2 Replies
      Latest reply on May 21, 2020 10:10 AM by prathameshk
      rorlich Level 1 Level 1 (0 points)

        I need seriously help with apple security framework.

        i got p12 data which i load as SecKeyRef to decode encoded data recevied from the server.

        the decoding works great.

        my main goal is to extract the expiration data of the certifcate and in case the private key is expired - raise an exception.


        i'm trying to extract the expiration data from the SecKeyRef but not sure how to do that.. i read all the documentation on the security framework but still coudln't manage..


        attached also my question which i post on Stackoverflow.



        Here is my code which load the p12 data. if anyone can show me how to validate the expiration date and raise an exception it will be very helpful


        -(BOOL)setP12Data:(NSData*)data pass:(NSString*)pass {
            NSMutableDictionary * options = [[NSMutableDictionary alloc] init];
            SecKeyRef privateKeyRef = NULL;
            [options setObject:pass forKey:(__bridge id)kSecImportExportPassphrase];
            CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL);
            OSStatus securityError = SecPKCS12Import((__bridge CFDataRef) data,
                                                     (__bridge CFDictionaryRef)options, &items);
            if (securityError == noErr && CFArrayGetCount(items) > 0) {
                CFDictionaryRef identityDict = CFArrayGetValueAtIndex(items, 0);
                SecIdentityRef identityApp =
                securityError = SecIdentityCopyPrivateKey(identityApp, &privateKeyRef);
                if (securityError != noErr) {
                    privateKeyRef = NULL;
            self.privateKeyRef =  privateKeyRef;
            return privateKeyRef != nil;




        • Re: extract expiration date from p12 data
          eskimo Apple Staff Apple Staff (13,885 points)

          Private keys don’t have an expiry date.  I think you’re looking for the ‘not after’ date in the certificate that’s part of the digital identity in the PKCS#12.  You can get that certificate by calling SecIdentityCopyCertificate in the place you’re currently calling SecIdentityCopyPrivateKey.

          From there things get trickier.  iOS does not have a ‘get certificate expiry date’ API (on OS X you can use SecCertificateCopyValues but that’s not available on iOS).  Your only option is to get the certificate data (SecCertificateCopyData) and use some third-party library to parse that data to extract the ‘not after’ value.

          If you'd like to see better API support for this added in the future, I encourage you to file an enhancement request describing your requirements.  While we may have seen similar requests many times before, a fresh bug report will allow you to express your needs in your own terms, and allow iOS engineering to gauge the level of demand.

          Please post your bug number, just for the record.

          Share and Enjoy

          Quinn "The Eskimo!"
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"