableData alloc] initWithCapacity:512];

    // Add version
    uint8_t version[3] = {0x02, 0x01, 0x00}; // ASN.1 Representation of integer with value 1
    [CertificationRequestInfo appendBytes:version length:sizeof(version)];


    // Add subject
    NSMutableData * Subject = [[NSMutableData alloc] initWithCapacity:256];
    if (countryName != nil) [SCCSR appendSubjectItem:OBJECT_countryName value:countryName into:Subject];
    if (organizationName != nil) [SCCSR appendSubjectItem:OBJECT_organizationName value:organizationName into:Subject];
    if (organizationalUnitName != nil) [SCCSR appendSubjectItem:OBJECT_organizationalUnitName value:organizationalUnitName into:Subject];
    if (commonName != nil) [SCCSR appendSubjectItem:OBJECT_commonName value:commonName into:Subject];
    [SCCSR enclose:Subject by:SEQUENCE_tag]; // Enclose into SEQUENCE

    subjectDER = [NSData dataWithData:Subject];

    [CertificationRequestInfo appendData:Subject];


    //Add public key info
    NSData * publicKeyInfo = [SCCSR buildPublicKeyInfo:publicKeyBits];
    [CertificationRequestInfo appendData:publicKeyInfo];

    // Add attributes
    uint8_t attributes[2] = {0xA0, 0x00};
    [CertificationRequestInfo appendBytes:attributes length:sizeof(attributes)];


    [SCCSR enclose:CertificationRequestInfo by:SEQUENCE_tag]; // Enclose into SEQUENCE

    return CertificationRequestInfo;
}

/// Utility class methods ...
+(NSData *)buildPublicKeyInfo:(NSData *)publicKeyBits
{
    NSMutableData * publicKeyInfo = [[NSMutableData alloc] initWithCapacity:390];

    [publicKeyInfo appendBytes:OBJECT_ECEncryptionNULL length:sizeof(OBJECT_ECEncryptionNULL)];
    [SCCSR enclose:publicKeyInfo by:SEQUENCE_tag]; // Enclose into SEQUENCE

    NSMutableData * publicKeyASN = [[NSMutableData alloc] initWithCapacity:260];

    NSData * mod = [SCCSR getPublicKeyMod:publicKeyBits];
    char Integer = 0x02; // Integer
    [publicKeyASN appendBytes:&Integer length:1];
    [SCCSR appendDERLength:[mod length] into:publicKeyASN];
    [publicKeyASN appendData:mod];

    NSData * exp = [SCCSR getPublicKeyExp:publicKeyBits];
    [publicKeyASN appendBytes:&Integer length:1];
    [SCCSR appendDERLength:[exp length] into:publicKeyASN];
    [publicKeyASN appendData:exp];

    [SCCSR enclose:publicKeyASN by:SEQUENCE_tag]; // Enclose into ??
    [SCCSR prependByte:0x00 into:publicKeyASN]; // Prepend 0 (?)

    [SCCSR appendBITSTRING:publicKeyASN into:publicKeyInfo];

    [SCCSR enclose:publicKeyInfo by:SEQUENCE_tag]; // Enclose into SEQUENCE

    return publicKeyInfo;
}

+(void)appendSubjectItem:(const uint8_t[5])what value:(NSString *)value into:(NSMutableData *)into
{
    NSMutableData * SubjectItem = [[NSMutableData alloc] initWithCapacity:128];
    [SubjectItem appendBytes:what length:5];
    [SCCSR appendUTF8String:value into:SubjectItem];
    [SCCSR enclose:SubjectItem by:SEQUENCE_tag]; // Enclose into SEQUENCE
    [SCCSR enclose:SubjectItem by:SET_tag]; // Enclose into SET

    [into appendData:SubjectItem];
}

+(void)appendUTF8String:(NSString *)string into:(NSMutableData *)into
{
    char strtype = 0x0C; //UTF8STRING
    [into appendBytes:&strtype length:1];
    [SCCSR appendDERLength:[string lengthOfBytesUsingEncoding:NSUTF8StringEncoding] into:into];
    [into appendData:[string dataUsingEncoding:NSUTF8StringEncoding]];
}

+(void)appendDERLength:(size_t)length into:(NSMutableData *)into
{
    assert(length < 0x8000);

    if (length < 128)
    {
        uint8_t d = length;
        [into appendBytes:&d length:1];
    }
    else if (length < 0x100)
    {
        uint8_t d[2] = {0x81, length & 0xFF};
        [into appendBytes:&d length:2];
    }
    else if (length < 0x8000)
    {
        uint8_t d[3] = {0x82, (length & 0xFF00) >> 8, length & 0xFF};
        [into appendBytes:&d length:3];
    }
}

+(void)appendBITSTRING:(NSData *)data into:(NSMutableData *)into
{
    char strtype = 0x03; //BIT STRING
    [into appendBytes:&strtype length:1];
    [SCCSR appendDERLength:[data length] into:into];
    [into appendData:data];
}


+(void)enclose:(NSMutableData *)data by:(uint8_t)by
{
    NSMutableData* newdata = [[NSMutableData alloc]initWithCapacity:[data length]+4];

    [newdata appendBytes:&by length:1];
    [SCCSR appendDERLength:[data length] into:newdata];
    [newdata appendData:data];

    [data setData:newdata];
}

+(void)prependByte:(uint8_t)byte into:(NSMutableData *)into
{
    NSMutableData* newdata = [[NSMutableData alloc]initWithCapacity:[into length]+1];

    [newdata appendBytes:&byte length:1];
    [newdata appendData:into];

    [into setData:newdata];
}

///

// From http://stackoverflow.com/questions/3840005/how-to-find-out-the-modulus-and-exponent-of-rsa-public-key-on-iphone-objective-c

+ (NSData *)getPublicKeyExp:(NSData *)publicKeyBits
{
    int iterator = 0;

    iterator++; // TYPE - bit stream - mod + exp
    [SCCSR derEncodingGetSizeFrom:publicKeyBits at:&iterator]; // Total size

    iterator++; // TYPE - bit stream mod
    int mod_size = [SCCSR derEncodingGetSizeFrom:publicKeyBits at:&iterator];
    iterator += mod_size;

    iterator++; // TYPE - bit stream exp
    int exp_size = [SCCSR derEncodingGetSizeFrom:publicKeyBits at:&iterator];
//  return publicKeyBits;
    return [publicKeyBits subdataWithRange:NSMakeRange(iterator, exp_size)];
}

+(NSData *)getPublicKeyMod:(NSData *)publicKeyBits
{
    int iterator = 0;

    iterator++; // TYPE - bit stream - mod + exp
    [SCCSR derEncodingGetSizeFrom:publicKeyBits at:&iterator]; // Total size

    iterator++; // TYPE - bit stream mod
    int mod_size = [SCCSR derEncodingGetSizeFrom:publicKeyBits at:&iterator];
//    return publicKeyBits;
    //TODO: Changed in Code
    return [publicKeyBits subdataWithRange:NSMakeRange(iterator, mod_size)];
}

+(int)derEncodingGetSizeFrom:(NSData*)buf at:(int*)iterator
{
    const uint8_t* data = [buf bytes];
    int itr = *iterator;
    int num_bytes = 1;
    int ret = 0;

    if (data[itr] > 0x80) {
        num_bytes = data[itr] - 0x80;
        itr++;
    }

    for (int i = 0 ; i < num_bytes; i++) ret = (ret * 0x100) + data[itr + i];

    *iterator = itr + num_bytes;
    return ret;
}

@end

问题

  • 当此 OID1.2.840.113549.1.1.5转换为十六进制时,这将成为{0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00}定义的,static uint8_t OBJECT_rsaEncryptionNULL[13] = {0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00};那么SEQUENCE_OBJECT_RSAEncryption定义的又是什么static uint8_t SEQUENCE_OBJECT_RSAEncryption[] = {0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 1, 1, 5, 0x05, 0x00};
  • SEQUENCE_OBJECT_sha256WithECEncryption如果是 SHA256withEC会怎样

从 OPENSSL 生成的 CSR

-----开始证书REQUEST----- MIIC8jCCAdoCAQAwfDELMAkGA1UEBhMCYXMxCzAJBgNVBAgTAnB1MQwwCgYDVQQH EwNsaHIxDDAKBgNVBAoTA3BhazERMA8GA1UECxMIYXNjZXJ0aWExDjAMBgNVBAMT BWFsZWVtMSEwHwYJKoZIhvcNAQkBFhJhbGVlbS5yekBnbWFpbC5jb20wggEiMA0G CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzvlvXGw4/YPYbiiCQE2pmqu0x9Ib3 nHk3yMy8ewJIXWOuewVmB7ISBoiAaJ01ON9H/szYUvCGoU5fzz7UFgxCI7biypuy ixo74w7Bd2jRMsH7baZ2W0bhvGoBxN1IMJZHI53J2KF9P5tayLz7OyGQ4Qz8p63A A6Ag3rblIDEBiDr6Xkyxd2atUf4EwB4JcrsLx66RyGDWadXcyO8P39Jg6bgauBMh OW2tq3Y7WsnOnYrYj4m1r9Z1ZFZEIHtHJX9u0qtuHH8yZD/saP5RkUcjIZPHU6Yh gNByRAXCl5YAMTV9yah/AGq6SMwvSRbhX6zgCpI0/eIhvyuzFW/poRlvAgMBAAGg MTAWBgkqhkiG9w0BCQIxCRMHYXNjdGVzdDAXBgkqhkiG9w0BCQcxChMIODc2NTQz MjEwDQYJKoZIhvcNAQELBQADggEBADdv9TOQAV7hEtFsviyp9G08BJgSDBjdP63I Efplt2B1POGvdOKvR1OI5r/qgZZ8E7BTBaFyArUT4+sEdybpmXV9PdO8R7zawD/j 7vmKShYThlPxi/UDrZT8kAwrnBAKgChJ/KMSB6LGdM2wvZKvoN14LFj/KUHtTI97 LYRfhIKFk28yyeSQxK8a3zkPawiTWBYYay9GU13NiKXedps00eV14S7/jAzhL/bk e94LfFybyDcOa2zDWKZOwOGAEStCq4O+7A+t8wrA= -----结束证书申请-----

4

0 回答 0