1. 首页
  2. 问答
  3. 将私钥导入钥匙串在iphone

将私钥导入钥匙串在iphone

2012-10-28 106 views
26

中按预期工作不正常我需要在将请求发送到后端服务器之前对其进行签名。然而,私钥给我。所以我需要导入它,然后用它来签名。我能够导入和登录,但是这些数据与使用openssl进行签名所获得的数据不同。我知道它做错了,因为当我导入公钥时,我无法验证它。如果有一种方法可以避免导入钥匙串,那也太好了。 几天来一直在努力工作,这对我们来说是一件高价值的工作。有人可以帮忙吗? 将私钥导入钥匙串在iphone

- (SecKeyRef) getPrivateKey { 
//RSA KEY BELOW IS DUMMY. 

key = @"-----BEGIN RSA PRIVATE KEY-----\nORtMei3ImKI2ZKI636I4+uNCwFfZv9pyJzXyfr1ZNo7iaiW7A0NjLxikNxrWpr/M\n6HD8B2j/CSjRPW3bhsgDXAx/AI1aSfJFxazjiTxx2Lk2Ke3jbhE=\n-----END RSA PRIVATE KEY-----\n"; 

NSString * tag = @"adpPrivateKey"; 

    NSString *s_key = [NSString string]; 
    NSArray *a_key = [key componentsSeparatedByString:@"\n"]; 
    BOOL  f_key = FALSE; 

    for (NSString *a_line in a_key) { 
     if ([a_line isEqualToString:@"-----BEGIN RSA PRIVATE KEY-----"]) { 
      f_key = TRUE; 
     } 
     else if ([a_line isEqualToString:@"-----END RSA PRIVATE KEY-----"]) { 
      f_key = FALSE; 
     } 
     else if (f_key) { 
      s_key = [s_key stringByAppendingString:a_line]; 
     } 
    } 
    if (s_key.length == 0) return(nil); 

    // This will be base64 encoded, decode it. 
    NSData *d_key = [NSData dataFromBase64String:s_key]; 

if(d_key == nil) return nil; 

    NSData *d_tag = [NSData dataWithBytes:[tag UTF8String] length:[tag length]]; 

    // Delete any old lingering key with the same tag 
    NSMutableDictionary *privateKey = [[NSMutableDictionary alloc] init]; 
    [privateKey setObject:(id) kSecClassKey forKey:(id)kSecClass]; 
    [privateKey setObject:(id) kSecAttrKeyTypeRSA forKey:(id)kSecAttrKeyType]; 
    [privateKey setObject:d_tag forKey:(id)kSecAttrApplicationTag]; 
    SecItemDelete((CFDictionaryRef)privateKey); 

    CFTypeRef persistKey = nil; 

    // Add persistent version of the key to system keychain 
    [privateKey setObject:d_key forKey:(id)kSecValueData]; 
    [privateKey setObject:(id) kSecAttrKeyClassPrivate forKey:(id) 
    kSecAttrKeyClass]; 
    [privateKey setObject:[NSNumber numberWithBool:YES] forKey:(id) 
    kSecReturnPersistentRef]; 

    OSStatus secStatus = SecItemAdd((CFDictionaryRef)privateKey, &persistKey); 
    if (persistKey != nil) CFRelease(persistKey); 

    if ((secStatus != noErr) && (secStatus != errSecDuplicateItem)) { 
     [privateKey release]; 
     return(nil); 
    } 

    // Now fetch the SecKeyRef version of the key 
    SecKeyRef keyRef = nil; 

    [privateKey removeObjectForKey:(id)kSecValueData]; 
    [privateKey removeObjectForKey:(id)kSecReturnPersistentRef]; 
    [privateKey setObject:[NSNumber numberWithBool:YES] forKey:(id)kSecReturnRef 
    ]; 
    [privateKey setObject:(id) kSecAttrKeyTypeRSA forKey:(id)kSecAttrKeyType]; 
    secStatus = SecItemCopyMatching((CFDictionaryRef)privateKey, 
            (CFTypeRef *)&keyRef); 

    if(secStatus != noErr) 
     return nil; 

    [privateKey release]; 

    return keyRef; 
}

下面的代码是用于签署。部分代码是从苹果公司的例子(http://developer.apple.com/library/ios/#samplecode/CryptoExercise/Listings/Classes_SecKeyWrapper_m.html#//apple_ref/doc/uid/DTS40008019-Classes_SecKeyWrapper_m-DontLinkElementID_17

- (NSData *)getSignatureBytes:(NSString *)plainText { 

OSStatus sanityCheck = noErr; 
NSData * signedHash = nil; 
uint8_t * signedHashBytes = NULL; 
size_t signedHashBytesSize = 0; 
SecKeyRef privateKey = NULL; 

privateKey = [self getPrivateKey]; 

signedHashBytesSize = SecKeyGetBlockSize(privateKey); 

//Create a SHA Encoded 
NSString * shaEncoded = [self sha256:plainText]; 
NSLog(@"%@", shaEncoded); 


// Malloc a buffer to hold signature. 

signedHashBytes = malloc(signedHashBytesSize * sizeof(uint8_t)); 
memset((void *)signedHashBytes, 0x0, signedHashBytesSize); 


NSData *inputData = [self getHashBytes:[plainText dataUsingEncoding:NSUTF8StringEncoding]]; 
int bytesLengthUINT8 = [inputData length]; 

sanityCheck = SecKeyRawSign (privateKey, kSecPaddingPKCS1, (const uint8_t *)inputData, CC_SHA256_DIGEST_LENGTH,(uint8_t *)signedHashBytes, &signedHashBytesSize); 


if(sanityCheck != noErr) 
    return nil; 


signedHash = [NSData dataWithBytes:(const void *)signedHashBytes length:(NSUInteger)signedHashBytesSize];  
NSString *string = [signedHash base64EncodedString]; 

NSLog(@"%@", string); 


if (signedHashBytes) free(signedHashBytes); 
return signedHash; 

}

我使用的代码示例中http://blog.flirble.org/2011/01/05/rsa-public-key-openssl-ios/导入公用密钥并验证其失败。

来源

2012-10-28 Kishore Bulusu

+0

'kSecPaddingPKCS1'的价值是什么?你可以尝试比较公钥和私钥的模数吗? –

+0

嗨@owlstead,你可以详细说明该怎么办?你也看到任何问题,我保存和检索私钥的方式。请让我知道是否有其他我可以使用的库。 –

+0

对不起,我不是ios专家。尽管我现在对加密有很多了解,所以我想我会给你一些一般性建议。例如。 'kSecPaddingPKCS1'不指定散列,并且SHA-1很可能是默认值。如果私钥和公钥的模数不匹配,则它们不属于同一个密钥对。在这两种情况下,签名验证都会失败。 –

回答

1

也许不是将所有的钥匙存放在钥匙串中,而只是将简单的字符串存储在钥匙链中(作为secret_hash)。此外,使用通用的广泛采用的AFNetworking库来安全调用后端Web服务。 (a)使用强健的包装库进行服务调用(AFNetworking)和(b)将私钥存储为(a)使用私有密钥作为后端服务的请求一个.pfx文件在应用程序可访问的位置(我会将.pfx文件保留在项目根目录下)。

因此,创建您自己的AFHTTPClient的子类,并使用子类创建AFHTTPRequestOperations,将挑战块设置为使用从.pfx中提取的凭据。

这样,而不是直接创建AFHTTPRequestOperation - 使用您的AFHTTPClient子类的MySignedAFHTTPRequestOperation方法创建它们。此方法应该创建AFHTTPRequestOperation,然后设置这样的挑战块...

[myOperationObject setAuthenticationChallengeBlock:^(NSURLConnection *connection, NSURLAuthenticationChallenge *challenge) 
    { 
      NSString * pfxPath = [[NSBundle mainBundle] 
          pathForResource:@“pvtKeyFile” ofType:@"pfx"]; 

      NSData *PKCS12Data = [[NSData alloc] initWithContentsOfFile: pfxPath]; 
      CFDataRef inPKCS12Data = (__bridge CFDataRef)PKCS12Data;  
      SecIdentityRef identity; 
      SecTrustRef trust; 
      myIdentityAndTrustExtractionHelper(inPKCS12Data, &identity, &trust); 

      SecCertificateRef certificate = NULL; 
      SecIdentityCopyCertificate (identity, &certificate); 

      const void *certs[] = {certificate}; 
      CFArrayRef certArray = CFArrayCreate(kCFAllocatorDefault, certs, 1, NULL); 

      NSURLCredential *credential = [NSURLCredential 
              credentialWithIdentity:identity 
              certificates:(__bridge NSArray*)certArray 
              persistence:NSURLCredentialPersistencePermanent]; 

      [[challenge sender] useCredential:credential 
       forAuthenticationChallenge:challenge]; 
      CFRelease(certArray); 
    }

下面是上面所用的身份提取辅助函数的一些更详细...

OSStatus myIdentityAndTrustExtractionHelper(CFDataRef inPKCS12Data,   
           SecIdentityRef *mySecIdentityRef, 
           SecTrustRef *myTrustRef) 
{ 
    //modify to get secret-hash from keychain 
    CFStringRef mySecretHash = CFSTR(secret_hash); 
    const void *keys[] = { kSecImportExportPassphrase }; 
    const void *values[] = { mySecretHash }; 


    CFArrayRef pkscItems = CFArrayCreate(NULL, 0, 0, NULL); 
    OSStatus mySecurityError = SecPKCS12Import(inPKCS12Data, 
           CFDictionaryCreate(NULL,keys, values, 1, 
           NULL, NULL), 
           &pkscItems); 
    if (mySecurityError == 0) 
    {         
     CFDictionaryRef myIdentityAndTrust = CFArrayGetValueAtIndex (pkscItems, 0); 
     const void *tempIdentity = NULL; 
     tempIdentity = CFDictionaryGetValue (myIdentityAndTrust, 
              kSecImportItemIdentity); 
     *mySecIdentityRef = (SecIdentityRef)tempIdentity; 
     const void *tempTrust = NULL; 
     tempTrust = CFDictionaryGetValue (myIdentityAndTrust, kSecImportItemTrust); 
     *myTrustRef = (SecTrustRef)tempTrust; 
    } 

    return mySecurityError; 
}

一旦创建(即通过你的AFHTTPClient子类的MySignedAFHTTPRequestOperation方法),将它添加到NSOperationsQueue中执行(当然你需要在创建操作时适当地设置成功和失败处理程序块)

总结:

  • 使用稳定AFNetworking框架,使您的Web服务调用
  • 店的证书私钥作为应用一个.pfx文件,并使用它来创建证书和密钥
  • 允许AFNetworking通过设置您创建的每个操作对象内的凭据来为您执行加密。

希望这会有所帮助。

来源

2014-02-19 22:19:34 CoolDocMan

+0

在没有密码的情况下将普通文件存储在普通文件中听起来像一个坏主意。建议将其作为(移动)应用程序的文件进行分发似乎可以打败它被欺骗的任何安全目的。 KeyChain完全是为了存储敏感数据的目的而使用的。 –

+0

采取了点。我的解决方案更侧重于调用后端服务并将加密适配到该框架中(AFNetworking)我更新了上述解决方案,通过不存储密钥本身而存储密钥链中密钥的密码(特定的调用从keychain中获取密码短语需要在mySecretHash被提取的行中替换 – CoolDocMan

+0

即使有了这种变化,钥匙串仍然是存储敏感信息(如密钥)的好地方,也不清楚你的建议如何帮助海报,问题似乎是关于生成签名的机制,而不是发出HTTP请求。 –

3

采取了公认的答案来看看最后一种方法:Converting NSData to SecKeyRef

的问题是,iOS的处理公钥和私钥略有不同,其中识别头,通常存在,是由其他的安全API预期(以例如Java)不在iOS中。所以你必须去掉它们。

来源

2014-05-20 05:23:15 mikeho

0

如果您只是想将采用标准PHP兼容base64字符串类型格式的AES-256 RSA PEM存储到系统钥匙串中,则适用于我。

我在这里发布这是因为很多地方,我读过你不能直接将PEM文件粘贴到iOS中;否则你必须从它剥去一些标题;等等。但是,至少在iOS 9.3上,现在可以工作了,如果我在某个地方看到了这个,它会为我节省很多时间。 (注意:下面是部分的重大修改版,Objective-C-RSA from https://github.com/ideawu/Objective-C-RSA,请参阅适用的许可证,我暗示没有认可,他们在这里也有一个Swift版本:https://github.com/btnguyen2k/swift-rsautils,看起来功能更完整,可以解决问题很多人)

#define BR (__bridge id) 
#define BRD (__bridge CFDictionaryRef) 

+ (SecKeyRef)storePrivateKey:(NSString *)key inSystemKeychainWithTag:(NSString *)tag { 
    NSRange spos; 
    NSRange epos; 
    spos = [key rangeOfString:@"-----BEGIN RSA PRIVATE KEY-----"]; 
    if(spos.length > 0) { 
     epos = [key rangeOfString:@"-----END RSA PRIVATE KEY-----"]; 
    } 
    else { 
     spos = [key rangeOfString:@"-----BEGIN PRIVATE KEY-----"]; 
     epos = [key rangeOfString:@"-----END PRIVATE KEY-----"]; 
    } 
    if(spos.location != NSNotFound && epos.location != NSNotFound){ 
     NSUInteger s = spos.location + spos.length; 
     NSUInteger e = epos.location; 
     NSRange range = NSMakeRange(s, e-s); 
     key = [key substringWithRange:range]; 
    } 
    key = [key stringByReplacingOccurrencesOfString:@"\r" withString:@""]; 
    key = [key stringByReplacingOccurrencesOfString:@"\n" withString:@""]; 
    key = [key stringByReplacingOccurrencesOfString:@"\t" withString:@""]; 
    key = [key stringByReplacingOccurrencesOfString:@" " withString:@""]; 

    // This will be base64 encoded, decode it. 
    NSData *data = [[NSData alloc] initWithBase64EncodedString:key options:0]; 

    if(data == nil){ 
     return nil; 
    } 

    //a tag to read/write keychain storage 
    NSData *d_tag = [NSData dataWithBytes:[tag UTF8String] length:[tag length]]; 

    // Delete any old lingering key with the same tag 
    NSMutableDictionary *options = [ 
    @{ 
     BR kSecClass: BR kSecClassKey, 
     BR kSecAttrKeyType: BR kSecAttrKeyTypeRSA, 
     BR kSecAttrApplicationTag: d_tag, 
    } 
    mutableCopy]; 

    SecItemDelete(BRD options); 

    // Add persistent version of the key to system keychain 
    [options addEntriesFromDictionary: 
    @{ 
     BR kSecValueData:data, 
     BR kSecAttrKeyClass: BR kSecAttrKeyClassPrivate, 
     BR kSecReturnPersistentRef: @YES, 
    }]; 

    CFTypeRef persistKey = nil; 
    OSStatus status = SecItemAdd(BRD options, &persistKey); 
    if (persistKey != nil){ 
     CFRelease(persistKey); 
    } 
    if ((status != noErr) && (status != errSecDuplicateItem)) { 
     return nil; 
    } 

    [options removeObjectForKey:BR kSecValueData]; 
    [options removeObjectForKey:BR kSecReturnPersistentRef]; 

    [options addEntriesFromDictionary: 
    @{ 
     BR kSecReturnRef:@YES, 
     BR kSecAttrKeyType:BR kSecAttrKeyTypeRSA, 
    }]; 

    // Now fetch the SecKeyRef version of the key 
    SecKeyRef keyRef = nil; 
    status = SecItemCopyMatching(BRD options, (CFTypeRef *)&keyRef); 
    if(status != noErr){ 
     return nil; 
    } 
    return keyRef; 
}

来源

2016-08-13 02:53:45 CommaToast

相关问题

 相关问题