SecCertificate data access

Hi. I'm working on a security-related Swift application, and I need some info from certificates stored in SecIdentities. Although I can access the SecCertificate to extract some info (serial number, common name, subject name), I can't find any example function (or OS X API documentation) for extracting other data, like validity dates (from/until), the DER-encoded public key, certificate usage policies, etc.


I'm using Xcode 8.2.1 (Swift 3.0.2).


Thank you in advance.

Accepted Reply

You can use SecCertificateCopyValues on your SecCertificate to extract all of the values in it as a CFDictionary. You can then use the values in SecCertificateOIDs.h to look up individual attributes if you like.


Here I exported a copy of the WWDR CA certificate to my Desktop, read it in as Data, and simply dump it out with a Swift Playground.

import Foundation
import Security

let fileURL = URL(fileURLWithPath: "/Users/joshwisenbaker/Desktop/Apple Worldwide Developer Relations Certification Authority.cer")
let certificateData = try Data(contentsOf: fileURL)
// SecCertificateCreateWithData returns nil if the bytes are not a valid DER certificate, hence the force unwrap below
let certificate = SecCertificateCreateWithData(nil, certificateData as CFData)
let values = SecCertificateCopyValues(certificate!, nil, nil) as! [String: Any]
print(values)

Values:

["2.16.840.1.113741.2.1.3.2.1": {
    label = "Signature Algorithm";
    "localized label" = "Signature Algorithm";
    type = section;
    value =     (
                {
            label = Algorithm;
            "localized label" = Algorithm;
            type = string;
            value = "1.2.840.113549.1.1.5";
        },
                {
            label = Parameters;
            "localized label" = Parameters;
            type = string;
            value = none;
        }
    );
}, "Fingerprints": {
    label = Fingerprints;
    "localized label" = Fingerprints;
    type = section;
    value =     (
                {
            label = "SHA-256";
            "localized label" = "SHA-256";
            type = data;
            value = <ce057691 d730f89c a25e916f 7335f4c8 a15713dc d273a658 c024023f 8eb809c2>;
        },
                {
            label = "SHA-1";
            "localized label" = "SHA-1";
            type = data;
            value = <ff679779 3a3cd798 dc5b2abe f56f73ed c9f83a64>;
        }
    );
}, "2.5.4.3": {
    label = CN;
    "localized label" = CN;
    type = array;
    value =     (
        "Apple Worldwide Developer Relations Certification Authority"
    );
}, "2.16.840.1.113741.2.1.1.1.7": {
    label = "Not Valid After";
    "localized label" = "Not Valid After";
    type = number;
    value = 697499327;
}, "2.5.29.35": {
    label = "2.5.29.35";
    "localized label" = "2.5.29.35";
    type = section;
    value =     (
                {
            label = Critical;
            "localized label" = Critical;
            type = string;
            value = No;
        },
                {
            label = "Key Identifier";
            "localized label" = "Key Identifier";
            type = data;
            value = <2bd06947 947609fe f46b8d2e 40a6f747 4d7f085e>;
        }
    );
}, "2.16.840.1.113741.2.1.1.1.6": {
    label = "Not Valid Before";
    "localized label" = "Not Valid Before";
    type = number;
    value = 381966527;
}, "2.16.840.1.113741.2.1.1.1.5": {
    label = "Issuer Name";
    "localized label" = "Issuer Name";
    type = section;
    value =     (
                {
            label = "2.5.4.6";
            "localized label" = "2.5.4.6";
            type = string;
            value = US;
        },
                {
            label = "2.5.4.10";
            "localized label" = "2.5.4.10";
            type = string;
            value = "Apple Inc.";
        },
                {
            label = "2.5.4.11";
            "localized label" = "2.5.4.11";
            type = string;
            value = "Apple Certification Authority";
        },
                {
            label = "2.5.4.3";
            "localized label" = "2.5.4.3";
            type = string;
            value = "Apple Root CA";
        }
    );
}, "1.2.840.113635.100.6.2.1": {
    label = "1.2.840.113635.100.6.2.1";
    "localized label" = "1.2.840.113635.100.6.2.1";
    type = section;
    value =     (
                {
            label = Critical;
            "localized label" = Critical;
            type = string;
            value = No;
        },
                {
            label = "Unparsed Data";
            "localized label" = "Unparsed Data";
            type = data;
            value = <0500>;
        }
    );
}, "2.5.29.14": {
    label = "2.5.29.14";
    "localized label" = "2.5.29.14";
    type = section;
    value =     (
                {
            label = Critical;
            "localized label" = Critical;
            type = string;
            value = No;
        },
                {
            label = "Key Identifier";
            "localized label" = "Key Identifier";
            type = data;
            value = <88271709 a9b61860 8becebba f64759c5 5254a3b7>;
        }
    );
}, "2.16.840.1.113741.2.1.1.1.8": {
    label = "Subject Name";
    "localized label" = "Subject Name";
    type = section;
    value =     (
                {
            label = "2.5.4.6";
            "localized label" = "2.5.4.6";
            type = string;
            value = US;
        },
                {
            label = "2.5.4.10";
            "localized label" = "2.5.4.10";
            type = string;
            value = "Apple Inc.";
        },
                {
            label = "2.5.4.11";
            "localized label" = "2.5.4.11";
            type = string;
            value = "Apple Worldwide Developer Relations";
        },
                {
            label = "2.5.4.3";
            "localized label" = "2.5.4.3";
            type = string;
            value = "Apple Worldwide Developer Relations Certification Authority";
        }
    );
}, "2.16.840.1.113741.2.1.1.1.2": {
    label = Version;
    "localized label" = Version;
    type = string;
    value = 3;
}, "2.16.840.1.113741.2.1.3.2.2": {
    label = Signature;
    "localized label" = Signature;
    type = data;
    value = <4fcfef59 be2cf5b2 6c2f8fee 138732e8 0535a86e 8b7dc969 0cb9d917 bc772cd4 67e2fd9a 6d3a595c df8301bd b2ae2a61 72b1afcd c345308f a3830dce 1d47b4f1 938aa374 9ba4c398 72873b3e af450b92 54b932bb 9018536b 0a4e10b6 d91d506c 21800a89 4e578c6b 5b3c3da6 fddef70d 231d0b4a 26873fba 91924ca4 1912196d 57f57a58 877b688a e4868c4a ebe24914 aaa5dd55 00a9aebb 4b30aee1 a0b1bc29 80e60977 e5be34a2 01ca7fdc e20ae63b b8bbecba 6295f305 634182cd 0f3b1d4c 95a4dbab f9c995e9 4fe44de7 269981e9 bcf9b429 d2017a66 e12e8cf6 218ac5f8 78e181ae bfd3909d a9adf3af fd381a96 67301c51 a55cec71 8a82b46c 0f0c151f>;
}, "2.5.29.24": {
    label = Expires;
    "localized label" = Expires;
    type = date;
    value = "2023-02-07 21:48:47 +0000";
}, "2.16.840.1.113741.2.1.1.1.10": {
    label = "Public Key Data";
    "localized label" = "Public Key Data";
    type = data;
    value = <3082010a 02820101 00ca3854 a6cb56aa c8243948 e98ceeec 5fb87f26 91bc3453 7ace7c63 80617764 5ea50723 b639fe50 2d155658 702d7ec4 6ec14a85 3e2ff0de 841aa157 c9af7b18 ff6afa15 12491508 19acaadb 2a32ed96 63685215 3d8c8aec bf6b1895 e003ac01 7d970567 ce0e8595 376aed09 b6ae67cd 51649fc6 5cd1bc57 6e673580 7636a487 816e388f d82b154e 7b25d85a bf4e83c1 8dd293d5 1a71b560 9c9d334e 55f91258 0c86b816 0dc1e577 458d5048 ba2b2de4 9485e1e8 c49dc668 a5b0a3fc 677e70ba 02594b77 429139b9 f5cde14c efc03b48 8ca6e521 5dfd6a6a bba71635 60d2e6ad f34629c9 e8c38be9 79c06a61 6715b2f0 fde568bc 625f6ecf 99ddef1b 63fe9265 ab020301 0001>;
}, "2.5.29.31": {
    label = "2.5.29.31";
    "localized label" = "2.5.29.31";
    type = section;
    value =     (
                {
            label = Critical;
            "localized label" = Critical;
            type = string;
            value = No;
        },
                {
            label = URI;
            "localized label" = URI;
            type = url;
            value = "http://crl.apple.com/root.crl";
        }
    );
}, "2.16.840.1.113741.2.1.1.1.9": {
    label = "Public Key Algorithm";
    "localized label" = "Public Key Algorithm";
    type = section;
    value =     (
                {
            label = Algorithm;
            "localized label" = Algorithm;
            type = string;
            value = "1.2.840.113549.1.1.1";
        },
                {
            label = Parameters;
            "localized label" = Parameters;
            type = string;
            value = none;
        }
    );
}, "2.5.29.15": {
    label = "Key Usage";
    "localized label" = "Key Usage";
    type = number;
    value = "-2147483551";
}, "2.16.840.1.113741.2.1.1.1.3": {
    label = "Serial Number";
    "localized label" = "Serial Number";
    type = string;
    value = 134752589830791184;
}, "2.5.29.19": {
    label = "2.5.29.19";
    "localized label" = "2.5.29.19";
    type = section;
    value =     (
                {
            label = Critical;
            "localized label" = Critical;
            type = string;
            value = Yes;
        },
                {
            label = "Certificate Authority";
            "localized label" = "Certificate Authority";
            type = string;
            value = Yes;
        }
    );
}]
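As an added example (not code from the thread or from Apple), here is how to pull the specific fields the question asks for out of the SecCertificateCopyValues dictionary using the OID constants from SecCertificateOIDs.h, and how to read the raw numbers that appear in the dump above. The certificate path is a placeholder, and the shape of the extended-key-usage entries (purpose OID as a string) is an assumption; everything else follows the dump.

```swift
import Foundation
import Security

// Key-usage bit masks in the RFC 5280 bit order the framework uses for the number it stores
// under kSecOIDKeyUsage; the sign bit (1 << 31) is the framework's "extension is critical" flag.
let kuDigitalSignature: UInt32 = 1 << 0
let kuKeyCertSign: UInt32 = 1 << 5
let kuCRLSign: UInt32 = 1 << 6
let kuCritical: UInt32 = 1 << 31

/// The "value" entry of one top-level property, addressed by its OID constant from SecCertificateOIDs.h.
func propertyValue(_ values: [String: [String: Any]], _ oid: CFString) -> Any? {
    return values[oid as String]?[kSecPropertyKeyValue as String]
}

func inspectCertificate(at path: String) throws {
    let data = try Data(contentsOf: URL(fileURLWithPath: path))
    guard let cert = SecCertificateCreateWithData(nil, data as CFData) else {
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(errSecDecode), userInfo: nil)
    }
    // Ask only for the properties we need; passing nil returns everything, as in the dump above.
    let wanted = [kSecOIDX509V1ValidityNotBefore, kSecOIDX509V1ValidityNotAfter,
                  kSecOIDX509V1SubjectPublicKey, kSecOIDKeyUsage, kSecOIDExtendedKeyUsage] as CFArray
    var error: Unmanaged<CFError>?
    guard let values = SecCertificateCopyValues(cert, wanted, &error) as? [String: [String: Any]] else {
        throw error!.takeRetainedValue()
    }
    // Validity: "type = number" entries are CFAbsoluteTime, seconds since 2001-01-01 00:00:00 UTC.
    // In the dump above, 697499327 is the same instant as the "Expires" date 2023-02-07 21:48:47 +0000.
    if let notBefore = propertyValue(values, kSecOIDX509V1ValidityNotBefore) as? Double,
       let notAfter = propertyValue(values, kSecOIDX509V1ValidityNotAfter) as? Double {
        let from = Date(timeIntervalSinceReferenceDate: notBefore)
        let until = Date(timeIntervalSinceReferenceDate: notAfter)
        let now = Date()
        let state = (from <= now && now <= until) ? "inside" : "OUTSIDE"
        print("valid from \(from) until \(until); now is \(state) that window")
    }
    // Public key: the bytes are the DER RSAPublicKey SEQUENCE { modulus, exponent } (the dump starts
    // 30 82 01 0a 02 82 01 01 and ends 02 03 01 00 01), not the outer SubjectPublicKeyInfo.
    if let spk = propertyValue(values, kSecOIDX509V1SubjectPublicKey) as? Data {
        let header = spk.prefix(4).map { String(format: "%02x", $0) }.joined()
        print("DER public key: \(spk.count) bytes, header \(header)")
    }
    // Key usage: a signed 32-bit number. The dump's -2147483551 is 0x80000061: critical, with
    // digitalSignature + keyCertSign + cRLSign, the usual set for a CA certificate.
    if let ku = propertyValue(values, kSecOIDKeyUsage) as? Int {
        let bits = UInt32(truncatingIfNeeded: ku)
        print("keyUsage critical=\(bits & kuCritical != 0) keyCertSign=\(bits & kuKeyCertSign != 0) " +
              "cRLSign=\(bits & kuCRLSign != 0) digitalSignature=\(bits & kuDigitalSignature != 0)")
    }
    // Extended key usage is a section: an array of {label, value} entries, one "Critical" entry plus one
    // per purpose (assumed here to carry the purpose OID as a string); the CA certificate above has none.
    if let eku = propertyValue(values, kSecOIDExtendedKeyUsage) as? [[String: Any]] {
        let purposes = eku.filter { ($0[kSecPropertyKeyLabel as String] as? String) != "Critical" }
                          .compactMap { $0[kSecPropertyKeyValue as String] as? String }
        print("extendedKeyUsage: \(purposes)")
    }
}

try inspectCertificate(at: "/path/to/certificate.cer")   // placeholder path
```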

Replies

Thank you, that helped me a lot.

SecCertificateCopyValues is only available on macOS! How do you do the same on iOS? Why hasn't Apple matched the API between iOS and macOS?

SecCertificateCopyValues is only available on macOS!

Correct )-:

How do you do the same on iOS?

iOS does not have a general-purpose mechanism for delving into certificates. There are, however, some special-purpose APIs, such as SecCertificateCopySubjectSummary. If you can post details about the specific info you’re looking for, I can offer more details here.

Why hasn't Apple matched the API between iOS and macOS?

I can’t answer why questions. However, if you’d like to see this change in the future, I encourage you to file an enhancement request describing your requirements. Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

  • @eskimo, how can we read a few values? To be specific, how do we read the Organization Name on iOS?


how to read Organization Name on iOS?

[I’m presuming you want the organisation name of the certificate’s subject, that is, the field with the OID 2.5.4.10.]

As I mentioned earlier, iOS does not have a general-purpose mechanism for delving into certificates but it does have some APIs for getting specific values. Unfortunately, the organisation name of the subject isn’t one of them. If you need that on current systems, you’ll have to write or acquire your own certificate parsing library.

And, again, if you’d like to see better support for this in the future, I encourage you to file an enhancement request describing your requirements.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@eskimo I want to get the extendedKeyUsage value from the certificate. Has anything new come up for iOS? If not, what is another way to extract it?
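Since the replies above say that on iOS you have to parse the certificate yourself, here is an added example (not from the thread or from Apple) of a minimal DER walker that pulls the two things asked for in this thread, the subject Organization (OID 2.5.4.10) and the extendedKeyUsage purposes (OID 2.5.29.37), straight out of the certificate bytes. It assumes DER input such as the bytes returned by SecCertificateCopyData, and handles only the common encodings (no BMPString/T61String subject values, no length fields longer than 4 bytes).

```swift
import Foundation

/// One DER TLV element. Lengths up to 4 bytes are handled; indefinite length is not valid DER.
struct DER {
    let tag: UInt8; let body: Data
    /// Read the element starting at `index`, returning it with the index just past it, or nil if malformed.
    static func read(_ d: Data, at index: Int) -> (element: DER, next: Int)? {
        var i = index
        guard i + 2 <= d.endIndex else { return nil }
        let tag = d[i]; i += 1
        var len = Int(d[i]); i += 1
        if len & 0x80 != 0 {                                      // long form: 0x8N, then N length bytes
            let n = len & 0x7f
            guard n >= 1, n <= 4, i + n <= d.endIndex else { return nil }
            len = 0
            for _ in 0..<n { len = len << 8 | Int(d[i]); i += 1 }
        }
        guard i + len <= d.endIndex else { return nil }
        return (DER(tag: tag, body: d.subdata(in: i..<(i + len))), i + len)
    }
    /// Children of a constructed element (SEQUENCE, SET, or an explicit [n] tag).
    var children: [DER] {
        var out: [DER] = []; var i = body.startIndex
        while i < body.endIndex, let r = DER.read(body, at: i) { out.append(r.element); i = r.next }
        return out
    }
}

/// Decode OID content bytes to dotted form, e.g. 55 1d 25 -> "2.5.29.37".
func oidString(_ b: Data) -> String {
    var arcs: [Int] = []; var v = 0
    for byte in b {
        v = v << 7 | Int(byte & 0x7f)
        if byte & 0x80 == 0 {                                        // last byte of this arc
            if arcs.isEmpty { arcs = v < 80 ? [v / 40, v % 40] : [2, v - 80] } else { arcs.append(v) }
            v = 0
        }
    }
    return arcs.map { String($0) }.joined(separator: ".")
}

/// Subject Organization (OID 2.5.4.10) and extendedKeyUsage purposes (OID 2.5.29.37) from a DER certificate.
func inspect(_ der: Data) -> (organization: String?, extendedKeyUsage: [String])? {
    guard let cert = DER.read(der, at: der.startIndex)?.element, cert.tag == 0x30,
          let tbs = cert.children.first, tbs.tag == 0x30 else { return nil }
    var fields = tbs.children
    if fields.first?.tag == 0xa0 { fields.removeFirst() }           // optional [0] EXPLICIT version
    guard fields.count >= 5 else { return nil }                      // serial, sigAlg, issuer, validity, subject, ...
    // Name = SEQUENCE OF SET OF SEQUENCE { OID, value }; take the attribute whose OID is 2.5.4.10.
    // PrintableString and UTF8String both decode as UTF-8; BMPString/T61String values would need more work.
    let org = fields[4].children.flatMap { $0.children }
        .first { $0.children.first?.body == Data([0x55, 0x04, 0x0a]) }?.children.last
        .flatMap { String(data: $0.body, encoding: .utf8) }
    // Extensions = [3] EXPLICIT SEQUENCE OF { OID, [critical], OCTET STRING }; the EKU OCTET STRING
    // wraps a SEQUENCE OF OID, one per purpose (1.3.6.1.5.5.7.3.1 = serverAuth, ...3.2 = clientAuth).
    let ekus = (fields.first { $0.tag == 0xa3 }?.children.first?.children ?? [])
        .filter { $0.children.first?.body == Data([0x55, 0x1d, 0x25]) }
        .flatMap { ext in ext.children.last.flatMap { octet in DER.read(octet.body, at: 0)?.element.children } ?? [] }
        .map { oidString($0.body) }
    return (org, ekus)
}
```

Feed it `SecCertificateCopyData(certificate) as Data`; a nil result means the bytes did not parse as an X.509 certificate, and an empty purposes array means the certificate carries no extendedKeyUsage extension.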