Add ability to use public RSA key for decryption using SecTransform API

Originator:armadsen
Number:rdar://23063471 Date Originated:10/11/2015
Status:Closed (Duplicate of 19155656) Resolved:25 May 2017 1:43 PM
Product:OS X SDK Product Version:Xcode 7.0.1 / 10.11 SDK
Classification:Enhancement Reproducible:Always
 
An application I work on uses OpenSSL’s RSA_public_decrypt() function to decrypt data encrypted (server-side) using the private key like so:

int decryptedSize = RSA_public_decrypt([signature length], [signature bytes], checkDigest, rsaKey, RSA_PKCS1_PADDING);
BOOL success = [[NSData dataWithBytes:checkDigest length:decryptedSize] isEqualToData:[digest sha1Hash]];

Using the SecTransform API:

SecTransformRef decryptor = CFAutorelease(SecDecryptTransformCreate(pubKey, &error));
if (error) { showSecError(error); return NO; }
SecTransformSetAttribute(decryptor, kSecTransformInputAttributeName, (CFDataRef)signatureData, &error);
if (error) { showSecError(error); return NO; }

CFDataRef result = SecTransformExecute(decryptor, &error);
if (error) { showSecError(error); return NO; }
return CFEqual(result, (CFDataRef)[digest sha1Hash]);

The call to SecTransformExecute() fails with a CSSMERR_CSP_INVALID_KEY_CLASS, presumably because decryption using the public key is not supported.

It would be helpful to have this functionality in order to replace my use of OpenSSL with Security.framework.

I've figured out how to do this using the CDSA / CSSM APIs (see https://gist.github.com/armadsen/eb78563ef0d94d2f6267). As they are deprecated, it would be most helpful to have this capability using supported, non-deprecated API.
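
Added example (not part of the original report and not the reporter's code): a pure-Python sketch of what the RSA_public_decrypt() / RSA_PKCS1_PADDING check described above amounts to, namely raw RSA signature verification over a bare SHA-1 digest with no DigestInfo wrapper. The key is a constructed, insecure demo key, and the function names are hypothetical.

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo key (NOT secure): the factors are the Mersenne primes
# 2^521-1 and 2^607-1, chosen only so the example is reproducible offline.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8      # modulus length in bytes


def private_encrypt(digest: bytes) -> bytes:
    """Server side: PKCS#1 v1.5 type-1 pad the bare digest, then apply d."""
    em = b"\x00\x01" + b"\xff" * (K - 3 - len(digest)) + b"\x00" + digest
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")


def public_decrypt(sig: bytes) -> Optional[bytes]:
    """Client side: apply e, then strictly check and strip type-1 padding."""
    if len(sig) != K or int.from_bytes(sig, "big") >= N:
        return None
    em = pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")
    sep = em.find(b"\x00", 2)  # first zero byte after the 00 01 header
    # Require 00 01, at least 8 padding bytes, and only 0xFF in the padding.
    if em[:2] != b"\x00\x01" or sep < 10 or em[2:sep] != b"\xff" * (sep - 2):
        return None
    return em[sep + 1:]


def verify(data: bytes, sig: bytes) -> bool:
    """Compare the recovered digest with SHA-1(data) in constant time."""
    recovered = public_decrypt(sig)
    expected = hashlib.sha1(data).digest()
    return recovered is not None and hmac.compare_digest(recovered, expected)
```

Because the padded block carries the digest directly rather than a DigestInfo structure, a standard PKCS#1 v1.5 "verify with SHA-1" routine would reject these signatures, which is why the raw public-key operation is needed.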
