Signing with SecKeyCreateSignature and verification with OpenSSL

In my app I have a SecKey that I want to sign some data with, and on my server I need to do the verification, but this time with OpenSSL.
I didn't find any common key or any steps to achieve this between the Apple Security framework and OpenSSL.
For example, I've tried the following:
Signing (Apple Security):
let signedStrCFData = SecKeyCreateSignature(key, .rsaSignatureRaw, plaintextData, &error)

Verifying (OpenSSL):

ret = RSA_verify(NID_rsaSignature, (const unsigned char *)challenge, (unsigned int)strlen(challenge), challenge_enc, challenge_enc_size, rsa);

Which key to choose is not really important to me (as long as it's a reasonable signing key), so I tried multiple types of keys, but I wasn't able to do it.
Any idea what I'm missing here?

Replies

The CryptoCompatibility sample code shows how to do various crypto operations in a way that’s compatible with various third-party security toolkits.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Thanks for the reply! I have a few questions regarding this approach:
  1. It's supported only from OSXApplicationExtension 10.15; what can I use for earlier versions?

  2. I already have the SecKey - how can I use it as an argument for one of the signing functions?

Can I open a DTS for a little help on this one?

Can I open a DTS for a little help on this one?

Absolutely.

what can I use for earlier version?

CryptoCompatibility has a Compat file that includes three different implementations:
  • -runUsingUnified, using the modern API that works on all platforms

  • -runUsingTransforms, using the SecTransform API for older versions of macOS

  • -runUsingRaw, using the old SecKey ‘raw’ API for older versions of iOS

I already have the SecKey - how can I use it as an argument for one of the signing functions?

I don’t understand this question. All of the APIs in play here take a SecKey.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Thanks! I submitted DTS 747436627
Yeah, that’s landed in my queue. I’ll respond from there later today.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

It is true that I am confronting a similar issue when using the SecKeyCreateSignature API to sign raw data based on the Apple Security framework.

signedDataRef = SecKeyCreateSignature(privKeyRef, kSecKeyAlgorithmRSASignatureRaw, signDataRef, &error);

When I choose the algorithm kSecKeyAlgorithmRSASignatureRaw with the same certificate, on the iOS platform it works OK. But on the Mac platform, this method returns an "algorithm not support" error.

It looks like CTK on Mac does not support this algorithm. What about signing the 'raw' data by using the SecTransform API if the algorithm is not supported on Mac?

But on the Mac platform, this method returns an "algorithm not support" error.

macOS supports .rsaSignatureRaw. For example, this code runs just fine:

import Foundation

func main() throws {
    let privateKey = try secCall { SecKeyCreateRandomKey([
        kSecAttrKeyType: kSecAttrKeyTypeRSA,
        kSecAttrKeySizeInBits: 2048,
    ] as NSDictionary, $0) }
    let dataToSign = Data(repeatElement("Hello Cruel World!".utf8, count: 16).joined().prefix(256))
    let signature = try secCall { SecKeyCreateSignature(privateKey, .rsaSignatureRaw, dataToSign as NSData, $0) }
    print(signature)
    // prints: {length = 256, bytes = 0x7d12905d … 1ebadc0a }
}

try main()

Note: It’s using the helper routines from here.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
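To make the two sides of the original question line up: .rsaSignatureRaw (kSecKeyAlgorithmRSASignatureRaw) applies the textbook RSA private-key operation to a block that is exactly the modulus size with no padding (which is why the snippet above feeds it 256 bytes for a 2048-bit key), while OpenSSL's RSA_verify(NID_sha256, ...) expects that block to be the EMSA-PKCS1-v1_5 encoding of the message digest. The following Python is an added example, not code from this thread or from CryptoCompatibility; it builds that encoding, applies the raw RSA operation, and verifies the way RSA_verify does. The key is a toy built from two published Mersenne primes so it runs offline; the message is constructed.

```python
import hashlib
import hmac

# DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15_sha256(message: bytes, k: int) -> bytes:
    # The block RSA_verify(NID_sha256, ...) rebuilds and compares; k = modulus size in bytes.
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for SHA-256 DigestInfo")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def raw_rsa(block: bytes, exponent: int, n: int) -> bytes:
    # Textbook RSA with no padding: what .rsaSignatureRaw does with the private exponent.
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(block, "big")
    if len(block) != k or m >= n:
        raise ValueError("raw RSA needs a block of exactly modulus size, below n")
    return pow(m, exponent, n).to_bytes(k, "big")

def sign_pkcs1_v15_sha256(message: bytes, d: int, n: int) -> bytes:
    # Pad first, then apply the raw private-key operation: a PKCS#1 v1.5 signature.
    return raw_rsa(emsa_pkcs1_v15_sha256(message, (n.bit_length() + 7) // 8), d, n)

def verify_pkcs1_v15_sha256(message: bytes, sig: bytes, e: int, n: int) -> bool:
    # Mirrors OpenSSL RSA_verify: raw public-key op, then compare the whole block.
    try:
        expected = emsa_pkcs1_v15_sha256(message, (n.bit_length() + 7) // 8)
        return hmac.compare_digest(raw_rsa(sig, e, n), expected)
    except ValueError:
        return False

def toy_rsa_key():
    # Key from two published Mersenne primes so the example runs offline without a
    # prime generator. Its factors are public: a demo key only, never use one like it.
    p, q, e = (1 << 521) - 1, (1 << 607) - 1, 65537
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))  # (n, e, d)
```

Feeding the unpadded message (zero-extended to the modulus size) to the raw operation, as the original post's pairing does, produces a block that this verifier rejects; only the padded block verifies.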


The private key ref I got from my physical smart card with the method below:

SecIdentityRef identity = xxxx;
status = SecIdentityCopyPrivateKey(identity, &privKeyRef);

and I also checked the algorithm with the lines below, and the result is also failure:

if (!SecKeyIsAlgorithmSupported(privKeyRef, kSecKeyOperationTypeSign, kSecKeyAlgorithmRSASignatureRaw)) {
      NSLog(@"Cannot support RSA Signature Algorithm kSecKeyAlgorithmRSASignatureRaw");
}

Looks like the CTK on the Mac platform does not support this algorithm? I can use similar code to sign the same data on the iOS platform.