OpenSSL on iPhone

I need to figure out how to get two OpenSSL functions for iPhone. I'm trying to keep it so I don't need another dylib, because I don't want Apple to reject my application for something so silly.
Anyway, I have an app that accesses an API, not one of my APIs, so I can't really change it, and also, I don't want anyone to know my public key, or use this specific 'private' API, so I can't just make a PHP script server side, which would be easier, except that it just won't work out.
I need to be able to use something that will seal a request in OpenSSL, and also encode a public key in OpenSSL. I have the headers, and I can't seem to figure anything out.

Generally, the easiest approach to encryption and decryption on the iPhone is the Security.framework, instead of using OpenSSL directly.
See here:
http://developer.apple.com/iphone/library/DOCUMENTATION/Security/Conceptual/CertKeyTrustProgGuide/iPhone_Tasks/iPhone_Tasks.html#//apple_ref/doc/uid/TP40001358-CH208-SW9
The examples at the bottom (listings 2-8, 2-9 and 2-10) show RSA-1024 key pair creation plus encryption and decryption.
By using a different key, you can control the encryption/decryption method to match the requirements of your server.

You can also compile OpenSSL as a library for iOS. Here is a tutorial from me:
http://www.x2on.de/2010/07/13/tutorial-iphone-app-with-compiled-openssl-1-0-0a-library/

For me, I found that using the OpenSSL pod from CocoaPods was the easiest. No tutorial needed.
Info: http://cocoapods.org/?q=openssl
-> OpenSSL (1.0.1)
OpenSSL is an SSL/TLS and Crypto toolkit. Deprecated in Mac OS and gone in iOS, this spec gives your project non-deprecated OpenSSL support.
pod 'OpenSSL', '~> 1.0.1'
- Homepage: http://www.openssl.org/
- Source: https://github.com/endSly/OpenSSL-pod.git
- Versions: 1.0.1, 1.0.0 [master repo]

Axios fails with 'certificate has expired' when certificate has not expired

I'm using Axios to post to a remote API. Although it has worked great for several years, the requests have suddenly started throwing an error "certificate has expired", despite the fact that the certificate has not expired. The API's domain has a working Let's Encrypt cert which isn't up for its next auto-renewal for another 2 months. In addition, if I run the exact same code on a different OS, it works (I'm on Linux; if I reboot the same dual-boot machine to Windows, the same node script successfully completes all of its Axios calls).
Why might Axios have suddenly started reporting an expired certificate, when the certificate is not expired?
(Note: I'm aware that I can force Axios not to check the cert at all, but that is not the desired solution - I'd like to understand why it's failing and rectify it).
The DST root formerly used, and by default still bridged by Let's Encrypt, just expired.
(note edits 10/05)
nodejs should successfully connect to a server using a Let's Encrypt cert with the 'compatibility' chain (i.e. still using the bridge to DST, even though it's expired, for old Android) IF
it has the ISRG root cert in its truststore, aka root list. By default nodejs uses a compiled-in root list, and v8.0.0 and up contain the ISRG root. However, application code like axios can replace or extend the compiled-in list, in which case it's the version/contents used by the application that matter;
AND nodejs uses OpenSSL 1.1.0 or up (my previous belief that 1.1.1 was needed proved wrong on more thorough testing) OR the DST root is removed from the truststore (you can't remove it from the compiled-in list, but if you use a replacement list, you can omit/remove it from that).
On Linux, at least a Linux distro with a package manager, nodejs is probably built to use the system-supplied OpenSSL; check what the package manager shows for dependencies, or whether ldd $(which node) lists some version of libssl and libcrypto (noting that different systems/packagers sometimes use version numbers for these library files that are related to, but NOT the same as, the OpenSSL version they contain!).
On Windows, OpenSSL is usually not installed, and when it is, not necessarily in a fixed place, so nodejs is normally built to use its own (static-linked) OpenSSL. In this case the version of nodejs must be new enough, and I don't know what the mapping is, but it appears yours is sufficient.
Problem for me was I was using an old Node version by accident, switching to the latest released version fixed the issue.

How can I access the trusted certificates in the operating system trust store from the browser/javascript? [duplicate]

We were previously using an Applet to get the Key Store certificates installed on the client's machine. Now that Chrome has dropped NPAPI, the Applet is no longer working, so we are looking for a solution using JavaScript / jQuery.
I am trying to get the total certificate list installed in the KeyStore, but I can't find any solutions. Does anyone know how to get the full certificate list using JavaScript or jQuery?
You cannot do that with JavaScript running in the client.
See the following entry of the WebCrypto mailing list:
On Wed, Jun 24, 2015 at 1:50 PM, Jeffrey Walton wrote:
I see the WebCrypto API will allow discovery of keys
(http://www.w3.org/TR/WebCryptoAPI/):
In addition to operations such as signature generation
and verification, hashing and verification, and encryption
and decryption, the API provides interfaces for key
generation, key derivation, key import and export, and
key discovery.
Certificates have public keys, and they are not as sensitive as private
keys.
Will the WebCrypto API allow discovery/enumeration of certificates?
Examples of what I would like to discover or enumerate (in addition to
the private keys):
Trusted roots
Client certs
Trusted Roots are in the platform's trust store. Client certs may be
in the trust store.
Thanks in advance,
Jeff
There are no plans from Chrome to implement such, on the hopefully obvious and significant privacy grounds.
Client certs contain PII. Trusted certs contain PII and
fingerprinting.
In modern, sandboxed operating systems, such as iOS and Android,
applications cannot enumerate either, as those platform providers
reached the same conclusion.
So no. Never.[1]
[1] For some really long value of never
Get a clone of the link below: https://github.com/scketches/ffPrintCert
Install jpm:
npm install jpm --global
Create the build for Mozilla:
jpm xpi
Upload the extension in Mozilla locally and check.
Open the URL below in Mozilla:
about:debugging
Load the .xpi file locally and check.

how to add openssl to a swift project

I am learning how to add in-app purchase receipt validation to my iOS/OSX projects.
There is a nice overview here and the WWDC14 has good videos on this topic.
Plenty of sample code, but everyone skips one step: how to import the OpenSSL header. The Swift compiler complains that there is no such module.
import Foundation
import StoreKit
import openssl //no such module ???
I am already stuck before writing one line of code. Where is the openssl framework hiding?
There is no OpenSSL module built in. You have to compile it yourself - this is for security so that everyone doesn't implement the exact same security.
Take a look at :
https://gist.github.com/foozmeat/5154962
http://www.cvursache.com/2013/08/13/How-To-Build-openssl-For-iOS/
There is also a CocoaPods pod at http://cocoapods.org/?q=openssl
You should never use a static module provided by someone else. Always build your own.
Apple's official explanation is here, under OpenSSL: https://developer.apple.com/library/ios/documentation/Security/Conceptual/cryptoservices/GeneralPurposeCrypto/GeneralPurposeCrypto.html

Trusting Secure Sites from Mono

All,
I have a C# ServiceStack console listener application running on Ubuntu using Mono. Within that application I have one service that must authenticate first at Appcelerator Cloud Services (ACS). I have tested the code locally (Xamarin .NET on OSX) and can see the code is fine. Based on the error and investigation using the almighty Google, Mono doesn't trust any secure sites by default.
So far I have tried using mozroots to import all mozilla root certs, and have used certmgr -ssl to import the certs directly from https://api.cloud.appcelerator.com. Nothing has worked so far.
I don't want to put code in place to bypass SSL in order to accomplish this as I think that is a cheap/insecure hack. There has to be a proper way to make this work.
Any and all suggestions appreciated!
Bruce
All,
I had it right. I was just missing the reboot which allowed Ubuntu to load up all the certs in the store.
Victory is mine, sayeth the coder...

What can I use to parse a digital certificate on iOS?

The security APIs on iOS only seem to cover extracting certain parts of the certificate.
Has anyone used openSSL or asn1c to allow the retrieval of Extensions, Policies etc from the certificate bytes?
Yes, you can use OpenSSL to parse a certificate, but it is not an easy job, given the lack of OpenSSL iOS docs.
First, you need the OpenSSL lib for iOS, and use OpenSSL to generate an X.509 cert. Then use the methods in OpenSSL to try to parse it.
Here is an example of how to extract the UPN from a certificate extension (I answered myself). It works fine for now. Other elements are similar to fetch.