No API to extract the SPKI bits from an SSL certificate

Originator: nabla.c0d3
Number: rdar://22209593
Date Originated: 10-Aug-2015 12:30 PM
Status: Open
Resolved:
Product:
Product Version:
Classification:
Reproducible:

Summary:
On both iOS and OS X, there is no API to extract the Subject Public Key Info bits from an SSL certificate. This is useful when implementing SSL pinning, which requires pinning the SPKI as a best practice (as opposed to pinning the certificate or the public key - https://www.imperialviolet.org/2011/05/04/pinning.html).

On OS X, the SecCertificateCopyValues() function seemed like a good candidate in combination with the kSecOIDX509V1SubjectPublicKeyAlgorithm and kSecOIDX509V1SubjectPublicKeyAlgorithmParameters OIDs. 

However the function only returns a parsed output (such as the OID corresponding to the key algorithm) instead of the actual bytes of the SPKI.

Steps to Reproduce:
Try to extract the Subject Public Key Info bytes from an SSL certificate.

Expected Results:
It would be nice to be able to retrieve the SPKI bytes from an SSL certificate, in order to implement SSL pinning.

Actual Results:
There is no function in the Security framework to extract the SPKI data from a certificate.

Version:
iOS 8

Notes:


Configuration:
iOS 8
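The missing piece, as an added example that is not part of this radar and not an API from Apple's Security framework: a minimal DER walk that locates the SubjectPublicKeyInfo inside a certificate's DER encoding (the bytes SecCertificateCopyData() hands back on both iOS and OS X) and turns it into an HPKP-style base64(SHA-256(SPKI)) pin. Because nothing here can talk to a server, the certificate and the EC P-256 public key are constructed placeholders (the point is filler, the signature is zeros, the names and dates are made up); the parser, the function names, and the sample data are all assumptions of this example, not anything the report describes.

```python
import base64
import hashlib

# DER tag constants (universal class), plus the context-specific [0] that wraps the version.
SEQUENCE, SET, INTEGER, BIT_STRING, NULL, OID, UTF8STRING, UTCTIME = (
    0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x17)
EXPLICIT_0 = 0xA0


def _der_len(n):
    """Definite-form DER length: short form below 0x80, otherwise 0x8N plus N big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Encode one tag-length-value element (used only to build the constructed sample)."""
    return bytes([tag]) + _der_len(len(body)) + body


def build_sample_certificate(spki, v3=True):
    """Constructed certificate skeleton for offline testing: correct X.509 DER structure,
    placeholder name/dates and an all-zero signature (it would never validate)."""
    sha256_rsa = tlv(SEQUENCE, tlv(OID, bytes.fromhex("2a864886f70d01010b")) + tlv(NULL, b""))
    name = tlv(SEQUENCE, tlv(SET, tlv(SEQUENCE,
               tlv(OID, bytes.fromhex("550403")) + tlv(UTF8STRING, b"example.test"))))
    validity = tlv(SEQUENCE, tlv(UTCTIME, b"150810000000Z") + tlv(UTCTIME, b"160810000000Z"))
    version = tlv(EXPLICIT_0, tlv(INTEGER, b"\x02")) if v3 else b""   # v1 certs omit [0]
    tbs = tlv(SEQUENCE, version + tlv(INTEGER, b"\x01") + sha256_rsa + name + validity + name + spki)
    return tlv(SEQUENCE, tbs + sha256_rsa + tlv(BIT_STRING, b"\x00" + b"\x00" * 32))


def read_tlv(buf, pos):
    """Decode tag and length at buf[pos]; return (tag, content_start, content_len).
    Single-byte tags and definite lengths only, which is all X.509 DER uses."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite or malformed DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, pos, length


def extract_spki(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV (header included) from a DER X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, pos, _ = read_tlv(cert_der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a Certificate SEQUENCE")
    tag, pos, tbs_len = read_tlv(cert_der, pos)
    if tag != SEQUENCE:
        raise ValueError("not a TBSCertificate SEQUENCE")
    tbs_end = pos + tbs_len
    tag, start, length = read_tlv(cert_der, pos)
    if tag == EXPLICIT_0:            # version is absent in v1 certificates, skip only if present
        pos = start + length
    for _ in range(5):               # serialNumber, signature, issuer, validity, subject
        _, start, length = read_tlv(cert_der, pos)
        pos = start + length
    tag, start, length = read_tlv(cert_der, pos)
    if tag != SEQUENCE or start + length > tbs_end:
        raise ValueError("subjectPublicKeyInfo not where expected")
    spki = cert_der[pos:start + length]
    # SPKI ::= SEQUENCE { algorithm AlgorithmIdentifier (SEQUENCE), subjectPublicKey BIT STRING }
    alg_tag, a_start, a_len = read_tlv(spki, start - pos)
    key_tag, _, _ = read_tlv(spki, a_start + a_len)
    if alg_tag != SEQUENCE or key_tag != BIT_STRING:
        raise ValueError("malformed SubjectPublicKeyInfo")
    return spki


def spki_pin_sha256(cert_der):
    """HPKP-style pin: base64(SHA-256(SPKI DER)); the same value
    'openssl x509 -pubkey | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64' yields."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode("ascii")


def is_well_formed(cert_der):
    """True when an SPKI can be located; False on truncated or malformed input."""
    try:
        extract_spki(cert_der)
        return True
    except ValueError:
        return False


# Constructed EC P-256 SPKI: id-ecPublicKey / prime256v1 OIDs are real, the 04||X||Y point is filler.
SAMPLE_SPKI = tlv(SEQUENCE,
                  tlv(SEQUENCE, tlv(OID, bytes.fromhex("2a8648ce3d0201"))
                                + tlv(OID, bytes.fromhex("2a8648ce3d030107")))
                  + tlv(BIT_STRING, b"\x00\x04" + b"\x11" * 32 + b"\x22" * 32))
SAMPLE_CERT = build_sample_certificate(SAMPLE_SPKI)

if __name__ == "__main__":
    print("SPKI DER :", extract_spki(SAMPLE_CERT).hex())
    print("pin-sha256:", spki_pin_sha256(SAMPLE_CERT))
```

In a real pinning check the DER comes from SecCertificateCopyData() on each certificate of the evaluated chain (SecTrustGetCertificateAtIndex()), and the computed pin is compared against the set embedded in the app; pinning the SPKI rather than the certificate survives a reissue under the same key, and pinning the hash rather than the full key keeps the embedded material small. The walk above deliberately refuses indefinite lengths and checks that the element it lands on has the AlgorithmIdentifier/BIT STRING shape, so a malformed chain fails closed instead of pinning garbage.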
