We use our app to generate a certificate signing request and recently migrated from using the OpenSSL library functions to Apple's native crypto functions. We based our code off https://github.com/ateska/ios-csr/blob/master/SCCSR.m. This works perfectly fine on macOS 10.15, the version on which the app was developed. Strangely, it works on macOS 10.8 as well. On all the versions from 10.9 to 10.14, if we do an OpenSSL verify (openssl req -in req.csr -noout -text -verify), we get

error:04091068:rsa routines:INT_RSA_VERIFY:bad signature:rsa_sign.c:278
error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:218

This means our certificate request is rejected on all the above-mentioned versions.
We suspected it might be the SecKeyRawSign function, but after looking at the key and the digest, we realised that the signature was correct and the problem was with the hash itself on these OS versions. We were trying to figure out if this was a known issue with these versions or if we are doing something wrong.
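
Added example, not part of the original post and not code from SCCSR.m: a way to tell "the RSA signing step is wrong" apart from "the digest that was signed is wrong", which is the distinction the post draws. It applies the RSA public operation to the signature, unwraps the PKCS#1 v1.5 block, and compares the embedded digest with a fresh hash of the signed bytes. The function names, the demo key, the `TBS` placeholder bytes, and `raw_sign` (a stand-in for a signer that is handed a precomputed digest) are all assumptions made for illustration.

```python
import hashlib

# DigestInfo DER prefixes for PKCS#1 v1.5 signatures (RFC 8017, section 9.2)
PREFIX = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}
# Constructed demo key, NOT secure: publicly known primes, 511-bit modulus
P, Q, E = 2**255 - 19, 2**256 - 189, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def recover_digest(sig, n, e):
    """RSA public operation, then unwrap 00 01 FF..FF 00 || DigestInfo."""
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    ps, sep, t = em[2:].partition(b"\x00")
    if em[:2] != b"\x00\x01" or not sep or len(ps) < 8 or ps.strip(b"\xff"):
        return None  # padding malformed: wrong key or broken signing step
    for name, prefix in PREFIX.items():
        if t.startswith(prefix) and len(t) == len(prefix) + hashlib.new(name).digest_size:
            return name, t[len(prefix):]
    return None

def diagnose(tbs, sig, n, e):
    """Classify a signature over tbs (the DER bytes that were meant to be hashed)."""
    got = recover_digest(sig, n, e)
    if got is None:
        return "bad-signature-block"
    name, digest = got
    return "ok" if digest == hashlib.new(name, tbs).digest() else "digest-mismatch"

def raw_sign(digest, name="sha1"):
    """Hypothetical raw signer: pads a caller-supplied digest and signs it."""
    k = (N.bit_length() + 7) // 8
    t = PREFIX[name] + digest
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(k, "big")

# Constructed placeholder standing in for the CertificationRequestInfo DER bytes
TBS = bytes.fromhex("3003020100")
if __name__ == "__main__":
    print(diagnose(TBS, raw_sign(hashlib.sha1(TBS).digest()), N, E))
    # Digest computed over a different byte range (constructed failure case)
    print(diagnose(TBS, raw_sign(hashlib.sha1(TBS[2:]).digest()), N, E))
```

A `digest-mismatch` result means the signing and padding are sound and the bytes that were hashed differ from the bytes the verifier hashes; `bad-signature-block` points at the key or the signing call instead.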