TrustKit
TrustKit copied to clipboard
datatheorem
Add support for RSA public keys of size 3072 or 1024 bits
Hi,
Would it be possible to add the support for pinning certificates with RSA public keys of size 3072 or 1024 bits ?
In TrustKit/Pinning/TSKSPKIHashCache.m, something like :
/*
* ASN1 header values for RSA public key of size 1024 and 3072 bits obtained from:
* https://www.brightec.co.uk/blog/kotlin-multiplatform-ios-certificate-pinning
*/
static const unsigned char rsa1024Asn1Header[] =
{
0x30, 0x81, 0x9F, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7,
0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8D, 0x00
};
static const unsigned char rsa2048Asn1Header[] =
{
0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00
};
static const unsigned char rsa3072Asn1Header[] =
{
0x30, 0x82, 0x01, 0xA2, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x8F, 0x00
};
static const unsigned char rsa4096Asn1Header[] =
...
static BOOL isKeySupported(NSString *publicKeyType, NSNumber *publicKeySize)
{
if (([publicKeyType isEqualToString:(NSString *)kSecAttrKeyTypeRSA]) && ([publicKeySize integerValue] == 1024))
{
return YES;
}
else if (([publicKeyType isEqualToString:(NSString *)kSecAttrKeyTypeRSA]) && ([publicKeySize integerValue] == 2048))
{
return YES;
}
else if (([publicKeyType isEqualToString:(NSString *)kSecAttrKeyTypeRSA]) && ([publicKeySize integerValue] == 3072))
{
return YES;
}
else if (([publicKeyType isEqualToString:(NSString *)kSecAttrKeyTypeRSA]) && ([publicKeySize integerValue] == 4096))
...
static char *getAsn1HeaderBytes(NSString *publicKeyType, NSNumber *publicKeySize)
{
if (([publicKeyType isEqualToString:(NSString *)kSecAttrKeyTypeRSA]) && ([publicKeySize integerValue] == 1024))
{
return (char *)rsa1024Asn1Header;
}
else If (([publicKeyType isEqualToString:(NSString *)kSecAttrKeyTypeRSA]) && ([publicKeySize integerValue] == 2048))
{
return (char *)rsa2048Asn1Header;
}
else if (([publicKeyType isEqualToString:(NSString *)kSecAttrKeyTypeRSA]) && ([publicKeySize integerValue] == 3072))
{
return (char *)rsa3072Asn1Header;
}
else if (([publicKeyType isEqualToString:(NSString *)kSecAttrKeyTypeRSA]) && ([publicKeySize integerValue] == 4096))
...
static unsigned int getAsn1HeaderSize(NSString *publicKeyType, NSNumber *publicKeySize)
{
if (([publicKeyType isEqualToString:(NSString *)kSecAttrKeyTypeRSA]) && ([publicKeySize integerValue] == 1024))
{
return sizeof(rsa1024Asn1Header);
}
else if (([publicKeyType isEqualToString:(NSString *)kSecAttrKeyTypeRSA]) && ([publicKeySize integerValue] == 2048))
{
return sizeof(rsa2048Asn1Header);
}
else if (([publicKeyType isEqualToString:(NSString *)kSecAttrKeyTypeRSA]) && ([publicKeySize integerValue] == 3072))
{
return sizeof(rsa3072Asn1Header);
}
else if (([publicKeyType isEqualToString:(NSString *)kSecAttrKeyTypeRSA]) && ([publicKeySize integerValue] == 4096))
...
Regards.
I am facing a similar problem. I have a intermediate pin with RSA 3072 bits. Is there a workaround to skip the intermediate and check the pin of the server certificate instead?
Hi team,
We have the same issue, and it took a very long time to identify this as the source of our problems.
Our new certificate is generated by Gandi, which is a well-known institution that generates thousands of certificates that need the intermediate certificate authority of Gandi.
However, their certificate is generated with a length of 3072 bits.
So, we have no option to change their certificate, and the TrustKit package generates errors when it tries to validate the chain certificate received from our server.
Your kind support would be really appreciated.
Thanks in advance. Louis-Marie
Looks like the original request is pretty old at this point but adding another +1 to this request to support 3072 bit RSA as we're seeing most of our new client certs be generated in 3072.
Can we get the changes from the first comment into a PR to help facilitate the review process? Or is this something already on the roadmap at this point?
I've put these changes and a corresponding test case into the PR noted above. @nabla-c0d3 any chance this could get on the road map to be reviewed and pulled in for release?