extract expiration date from p12 data

Hey,
I seriously need help with the Apple Security framework.

I got p12 data which I load as a SecKeyRef to decode encoded data received from the server.

The decoding works great.

My main goal is to extract the expiration data of the certificate and in case the private key is expired - raise an exception.

I'm trying to extract the expiration data from the SecKeyRef but I'm not sure how to do that. I read all the documentation on the Security framework but still couldn't manage.

Attached also is my question which I posted on Stack Overflow.

http://stackoverflow.com/questions/32548710/ios-security-framework-p12-and-expeiration-date


Here is my code which loads the p12 data. If anyone can show me how to validate the expiration date and raise an exception it will be very helpful 🙂


-(BOOL)setP12Data:(NSData*)data pass:(NSString*)pass {

    NSMutableDictionary * options = [[NSMutableDictionary alloc] init];

    SecKeyRef privateKeyRef = NULL;

    // Passphrase that protects the PKCS#12 data.
    [options setObject:pass forKey:(__bridge id)kSecImportExportPassphrase];

    // SecPKCS12Import returns a new array here, so start from NULL rather than
    // from a CFArrayCreate() result that would be overwritten and leaked.
    CFArrayRef items = NULL;

    OSStatus securityError = SecPKCS12Import((__bridge CFDataRef) data,
                                             (__bridge CFDictionaryRef)options, &items);

    if (securityError == noErr && CFArrayGetCount(items) > 0) {
        // The first item holds the digital identity (private key plus certificate).
        CFDictionaryRef identityDict = CFArrayGetValueAtIndex(items, 0);
        SecIdentityRef identityApp =
        (SecIdentityRef)CFDictionaryGetValue(identityDict,
                                             kSecImportItemIdentity);
        securityError = SecIdentityCopyPrivateKey(identityApp, &privateKeyRef);
        if (securityError != noErr) {
            privateKeyRef = NULL;
        }
    }
    // Release the imported items, if the import produced any.
    if (items != NULL) {
        CFRelease(items);
    }
    self.privateKeyRef =  privateKeyRef;
    return privateKeyRef != NULL;
}



Thanks!

Replies

Private keys don’t have an expiry date. I think you’re looking for the ‘not after’ date in the certificate that’s part of the digital identity in the PKCS#12. You can get that certificate by calling SecIdentityCopyCertificate in the place you’re currently calling SecIdentityCopyPrivateKey.

From there things get trickier. iOS does not have a ‘get certificate expiry date’ API (on OS X you can use SecCertificateCopyValues but that’s not available on iOS). Your only option is to get the certificate data (SecCertificateCopyData) and use some third-party library to parse that data to extract the ‘not after’ value.

If you'd like to see better API support for this added in the future, I encourage you to file an enhancement request describing your requirements. While we may have seen similar requests many times before, a fresh bug report will allow you to express your needs in your own terms, and allow iOS engineering to gauge the level of demand.

Please post your bug number, just for the record.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
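
As an added illustration of the parsing step described in the reply above (not code from the thread or from Apple), here is a minimal hand-written DER walker in plain C, callable from Objective-C, that stands in for a third-party library and reads only the 'not after' field from the bytes returned by SecCertificateCopyData. The names tlv, cert_expired and SAMPLE_DER are hypothetical, the sample bytes are constructed, and the code checks dates only: it does not verify the signature or the trust chain.

```c
#include <stddef.h>
#include <string.h>
/* Read a DER tag and length at *p, leaving *p at the value. Returns the tag, -1 if malformed. */
static int tlv(const unsigned char **p, const unsigned char *end, size_t *len) {
    if (end - *p < 2) return -1;
    int tag = *(*p)++;
    size_t n = *(*p)++, k = n & 0x7f;
    if (n & 0x80) {                                  /* long form: k length bytes follow */
        if (k == 0 || k > 4 || (size_t)(end - *p) < k) return -1;
        for (n = 0; k > 0; k--) n = (n << 8) | *(*p)++;
    }
    *len = n;
    return (size_t)(end - *p) < n ? -1 : tag;        /* the value must fit in the buffer */
}

/* Writes notAfter as "YYYYMMDDHHMMSS" (UTC) into out; 1 = expired, 0 = not, -1 = malformed. */
int cert_expired(const unsigned char *der, size_t n, const char *now_utc, char out[15]) {
    const unsigned char *p = der, *end = der + n;
    size_t len;
    for (int i = 0; i < 2; i++) {                    /* enter Certificate, then TBSCertificate */
        if (tlv(&p, end, &len) != 0x30) return -1;
        end = p + len;
    }
    int tag = tlv(&p, end, &len);
    if (tag == 0xA0) { p += len; tag = tlv(&p, end, &len); }   /* optional [0] version */
    if (tag != 0x02) return -1;                      /* serialNumber */
    for (int i = 0; i < 3; i++) {                    /* signature, issuer, then enter validity */
        p += len;
        if (tlv(&p, end, &len) != 0x30) return -1;
    }
    end = p + len;
    tag = tlv(&p, end, &len);                        /* notBefore */
    if (tag != 0x17 && tag != 0x18) return -1;
    p += len;
    tag = tlv(&p, end, &len);                        /* notAfter */
    if (tag == 0x17 && len == 13 && p[12] == 'Z') {  /* UTCTime YYMMDDHHMMSSZ */
        memcpy(out, p[0] >= '5' ? "19" : "20", 2);   /* RFC 5280: YY >= 50 means 19YY */
        memcpy(out + 2, p, 12);
    } else if (tag == 0x18 && len == 15 && p[14] == 'Z') {     /* GeneralizedTime */
        memcpy(out, p, 14);
    } else return -1;
    out[14] = '\0';
    return strcmp(now_utc, out) > 0;                 /* fixed-width digits sort as dates */
}

/* Constructed bytes, not a real certificate; notAfter is 160912235959Z. Length: sizeof - 1. */
static const unsigned char SAMPLE_DER[] = "\x30\x2E\x30\x2C\xA0\x03\x02\x01\x02\x02\x01\x01"
    "\x30\x00\x30\x00\x30\x1E\x17\x0D" "150913000000Z" "\x17\x0D" "160912235959Z";
```

On iOS the input would come from CFDataGetBytePtr and CFDataGetLength on the SecCertificateCopyData result, and now_utc can be produced with gmtime and strftime using "%Y%m%d%H%M%S".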

Four and a half years later I'm in the same situation. In my iOS app I need to show a certificate's expiry date to the user. I have opened a feedback for it: FB7709681. I hope SecCertificateCopyValues is made available in iOS.