Re: Creating OpenSSH compatible key pairs

2020-04-11 Thread Jens Alfke via Cocoa-dev
The Sec* APIs are a world of pain. Of anything I’ve ever programmed in, um, 42 
years, they are the ones that have gotten me closest to throwing my computer 
through a window in a rage. (Runner-up: CoreAudio.) They’re very vague and 
poorly documented, and their capabilities and behaviors vary greatly between 
Mac and iOS devices and even the iOS Simulator.

It’s been a few years since I delved into them, so I can’t help as much as I’d 
like. A few thoughts:

- Shouldn’t you be using SecKeyCreatePair to create a key-pair?
- The header at the top of the PEM data you’ll probably just have to edit 
yourself.
- The incorrect data is probably a result of using different encoding/padding 
than what SSH uses.
- Have you considered just using NSTask to call the ssh-keygen tool? If you 
don’t want to go down the crypto rabbit-hole, this might save you a lot of pain.

—Jens
___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com


Creating OpenSSH compatible key pairs

2020-04-09 Thread Dragan Milić via Cocoa-dev
Hello,

My question is not strictly related to Cocoa and I apologise for that, but this 
place seems to be the only useful resource for macOS related development and 
looking for information and questions (apart from noisy stack overflow). 
Secondly, I’m not very experienced in cryptography and related topics, so it 
may be possible I’m overlooking something quite obvious.

The straightforward question is: is it possible to create OpenSSH compatible 
key pairs, like ssh-keyget utility does, using Security framework? Let’s say, I 
want to do the equivalent of the following terminal command:

ssh-keygen -t rsa -b 4096 -C “m...@mail.com"

I’m trying that with this simplified piece of code:

CFMutableDictionaryRef privAttrs = 
CFDictionaryCreateMutable(kCFAllocatorDefault, 0, 
&kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
CFDictionarySetValue(privAttrs, kSecAttrIsPermanent, kCFBooleanFalse);
CFDictionarySetValue(privAttrs, kSecAttrLabel, CFSTR("m...@mail.com"));
CFMutableDictionaryRef attrs = CFDictionaryCreateMutable(kCFAllocatorDefault, 
0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
CFDictionarySetValue(attrs, kSecAttrKeyType, kSecAttrKeyTypeRSA);
CFDictionarySetValue(attrs, kSecAttrKeySizeInBits, CFSTR("4096"));
CFDictionarySetValue(attrs, kSecPrivateKeyAttrs, privAttrs);
CFErrorRef error = NULL;
SecKeyRef privateKey = SecKeyCreateRandomKey(attrs, &error);
if (privateKey)
{
CFDataRef data = NULL;
OSStatus status = SecItemExport(privateKey, kSecFormatSSH, 
kSecItemPemArmour, NULL, &data);
if (status == errSecSuccess)
{
// ... save private key data to a file ...
}
SecKeyRef publicKey = SecKeyCopyPublicKey(privateKey);
if (publicKey)
{
status = SecItemExport(publicKey, kSecFormatSSH, kSecItemPemArmour, 
NULL, &data);
if (status == errSecSuccess)
{
// ... save public key data to a file ...
}
CFRelease(publicKey);
}
CFRelease(privateKey);
}
CFRelease(privAttrs);
CFRelease(attrs);

This seems to create valid RSA key pair, which I can add to the Keychain on 
creation if I choose to (setting permanent attribute to true), but the 
exporting operation doesn’t end up with files I expect. The PEM armour seems 
not to be correct, the text representation of the key begins and ends with 
-BEGIN/END RSA PRIVATE KEY- as opposed to -BEGIN/END OPENSSH 
PRIVATE KEY-  and the key structure looks different in general. If I try to 
show key fingerprint using 

ssh-keygen -l -f 

I get response that “ is not a key file. If I, for example, try to 
upload the public key to GitHub to use for SSH connection, it’s rejected, 
because “key is invalid, you must supply a key in OpenSSH public key format."

I’d appreciate if anyone points out what I’m doing wrong and whether this is 
achievable with Security framework at all.

Thanks,
-- Dragan

___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com