Note this question is was asked in 2001. Things have changed.
I have an iOS device that needs to access a Junos VPN. The opaque instructions from the Junos admin say that I have to retrieve a certificate that has been provisioned to the device using the Apple IPCU. I know that the cert is on the device (I can see it in Settings) and I can access the VPN though Mail, Safari and the Junos App.
The Apple docs state that each app has its own keychain and yet all three of these apps can see the cert. The fact that Jusos can access a cert provisioned by IPCU implies that any app can access this certificate. However when I try to locate it:
CFTypeRef certificateRef = NULL; // will hold a ref to the cert we're trying to retrieve
const char *certLabelString = "myCertificateName"; // c string of the certificate we're searching for.
CFStringRef certLabel = CFStringCreateWithCString( NULL, certLabelString, kCFStringEncodingUTF8); // the search we need - a string match for a UTF8 String.
const void *keys[] = { kSecClass, kSecAttrLabel, kSecReturnRef };
const void *values[] = { kSecClassCertificate, certLabel, kCFBooleanTrue };
CFDictionaryRef dict = CFDictionaryCreate(NULL, keys, values, 3, NULL, NULL); // set up a search to retrieve this certificate.
OSStatus status = SecItemCopyMatching(dict, &certificateRef); // Search the keychain, returning in dict
if(status != errSecSuccess)
NSLog(@"keychain find returned %ld", status);
if(dict)
CFRelease(dict);
It fails. My questions:
Is this code correct? Actually I know
it isn't because
SecItemCopyMatching
returns
errSecItemNotFound
What value should I use for
certLabelString
- I am assuming the
human readable name shown in
Settings.
In Settings, the cert looks like this (sadly obfuscated to death) the search text I specify is exactly the text shown in settings.
Cross posted to Apple developer forums
To view certificates for the local deviceSelect Run from the Start menu, and then enter certlm. msc. The Certificate Manager tool for the local device appears. To view your certificates, under Certificates - Local Computer in the left pane, expand the directory for the type of certificate you want to view.
Tap the padlock icon. It's in the address bar beside the URL. This displays whether or not the connection is secure, and who assigned the SSL certificate. If you're using an iPhone or iPad, this is all the information you'll be able to see.
On your iOS device, go to: http://cert.incommon.org/InCommonRSAStandardAssuranceClientCA.crt. On the Install Profile screen, you will see the "Trusted" certificate file to install. Tap Install. A notice will inform you that installing this profile will change settings on your device; tap "Install Now".
To manually remove an installed certificate, go to Settings > General > Device Management, select a profile, tap More Details, then tap the certificate to remove it. If you remove a certificate that's required for accessing an account or network, the iPhone or iPad can no longer connect to those services."
So the answer (on the Apple forums) is that mail.app and Safari.app share the Apple keychain identifier and this is the only keychain that you can push certificates to using the Apple MDM tool. Anyone else who comes up against this should file a defect in order to encourage Apple to do the right thing.
Since middle of 2015, there is now the Safari Services framework
(next to WKWebView
and UIWebView
, we now have a SFSafariViewController
). SFSafariViewController
has the ability to access the apple keychain and therefore can use all identities :) Very nice.
https://developer.apple.com/videos/play/wwdc2015/504/
https://developer.apple.com/library/ios/documentation/SafariServices/Reference/SafariServicesFramework_Ref/index.html#//apple_ref/doc/uid/TP40016218
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With