c# - Get Apple Keychain to recognize Bouncy Castle .NET created PKCS12 (.p12) store -

-

our organization manages stable of ios applications multiple clients, means dealing lot of different developer identity certificates , push notification certificates.

i have had success bouncy castle c# crypto api in simplifying management of certificates , private keys push notifications, essentially eliminating need keychain our push notification certificates.

i extend developer identity certificates. goal store private key , certificate information in database each developer identity. when new developer or build machine needs provisioned, server side code wrap of certificates , private keys 1 p12 archive 1 password imported target mac's keychain.

unfortunately, mac keychain doesn't p12 files i'm generating. annoying since can import these files windows certificate manager fine.

the code i'm using (the important parts) looks this:

private byte[] getp12bytes(list<devidentity> identities, string password) {     pkcs12store store = new pkcs12store();      foreach(devidentity ident in identities)     {         // easiest create bouncy castle cert converting .net         var dotnetcert = new x509certificate2(ident.certificatebytes);         // method (not shown) parses cn= attribute out of cert's distinguished name         string friendlyname = getfriendlyname(dotnetcert.subject);           // reconstitute private key saved value strings         biginteger modulus = new biginteger(ident.privatekey.modulus);         biginteger publicexponent = new biginteger(ident.privatekey.publicexponent);         biginteger privateexponent = new biginteger(ident.privatekey.exponent);         biginteger p = new biginteger(ident.privatekey.p);         biginteger q = new biginteger(ident.privatekey.q);         biginteger dp = new biginteger(ident.privatekey.dp);         biginteger dq = new biginteger(ident.privatekey.dq);         biginteger qinv = new biginteger(ident.privatekey.qinv);         rsakeyparameters kp = new rsaprivatecrtkeyparameters(modulus, publicexponent, privateexponent, p, q, dp, dq, qinv);         asymmetrickeyentry privatekey = new asymmetrickeyentry(kp);          // let's convert bouncy castle cert , wrap packaging         org.bouncycastle.x509.x509certificate cert = dotnetutilities.fromx509certificate(dotnetcert);         x509certificateentry certentry = new x509certificateentry(cert);          // set private key , certificate store         store.setcertificateentry(friendlyname, certentry);         store.setkeyentry(ident.privatekeyname, privatekey, new x509certificateentry[] { certentry });     }      using (memorystream ms = new memorystream())     {         store.save(ms, password.tochararray(), new securerandom());         ms.flush();         byte[] p12bytes = ms.toarray();         return p12bytes;     } }

like said, works great import on windows, fails generic error when importing mac keychain.

there 1 major difference can see when loading keychain-generated p12 , own generated p12 file, not know if cause.

if load mac keychain generated p12 bouncy castle pkcs12store, , examine keys, on keychain p12, both certificate , private key have attribute key "1.2.840.113549.1.9.21" equivalent values (a deroctetstring value #af8a1d6891efeb32756c12b7bdd96b5ec673e11e).

if same generated p12 file, private key contains "1.2.840.113549.1.9.21" attribute, certificate not.

if google "1.2.840.113549.1.9.21", find out oid means pkcs_12_local_key_id . theory keychain relies on match certificate , private key, , generated file not have this, fails.

however, i've tried adding these values hashtable , using certificateentry constructor takes attribute hashtable. if that, , save bytes, , reload bytes, attribute again missing.

so i'm flummoxed. maybe attribute glitch in bouncy castle api? maybe there's i'm doing wrong. maybe keychain has ridiculous non-standard requirements incoming p12 files. in case, provided appreciated.

bouncycastle's pkcs12store takes care of setting both friendly name , local key id attributes (or @ least in 1.7 release, circa april 2011). guess must have used older version didn't work.

here's how i'm saving iphone developer identity pkcs12store instance (extra stuff , security omitted):

var store = new pkcs12store();  // pairs ienumerable<tuple<x509certificate, asymmetrickeyparameter>> foreach (var pair in pairs) {     var cn = pair.item1.subjectdn          .getvaluelist(x509name.cn).oftype<string>().single();      var certentry = new x509certificateentry(pair.item1);     store.setcertificateentry(cn, certentry);      var keyentry = new asymmetrickeyentry(pair.item2);     store.setkeyentry("developer name", keyentry, new[] { certentry }); }  store.save(stream, string.empty.toarray(), new securerandom());

importing store in keychain access.app on os x 10.7 correctly places certificate , private key in keychain , places certificate within private key in ui, certificate , key generated keychain access itself.

on side note, seems pkcs12store uses public key of certificate generate value of localkeyid attribute shared certificate , key entries.

you can see relevant section of pkcs12store source here.


Comments

Post a Comment

Popular posts from this blog

python - Scipy curvefit RuntimeError:Optimal parameters not found: Number of calls to function has reached maxfev = 1000 -

-
Image
i want make logharitmic fit. keep getting runtime error: optimal parameters not found: number of calls function has reached maxfev = 1000 i use following script. can tell me go wrong? use spyder still beginner. import math import matplotlib mpl scipy.optimize import curve_fit import numpy np #data f1=[735.0,696.0,690.0,683.0,680.0,678.0,679.0,675.0,671.0,669.0,668.0,664.0,664.0] t1=[1,90000.0,178200.0,421200.0,505800.0,592200.0,768600.0,1036800.0,1371600.0,1630800.0,1715400.0,2345400.0,2409012.0] f1n=np.array(f1) t1n=np.array(t1) plt.plot(t1,f1,'ro',label="original data") # curvefit def func(t,a,b): return a+b*np.log(t) t=np.linspace(0,3600*24*28,13) popt, pcov = curve_fit(func, t, f1n, maxfev=1000) plt.plot(t, func(t, *popt), label="fitted curve") plt.legend(loc='upper left') plt.show() your original data t1 , f1 . therefore curve_fit should given t1 second argument, not t . popt, pcov = curve_fit(func,
Read more

c# - How to add a new treeview at the selected node? -

-
i have treeview 4 levels; parent, child, grandchild, great-grandchild. selectednode @ grandchild level. what i'm trying create new "treeview" @ grandchild - no, dont wnat create new node "selectednode" (grandchild). should somelike this: parent child grandchild (new treeview) parent grandchild great-grandchild child great-grandchild child grandchild grandchild it similar parent table mother , father went off , had new childern different spouse other spouse of there existing children. private sub populaterootlevel() ' query find first round of parent populatenodes(dt, jcatreeview.nodes) end sub private sub populatenodes(byval dt datatable, byval nodes treenodecollection) each dr datarow in dt.rows dim tn new treenode() tn.text = dr("title").tostring()
Read more

java - netbeans "Please wait - classpath scanning in progress..." -

-
when try compile netbeans projects message/error : "please wait - classpath scanning in progress..." and nothing happens , have have wait enternity conmpile "hello world"... now first thing have moved new office building, laptop same. it's secure enviroment lot of "security", can't connect anywhere almost. have changed user dir in netbeans.conf save data in c:\program files\user any ideas how fix this? alrady tried reinstalling netbeans, changing save location between standart , newone... just ideas find problem look @ cpu - netbeans busy (100% on 1 core) or blocking (95% idle)? standard, ant or maven build? libraries , use absolute or relative paths? start simple "hello world" project (no dependencies), add 1 lib (log4j or similiar), located in project folder , - if works - move lib other locations (choose locations similiar libs on real classpath) there chance, don't have access rights folders/shares conta
Read more