
Finding a certificate on iOS

Note this question was asked in 2001. Things have changed.

I have an iOS device that needs to access a Junos VPN. The opaque instructions from the Junos admin say that I have to retrieve a certificate that has been provisioned to the device using the Apple IPCU. I know that the cert is on the device (I can see it in Settings) and I can access the VPN through Mail, Safari and the Junos App.

The Apple docs state that each app has its own keychain and yet all three of these apps can see the cert. The fact that Junos can access a cert provisioned by IPCU implies that any app can access this certificate. However, when I try to locate it:

    #import <Foundation/Foundation.h>
    #import <Security/Security.h>

    CFTypeRef certificateRef = NULL;                    // will hold a ref to the cert we're trying to retrieve
    const char *certLabelString = "myCertificateName";  // C string of the certificate we're searching for
    CFStringRef certLabel = CFStringCreateWithCString(NULL, certLabelString, kCFStringEncodingUTF8); // the search we need - a string match for a UTF8 string

    const void *keys[] =   { kSecClass, kSecAttrLabel, kSecReturnRef };
    const void *values[] = { kSecClassCertificate, certLabel, kCFBooleanTrue };
    CFDictionaryRef dict = CFDictionaryCreate(NULL, keys, values, 3, NULL, NULL); // set up a search to retrieve this certificate
    OSStatus status = SecItemCopyMatching(dict, &certificateRef);                 // search the keychain, returning the match in certificateRef

    if (status != errSecSuccess)
        NSLog(@"keychain find returned %ld", (long)status); // OSStatus is 32-bit, so cast for %ld

    if (dict)
        CFRelease(dict);
    if (certLabel)
        CFRelease(certLabel);                           // created with a Create function, so we own it

It fails. My questions:

  • Is this code correct? Actually I know it isn't because SecItemCopyMatching returns errSecItemNotFound

  • What value should I use for certLabelString - I am assuming the human readable name shown in Settings.

In Settings, the cert looks like this (sadly obfuscated to death); the search text I specify is exactly the text shown in Settings.


Cross posted to Apple developer forums

Rog asked Dec 07 '10 16:12



2 Answers

So the answer (on the Apple forums) is that mail.app and Safari.app share the Apple keychain identifier and this is the only keychain that you can push certificates to using the Apple MDM tool. Anyone else who comes up against this should file a defect in order to encourage Apple to do the right thing.

Rog answered Oct 17 '22 00:10
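An added diagnostic, not code from either poster: rather than searching by label, it lists every certificate the calling app can see together with its keychain access group, so a certificate that shows in Settings but is absent from this list sits in a group the app is not entitled to, which is the situation the answer above describes. The helper names `VisibleCertificates` and `LogVisibleCertificates` are hypothetical, and ARC is assumed.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical helper: return the attribute dictionaries of every certificate
// that this app's keychain access groups expose. Assumes ARC.
static NSArray<NSDictionary *> *VisibleCertificates(OSStatus *outStatus)
{
    NSDictionary *query = @{
        (__bridge id)kSecClass:            (__bridge id)kSecClassCertificate,
        (__bridge id)kSecMatchLimit:       (__bridge id)kSecMatchLimitAll,
        (__bridge id)kSecReturnAttributes: @YES,
    };

    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (outStatus) *outStatus = status;

    if (status == errSecItemNotFound) return @[];  // nothing visible to this app
    if (status != errSecSuccess) return nil;       // real error, see *outStatus

    // With kSecMatchLimitAll + kSecReturnAttributes the result is an array
    // of dictionaries; hand ownership to ARC.
    return CFBridgingRelease(result);
}

// Hypothetical helper: log label and access group for each visible certificate.
static void LogVisibleCertificates(void)
{
    OSStatus status = errSecSuccess;
    NSArray<NSDictionary *> *items = VisibleCertificates(&status);
    if (!items) {
        NSLog(@"keychain query failed: %d", (int)status);
        return;
    }
    NSLog(@"%lu certificate(s) visible to this app", (unsigned long)items.count);
    for (NSDictionary *attrs in items) {
        NSLog(@"label=%@ accessGroup=%@",
              attrs[(__bridge id)kSecAttrLabel],
              attrs[(__bridge id)kSecAttrAccessGroup]);
    }
}
```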


Since the middle of 2015, there is now the Safari Services framework (next to WKWebView and UIWebView, we now have SFSafariViewController). SFSafariViewController has the ability to access the Apple keychain and therefore can use all identities :) Very nice.

https://developer.apple.com/videos/play/wwdc2015/504/

https://developer.apple.com/library/ios/documentation/SafariServices/Reference/SafariServicesFramework_Ref/index.html#//apple_ref/doc/uid/TP40016218

smat88dd answered Oct 17 '22 00:10