OpenSSL and X509 Certificate on iOS

I got a task last December to build the OpenSSL framework for the iOS platform. I immediately started to be skeptical: why do we need this particular framework on iOS, since we have so many things available from the iOS SDK and different Apple frameworks? 

I couldn’t have been more wrong. 

Apple is not offering OpenSSL in their system SDK (I believe due to licensing issues). Only BoringSSL is available, which seems not intended for general use. For command-line tools, LibreSSL, a fork of OpenSSL, is available.

In this post, I will give you a few reasons to consider including the OpenSSL framework in your iOS project and what options you have (with the pitfalls) to satisfy those reasons.

Why?

The first thing is to clarify why you need this external dependency in your project. After some investigation, I can give a few reasons why you might want to rely (or not) on OpenSSL.

  • For me, the reason was a complicated dependency graph, where other external frameworks required the OpenSSL framework, but essentially the Xcode project linked the OpenSSL and the external framework.
  • I can imagine that, at your work, there is a requirement to use OpenSSL due to compatibility or security reasons. Maybe your product already has custom patches to OpenSSL, and this functionality needs to be on other platforms, too.
  • Lack of support from Apple frameworks. A big surprise for me was that getting values (OIDs) out from X509 certificates is limited only to macOS at the time of writing.

I like to reduce the external dependencies in the codebase I work on. The first case seems to be a wrong architectural and design decision, and the clear solution is to move OpenSSL into the external framework.

The second case can be a legit requirement and use case. Fortunately, in my case, the solution for the first case moved those customizations into the external framework. For you, it might still require you to include OpenSSL in your Xcode project.

The third case inspired me to search for other solutions available on the iOS platform for working with X509 digital certificates.

Based on my findings, those were the options I saw:

  1. Build OpenSSL for iOS, and include the framework.
  2. Use a wrapper (dependency) around OpenSSL for easier integration.
  3. Use 3rd-party frameworks or packages, like swift-certificates, which was recently open-sourced by Apple.

Let me go through them in reverse order.

Swift-certificates

The open-sourcing announcement came just as I was starting to burn out from integrating the OpenSSL framework with our Swift codebase. The goal of the swift-certificates project is to bring X509 certificate functionality to all supported platforms, including Linux. While the Security framework was only available on Apple systems, this project is aiming for more inclusion. The only caveat: it is still in beta 😕. However, if you are up to the challenge, feel free to contribute!

OpenSSL Swift Package

The OpenSSL Package by Marcin Krzyzanowski is probably the easiest way to integrate OpenSSL into your project. It supports Carthage, CocoaPods, and Swift Package Manager. You can even rebuild the included OpenSSL binaries, which makes room for applying custom patches. Just be aware: the current OpenSSL version is 1.1.1, which will soon be obsolete. After installing the package, you can import the OpenSSL module, and most of the OpenSSL API will be available in your code.
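To make the third reason above concrete, here is an added example (not code from the package or from the original post) that lists the extension OIDs of a DER-encoded certificate through the OpenSSL C API once the module is imported. The type and function names `CertificateExtension`, `CertificateParseError` and `listExtensions(inDER:)` are hypothetical, and the code assumes the OpenSSL 1.1.1 API mentioned above, with the caller supplying the certificate bytes.

```swift
import Foundation
import OpenSSL  // module name as given in the post

/// One X.509 v3 extension: dotted OID, critical flag, DER-encoded value.
struct CertificateExtension {
    let oid: String
    let isCritical: Bool
    let value: Data
}

enum CertificateParseError: Error {
    case invalidDER
}

/// Hypothetical helper: returns every extension found in a DER certificate.
func listExtensions(inDER der: Data) throws -> [CertificateExtension] {
    guard !der.isEmpty else { throw CertificateParseError.invalidDER }

    // d2i_X509 advances the pointer it is given, so pass a local copy.
    let parsed: OpaquePointer? = der.withUnsafeBytes { raw -> OpaquePointer? in
        var cursor = raw.bindMemory(to: UInt8.self).baseAddress
        return d2i_X509(nil, &cursor, der.count)
    }
    guard let cert = parsed else { throw CertificateParseError.invalidDER }
    defer { X509_free(cert) }  // the X509 object is ours to release

    var result: [CertificateExtension] = []
    for index in 0..<X509_get_ext_count(cert) {
        // These pointers are owned by `cert` and must not be freed here.
        guard let ext = X509_get_ext(cert, index),
              let object = X509_EXTENSION_get_object(ext),
              let octets = X509_EXTENSION_get_data(ext) else { continue }

        // no_name = 1 forces the numeric dotted form, e.g. "2.5.29.17".
        var buffer = [CChar](repeating: 0, count: 128)
        guard OBJ_obj2txt(&buffer, Int32(buffer.count), object, 1) > 0 else { continue }

        // Copy the bytes out before `cert` is freed by the defer above.
        let length = Int(ASN1_STRING_length(octets))
        let bytes = ASN1_STRING_get0_data(octets)
        let value = bytes.map { Data(bytes: $0, count: length) } ?? Data()

        result.append(CertificateExtension(
            oid: String(cString: buffer),
            isCritical: X509_EXTENSION_get_critical(ext) != 0,
            value: value))
    }
    return result
}
```

The `value` of each entry is the extension's DER-encoded content, so a custom OID still needs its own ASN.1 decoding step after lookup.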

Building OpenSSL

Well, this story requires a bit more length, patience, and explanation. Therefore, I will leave it until next time ;). 

