Get X509 Data without OpenSSL

Privacy & Security General
TyngJJ OP
Created Jun ’15
Replies 7
Boosts 0
Views 2.3k
Participants 2

I previously would check if one certificate signed another (used to construct a certificate chain, NOT to validate), using the following code to create the data representation for the leaf certificate:

    CFDataRef data = SecCertificateCopyData(certificate);
    const UInt8 *buffer = CFDataGetBytePtr(data);
    X509 *x = X509_new();
    d2i_X509(&x, &buffer, CFDataGetLength(data));
    CFRelease(data);
    int length = i2d_X509_CINF(x->cert_info, NULL);
    unsigned char *info = malloc(length), *infoPtr = info;
    i2d_X509_CINF(x->cert_info, &info);
    X509_free(x);
    return CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, infoPtr, length, kCFAllocatorMalloc);

OpenSSL is now gone from 10.11, is there another method of creating this representation?

I didn't see anything like this in CryptoCompatibility

Replies  7
Boosts  0
Views  2.3k
Participants  2
TyngJJ OP
Jun ’15

Filed as a request rdar://21410560

0
Peter2131 OP
Apr ’19

i am looking for some solution to get x509 data without openssl any suggestions ??

0
TyngJJ OP
Apr ’19

It strongly depends on what you're trying to do, but on macOS there's SecAsn1Coder.h which is essentially unsupported, but will work with X509Templates.h and other headers from the open source repository for Security. The coder will convert between the byte representation and structs in memory.

0
Peter2131 OP
Apr ’19

i wanted to fetch expiration date details from certificate in iOS. I tried using apple security framework calling method SecCertificateCreateWithData but its not supporting for iOS

0
TyngJJ OP
Apr ’19

If you just want to check if a certificate has expired, I think there's already a way to do that, SecTrust or other. Then there's SecCertificateCopyValues() and kSecOIDX509V1ValidityNotAfter. Otherwise you would need to decode the certificate, then the to-be-signed part, then the "validity" part which is basically text of the UTC time.

0
Peter2131 OP
Apr ’19

for Decoding the certificate do i need to use some openssl lib ??? if not what are ways to decode certificate?

0
TyngJJ OP
Apr ’19

I couldn't tell you for iOS, there probably is some well-regarded ASN1 library which has X509 templates, but I use SecAsn1Coder on macOS. Keep in mind this would be a big security risk (overflow, corruption, etc) if the library wasn't well-tested.

0
Get X509 Data without OpenSSL
First post date Last post date
 
 
Q