How to get public key hash from SecCertificateRef or SecKeyRef not in keychain?

Hi,


I can get a SecCertificateRef object and a SecKeyRef object from a signature with the code below:


#include <cstdio>
#include <string>
#include <CoreFoundation/CoreFoundation.h>
#include <Security/Security.h>

// url is a std::string holding the path of the signed file.
void dumpSigningCertificates(const std::string &url) {
    CFURLRef fmyURL = CFURLCreateFromFileSystemRepresentation(kCFAllocatorDefault, (const UInt8 *)url.c_str(), url.length(), false);
    if (NULL == fmyURL) {
        return;
    }
    SecStaticCodeRef staticCode = NULL;
    OSStatus ret = SecStaticCodeCreateWithPath(fmyURL, kSecCSDefaultFlags, &staticCode);
    if (errSecSuccess == ret) {
        ret = SecStaticCodeCheckValidity(staticCode, kSecCSDefaultFlags | kSecCSDoNotValidateResources, NULL);
        printf("SecStaticCodeCheckValidity: %d\r\n", (int)ret);
        if (errSecSuccess == ret) {
            CFDictionaryRef inform = NULL;
            ret = SecCodeCopySigningInformation(staticCode, kSecCSSigningInformation, &inform);
            if (errSecSuccess == ret) {
                // Certificate chain of the signature, leaf first; owned by the dictionary.
                CFArrayRef array = (CFArrayRef)CFDictionaryGetValue(inform, kSecCodeInfoCertificates);
                if (NULL != array) {
                    CFIndex count = CFArrayGetCount(array);
                    for (CFIndex j = 0; j < count; j++) {
                        SecCertificateRef certificate = (SecCertificateRef)CFArrayGetValueAtIndex(array, j);
                        SecKeyRef key = NULL;
                        if (errSecSuccess == SecCertificateCopyPublicKey(certificate, &key) && NULL != key) {
                            // ... use the public key here ...
                            CFRelease(key); // SecCertificateCopyPublicKey returns a +1 reference
                        }
                    }
                }
                CFRelease(inform);
            }
        }
        CFRelease(staticCode);
    }
    CFRelease(fmyURL);
}


But I want to get its public key's hash, just like kSecPublicKeyHashItemAttr.

But because this SecCertificateRef object is obtained from a signed file, it is not in the keychain, so I can't use SecKeychainItemCopyAttributesAndData to get its attributes, and therefore can't get its public key's hash.

Is there any API for me to get it?

Thank you very much!

Replies

Given your use of the code signing API, I’m going to assume you’re working on macOS. If so, you should be able to do this with the following sequence:

  1. Call SecCertificateCopyPublicKey to get the public key from the certificate.
  2. Get the key bits from the key reference using SecKeyCopyExternalRepresentation.
  3. Hash that with Common Crypto’s CC_SHA1.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
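The three steps above put together as an added example (not code from the thread or from Apple): it loads a DER-encoded certificate from a file path given on the command line, which is an assumption, as are the helper names PublicKeyHashForCertificate and HexString.

```objective-c
// Added example, not from the thread. Build on macOS 10.12 or later with:
//   clang -fobjc-arc -framework Foundation -framework Security pkhash.m -o pkhash
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonDigest.h>

// Step 1: public key from the certificate; step 2: key bits via
// SecKeyCopyExternalRepresentation (PKCS#1 DER for RSA keys); step 3: SHA-1 of
// those bits. Returns nil on any failure and releases everything it created.
static NSData *PublicKeyHashForCertificate(SecCertificateRef certificate) {
    SecKeyRef key = NULL;
    // Deprecated since 10.14 in favour of SecCertificateCopyKey, but it is what the thread uses.
    if (SecCertificateCopyPublicKey(certificate, &key) != errSecSuccess || key == NULL) {
        return nil;
    }
    CFErrorRef error = NULL;
    CFDataRef keyBits = SecKeyCopyExternalRepresentation(key, &error);
    CFRelease(key);
    if (keyBits == NULL) {
        if (error != NULL) CFRelease(error);
        return nil;
    }
    unsigned char digest[CC_SHA1_DIGEST_LENGTH];
    CC_SHA1(CFDataGetBytePtr(keyBits), (CC_LONG)CFDataGetLength(keyBits), digest);
    CFRelease(keyBits);
    return [NSData dataWithBytes:digest length:sizeof(digest)];
}

// Lower-case hex rendering of the digest, for printing or comparing with a stored value.
static NSString *HexString(NSData *data) {
    NSMutableString *hex = [NSMutableString stringWithCapacity:data.length * 2];
    const unsigned char *bytes = data.bytes;
    for (NSUInteger i = 0; i < data.length; i++) {
        [hex appendFormat:@"%02x", bytes[i]];
    }
    return hex;
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        if (argc != 2) { fprintf(stderr, "usage: %s cert.der\n", argv[0]); return 1; }
        NSData *der = [NSData dataWithContentsOfFile:@(argv[1])];
        SecCertificateRef cert = der ? SecCertificateCreateWithData(NULL, (__bridge CFDataRef)der) : NULL;
        if (cert == NULL) { fprintf(stderr, "not a DER certificate\n"); return 1; }
        NSData *hash = PublicKeyHashForCertificate(cert);
        CFRelease(cert);
        if (hash == nil) { fprintf(stderr, "could not hash public key\n"); return 1; }
        printf("%s\n", HexString(hash).UTF8String);
    }
    return 0;
}
```

A SecCertificateRef taken from the kSecCodeInfoCertificates array in the question's code can be passed straight to PublicKeyHashForCertificate; the 10.12 requirement comes entirely from SecKeyCopyExternalRepresentation.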

Hi eskimo,


Thank you for your answer.


Yes, I work with OS X.


I found this API, SecKeyCopyExternalRepresentation, in the 10.12 SDK, and it is declared as supported from 10.12.

But our program needs to support older OS X versions, such as 10.9/10.10/10.11.


So I think I can't use this API.


Is there any other API for this that supports older OS X versions?


Thank you very much!

Is there any other API for this that supports older OS X versions?

I think you can do this by getting the CSSM key from the SecKey (SecKeyGetCSSMKey) and then calling the CSSM APIs (those APIs are deprecated, but that doesn’t matter because you’ll only be using them on older OS releases where you know they’ll keep working). However, I don’t have enough experience with CSSM APIs to know for sure whether this will work, or to offer you any advice on the path you’d take.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi eskimo,


Thank you, I will try these CSSM APIs.

Thank you very much!