Creating an identity - which as you know actually consists of
creating a key pair and a self-signed certificate - is nontrivial,
and unfortunately there is neither API nor published sample code for
it. I recommend you peruse the source of certttool - it's open source
in the Darwin project.
--dpm
On Jan 12, 2006, at 7:33 AM, Aaron Jacobs wrote:
I have created a Cocoa application with a client and a server, not
necessarily on the same machine, that communicate using a custom
protocol that sits on top of SSL (since the programs transmit
sensitive data back and forth). This is implemented using a socket
class I wrote that uses SecureTransport to provide SSL support.
When using SecureTransport, the server end of the connection must
specify an identity using SSLSetCertificate() and a SecIdentityRef.
Currently the server application just looks for an identity in the
keychain and uses the first one it finds, so the person who sets up
the server must manually import an identity into the keychain using
certtool. I would like to simplify this process for those who
don't need the security of a properly signed certificate or just
want to test the program by making certificate verification
optional in the client and allowing the server application to
automatically generate its own certificate if an existing one is
not found. I understand the security implications of this
(specifically the vulnerability to man in the middle attacks) but
want to offer the option to those who just want security good
enough to stop a casual packet sniffer on a wireless network from
obtaining sensitive data.
Anyway, the problem is this: it seems the ONLY way to get a
SecIdentityRef is to pull an identity from the keychain using
SecIdentitySearchCreate() and SecIdentitySearchCopyNext(); there
doesn't seem to be a facility for programmatically creating a new
identity. I don't want the admin of the server to have to run
anything like certtool outside of the program; I want this to be
just a drag and drop install. Ideally the server application would
generate its own identity if needed on the first run, but I can't
figure out how to do that. The best idea I've come up with so far
is to invisibly call a command-line OpenSSL tool to create a
certificate and a key on the hard drive and then use
SecKeychainItemImport() to get them into the keychain, but that
seems a bit inelegant and I haven't tried it yet so there is most
likely some problem lying down that road.
Does anyone have any hints?
Aaron Jacobs
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Apple-cdsa mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/apple-cdsa/email@hidden
This email sent to email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Apple-cdsa mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/apple-cdsa/email@hidden
