将私钥导入Keychain在iphone中无法正常工作

Question

我需要在将请求发送到后端服务器之前对其进行签名.但是私钥是给我的.所以我需要导入它然后用它来签名.我可以导入和登录,但该数据与使用openssl签名时获得的数据不同.我知道它做错了,因为当我导入公钥时,我也无法验证它.如果有一种方法可以避免导入到钥匙串,那也会很棒. 几天来一直在努力工作,这对我们来说是一项很高的工作.请有人帮忙.

- (SecKeyRef) getPrivateKey {
//RSA KEY BELOW IS DUMMY. 

key = @"-----BEGIN RSA PRIVATE KEY-----\nORtMei3ImKI2ZKI636I4+uNCwFfZv9pyJzXyfr1ZNo7iaiW7A0NjLxikNxrWpr/M\n6HD8B2j/CSjRPW3bhsgDXAx/AI1aSfJFxazjiTxx2Lk2Ke3jbhE=\n-----END RSA PRIVATE KEY-----\n";

NSString * tag = @"adpPrivateKey";

    NSString *s_key = [NSString string];
    NSArray  *a_key = [key componentsSeparatedByString:@"\n"];
    BOOL     f_key  = FALSE;

    for (NSString *a_line in a_key) {
        if ([a_line isEqualToString:@"-----BEGIN RSA PRIVATE KEY-----"]) {
            f_key = TRUE;
        }
        else if ([a_line isEqualToString:@"-----END RSA PRIVATE KEY-----"]) {
            f_key = FALSE;
        }
        else if (f_key) {
            s_key = [s_key stringByAppendingString:a_line];
        }
    }
    if (s_key.length == 0) return(nil);

    // This will be base64 encoded, decode it.
    NSData *d_key = [NSData dataFromBase64String:s_key];

if(d_key == nil) return nil;

    NSData *d_tag = [NSData dataWithBytes:[tag UTF8String] length:[tag length]];

    // Delete any old lingering key with the same tag
    NSMutableDictionary *privateKey = [[NSMutableDictionary alloc] init];
    [privateKey setObject:(id) kSecClassKey forKey:(id)kSecClass];
    [privateKey setObject:(id) kSecAttrKeyTypeRSA forKey:(id)kSecAttrKeyType];
    [privateKey setObject:d_tag forKey:(id)kSecAttrApplicationTag];
    SecItemDelete((CFDictionaryRef)privateKey);

    CFTypeRef persistKey = nil;

    // Add persistent version of the key to system keychain
    [privateKey setObject:d_key forKey:(id)kSecValueData];
    [privateKey setObject:(id) kSecAttrKeyClassPrivate forKey:(id)
     kSecAttrKeyClass];
    [privateKey setObject:[NSNumber numberWithBool:YES] forKey:(id)
     kSecReturnPersistentRef];

    OSStatus secStatus = SecItemAdd((CFDictionaryRef)privateKey, &persistKey);
    if (persistKey != nil) CFRelease(persistKey);

    if ((secStatus != noErr) && (secStatus != errSecDuplicateItem)) {
        [privateKey release];
        return(nil);
    }

    // Now fetch the SecKeyRef version of the key
    SecKeyRef keyRef = nil;

    [privateKey removeObjectForKey:(id)kSecValueData];
    [privateKey removeObjectForKey:(id)kSecReturnPersistentRef];
    [privateKey setObject:[NSNumber numberWithBool:YES] forKey:(id)kSecReturnRef
     ];
    [privateKey setObject:(id) kSecAttrKeyTypeRSA forKey:(id)kSecAttrKeyType];
    secStatus = SecItemCopyMatching((CFDictionaryRef)privateKey,
                                    (CFTypeRef *)&keyRef);

    if(secStatus != noErr)
        return nil;

    [privateKey release];

    return keyRef;
}

以下代码用于签署.部分代码来自Apple示例(http://developer.apple.com/library/ios/#samplecode/CryptoExercise/Listings/Classes_SecKeyWrapper_m.html#//apple_ref/doc/uid/DTS40008019-Classes_SecKeyWrapper_m-DontLinkElementID_17)

- (NSData *)getSignatureBytes:(NSString *)plainText {

OSStatus sanityCheck = noErr;
NSData * signedHash = nil;
uint8_t * signedHashBytes = NULL;
size_t signedHashBytesSize = 0;
SecKeyRef privateKey = NULL;

privateKey = [self getPrivateKey];

signedHashBytesSize = SecKeyGetBlockSize(privateKey);

//Create a SHA Encoded 
NSString * shaEncoded = [self sha256:plainText];
NSLog(@"%@", shaEncoded);


// Malloc a buffer to hold signature.

signedHashBytes = malloc( signedHashBytesSize * sizeof(uint8_t) );
memset((void *)signedHashBytes, 0x0, signedHashBytesSize);


NSData *inputData = [self getHashBytes:[plainText dataUsingEncoding:NSUTF8StringEncoding]];
int bytesLengthUINT8 = [inputData length]; 

sanityCheck =  SecKeyRawSign ( privateKey, kSecPaddingPKCS1, (const uint8_t *)inputData, CC_SHA256_DIGEST_LENGTH,(uint8_t *)signedHashBytes, &signedHashBytesSize);


if(sanityCheck != noErr)
    return nil;


signedHash = [NSData dataWithBytes:(const void *)signedHashBytes length:(NSUInteger)signedHashBytesSize];    
NSString *string = [signedHash base64EncodedString];

NSLog(@"%@", string);


if (signedHashBytes) free(signedHashBytes);
return signedHash;

}

我使用http://blog.flirble.org/2011/01/05/rsa-public-key-openssl-ios/中的代码示例导入公钥并验证其失败.

Answer 1

也许您可以只在钥匙链中存储一个简单的字符串（作为 Secret_hash），而不是将所有密钥存储在钥匙链中。此外，还可以使用广泛采用的通用 AFNetworking 库对后端 Web 服务进行安全调用。

\n\n

因此，如果您需要使用私钥对后端服务的请求进行签名，我建议您通过 (a) 使用强大的包装库进行服务调用 (AFNetworking) 和 (b) 将私钥存储为 .pfx 文件来执行此操作位于应用程序可访问的位置（我将 .pfx 文件保留在项目根目录中。）

\n\n

因此，创建您自己的 AFHTTPClient 子类，并使用该子类创建 AFHTTPRequestOperations，并将质询块设置为使用从 .pfx 中提取的凭据。

\n\n

这样，就可以使用 AFHTTPClient 子类的 MySignedAFHTTPRequestOperation 方法来创建它们，而不是直接创建 AFHTTPRequestOperation。此方法应该创建 AFHTTPRequestOperation，然后像这样设置挑战块......

\n\n

    [myOperationObject setAuthenticationChallengeBlock:^(NSURLConnection *connection, NSURLAuthenticationChallenge *challenge)\n    {\n             NSString * pfxPath = [[NSBundle mainBundle]\n                           pathForResource:@\xe2\x80\x9cpvtKeyFile\xe2\x80\x9d ofType:@"pfx"];\n\n            NSData *PKCS12Data = [[NSData alloc] initWithContentsOfFile: pfxPath];\n            CFDataRef inPKCS12Data = (__bridge CFDataRef)PKCS12Data;    \n            SecIdentityRef identity;\n            SecTrustRef trust;\n            myIdentityAndTrustExtractionHelper(inPKCS12Data, &identity, &trust);\n\n            SecCertificateRef certificate = NULL;\n            SecIdentityCopyCertificate (identity, &certificate); \n\n            const void *certs[] = {certificate};\n            CFArrayRef certArray = CFArrayCreate(kCFAllocatorDefault, certs, 1, NULL);\n\n            NSURLCredential *credential = [NSURLCredential\n                                           credentialWithIdentity:identity\n                                           certificates:(__bridge NSArray*)certArray\n                                           persistence:NSURLCredentialPersistencePermanent];\n\n            [[challenge sender] useCredential:credential\n                forAuthenticationChallenge:challenge];\n            CFRelease(certArray);\n    } \n

\n\n

这是上面使用的身份提取辅助函数的更多详细信息......

\n\n

OSStatus myIdentityAndTrustExtractionHelper(CFDataRef inPKCS12Data,        \n                                 SecIdentityRef *mySecIdentityRef,\n                                 SecTrustRef *myTrustRef)\n{\n    //modify to get secret-hash from keychain \n    CFStringRef mySecretHash = CFSTR(secret_hash);\n    const void *keys[] =   { kSecImportExportPassphrase };\n    const void *values[] = { mySecretHash };\n\n\n    CFArrayRef pkscItems = CFArrayCreate(NULL, 0, 0, NULL);\n    OSStatus mySecurityError = SecPKCS12Import(inPKCS12Data,\n                                CFDictionaryCreate(NULL,keys, values, 1,\n                                NULL, NULL),\n                                &pkscItems);\n    if (mySecurityError == 0) \n    {                                 \n        CFDictionaryRef myIdentityAndTrust = CFArrayGetValueAtIndex (pkscItems, 0);\n        const void *tempIdentity = NULL;\n        tempIdentity = CFDictionaryGetValue (myIdentityAndTrust,\n                                             kSecImportItemIdentity);\n        *mySecIdentityRef = (SecIdentityRef)tempIdentity;\n        const void *tempTrust = NULL;\n        tempTrust = CFDictionaryGetValue (myIdentityAndTrust, kSecImportItemTrust);\n        *myTrustRef = (SecTrustRef)tempTrust;\n    }\n\n    return mySecurityError;\n}\n

\n\n

以这种方式创建 AFHTTPRequest 后（即通过 AFHTTPClient 子类的 MySignedAFHTTPRequestOperation 方法），将其添加到 NSOperationsQueue 中以供执行（当然，在创建操作时需要适当设置成功和失败处理程序块）

\n\n

总之：

\n\n

\n
• 使用强大的 AFNetworking 框架进行 Web 服务调用
\n
• 将证书私钥作为 .pfx 文件存储在应用程序中，并使用它来创建凭据和密钥
\n
• 通过在您创建的每个操作对象中设置凭据，允许 AFNetworking 为您进行加密。
\n

\n\n

希望这可以帮助。

\n