5

My understanding is that OpenSSL is deprecated in OSX 10.7 in favor of Common Crypto, but I can't seem to get a good handle on how to transition from OpenSSL code to Common Crypto code. In particular, I'm looking at App Store receipt validation with ValidateStoreReceipt. I started by trying to find a way to get at the contents of the PKCS#7 container, which seems to be the first step in dictionaryWithAppStoreReceipt, but I couldn't find any documentation on how to do it.

Is it possible to rewrite this code so as not to depend on OpenSSL? If so, how? Is there documentation or a tutorial that I've missed?

Community
  • 1
  • 1
Isaac
  • 10,668
  • 5
  • 59
  • 68

1 Answers1

3

There is no need to stop using OpenSSL. What is deprecated is the OpenSSL dynamic library, you can still obtain the static library/source from openssl.org and statically link it to your code.

The reason given by Apple for the deprecation is that OpenSSL themselves advise against dynamic linking as the library changes too much between versions. By statically linking your code will always use the version of the library you built with and not a later, possibly incompatible version, currently installed on the system.

CRD
  • 52,522
  • 5
  • 70
  • 86
  • 4
    Well, there *is* a need to stop using it. If you carry on using OpenSSL, you can either (a) link with the system version, which might change in an incompatible way or might never be updated to fix security holes; or (b) link with your own version, which you'll need to update whenever an OpenSSL security patch affects you. The latter might mean your users have to reinstall lots of apps at around the same time to fix the same OpenSSL problem. – al45tair Aug 12 '13 at 13:07
  • Would be nice to know if OpenSSL is replaceable in this use or if there is no other way to extract the payload information and verify it with the built in libraries. – Conor Dec 14 '15 at 21:09
  • 1
    @Conor - Yes you can replace the use of OpenSSL with CommonCrypto for store receipt validation. The SHA routines are more-or-less 1-1 replacements just with a name change; pulling the PKCS7 apart is a little more than name changes but not a huge difference. The documentation is basic/non-existant so, following Apple's exhortation not to copy code in this instance, start with your OpenSSL code and search for (near) equivalents with help from Google - there are examples out there - and you should find you'll be able to convert your unique OpenSSL solution into CC reasonably quickly. Good luck! – CRD Dec 14 '15 at 21:18
  • Thank you for the info. The situation is incredible mismanaged by Apple and the lack of documentation is horrible. This whole mess should be a single call into a library provided by Apple. Security by obfuscation is no security at all. – Conor Dec 15 '15 at 14:17
  • @Conor - were you ever able to replace OpenSSL with CommonCrypto for receipt validation? If so, were you able to find more documentation on it or are you willing to shed light on it for me? I'm trying to go through the transition right now. – Christine Loh Jun 30 '16 at 19:30
  • Hi Christine,Sadly it was too complicated and time intensive, so gave up. It was quicker to bundle a static library for openSSL, the libcrypto.a lib, although it does give me warning on the linker phase `libcrypto.a(x86cpuid.o)) was built for newer OSX version (10.6) than being linked (10.5)`, but soon I'll be able to leave 10.5 behind. – Conor Jul 01 '16 at 14:15