将公钥和私钥从iOS导出到OpenSSL

时间:2016-12-14 06:19:22

标签: ios openssl public-key key-pair secure-element

我正在开发我需要创建CSR的app,通过使用Objective c或Swift这并不容易。所以我选择了OpenSSL来创建CSR并且我创建了成功的代码如下所示,但是我的另一个核心要求是将密钥存储在安全区域中,但是在我在线搜索时这在OpenSSL中是不可能的。 现在我想在安全区域中的目标c中创建密钥对,然后将这些公钥(带数据)和私钥(带参考)导出到openSSL(EC_KEY),然后从中创建CSR。我发现这个this link要导出密钥,但是没有办法导出私钥(数据不可能,但有参考)。

我需要一些指导如何做到这一点。

    - (void)genCSRX509ForEC
{
    int             ret = 0;
    DSA             *r = NULL;
    BIGNUM          *bne = NULL;


int             nVersion = 1;

unsigned long   e = RSA_F4;

X509_REQ        *x509_req = NULL;
X509_NAME       *x509_name = NULL;
EVP_PKEY        *pKey = NULL;
BIO             *out = NULL;

const char      *szCountry = "USA";
const char      *szProvince = "MA";
const char      *szCity = "Boston";
const char      *szOrganization = "MyComp";
const char      *szCommon = "MYC";

const char      *szPath = "x509Req.pem";

// 1. generate rsa key
bne = BN_new();
ret = BN_set_word(bne,e);
if(ret != 1){
    goto free_all;
}

r = DSA_new();
//    
//    EC_KEY* _ec_key = EC_KEY_new();
//    EC_GROUP* ec_group_new = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
//    const EC_GROUP* ec_group = ec_group_new;
//    if (!EC_KEY_set_group(_ec_key,ec_group))
//        NSLog(@"Error in initializeCrypto, EC_KEY_set_group failed!");

    // Segfault at this position


    //////////////////////////// CREATE KEYPAIR /////////////////////////////////////

    EC_KEY* _ec_key = EC_KEY_new();
    EC_GROUP* ec_group_new = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
    const EC_GROUP* ec_group = ec_group_new;
    if (!EC_KEY_set_group(_ec_key,ec_group))
        NSLog(@"Error in initializeCrypto, EC_KEY_set_group failed!");

    EC_KEY_generate_key(_ec_key);

    ret = EC_KEY_check_key(_ec_key);
    if (ret != 1){
        goto free_all;
    }

      const BIGNUM *privateKey = EC_KEY_get0_private_key(_ec_key);
      const EC_POINT *publicKey = EC_KEY_get0_public_key(_ec_key);

      privateKeySize = i2d_ECPrivateKey(_ec_key,NULL);
      unsigned char *privateKeyBuf = OPENSSL_malloc(privateKeySize);
      memset(privateKeyBuf, 0, privateKeySize);
      int status = i2d_ECPrivateKey(_ec_key,&privateKeyBuf);
      if (!ret){
        NSLog(@"Private key to DER failed\n");
        return;
      }
      else {
        NSLog(@"Private key %s",privateKeyBuf);
      }
    privateKeyUnsignedChar = privateKeyBuf;

      publicKeySize = i2o_ECPublicKey(_ec_key,NULL);
      unsigned char *publicKeyBuf = OPENSSL_malloc(privateKeySize);
      memset(publicKeyBuf, 0, privateKeySize);
      ret = i2o_ECPublicKey(_ec_key,&publicKeyBuf);
      if (!ret){
        NSLog(@"Public key to octed failed\n");
        return;
      }
      else {
        NSLog(@"Public key %s",publicKeyBuf);
      }
    publicKeyUnsignedChar = publicKeyBuf;
    NSLog(@"key generation generated");

    //////////////////////////// CREATE KEYPAIR END /////////////////////////////////////


    // 2. set version of x509 req
    x509_req = X509_REQ_new();
    ret = X509_REQ_set_version(x509_req, nVersion);
    if (ret != 1){
        goto free_all;
    }

    // 3. set subject of x509 req
    x509_name = X509_REQ_get_subject_name(x509_req);

    ret = X509_NAME_add_entry_by_txt(x509_name,"C", MBSTRING_ASC, (const unsigned char*)szCountry, -1, -1, 0);
    if (ret != 1){
        goto free_all;
    }

    ret = X509_NAME_add_entry_by_txt(x509_name,"ST", MBSTRING_ASC, (const unsigned char*)szProvince, -1, -1, 0);
    if (ret != 1){
        goto free_all;
    }

    ret = X509_NAME_add_entry_by_txt(x509_name,"L", MBSTRING_ASC, (const unsigned char*)szCity, -1, -1, 0);
    if (ret != 1){
        goto free_all;
    }

    ret = X509_NAME_add_entry_by_txt(x509_name,"O", MBSTRING_ASC, (const unsigned char*)szOrganization, -1, -1, 0);
    if (ret != 1){
        goto free_all;
    }

    ret = X509_NAME_add_entry_by_txt(x509_name,"CN", MBSTRING_ASC, (const unsigned char*)szCommon, -1, -1, 0);
    if (ret != 1){
        goto free_all;
    }

    // 4. set public key of x509 req
    pKey = EVP_PKEY_new();
    EVP_PKEY_assign_EC_KEY(pKey, _ec_key);
    r = NULL;   // will be free rsa when EVP_PKEY_free(pKey)

    ret = X509_REQ_set_pubkey(x509_req, pKey);
    if (ret != 1){
        goto free_all;
    }

    // 5. set sign key of x509 req
    ret = X509_REQ_sign(x509_req, pKey, EVP_sha256());    // return x509_req->signature->length
    if (ret <= 0){
        goto free_all;
    }

    out = BIO_new_file(szPath,"w");
    ret = PEM_write_bio_X509_REQ(out, x509_req);
    X509_REQ_print_fp(stdout, x509_req);


    [self createFileForPEM:x509_req];

    //    PEM_write_X509_REQ(pemFile, certSigningRequest);
    // 6. free
free_all:
    X509_REQ_free(x509_req);
    BIO_free_all(out);

    EVP_PKEY_free(pKey);
//    BN_free(bne);


}

1 个答案:

答案 0 :(得分:0)

参考https://www.openssl.org/docs/man1.0.2/crypto/d2i_ECPrivate_key.htmlhttps://www.openssl.org/docs/man1.0.2/crypto/d2i_ECPrivateKey.html

您可以调用i2d_ECPrivateKey将其转换为给定unsigned char数组中的DER格式,然后将其转换为Base64并写入文件。

//int i2d_ECPrivateKey(EC_KEY *key, unsigned char **out);
int len = -1;
unsigned char outbuf[2000]; /*large enough to hold the key.*/
len = i2d_ECPrivateKey(_ec_key, outbuf);
/*Now, you have outbuf with len bytes*/
/*Write it to file with in DER format and you can use d2i_ECPrivateKey to import it. */
相关问题
最新问题