目标-C/C从SecKeyRef中提取私钥(模数)

Question

我需要一种干净的方法来提取我的服务器公钥，并将其与本地数据进行比较，以防止未来的密钥过期/更新，但我似乎无法获得256位密钥，也无法将其表示为有用的比较数据。

到目前为止..。

-(BOOL)trustCertFromChallenge:(NSURLAuthenticationChallenge *)challenge
{

    SecTrustResultType trustResult;
    SecTrustRef trust = challenge.protectionSpace.serverTrust;
    OSStatus status = SecTrustEvaluate(trust, &trustResult);


    NSString *localKey = @"MY_PUBLIC_KEY";
    NSData *localKeyData = [localKey dataUsingEncoding:NSUTF8StringEncoding];

    SecCertificateRef serverCertificate = SecTrustGetCertificateAtIndex(trust, 0);
    SecKeyRef key = SecTrustCopyPublicKey(trust);

    DLog(@"Cert: %@  Key:%@",serverCertificate,key);

    // this prints the correct cert information and key information
    // for clarity....
    // Key: <SecKeyRef algorithm id: 1, key type: RSAPublicKey, version: 3, block size: 2048 bits, exponent: {hex: 10001, decimal: 65537}, modulus: MY_PUBLIC_KEY, addr: 0x7fa78b80bc00>

    // so far so good.. now for grabbing the key
    NSData *keyData = [self getPublicKeyBitsFromKey:key];

    DLog(@"Local: %@ - %li Key: %@ - %li",[localKeyData description],[localKeyData length],[keyData description],[keyData length]);


    if ([localKeyData isEqualToData:keyData])
        DLog(@"ITS THE SAME!");
    else
        DLog(@"NOT THE SAME!");

}

我做了一次苹果Crypto运动然后做了以下的.

- (NSData *)getPublicKeyBitsFromKey:(SecKeyRef)givenKey {

    static const uint8_t publicKeyIdentifier[] = "com.mydomain.publickey";
    NSData *publicTag = [[NSData alloc] initWithBytes:publicKeyIdentifier length:sizeof(publicKeyIdentifier)];

    OSStatus sanityCheck = noErr;
    NSData *publicKeyBits = nil;

    NSMutableDictionary *queryPublicKey = [[NSMutableDictionary alloc] init];
    [queryPublicKey setObject:(__bridge id)kSecClassKey forKey:(__bridge id)kSecClass];
    [queryPublicKey setObject:publicTag forKey:(__bridge id)kSecAttrApplicationTag];
    [queryPublicKey setObject:(__bridge id)kSecAttrKeyTypeRSA forKey:(__bridge id)kSecAttrKeyType];

    // Temporarily add key to the Keychain, return as data:
    NSMutableDictionary * attributes = [queryPublicKey mutableCopy];
    [attributes setObject:(__bridge id)givenKey forKey:(__bridge id)kSecValueRef];
    [attributes setObject:@YES forKey:(__bridge id)kSecReturnData];
    CFTypeRef result;
    sanityCheck = SecItemAdd((__bridge CFDictionaryRef) attributes, &result);
    if (sanityCheck == errSecSuccess) {
        publicKeyBits = CFBridgingRelease(result);

        // Remove from Keychain again:
        (void)SecItemDelete((__bridge CFDictionaryRef) queryPublicKey);
    }

    return publicKeyBits;
}

这将返回270字节，而不是预期的256。我无法用一种方式来将它与我的localData进行比较

本地密钥为512个ASCII (为什么？) 45323636 32323330，派生密钥为270个UTF8 223b70a0 56f28f68字节。

首先，我需要从getPublicKeyBitsFromKey获得256个字节，我还需要以相同的方式表示数据来进行比较。

同样值得注意的是

NSString *keyString = [NSString stringWithUTF8String:[keyData bytes]];

和

NSString *keyString = [[NSString alloc] initWithBytes:[keyData bytes] length:[keyData length] encoding:NSUTF8StringEncoding];

返回(空)

NSString *keyString = [NSString stringWithCharacters:[keyData bytes] length:[keyData length]];

连日志都没有

任何帮助都将是非常感谢的，所以提前谢谢。

Answer 1

我解决了这个问题，在本地拥有一个.der副本，并将其固定在公钥上。

-(BOOL)trustCertFromChallenge:(NSURLAuthenticationChallenge *)challenge
{
    SecTrustResultType trustResult;
    SecTrustRef trust = challenge.protectionSpace.serverTrust;
    OSStatus status = SecTrustEvaluate(trust, &trustResult);

    //DLog(@"Failed: %@",error.localizedDescription);
    //DLog(@"Status: %li | Trust: %@ - %li",(long)status,trust,(long)trustResult);

    if (status == 0 && (trustResult == kSecTrustResultUnspecified || trustResult == kSecTrustResultProceed)) {

        SecKeyRef serverKey = SecTrustCopyPublicKey(trust);

        NSString *certPath = [[NSBundle mainBundle] pathForResource:@"MYCert" ofType:@"der"];
        NSData *certData = [NSData dataWithContentsOfFile:certPath];
        SecCertificateRef localCertificate = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)certData);

        SecKeyRef localKey = NULL;
        SecTrustRef localTrust = NULL;
        SecCertificateRef certRefs[1] = {localCertificate};
        CFArrayRef certArray = CFArrayCreate(kCFAllocatorDefault, (void *)certRefs, 1, NULL);
        SecPolicyRef policy = SecPolicyCreateBasicX509();
        OSStatus status = SecTrustCreateWithCertificates(certArray, policy, &localTrust);

        if (status == errSecSuccess)
            localKey = SecTrustCopyPublicKey(localTrust);

        CFRelease(localTrust);
        CFRelease(policy);
        CFRelease(certArray);

         if (serverKey != NULL && localKey != NULL && [(__bridge id)serverKey isEqual:(__bridge id)localKey])
            return YES;
        else
            return NO;
    }

    //DLog(@"Failed: %@",error.localizedDescription);

    return NO;
}