Re: SHA1 hash for public cert in keychain

On Nov 09 2009 05:48 PM, Keith Moores wrote:
> We have an app built to support 10.4 and up that needs to set an
> identity preference when running on 10.5 and up systems.  As we need
> to support the lowest common denominator (10.4) we believe we're
> left with using the CLI, "security set-identity-preference" with the
> -Z option (as our user certificates' "CNs" are not necessarily
> unique).  But how to get the "SHA-1 hash of certificate"...

The security tool on 10.4 did not support a set-identity-preference command. However, the identity preference API functions are present on 10.4, just not listed in the header file.

>
> Is there a CDSA/Apple API to retrieve the fingerprint (SHA-1 hash)
> of a certificate from the keychain?

It isn't necessary to go down to the CDSA level for this. You presumably have a SecIdentityRef, from which you can get the certificate (via SecIdentityCopyCertificate), and then a pointer to the certificate's data (via SecCertificateGetData). Now you want to get a SHA-1 digest (or hash) of that data.

Probably the easiest way is to use Common Crypto (#include <CommonCrypto/CommonDigest.h>). These functions are built into the system library, and documented in man pages ('man "Common Crypto"', 'man CC_SHA'). A single call will give you the hash:

#include <CommonCrypto/CommonDigest.h>
/* certData is the CSSM_DATA filled in by SecCertificateGetData */
unsigned char hashValue[CC_SHA1_DIGEST_LENGTH];
CC_SHA1(certData.Data, (CC_LONG)certData.Length, hashValue); /* pass the array, not &hashValue, which has the wrong pointer type */

At a higher level, the security tool will give you a SHA-1 hash for certificates or identities it finds based on search criteria. That may or may not help if you cannot be sure of an exact match for your query. Here's an example:

$ security find-identity -p ssl-client -v | grep 'UVA' | awk '{print $2}' | sed -e '2,$d'

This asks security to find all valid identities which can be used as an SSL client certificate, then pipes the results to a grep command filtering on a particular common name, then extracts the SHA-1 hash field using awk, and finally throws away everything after the first match.

Here's another example, which finds certificates regardless of whether they are part of an identity, and prints the hash:

$ security find-certificate -c 'UVA Standard Assurance Primary' -Z | grep ^SHA | sed -e 's/.*: //'
4316409E05D0809C798093C4CE6E88C38E29C539

If the certificate is in a file by itself, you could do something like this instead:

$ openssl x509 -sha1 -fingerprint -inform DER -in ~/Desktop/UVA.cer -noout | sed -e 's/.*=//' -e 's/://g'
4316409E05D0809C798093C4CE6E88C38E29C539

-ken
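The reply above says the "fingerprint" is nothing more than SHA-1 over the certificate's DER bytes, rendered either as 40 bare hex digits (the security tool) or as colon-separated pairs (openssl). The following is an added example, not code from the message or from Apple: it swaps a small portable SHA-1 for CC_SHA1 so it builds outside macOS, then renders the digest in both forms and normalises a fingerprint pasted from either tool before comparison. The function names (fingerprint_hex, fingerprint_colon, normalize_fingerprint) and the three-byte stand-in for certData.Data are assumptions for illustration; a real caller passes the DER bytes returned by SecCertificateGetData or read from a .cer file.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define SHA1_DIGEST_LENGTH 20   /* same value as CommonCrypto's CC_SHA1_DIGEST_LENGTH */

static uint32_t rol32(uint32_t x, unsigned n) { return (x << n) | (x >> (32 - n)); }

/* Compress one 64-byte block into the running state h (FIPS 180-1). */
static void sha1_block(uint32_t h[5], const unsigned char blk[64]) {
    uint32_t w[80], a = h[0], b = h[1], c = h[2], d = h[3], e = h[4];
    for (int i = 0; i < 16; i++)
        w[i] = ((uint32_t)blk[4*i] << 24) | ((uint32_t)blk[4*i+1] << 16) |
               ((uint32_t)blk[4*i+2] << 8) | (uint32_t)blk[4*i+3];
    for (int i = 16; i < 80; i++)
        w[i] = rol32(w[i-3] ^ w[i-8] ^ w[i-14] ^ w[i-16], 1);
    for (int i = 0; i < 80; i++) {
        uint32_t f, k;
        if (i < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999; }
        else if (i < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1; }
        else if (i < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDC; }
        else             { f = b ^ c ^ d;                   k = 0xCA62C1D6; }
        uint32_t t = rol32(a, 5) + f + e + k + w[i];
        e = d; d = c; c = rol32(b, 30); b = a; a = t;
    }
    h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
}

/* Portable stand-in for CC_SHA1(data, len, out): digest of an arbitrary byte string. */
void sha1(const unsigned char *data, size_t len, unsigned char out[SHA1_DIGEST_LENGTH]) {
    uint32_t h[5] = {0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0};
    unsigned char tail[128] = {0};
    size_t i = 0, rem, tlen;
    for (; i + 64 <= len; i += 64) sha1_block(h, data + i);
    rem = len - i;                          /* 0..63 bytes left over */
    memcpy(tail, data + i, rem);
    tail[rem] = 0x80;                       /* mandatory 1 bit, then zero padding */
    tlen = (rem < 56) ? 64 : 128;           /* second block needed if no room for the length */
    uint64_t bits = (uint64_t)len * 8;
    for (int j = 0; j < 8; j++) tail[tlen - 1 - j] = (unsigned char)(bits >> (8 * j));
    sha1_block(h, tail);
    if (tlen == 128) sha1_block(h, tail + 64);
    for (int j = 0; j < 5; j++)
        for (int k = 0; k < 4; k++) out[4*j + k] = (unsigned char)(h[j] >> (24 - 8*k));
}

/* Fingerprint in the bare 40-hex-digit form that `security find-certificate -Z` prints. */
void fingerprint_hex(const unsigned char *der, size_t len, char out[41]) {
    unsigned char d[SHA1_DIGEST_LENGTH];
    sha1(der, len, d);
    for (int i = 0; i < SHA1_DIGEST_LENGTH; i++) sprintf(out + 2*i, "%02X", d[i]);
}

/* Fingerprint in the colon-separated form that `openssl x509 -fingerprint` prints. */
void fingerprint_colon(const unsigned char *der, size_t len, char out[60]) {
    unsigned char d[SHA1_DIGEST_LENGTH];
    sha1(der, len, d);
    for (int i = 0; i < SHA1_DIGEST_LENGTH; i++) {
        sprintf(out + 3*i, "%02X", d[i]);
        out[3*i + 2] = (i < SHA1_DIGEST_LENGTH - 1) ? ':' : '\0';
    }
}

/* Normalise a fingerprint that may carry colons or lowercase digits (the job of the
 * sed calls in the message) to the bare uppercase form. Returns 0 on success, -1 if
 * the input is not exactly 40 hex digits, so a truncated paste cannot silently match. */
int normalize_fingerprint(const char *in, char out[41]) {
    int n = 0;
    for (; *in; in++) {
        if (*in == ':' || *in == ' ') continue;
        if (!isxdigit((unsigned char)*in) || n == 40) return -1;
        out[n++] = (char)toupper((unsigned char)*in);
    }
    if (n != 40) return -1;
    out[n] = '\0';
    return 0;
}

int main(void) {
    /* Constructed stand-in for certData.Data / certData.Length (not a real certificate). */
    const unsigned char der[] = "abc";
    char hex[41], colon[60], norm[41];
    fingerprint_hex(der, 3, hex);
    fingerprint_colon(der, 3, colon);
    printf("security style: %s\nopenssl style:  %s\n", hex, colon);
    if (normalize_fingerprint(colon, norm) == 0 && strcmp(norm, hex) == 0)
        printf("both renderings denote the same certificate\n");
    return 0;
}
```

When the fingerprint is used as the -Z argument to security set-identity-preference, run it through normalize_fingerprint first: a value copied from openssl output with colons, or with a digit lost in copy-and-paste, would otherwise simply fail to select the intended identity rather than report an error.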
