
Documentation for generating kCertTemplate value #11

Open
cmsj opened this issue Jul 28, 2015 · 1 comment


cmsj commented Jul 28, 2015

Hey

Thanks for this repo - it's the only place I've been able to find code that can generate a self-signed certificate without using loads of deprecated CDSA/OpenSSL APIs!

One thing I am trying to figure out, though, is how to replace kCertTemplate with my own certificate template. Mainly I would like to do this so that my certs can appear in the Keychain with a name relating to my own app (Hammerspoon), rather than "Anonymous".

I generated myself a CA and then created/signed a certificate from that, did the hexdump and replaced the contents of kCertTemplate with the first 499 bytes of my certificate, but SecItemAdd() returns an error that the certificate format is invalid.

My suspicion is that this is because the various kFooOffset values in MYAnonymousIdentity.m are hard-coded for the particular certificate you generated.

So, I was wondering if it would be possible to get some more information about how you generated the template certificate and figured out those offsets.

(I did also attempt to use the MyCrypto code to generate a certificate completely from scratch, but it seemed like a pretty large amount of code to drop into a tiny plugin that happens to need a self-signed certificate!)


cmsj commented Jul 28, 2015

I continued to bash my head against this, and figured out how to easily regenerate the cert template and offset values. Still might be handy to document somehow, to help folk figure this out:

$ cat openssl.conf
default_days=365
default_md=sha256

[req]
default_bits=2048
prompt=no
encrypt_key=no
distinguished_name=req_distinguished_name
x509_extensions=req_x509v3_extensions

[req_distinguished_name]
CN=Hammerspoon Remote
C=US

[req_x509v3_extensions]
keyUsage=critical,digitalSignature
extendedKeyUsage=critical,clientAuth,serverAuth
$

# Generate a self-signed DER certificate from the config above; the throwaway
# private key that `req -newkey` writes to stdout is discarded.
openssl req -x509 -newkey rsa:2048 -outform DER -out cert.cer -config openssl.conf -set_serial 106 >/dev/null
# Dump the ASN.1 structure; each line starts with the byte offset of that element's tag.
openssl asn1parse -inform DER -in cert.cer -dump -i >cert.cer.asn1

INCLUDE_FILE="certTemplate.h"
> ${INCLUDE_FILE}

# The offsets point at the first byte of each value, so skip the 1-byte tag and
# 1-byte length (+2). The first INTEGER is the version, the second is the serial.
SERIAL_OFFSET=$(( 2 + $(grep INTEGER cert.cer.asn1 | sed -n 2p | sed -e 's/:.*//') ))
ISSUED_OFFSET=$(( 2 + $(grep UTCTIME cert.cer.asn1 | sed -n 1p | sed -e 's/:.*//') ))
EXPIRY_OFFSET=$(( 2 + $(grep UTCTIME cert.cer.asn1 | sed -n 2p | sed -e 's/:.*//') ))
# The public key BIT STRING (2048-bit RSA) has a 3-byte long-form length plus an
# unused-bits byte after the tag, hence +5.
PUBKEY_OFFSET=$(( 5 + $(grep "BIT STRING" cert.cer.asn1 | sed -n 1p | sed -e 's/:.*//') ))
# Offset of the second BIT STRING (the signature), i.e. the number of bytes that precede it.
CSR_LENGTH=$(grep "BIT STRING" cert.cer.asn1 | sed -n 2p | sed -e 's/:.*//')

echo "#define kSerialOffset    ${SERIAL_OFFSET}" >>${INCLUDE_FILE}
echo "#define kIssueDateOffset ${ISSUED_OFFSET}" >>${INCLUDE_FILE}
echo "#define kExpDateOffset   ${EXPIRY_OFFSET}" >>${INCLUDE_FILE}
echo "#define kPublicKeyOffset ${PUBKEY_OFFSET}" >>${INCLUDE_FILE}
echo "#define kCSRLength       ${CSR_LENGTH}u" >>${INCLUDE_FILE}

echo "" >>${INCLUDE_FILE}

# `x509 -C` emits the DER bytes as a C array; keep only the certificate array and rename it.
openssl x509 -C -inform DER -in cert.cer -noout | sed -n '/XXX_certificate/,$p' | sed -e 's/unsigned char XXX_certificate/static uint8_t const kCertTemplate/' >>${INCLUDE_FILE}

rm cert.cer
rm cert.cer.asn1

(Edit: and if anyone wants to see my fork of MYAnonymousIdentity with its MYUtilities dependencies removed, and the script/config/code I'm using, see: https://github.com/Hammerspoon/hammerspoon/tree/master/extensions/httpserver )
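The offset arithmetic from the script above, generalised into a proper DER walk as an added example (not code from the issue or from MYAnonymousIdentity): it derives the same five values by the script's convention (value start for serial and dates, first byte after the unused-bits byte for the public key, signature BIT STRING offset for kCSRLength) from the parsed tag/length headers, so it also copes with long-form lengths instead of the hard-coded +2/+5. `sample_cert()` is a constructed, unsigned X.509-shaped blob with placeholder key and signature bytes, not a real certificate.

```python
# Added example (not from the issue or MYAnonymousIdentity): derive the kCertTemplate
# offsets by walking the certificate's DER TLVs instead of grepping asn1parse output.
def tlv(tag, body):
    """DER-encode one tag/length/value triple (short- or long-form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def children(buf, pos):
    """Yield (offset, tag, header_len, body_len) for each element inside the TLV at pos."""
    def hdr(p):  # decode the tag and length bytes of the TLV starting at p
        first = buf[p + 1]
        if first < 0x80:
            return buf[p], 2, first
        n = first & 0x7F
        return buf[p], 2 + n, int.from_bytes(buf[p + 2:p + 2 + n], "big")
    _, h, b = hdr(pos)
    p, end = pos + h, pos + h + b
    while p < end:
        t, h, b = hdr(p)
        yield p, t, h, b
        p += h + b

def template_offsets(cert):
    """Return the five values the issue's script writes to certTemplate.h, same convention."""
    tbs, _sig_alg, sig = list(children(cert, 0))
    fields = list(children(cert, tbs[0]))
    if fields[0][1] == 0xA0:                             # optional [0] EXPLICIT version
        fields = fields[1:]
    serial, validity, spki = fields[0], fields[3], fields[5]
    not_before, not_after = list(children(cert, validity[0]))
    pubkey = list(children(cert, spki[0]))[1]            # BIT STRING after the algorithm id
    return {
        "kSerialOffset": serial[0] + serial[2],          # first byte of the INTEGER value
        "kIssueDateOffset": not_before[0] + not_before[2],
        "kExpDateOffset": not_after[0] + not_after[2],
        "kPublicKeyOffset": pubkey[0] + pubkey[2] + 1,   # +1 skips the unused-bits byte
        "kCSRLength": sig[0],                            # bytes preceding the signature BIT STRING
    }

def sample_cert():
    """Constructed, unsigned X.509-shaped DER with placeholder key and signature bytes."""
    sha256_rsa = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    rsa = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"Example"))))
    validity = tlv(0x30, tlv(0x17, b"150728000000Z") + tlv(0x17, b"160727000000Z"))
    spki = tlv(0x30, rsa + tlv(0x03, b"\x00" + bytes(270)))   # 2048-bit-key-sized BIT STRING
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x6a") + sha256_rsa + name + validity + name + spki)
    return tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00" + bytes(256)))
```

Feed `template_offsets()` the bytes of a real `cert.cer` to cross-check the numbers the shell script writes into certTemplate.h.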
