Creating OpenSSH compatible key pairs
Creating OpenSSH compatible key pairs
- Subject: Creating OpenSSH compatible key pairs
- From: Dragan Milić via Cocoa-dev <email@hidden>
- Date: Thu, 9 Apr 2020 15:43:02 +0200
Hello,
My question is not strictly related to Cocoa and I apologise for that, but this
place seems to be the only useful resource for macOS related development and
looking for information and questions (apart from noisy stack overflow).
Secondly, I’m not very experienced in cryptography and related topics, so it
may be possible I’m overlooking something quite obvious.
The straightforward question is: is it possible to create OpenSSH compatible
key pairs, like ssh-keyget utility does, using Security framework? Let’s say, I
want to do the equivalent of the following terminal command:
ssh-keygen -t rsa -b 4096 -C “email@hidden"
I’m trying that with this simplified piece of code:
CFMutableDictionaryRef privAttrs =
CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
&kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
CFDictionarySetValue(privAttrs, kSecAttrIsPermanent, kCFBooleanFalse);
CFDictionarySetValue(privAttrs, kSecAttrLabel, CFSTR("email@hidden"));
CFMutableDictionaryRef attrs = CFDictionaryCreateMutable(kCFAllocatorDefault,
0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
CFDictionarySetValue(attrs, kSecAttrKeyType, kSecAttrKeyTypeRSA);
CFDictionarySetValue(attrs, kSecAttrKeySizeInBits, CFSTR("4096"));
CFDictionarySetValue(attrs, kSecPrivateKeyAttrs, privAttrs);
CFErrorRef error = NULL;
SecKeyRef privateKey = SecKeyCreateRandomKey(attrs, &error);
if (privateKey)
{
CFDataRef data = NULL;
OSStatus status = SecItemExport(privateKey, kSecFormatSSH,
kSecItemPemArmour, NULL, &data);
if (status == errSecSuccess)
{
// ... save private key data to a file ...
}
SecKeyRef publicKey = SecKeyCopyPublicKey(privateKey);
if (publicKey)
{
status = SecItemExport(publicKey, kSecFormatSSH, kSecItemPemArmour,
NULL, &data);
if (status == errSecSuccess)
{
// ... save public key data to a file ...
}
CFRelease(publicKey);
}
CFRelease(privateKey);
}
CFRelease(privAttrs);
CFRelease(attrs);
This seems to create valid RSA key pair, which I can add to the Keychain on
creation if I choose to (setting permanent attribute to true), but the
exporting operation doesn’t end up with files I expect. The PEM armour seems
not to be correct, the text representation of the key begins and ends with
-----BEGIN/END RSA PRIVATE KEY----- as opposed to -----BEGIN/END OPENSSH
PRIVATE KEY----- and the key structure looks different in general. If I try to
show key fingerprint using
ssh-keygen -l -f <keyfile>
I get response that “<keyfile> is not a key file. If I, for example, try to
upload the public key to GitHub to use for SSH connection, it’s rejected,
because “key is invalid, you must supply a key in OpenSSH public key format."
I’d appreciate if anyone points out what I’m doing wrong and whether this is
achievable with Security framework at all.
Thanks,
-- Dragan
_______________________________________________
Cocoa-dev mailing list (email@hidden)
Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden