1385 Views 7 Replies
      Latest reply on Feb 13, 2019 1:58 AM by eskimo
      sharadfromseattle Level 1 Level 1 (0 points)
      sharadfromseattle Mar 8, 2016 10:53 PM

        Hi Eskimo,

        I have read your suggestion to detect whether configuration profile has already installed on iPhone device .

        https://devforums.apple.com/thread/3336#3336

        So I am doing the same and it works for me, now my problem is little different from it .

        I mean I am to able to identify whether certificate has installed or not.

        In my case, firstly I check enrollment certificate to install or not, then to check root certificate associated with configuration profile and what we have facing that when we installed enrollment certificate and go to check for root certificate associated with configuration profile it gives me kSecTrustResultUnspecified. means that certificate is already installed, but in actually I only have enrollment certificate to installed on device.

        So what i guess, problem occur because both certificate has same issuer?

        Is there any way to detect two different certificate with same issuer name and different subject name?

        Please give your suggestion.

         

        Thanks,

        Sharad

        • Re: Check configuration profile has already installed on device
          eskimo Apple Staff Apple Staff (11,265 points)
          eskimo Mar 9, 2016 1:01 AM (in response to sharadfromseattle)

          Honestly, I don’t understand your question.  Can you post a specific example of the certificates involved?

          ps I’ve moved the thread to a more appropriate topic area (Core OS > Security).

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: Check configuration profile has already installed on device
              sharadfromseattle Level 1 Level 1 (0 points)
              sharadfromseattle Mar 9, 2016 2:16 AM (in response to eskimo)

              Hi Eskimo,

               

              I have a enrollment certificate namely enroll.crt and configuration profile namely vpn.config, I want to check that certificate and configuration profile have already installed into device.

               

              For enroll.crt, I am able to check and if not installed, download and install it.

              For vpn.config, i guess that there is no API to check that configuration profile has already installed. So I found a article which tells that you can check that by checking associated root certificate namely root.crt.

              So i following this approach, now problem is  that both enroll.crt and root.crt have same issuer name and different subject name.

              And I have installed already enroll.crt, so when I am going to check for root.crt is installed or not, it says yes based on enroll.crt because both certificate have same issuer name and I believe that it checks based on issuer name.

              So I am not able to identify that vpn.config has installed or not?

              Is there any other approach to do so?


               

              Thanks,

              Sharad

                • Re: Check configuration profile has already installed on device
                  eskimo Apple Staff Apple Staff (11,265 points)
                  eskimo Mar 10, 2016 1:44 AM (in response to sharadfromseattle)

                  I think you’ve misunderstood how this hackaround works.  Here’s what you should do:

                  1. create a new CA, whose certificate we’ll call Root

                  2. have it issue a single certificate, let’s call it Leaf, for a non-sensical name

                  3. destroy the private key associated with Root so that it can’t issue any other certificates

                  4. destroy the private key for Leaf so that no one can use that certificate to get any value

                  5. include Root in your VPN configuration profile

                  6. bundle Leaf in your app

                  7. have your app do a trust evaluation on Leaf

                  If Root is installed, the trust evaluation will succeed.  If Root is not installed, the trust evaluation will fail.  And as Root is tied to your VPN configuration profile, you know that it’s installed as well.

                  IMPORTANT There’s a serious gotcha with this approach that I discussed on the old DevForums thread.  This gotcha makes it unsafe to rely on this technique as a security measure.  It’s still fine to use it as a convenience though.

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"

                    • Re: Check configuration profile has already installed on device
                      ssakthivel85 Level 1 Level 1 (0 points)
                      ssakthivel85 Jun 23, 2016 9:12 AM (in response to eskimo)

                      Hi,

                       

                      I am also trying to do the same thing but getting evaulation result as kSecTrustResultRecoverableTrustFailure. I have mobile config which has root CA installed in the device and have leaf certificate in the app. I dont know the reason for getting always result as kSecTrustResultRecoverableTrustFailure.

                       

                      I have tried to print result of SecTrustCopyProperties of trust object and it shows error value as 'Root certificate is not trusted.'. Please suggest possible issue here

                      • Re: Check configuration profile has already installed on device
                        drinktea12 Level 1 Level 1 (0 points)
                        drinktea12 Jan 23, 2019 10:50 AM (in response to eskimo) 
                        IMPORTANT There’s a serious gotcha with this approach that I discussed on the old DevForums thread.  This gotcha makes it unsafe to rely on this technique as a security measure.

                        What's the serious gotcha you refer to here?  (The link to the old DevForums thread seems broken for me...)

                        Are there any serious security implications that still exists once we've thrown away the private keys?

                          • Re: Check configuration profile has already installed on device
                            eskimo Apple Staff Apple Staff (11,265 points)
                            eskimo Feb 13, 2019 1:58 AM (in response to drinktea12)

                            The link to the old DevForums thread seems broken for me

                            Indeed.  The old DevForums content is no longer available, alas )-:

                            Fortunately, I keep a copy of all my posts, so here’s the text I was referring to.

                            One of my colleagues pointed out to me that there’s a serious hole in this strategy.  A user could download the configuration profile, extract the custom CA certificate, install the custom CA certificate by itself (without the rest of the profile), and then run your app.

                            I guess that makes it even more important that folks who need a proper API for this file bugs, explain[ing] what they need and why.

                            If you do file a bug about this, please post your bug number here, just for the record.

                            Share and Enjoy

                            Quinn “The Eskimo!”
                            Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                            let myEmail = "eskimo" + "1" + "@apple.com"