Sample code for public key encryption/decryption on Mac?

Question

Where can I find some simple sample code for public key encryption and decryption on Mac OS X? I'm frustrated that Apple's "Certificate, Key, and Trust Services Programming Guide" shows how to do this stuff on iOS, but the needed APIs (SecKeyEncrypt, SecKeyDecrypt) are apparently not available on Mac OS X. There's probably a way to do it in "CryptoSample", but it doesn't look clear or simple, and the sample project is too old to open with the current version of Xcode.

Answer 1

The Security Framework APIs change rather frequently between Mac OS releases. The best approach depends on what version you target:

1. If your code only needs to run on 10.7 and above, you can use Security Transforms, a new high-level public API for cryptography transformations. The Security Transforms Programming Guide has useful (and simple!) example code:

https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecTransformPG/SecurityTransformsBasics/SecurityTransformsBasics.html

You'll want to create a transform using SecEncryptTransformCreate or SecDecryptTransformCreate, set its input using SecTransformSetAttribute and execute it with SecTransformExecute.

2. If you need to support Mac OS 10.6 or below, you must use the low-level and rather scary CDSA APIs. CryptoSample's cdsaEncrypt is a concise example.

https://developer.apple.com/library/archive/samplecode/CryptoSample/Listings/libCdsaCrypt_libCdsaCrypt_cpp.html

You can get a CSSM_CSP_HANDLE and a CSSM_KEY from a SecKeyRef by using SecKeyGetCSPHandle and SecKeyGetCSSMKey, respectively.

To learn more about CDSA, the full specification is available from the Open Group (free, but requires registration):

https://www2.opengroup.org/ogsys/jsp/publications/PublicationDetails.jsp?publicationid=11287

Good luck!

3. If the private key was created exportable, you can export it in an unprotected format and use openssl directly. This puts the raw key data directly in the address space of your application, so it defeats one of the primary purposes of the Keychain. Don't do this.

4. Finally, you can mess around with private functions. Mac OS 10.6 and 10.7 include, but do not publicly declare, SecKeyEncrypt and SecKeyDecrypt, with the same arguments as on iOS. The quick'n'dirty solution is to simply declare and use them (weakly linked, with the usual caveats). This is probably a bad idea to do in code that you plan to distribute to others.