How to make a valid p12 file to be correctly imported by SecPKCS12Import

Question

I've solved my previos problem of converting XML RSA private key to PEM file, but I run into another problem that I get null data when importing P12 private key. Following is my steps:

1. Convert PEM file to P12 file

   openssl> pkcs12 -export -in rsa.pem -inkey rsa.pem -out rsa.p12 -nocerts
   

2. Read P12 file to iOS project

   NSString *path = [[NSBundle bundleForClass:[self class]]    
                       pathForResource:@"MyPrivateKey" ofType:@"p12"];
   NSData *p12data = [NSData dataWithContentsOfFile:path];
   if (![self getPrivateKeyRef]) 
       RSAPrivateKey = getPrivateKeywithRawKey(p12data);
   

3. Import P12 Private Key

   SecKeyRef getPrivateKeywithRawKey(NSData *pfxkeydata)
   { 
       NSMutableDictionary * options = [[[NSMutableDictionary alloc] init] autorelease];
   
       // Set the public key query dictionary
       //change to your .pfx  password here 
       [options setObject:@"MyPassword" forKey:(id)kSecImportExportPassphrase];
   
       CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL);
   
       OSStatus securityError = SecPKCS12Import((CFDataRef) pfxkeydata,
                                                (CFDictionaryRef)options, &items);
   
       CFDictionaryRef identityDict = CFArrayGetValueAtIndex(items, 0);
       SecIdentityRef identityApp =
       (SecIdentityRef)CFDictionaryGetValue(identityDict,
                                            kSecImportItemIdentity);
       //NSLog(@"%@", securityError);
   
       assert(securityError == noErr);
       SecKeyRef privateKeyRef;
       SecIdentityCopyPrivateKey(identityApp, &privateKeyRef);
   
       return privateKeyRef;
   
   }
   

Thought there was no err(OSStatus value is 0), but the items array didn't get any identity data. I am wondering if i didn't get the correct p12 file format due to wrong OpenSSl usage. Has anyone successfully import p12 file? I've stuck in this problem for a couple of days, please give me advices if you got clues, thanks!

Hubert

Answer 1

I got some tips from the internet, and following is the steps to get iOS acceptable p12 key and certification file:

1. convert XML to PEM
   Shell> compile XMLSpec2PEM.java
   Shell> XMLSpec2PEM rsa.xml
   save the output result to rsa.pem
   (borrow from here)

2. convert PEM to RSA Private Key
   OpenSSL> rsa -in rsa.pem -out rsaPrivate.key

3. Generate a certification request
   OpenSSL> req -new -key rsaPrivate.key -out rsaCertReq.crt
   (input some basic certification data)
   

4. Sign certification of the request
   OpenSSL> x509 -req -days 3650 -in rsaCertReq.crt -signkey rsaPrivate.key -out rsaCert.crt
   

5. Convert the certification file format to DER (iOS acceptable format)
   OpenSSL> x509 -outform der -in rsaCert.crt -out rsaCert.der
   

6. Generate PKCS12 Private key(iOS acceptable format)
   OpenSSL> pkcs12 -export -out rsaPrivate.pfx -inkey rsaPrivate.key -in rsaCert.crt
   

No further steps, files generated in step 5 and 6 now can be used in iOS!

reference of OpenSSL instructions:
http://blogs.yaclife.com/?tag=ios%E3%80%80seckeyref%E3%80%80raw%E3%80%80key%E3%80%80rsa%E3%80%803des

http://devsec.org/info/ssl-cert.html