iOS:如何以编程方式在应用程序中从私钥和x509certificate创建PKCS12(P12)密钥库?

前端之家收集整理的这篇文章主要介绍了iOS:如何以编程方式在应用程序中从私钥和x509certificate创建PKCS12(P12)密钥库?前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。
这个问题显然很相似,但没有任何答案: Programmatically create a x509 certificate for iPhone without using OpenSSL

在我们的应用程序(服务器,客户端)中,我们正在实现客户端身份验证(基于X509Certificate的SSL).我们已经有办法生成密钥对,创建PKCS10证书签名请求,由自签名CA签名并创建X509Certificate,然后发回.但是,要在SSL请求中使用此证书,必须将私钥和X509Certificate导出到PKCS12(P12)密钥库.

有没有人知道如何做到这一点,或者即使它可能?客户端必须生成P12文件(我们不想发出私钥),客户端正在运行iOS,并且是移动设备.该解决方案适用于Android使用BouncyCastle(SpongyCastle),但我们没有找到任何iOS.

编辑:在Java中,此导出由以下内容完成:

ByteArrayOutputStream bos = new ByteArrayOutputStream();
    KeyStore ks = KeyStore.getInstance("PKCS12",BouncyCastleProvider.PROVIDER_NAME);
    ks.load(null);
    ks.setKeyEntry("key-alias",(Key) key,password.tocharArray(),new java.security.cert.Certificate[] { x509Certificate });
    ks.store(bos,password.tocharArray());
    bos.close();
    return bos.toByteArray();

解决方法

如果使用openssl,则不必将完整的源代码复制到项目中,只需添加lib和头文件即可,因此可以使用openssl库而不会出现任何大小问题.
您可以使用openssl生成密钥和证书:
EVP_PKEY * pkey;
pkey = EVP_PKEY_new();

RSA * rsa;
rsa = RSA_generate_key(
        2048,/* number of bits for the key - 2048 is a sensible value */
        RSA_F4,/* exponent - RSA_F4 is defined as 0x10001L */
        NULL,/* callback - can be NULL if we aren't displaying progress */
        NULL    /* callback argument - not needed in this case */
);

EVP_PKEY_assign_RSA(pkey,rsa);

X509 * x509;
x509 = X509_new();

ASN1_INTEGER_set(X509_get_serialNumber(x509),1);

X509_gmtime_adj(X509_get_notBefore(x509),0);
X509_gmtime_adj(X509_get_notAfter(x509),31536000L);

X509_set_pubkey(x509,pkey);

X509_NAME * name;
name = X509_get_subject_name(x509);

X509_NAME_add_entry_by_txt(name,"C",MBSTRING_ASC,(unsigned char *)"CA",-1,0);
X509_NAME_add_entry_by_txt(name,"O",(unsigned char *)"MyCompany Inc.","CN",(unsigned char *)"localhost",0);

X509_set_issuer_name(x509,name);

//X509_sign(x509,pkey,EVP_sha1());

const EVP_CIPHER *aConst = EVP_des_ede3_cbc();

你可以用这些函数把它写成pem格式:

PEM_write_PrivateKey(f,NULL,NULL);


PEM_write_X509(
            f,/* write the certificate to the file we've opened */
            x509 /* our certificate */
);

之后可以将这些文件写入p12文件,源自此处:
https://github.com/luvit/openssl/blob/master/openssl/demos/pkcs12/pkwrite.c

/* pkwrite.c */

#include <stdio.h>
#include <stdlib.h>
#include <openssl/pem.h>
#include <openssl/err.h>
#include <openssl/pkcs12.h>

/* Simple PKCS#12 file creator */
int main(int argc,char **argv)
{
    FILE *fp;
    EVP_PKEY *pkey;
    X509 *cert;
    PKCS12 *p12;
    if (argc != 5) {
        fprintf(stderr,"Usage: pkwrite infile password name p12file\n");
        exit(1);
    }
    SSLeay_add_all_algorithms();
    ERR_load_crypto_strings();
    if (!(fp = fopen(argv[1],"r"))) {
        fprintf(stderr,"Error opening file %s\n",argv[1]);
        exit(1);
    }
    cert = PEM_read_X509(fp,NULL);
    rewind(fp);
    pkey = PEM_read_PrivateKey(fp,NULL);
    fclose(fp);
    p12 = PKCS12_create(argv[2],argv[3],cert,0);
    if(!p12) {
        fprintf(stderr,"Error creating PKCS#12 structure\n");
        ERR_print_errors_fp(stderr);
        exit(1);
    }
    if (!(fp = fopen(argv[4],"wb"))) {
        fprintf(stderr,argv[1]);
        ERR_print_errors_fp(stderr);
        exit(1);
    }
    i2d_PKCS12_fp(fp,p12);
    PKCS12_free(p12);
    fclose(fp);
    return 0;
}

猜你在找的iOS相关文章