Pascal (Lazarus/Delphi)
Pascal (Lazarus/Delphi)
RSA Decrypt using Private Key on Smartcard or USB Token via Apple Keychain
See more Apple Keychain Examples
RSA decryption using a certificate's private key located on a hardware token or smartcard via the Apple Keychain.Note: This example requires Chilkat v10.1.2 or greater.
Chilkat Pascal (Lazarus/Delphi) Downloads
program ChilkatDemo;
// Demonstrates using the Chilkat Pascal wrapper via the C bridge DLL.
// Builds as a console application under Lazarus (FPC) or Delphi.
{$IFDEF FPC}
{$MODE DELPHI}
{$ENDIF}
{$APPTYPE CONSOLE}
uses
{$IFDEF UNIX}
cthreads,
{$ENDIF}
SysUtils,
CkDllLoader,
Chilkat.BinData,
Chilkat.Rsa,
Chilkat.Cert;
// ---------------------------------------------------------------------------
procedure RunDemo;
var
success: Boolean;
bd: TBinData;
cert: TCert;
rsa: TRsa;
begin
success := False;
// Beforehand, we generated a 256-bit AES key, RSA encrypted, and saved to a file as in this example:
// Generate a Random 256-bit AES Key and RSA Encrypt
// The RSA public key used to encrypt in the above example was obtained from the Apple Keychain
// like this:
// Export a Public Key from USB Token or Smartcard using the Apple Keychain
// This example will load the encrypted data and will RSA decrypt using the
// private key of a certificate on a USB token (or smart card) via the Keychain.
// You can list the Keychain certificates on hardware tokens using the following example:
// Apple Keychain - List Certs on Smartcards and USB Tokens
// Get the RSA encrypted data to be decrypted.
bd := TBinData.Create;
// In all Chilkat methods expecting a path, you can pass either absolute or relative paths.
success := bd.LoadFile('rsaEncrypted/myAes.key');
if (success = False) then
begin
WriteLn('Failed to load the encrypted AES key.');
Exit;
end;
// Load the certificate having the private key from the Apple Keychain
// On MacOS and iOS, the LoadByCommonName function will search the Apple Keychain for the matching certificate.
cert := TCert.Create;
// To potentially prevent the PIN dialog from being displayed,
// we'll need to provide the USB token (or smart card) PIN
// Note: It might not be possible to prevent the PIN dialog from being displayed
//
cert.SmartCardPin := '123456';
success := cert.LoadByCommonName('Test 2048 bit RSA');
if (success = False) then
begin
WriteLn(cert.LastErrorText);
Exit;
end;
rsa := TRsa.Create;
// Specify we wish to use the certificate's private key for decryption.
success := rsa.SetX509Cert(cert,True);
if (success = False) then
begin
WriteLn(rsa.LastErrorText);
Exit;
end;
// RSA Decrypt
rsa.VerboseLogging := True;
success := rsa.DecryptBd(bd,True);
if (success = False) then
begin
WriteLn(rsa.LastErrorText);
Exit;
end;
// The contents of bd are now decrypted.
WriteLn('Num bytes after decryption: ' + bd.NumBytes);
// Some additional notes:
//
// If using a Yubikey token, the certificate must be installed in the Key Management slot.
// The Digital Signature slot is for RSA keys to be used for signing,
// and the Key Management slot is for RSA keys to be used for decrypting.
//
// If you try to use the RSA key from the Digital Signature slot, you'll get an error such as this:
// The operation couldn't be completed.
// (OSStatus error -50 - algid:encrypt:RSA:PKCS1: algorithm not supported by the key
// <SecKeyRef:('com.apple.pivtoken:AF7172EB60DDCBF1D28459AE24398E11') 0x600001ecca90>)
bd.Free;
cert.Free;
rsa.Free;
end;
// ---------------------------------------------------------------------------
begin
try
RunDemo;
except
on E: Exception do
WriteLn('Unhandled exception: ', E.ClassName, ': ', E.Message);
end;
WriteLn;
{$IFDEF MSWINDOWS}
WriteLn('Press Enter to exit...');
ReadLn;
{$ENDIF}
end.