Thanks so much Jens, Is there any chance you could share the ComputeSHA1 message with me? I know you said it was only a wrapper for commonCrypto but I am so lost in this stuff I want t check everything.
Regards Damien On 09/02/2013, at 4:05 PM, Jens Alfke <j...@mooseyard.com> wrote: > > On Feb 8, 2013, at 1:31 PM, Damien Cooke <dam...@smartphonedev.com> wrote: > >> I am trying to put a public key into the ios keychain so I can get a >> SecKeyRef to use to verify a signature. > > Oh dear. Any time I have to deal with the iOS keychain APIs I get either > enraged or sick to my stomach or both. Seriously. > >> So I strip the begin and end markers plus remove all the \n (is this >> correct?) > > And also base64-decode it, right? It definitely won’t work unless you do that > too. > (This looks like a PEM-encoded key; to make sure, you could look up the docs > on that format. But I think you’ve basically got it right.) > >> The SecItemAdd succeeds but I can never get it out again as >> SecItemCopyMatching always returns null in the ref pointer but returns >> errSecSuccess so I am really confused. > > Yeah, this is a good example of where my rage/ulcer reactions come from. The > SecItem API is one of the worst things ever: it’s incredibly vague and > under-documented, and just does not seem to behave in reasonable ways or > return informative errors. > > Here’s some code I have for this purpose. It’s been about a year since I’ve > worked with it so I’m no longer clear on all the details. > One thing to note is that the app this is for is using the SHA-1 digest of > the key as the “application tag” property for looking up the key afterwards, > thus the usage of the digest in the parameters to SecItemAdd. > Also, the weird stuff about converting the persistent ref to a regular one is > to work around a bug(?) in the keychain code, where you apparently have to > request a persistent ref when adding a new item, but then can’t work with > that ref unless you convert it to a regular one. > This code is the boiled-down end product of literally about ten cumulative > hours of frustration and experimentation, so it may be messier than it needs > to be. If someone knows how to do this more elegantly, I’m all ears. > > —Jens > > PS: The apple-cdsa list is the appropriate one for talking about this stuff, > although I’ve noticed that the Apple engineers there never seem to answer > detailed questions about the keychain APIs :-p > > SHA1Digest digest = ComputeSHA1(keyData); // this is a fn of mine that > just calls CommonCrypto > NSData* digestData = [NSData dataWithBytes: &digest length: > sizeof(digest)]; > > NSMutableDictionary* attrs = [NSMutableDictionary > dictionaryWithObjectsAndKeys: > (id)kSecClassKey, (id)kSecClass, > (id)kSecAttrKeyTypeRSA, > (id)kSecAttrKeyType, > (id)kSecAttrKeyClassPublic, > (id)kSecAttrKeyClass, > digestData, > (id)kSecAttrApplicationTag, //???? > digestData, > (id)kSecAttrApplicationLabel, > keyData, (id)kSecValueData, > (id)kCFBooleanTrue, > (id)kSecReturnPersistentRef, > nil]; > CFTypeRef keyRef = NULL; > OSStatus err = SecItemAdd((CFDictionaryRef)attrs, &keyRef); > if (err) { > if (err != errSecDuplicateItem) > return err; > // Already have a key with this digest, so look it up to get its ref: > [attrs removeObjectForKey: (id)kSecValueData]; > [attrs setObject: digestData forKey: > (id)kSecAttrApplicationLabel];//?? > [attrs removeObjectForKey: (id)kSecReturnPersistentRef]; > [attrs setObject: (id)kCFBooleanTrue forKey: (id)kSecReturnRef]; > return SecItemCopyMatching((CFDictionaryRef)attrs, > (CFTypeRef*)outPublicKey); > } > > // Added it -- now convert the persistent ref to a regular one: > NSMutableDictionary* query = [NSMutableDictionary > dictionaryWithObjectsAndKeys: > (id)kSecClassKey, (id)kSecClass, > (id)kSecAttrKeyTypeRSA, > (id)kSecAttrKeyType, > digestData, > (id)kSecAttrApplicationTag, //???? > //(id)keyRef, (id)kSecValuePersistentRef, > (id)kCFBooleanTrue, (id)kSecReturnRef, > nil]; > //CFRelease(keyRef); > return SecItemCopyMatching((CFDictionaryRef)query, > (CFTypeRef*)outPublicKey); > _______________________________________________ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com