Thanks for the reply. For some reason, I didn't even think to check
if certtool was open source. I looked at the source (http://
darwinsource.opendarwin.org/10.4/security_certtool-4/src/
CertTool.cpp), and as I suspected it uses APIs at a lower level than
I care to dig into.
Luckily, I discovered through trial and error and a post of yours
(http://lists.apple.com/archives/Apple-cdsa/2005/Dec/msg00037.html)
that an identity is actually nothing special -- you can just import a
certificate and the matching key into the keychain and then next time
you search for an identity you will get it.
So for the reference of anyone who tries to do this in the future,
here is my plan. I will create a temporary file using something like
mkstemp(), then invoke a command like the following:
A -subj option can be added to that to put appropriate values into
the certificate. Finally I will suck up the data in the temporary
file and feed it to SecKeychainItemImport() to bring the generated
private key and certificate into the keychain. Once this is done, an
identity can be found in the keychain.
Aaron
On Jan 12, 2006, at 1:17 PM, Doug Mitchell wrote:
Creating an identity - which as you know actually consists of
creating a key pair and a self-signed certificate - is nontrivial,
and unfortunately there is neither API nor published sample code
for it. I recommend you peruse the source of certttool - it's open
source in the Darwin project.
--dpm
On Jan 12, 2006, at 7:33 AM, Aaron Jacobs wrote:
I have created a Cocoa application with a client and a server, not
necessarily on the same machine, that communicate using a custom
protocol that sits on top of SSL (since the programs transmit
sensitive data back and forth). This is implemented using a
socket class I wrote that uses SecureTransport to provide SSL
support. When using SecureTransport, the server end of the
connection must specify an identity using SSLSetCertificate() and
a SecIdentityRef.
Currently the server application just looks for an identity in the
keychain and uses the first one it finds, so the person who sets
up the server must manually import an identity into the keychain
using certtool. I would like to simplify this process for those
who don't need the security of a properly signed certificate or
just want to test the program by making certificate verification
optional in the client and allowing the server application to
automatically generate its own certificate if an existing one is
not found. I understand the security implications of this
(specifically the vulnerability to man in the middle attacks) but
want to offer the option to those who just want security good
enough to stop a casual packet sniffer on a wireless network from
obtaining sensitive data.
Anyway, the problem is this: it seems the ONLY way to get a
SecIdentityRef is to pull an identity from the keychain using
SecIdentitySearchCreate() and SecIdentitySearchCopyNext(); there
doesn't seem to be a facility for programmatically creating a new
identity. I don't want the admin of the server to have to run
anything like certtool outside of the program; I want this to be
just a drag and drop install. Ideally the server application
would generate its own identity if needed on the first run, but I
can't figure out how to do that. The best idea I've come up with
so far is to invisibly call a command-line OpenSSL tool to create
a certificate and a key on the hard drive and then use
SecKeychainItemImport() to get them into the keychain, but that
seems a bit inelegant and I haven't tried it yet so there is most
likely some problem lying down that road.
Does anyone have any hints?
Aaron Jacobs
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Apple-cdsa mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/apple-cdsa/email@hidden
This email sent to email@hidden
Attachment:
PGP.sig Description: This is a digitally signed message part
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Apple-cdsa mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/apple-cdsa/email@hidden
This email sent to email@hidden
