How do I get a DER public key into a SecKeyRef

The data works with OpenSSL in the following manner:


#include <openssl/x509.h>

/* buf holds a DER SubjectPublicKeyInfo; d2i_* advances p, so use a scratch pointer */
const unsigned char *p = buf;
X509_PUBKEY *x = d2i_X509_PUBKEY(NULL, &p, len);
EVP_PKEY *x509 = X509_PUBKEY_get(x);


gets a usable EVP_PKEY.


p = buf;
X509 *x509Ptr = d2i_X509(NULL, &p, len);   /* the buffer is a bare public key, not a certificate */


x509Ptr is NULL.


How do I use the public key in the buffer with the Security framework in a SecKeyRef?


SecTrustEvaluate always returns to me a fatal error and adding exceptions doesn't work.

Answered by DTS Engineer in 47359022

How do I use the public key in the buffer with the Security framework in a SecKeyRef?

Which platform?

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Mac OS 10.9 and up.

Mac OS 10.9 and up.

OK. That’s important because, while there’s some overlap in the Security framework between iOS and OS X, they are largely different beasts.

You can import a DER-encoded public key using SecItemImport. For details, see this post on the old DevForums.

Note: The code in that post imports the key into a keychain. At the time I thought that was a requirement for SecItemImport. My understanding now is that this is not a requirement, and you can get a SecKey object without actually putting the key into the keychain.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Quinn,

Did you mean to link to https://devforums.apple.com/message/944466#944466?

I can get the SecKeyRef now, thanks.

Trying to use it to do an encryption is failing regularly, so I'm still missing something.


CFArrayRef keysArray = NULL;
SecExternalFormat externalFormat = kSecFormatUnknown;      // let the importer detect the encoding
SecExternalItemType externalItemType = kSecItemTypeUnknown;

// Import straight from the DER data; no keychain is supplied, so the key is not stored.
// secStatus is not checked here before the array is used.
OSStatus secStatus = SecItemImport(keyData,
                                   (CFStringRef)NULL,
                                   &externalFormat,
                                   &externalItemType,
                                   (SecItemImportExportFlags)0,
                                   (const SecItemImportExportKeyParameters *)NULL,
                                   (SecKeychainRef)NULL,
                                   &keysArray);
SecKeyRef publicKey = (SecKeyRef)CFArrayGetValueAtIndex(keysArray, 0);

CFErrorRef error = NULL;
SecTransformRef encoder = SecEncryptTransformCreate(publicKey, &error);
SecTransformSetAttribute(encoder, kSecTransformInputAttributeName, sourceData, &error);
SecTransformSetAttribute(encoder, kSecPaddingKey, <tried each padding here>, &error);
CFDataRef resultData = reinterpret_cast<CFDataRef>(SecTransformExecute(encoder, &error));

Accepted Answer

Did you mean to link to https://devforums.apple.com/message/944466#944466?

No. Sorry. I meant <https://devforums.apple.com/message/950088#950088>, but the URL didn’t stick due to a Markdown failure at my end.

Trying to use it to do an encryption is failing regularly, so I'm still missing something.

There are two things that could be causing this:

  • you’re importing the key incorrectly

  • your encryption code is wrong

To see which is which, try comparing your encryption code to the code in CryptoCompatibility. In fact, you should be able to take the encrypt operation from that code (QCCRSASmallCryptorT), which I know works, and wire it up to the key you imported.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks, Quinn.

The note about the padding being assumed and trying to set it to anything at all was what was biting me. I think I've got it now.
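As an added illustration of what the thread settles on (not code from the original post or from CryptoCompatibility): import the DER SubjectPublicKeyInfo with SecItemImport and no keychain, check that the returned item really is a key before casting it, and encrypt with SecEncryptTransform while leaving kSecPaddingKey at its default. It assumes the caller already has the DER bytes in a CFDataRef and is building on OS X; the 11-byte size guard assumes PKCS#1 v1.5 padding.

```objective-c
#include <CoreFoundation/CoreFoundation.h>
#include <Security/Security.h>

// Import a DER SubjectPublicKeyInfo (the same bytes OpenSSL's d2i_X509_PUBKEY parses)
// as a SecKeyRef without touching any keychain. Returns NULL and sets *outStatus on failure.
static SecKeyRef CopyPublicKeyFromDER(CFDataRef derData, OSStatus *outStatus) {
    SecExternalFormat format = kSecFormatUnknown;          // let the importer sniff the encoding
    SecExternalItemType itemType = kSecItemTypePublicKey;  // hint: we expect a bare public key
    CFArrayRef items = NULL;
    SecKeyRef key = NULL;

    OSStatus status = SecItemImport(derData, NULL, &format, &itemType, 0, NULL, NULL, &items);
    if (status == errSecSuccess && items != NULL && CFArrayGetCount(items) > 0) {
        CFTypeRef item = CFArrayGetValueAtIndex(items, 0);
        // Verify the type before casting: the importer can also return certificates or private keys.
        if (CFGetTypeID(item) == SecKeyGetTypeID()) {
            key = (SecKeyRef)CFRetain(item);
        } else {
            status = errSecUnsupportedFormat;
        }
    } else if (status == errSecSuccess) {
        status = errSecItemNotFound;   // import "succeeded" but produced nothing usable
    }
    if (items != NULL) CFRelease(items);
    if (outStatus != NULL) *outStatus = status;
    return key;
}

// RSA-encrypt a small plaintext with the imported key. kSecPaddingKey is deliberately left
// unset so the transform applies its default padding, which is what resolved the thread.
static CFDataRef CopyEncrypted(SecKeyRef publicKey, CFDataRef plaintext, CFErrorRef *outError) {
    // Assumption: PKCS#1 v1.5 padding, which costs 11 bytes of the block. Anything larger
    // than one block must be handled with a hybrid (symmetric key + RSA) scheme instead.
    if ((size_t)CFDataGetLength(plaintext) + 11 > SecKeyGetBlockSize(publicKey)) {
        if (outError != NULL) *outError = CFErrorCreate(NULL, kCFErrorDomainOSStatus, errSecParam, NULL);
        return NULL;
    }
    SecTransformRef encoder = SecEncryptTransformCreate(publicKey, outError);
    if (encoder == NULL) return NULL;

    CFDataRef result = NULL;
    if (SecTransformSetAttribute(encoder, kSecTransformInputAttributeName, plaintext, outError)) {
        result = (CFDataRef)SecTransformExecute(encoder, outError);  // NULL on failure, *outError set
    }
    CFRelease(encoder);
    return result;   // caller owns the returned CFDataRef
}
```

Feed CopyPublicKeyFromDER the same buffer that d2i_X509_PUBKEY accepted; if it fails, the OSStatus tells you whether the import or the type check rejected the data, which separates the "importing wrongly" and "encrypting wrongly" cases Quinn lists.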
