Get X509 Data without OpenSSL

I previously would check if one certificate signed another (used to construct a certificate chain, NOT to validate), using the following code to create the data representation for the leaf certificate:

    #include <stdlib.h>
    #include <openssl/x509.h>
    #include <Security/Security.h>

    // Returns the DER encoding of the certificate's to-be-signed part (tbsCertificate).
    static CFDataRef CopyTBSCertificateData(SecCertificateRef certificate) {
        CFDataRef data = SecCertificateCopyData(certificate);
        const UInt8 *buffer = CFDataGetBytePtr(data);
        X509 *x = d2i_X509(NULL, &buffer, CFDataGetLength(data));  // allocates a new X509 on success
        CFRelease(data);
        if (x == NULL) return NULL;                                // not a parseable DER certificate
        int length = i2d_X509_CINF(x->cert_info, NULL);            // size of the encoded tbsCertificate
        unsigned char *info = malloc(length), *infoPtr = info;
        i2d_X509_CINF(x->cert_info, &info);                        // advances info; infoPtr keeps the start
        X509_free(x);
        return CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, infoPtr, length, kCFAllocatorMalloc);
    }

OpenSSL is now gone from 10.11. Is there another method of creating this representation?

I didn't see anything like this in CryptoCompatibility.

Replies

Filed as a request rdar://21410560

I am looking for some solution to get X509 data without OpenSSL. Any suggestions?

It strongly depends on what you're trying to do, but on macOS there's SecAsn1Coder.h which is essentially unsupported, but will work with X509Templates.h and other headers from the open source repository for Security. The coder will convert between the byte representation and structs in memory.

I wanted to fetch expiration date details from a certificate in iOS. I tried using the Apple Security framework, calling the method SecCertificateCreateWithData, but it's not supported on iOS.

If you just want to check if a certificate has expired, I think there's already a way to do that, SecTrust or other. Then there's SecCertificateCopyValues() and kSecOIDX509V1ValidityNotAfter. Otherwise you would need to decode the certificate, then the to-be-signed part, then the "validity" part which is basically text of the UTC time.

For decoding the certificate, do I need to use some OpenSSL lib? If not, what are the ways to decode a certificate?

I couldn't tell you for iOS, there probably is some well-regarded ASN1 library which has X509 templates, but I use SecAsn1Coder on macOS. Keep in mind this would be a big security risk (overflow, corruption, etc.) if the library wasn't well-tested.
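The original question only needs the bytes of the tbsCertificate element (what `i2d_X509_CINF` emitted), and the later replies describe decoding the certificate down to that to-be-signed part. As an added example that is not from this thread, Apple's frameworks or OpenSSL, here is a small DER walker in C that locates that element in a certificate's DER bytes (the output of `SecCertificateCopyData`) with bounds checks on every length, rejecting truncated input, indefinite lengths and non-minimal length encodings, which is the overflow concern raised in the last reply. All function and type names are my own, and the sample input is a constructed two-element SEQUENCE, not a real certificate.

```c
#include <stddef.h>
#include <stdint.h>

/* Parsed DER tag-length header. */
typedef struct {
    uint8_t tag;       /* identifier octet (single-octet tags only, which is all X.509 uses) */
    size_t hdr_len;    /* bytes consumed by tag + length octets */
    size_t len;        /* content length */
} der_tlv;

/* Parse one TLV header at buf[0..n). Returns 1 on success, 0 on malformed or
 * truncated input. Indefinite length (0x80) is not valid DER and is rejected. */
static int der_read_tlv(const uint8_t *buf, size_t n, der_tlv *out) {
    if (n < 2) return 0;
    out->tag = buf[0];
    if ((out->tag & 0x1f) == 0x1f) return 0;          /* multi-octet tag: not expected here */
    uint8_t first = buf[1];
    size_t pos = 2;
    if (first < 0x80) {
        out->len = first;                              /* short form */
    } else {
        size_t nbytes = first & 0x7f;                  /* long form: number of length octets */
        if (nbytes == 0 || nbytes > sizeof(size_t) || n - pos < nbytes) return 0;
        out->len = 0;
        for (size_t i = 0; i < nbytes; i++) out->len = (out->len << 8) | buf[pos++];
        if (out->len < 0x80) return 0;                 /* DER requires the minimal encoding */
    }
    out->hdr_len = pos;
    return out->len <= n - pos;                        /* content must fit inside the buffer */
}

/* Locate tbsCertificate: the first element inside the outer Certificate SEQUENCE.
 * On success *tbs points at its tag byte and *tbs_len is the full TLV size, i.e.
 * the same bytes the OpenSSL i2d_X509_CINF() call in the question produced. */
int x509_find_tbs(const uint8_t *der, size_t n, const uint8_t **tbs, size_t *tbs_len) {
    der_tlv outer, inner;
    if (!der_read_tlv(der, n, &outer) || outer.tag != 0x30) return 0;
    const uint8_t *body = der + outer.hdr_len;
    if (!der_read_tlv(body, outer.len, &inner) || inner.tag != 0x30) return 0;
    *tbs = body;
    *tbs_len = inner.hdr_len + inner.len;
    return 1;
}

/* Constructed sample (not a real certificate):
 * SEQUENCE { SEQUENCE { INTEGER 5 }, SEQUENCE { INTEGER 7 } } */
const uint8_t sample_der[] = { 0x30, 0x0a, 0x30, 0x03, 0x02, 0x01, 0x05,
                               0x30, 0x03, 0x02, 0x01, 0x07 };
```

Feed the real certificate bytes from `SecCertificateCopyData` to `x509_find_tbs` and wrap the returned range in a `CFDataRef` to replace the OpenSSL-based function above; the validity field the later reply mentions is then the fifth element inside that tbsCertificate SEQUENCE.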