c - Inserting a certificate into the keychain
I have a client that retrieves a certificate (.pfx), including the private key, from a server, and adds it to the local keychain with the following code:
```cpp
void addCertToKeychain(const QByteArray& cert, const QString& password)
{
    SecKeychainRef keychain = NULL;
    OSStatus err = SecKeychainCopyDomainDefault(kSecPreferencesDomainUser, &keychain);
    if (err != errSecSuccess) {
        emit log("Failed to access the keychain: " + logMessageForStatus(err));
        return;
    }

    SecExternalFormat format = kSecFormatPKCS12;
    SecExternalItemType itemType = kSecItemTypeAggregate;
    SecItemImportExportFlags flags = 0;

    SecItemImportExportKeyParameters params;
    memset(&params, 0, sizeof(params));
    params.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;
    params.flags = 0;
    params.passphrase = password.toCFString();   // caller owns this CFStringRef
    params.alertTitle = NULL;
    params.alertPrompt = NULL;
    params.accessRef = NULL;

    // Create and populate the key usage array
    CFMutableArrayRef keyUsage = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
    CFArrayAppendValue(keyUsage, kSecAttrCanEncrypt);
    CFArrayAppendValue(keyUsage, kSecAttrCanDecrypt);
    CFArrayAppendValue(keyUsage, kSecAttrCanDerive);
    CFArrayAppendValue(keyUsage, kSecAttrCanSign);
    CFArrayAppendValue(keyUsage, kSecAttrCanVerify);
    CFArrayAppendValue(keyUsage, kSecAttrCanWrap);
    CFArrayAppendValue(keyUsage, kSecAttrCanUnwrap);
    // Passing the array makes the import fail with
    // "Failed to import certificate: key usage mask not supported", so it is dropped.
    CFRelease(keyUsage);
    keyUsage = NULL;

    // Create and populate the key attributes array (required for import)
    CFMutableArrayRef keyAttributes = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);

    params.keyUsage = keyUsage;
    params.keyAttributes = keyAttributes;

    CFDataRef certData = cert.toCFData();
    OSStatus status = SecItemImport(certData, CFSTR(".p12"), &format, &itemType, flags, &params, keychain, NULL);
    if (status == errSecSuccess)
        emit log("Certificate imported");
    else
        emit log("Failed to import certificate: " + logMessageForStatus(status));

    CFRelease(certData);
    CFRelease(params.passphrase);
    CFRelease(keyAttributes);
    CFRelease(keychain);
}
```
The certificate and private key appear in the keychain, as expected.

However, trying to retrieve the certificate is a problem, either programmatically or using the Keychain Access application.

If I select the private key in the keychain and export it, I'm presented with the following error in a dialog:

"An error has occurred. Unable to export an item. The contents of this item cannot be retrieved."

However, if the certificate and key are added to the keychain by double-clicking on the .pfx, exporting the key works as expected.

So, why does the code above cause the problem of not being able to export the key?
With assistance from Quinn @ Apple, it seems the method described in the question should work, but doesn't.

Using the old CDSA-style flag instead does in fact work, by doing this:
```objc
OSStatus err;
SecExternalFormat format;
SecItemImportExportKeyParameters params;

params.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;
params.flags = 0;
params.passphrase = (__bridge CFStringRef) pkcs12Password;
params.alertTitle = NULL;
params.alertPrompt = NULL;
params.accessRef = NULL;
params.keyUsage = NULL;
params.keyAttributes = (__bridge CFArrayRef) @[ @(CSSM_KEYATTR_EXTRACTABLE) ];

format = kSecFormatPKCS12;
err = SecItemImport(
    (__bridge CFDataRef) pkcs12Data,
    CFSTR("p12"),
    &format,
    NULL,
    0,
    &params,
    keychain,
    NULL
);
```
Note the setting of params.keyAttributes, which defines the key as extractable.

Alternatively, the older (deprecated) SecKeychainItemImport API may be used:
```objc
BOOL success;
OSStatus err;
NSArray *result;
SecExternalFormat format;
SecKeyImportExportParameters params;
CFArrayRef importedItems;

result = nil;
importedItems = NULL;
format = kSecFormatPKCS12;
memset(&params, 0, sizeof(params));
params.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;   // struct version, as the header requires
params.passphrase = password;
params.keyAttributes = CSSM_KEYATTR_EXTRACTABLE;         // CDSA flag: the key may be exported

err = SecKeychainItemImport(
    (CFDataRef) pkcs12Blob,   // importedData
    NULL,                     // fileNameOrExtension
    &format,                  // inputFormat
    NULL,                     // itemType
    0,                        // flags
    &params,                  // keyParams
    self->keychain,           // importKeychain
    &importedItems            // outItems
);
success = (err == noErr);
```
While the function SecKeychainItemImport is marked deprecated in Apple's documentation, I have been informed that it's unlikely to be removed any time soon.
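The following is an added example and not code from the question or the answer above. It applies the answer's CSSM_KEYATTR_EXTRACTABLE approach with SecItemImport and then adds the check a practitioner wants: it re-exports the imported identity as PKCS#12, which is the same operation Keychain Access performs, so a key that was stored non-extractable fails at that step instead of being discovered later. The build line, the command-line arguments, and the helper names (StatusText, ImportExtractableIdentity, ExportIdentityAsPKCS12) are assumptions for this example.

```objc
// Added example (not from the question or answer): import a PKCS#12 blob with the
// private key marked extractable, then prove it by exporting the identity again.
// Assumed build line:
//   clang -fobjc-arc -framework Foundation -framework Security -o p12check p12check.m
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Human-readable text for an OSStatus (SecCopyErrorMessageString may return NULL).
static NSString *StatusText(OSStatus status)
{
    CFStringRef msg = SecCopyErrorMessageString(status, NULL);
    return msg ? CFBridgingRelease(msg) : [NSString stringWithFormat:@"OSStatus %d", (int)status];
}

// Import a PKCS#12 blob into `keychain` with the private key marked extractable.
// Returns the imported SecIdentityRef (caller releases it) or NULL, with the status
// in *outStatus. A second run on the same blob is expected to report a duplicate item.
static SecIdentityRef ImportExtractableIdentity(NSData *pkcs12, NSString *password,
                                                SecKeychainRef keychain, OSStatus *outStatus)
{
    SecItemImportExportKeyParameters params;
    memset(&params, 0, sizeof(params));
    params.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;
    params.passphrase = (__bridge CFStringRef)password;
    // keyUsage stays NULL: a kSecAttrCan* array makes the import fail with
    // "key usage mask not supported", as the question observed.
    params.keyUsage = NULL;
    // The CDSA-style flag from the answer; without it the key is stored non-extractable.
    params.keyAttributes = (__bridge CFArrayRef)@[ @(CSSM_KEYATTR_EXTRACTABLE) ];

    SecExternalFormat format = kSecFormatPKCS12;
    SecExternalItemType itemType = kSecItemTypeAggregate;
    CFArrayRef items = NULL;
    OSStatus err = SecItemImport((__bridge CFDataRef)pkcs12, CFSTR("p12"), &format, &itemType,
                                 0, &params, keychain, &items);
    if (outStatus) *outStatus = err;
    if (err != errSecSuccess || items == NULL) return NULL;

    // A PKCS#12 import hands back the certificate/key pair as a SecIdentityRef.
    SecIdentityRef identity = NULL;
    for (CFIndex i = 0; i < CFArrayGetCount(items) && identity == NULL; i++) {
        CFTypeRef item = CFArrayGetValueAtIndex(items, i);
        if (CFGetTypeID(item) == SecIdentityGetTypeID())
            identity = (SecIdentityRef)CFRetain(item);
    }
    CFRelease(items);
    return identity;
}

// The check: re-export the identity as password-protected PKCS#12. A key imported
// without the extractable flag fails here (Keychain Access shows the same failure
// as the dialog in the question); a correctly imported one yields a new .p12 blob.
static OSStatus ExportIdentityAsPKCS12(SecIdentityRef identity, NSString *password, NSData **outBlob)
{
    SecItemImportExportKeyParameters params;
    memset(&params, 0, sizeof(params));
    params.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;
    params.passphrase = (__bridge CFStringRef)password;

    CFDataRef exported = NULL;
    OSStatus err = SecItemExport(identity, kSecFormatPKCS12, 0, &params, &exported);
    if (err == errSecSuccess && outBlob != NULL)
        *outBlob = CFBridgingRelease(exported);
    else if (exported != NULL)
        CFRelease(exported);
    return err;
}

int main(int argc, const char *argv[])
{
    @autoreleasepool {
        if (argc != 3) {
            fprintf(stderr, "usage: %s client.p12 password\n", argv[0]);
            return 2;
        }
        NSData *blob = [NSData dataWithContentsOfFile:@(argv[1])];
        NSString *password = @(argv[2]);
        if (blob == nil) {
            fprintf(stderr, "cannot read %s\n", argv[1]);
            return 1;
        }

        SecKeychainRef keychain = NULL;
        OSStatus err = SecKeychainCopyDomainDefault(kSecPreferencesDomainUser, &keychain);
        if (err != errSecSuccess) {
            fprintf(stderr, "keychain: %s\n", StatusText(err).UTF8String);
            return 1;
        }

        SecIdentityRef identity = ImportExtractableIdentity(blob, password, keychain, &err);
        if (identity == NULL) {
            fprintf(stderr, "import failed: %s\n", StatusText(err).UTF8String);
            CFRelease(keychain);
            return 1;
        }

        NSData *roundTrip = nil;
        err = ExportIdentityAsPKCS12(identity, password, &roundTrip);
        if (err == errSecSuccess)
            printf("imported and re-exported OK (%lu bytes of PKCS#12)\n", (unsigned long)roundTrip.length);
        else
            fprintf(stderr, "imported, but the key is NOT exportable: %s\n", StatusText(err).UTF8String);

        CFRelease(identity);
        CFRelease(keychain);
        return err == errSecSuccess ? 0 : 1;
    }
}
```

Run it as `./p12check client.p12 'passphrase'` on macOS. Because accessRef is left NULL, the import gives the importing application access to the new private key, so the export step normally runs without a keychain prompt from the same binary; exporting the same key from Keychain Access or another program can still trigger the usual access dialog. To see the failure mode, remove the CSSM_KEYATTR_EXTRACTABLE entry (an empty keyAttributes array, as in the question) and the export call is the point at which the non-extractable key is reported.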
c osx security ssl core-foundation