Creating x509 certificates programmatically in Objective-C using the Security Framework

Question

I am struggling hard to find a way to create x509 certificates programmatically (Self-signed) in Objective-C using the Security Framework. I am NOT using OpenSSL for my project. So I can't consider using OpenSSL. Here are the few things I already created:

• Created RSA key pair. Used - (void)generateKeyPairPlease function per Apple's docs

• Used ios-csr (https://github.com/ateska/ios-csr) to create CSR. See the below code

  SCCSR *sccsr = [[SCCSR alloc]init];
  sccsr.commonName = @"some name";
  sccsr.organizationName = @"some organisation";
  
  NSData *certificateRequest = [sccsr build:pPublicKey privateKey:privateKey];
  NSString *str = [certificateRequest base64EncodedStringWithOptions:NSDataBase64Encoding64CharacterLineLength];
  
  NSString *strCertificateRequest = @"-----BEGIN CERTIFICATE REQUEST-----\n";
  strCertificateRequest = [strCertificateRequest stringByAppendingString:str];
  strCertificateRequest = [strCertificateRequest stringByAppendingString:@"\n-----END CERTIFICATE REQUEST-----\n"];
  

• Now I need to create X509 Certificate (self-signed). I used the below code.

  // Convert to Base64 data
  NSData *base64Data = [certificateRequest base64EncodedDataWithOptions:0];
  SecCertificateRef cer = SecCertificateCreateWithData ( NULL, (__bridge CFDataRef) base64Data);
  NSLog(@"%@", cer);
  

• cer seems to be NULL.SecCertificateCreateWithData needs "A DER (Distinguished Encoding Rules) representation of an X.509 certificate" as per the documentation.

Is my approach correct? To reiterate: I have an RSA key pair (public and private keys), successfully generated CSR (Certificate Signing Request). Now I need the X509 Certificate to be generated programatically.

I am using version 6.2 (6C131e) and iOS SDK 8.2.

Answer 1

I don't think it's actually possible using the Security Framework. AFAICT, the only way to do this on iOS/OSX is to use the (deprecated) CDSA library, or the (deprecated) OpenSSL library.

There is a library at https://github.com/snej/MYCrypto which can do it, but it uses some of the (deprecated) CDSA/CSSA calls, and depends on a lot of the same author's utility/library functions, which I found to be unhelpful.

I suggest you file a bug at bugreporter.apple.com to express your desire to be able to generate x.509 certificates. I have!

Edit: The MYCrypto author (snej) also has a simplified version, MYAnonymousIdentity, which takes a pre-created x.509 self-sign certificate, and uses minimum SDK calls to inject a new RSA key/signature into the existing certificate. It also used some of his utility/library stuff, but I have stripped all of that out for my own project and you can find the modified code, the script I use to generate the pre-canned certificate (and a header file containing all the offsets for modification) at: https://github.com/Hammerspoon/hammerspoon/tree/master/extensions/httpserver