Add certificate to HTTP POST request

Hi,


How can i fetch the certificate from keychain and add into HTTP header. I want to share the certificate with server to validate if request send by valid comapny issued device or not. Please suggest.

Up vote post of shivendra6782 Down vote post of shivendra6782
1.5k views
Posted by
shivendra6782
Reply
Add a Comment

Replies

You don't want to use the presence of a certificate for authentication, certificates are public.


You would either want to use the certificate to perform TLS client authentication or use the certificate to sign something that only the holder of the certificate's private key could sign.

Posted by
Beast
Up vote reply of Beast Down vote reply of Beast
Add a Comment

Thanks for your response.

I am using SSL pinning in my app to confirm the server identity, but server is also asking client certificate to validate Client. I have company issued certificate in my keychain(e.g. @abc.com), how can read the certificate infomation to handle the cettificate challenge:



func URLSession(session: NSURLSession,task: NSURLSessionTask,

didReceiveChallenge challenge: NSURLAuthenticationChallenge,completionHandler: (NSURLSessionAuthChallengeDisposition, NSURLCredential?) -> Void) {

if challenge.protectionSpace.authenticationMethod == (NSURLAuthenticationMethodServerTrust)

{

// Send the trust.

}

else if challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodClientCertificate

{

//How to handle this if i want to use certificate from keychain.

}



}


Please suggest.

Posted by
shivendra6782
Up vote reply of shivendra6782 Down vote reply of shivendra6782
Add a Comment

To understand where ***** is coming from here you have to understand that client certificate authentication, as the term is usually used, is somewhat misleading. It kinda makes sense from the server’s perspective — the server is checking the certificate of the client — but it misses out one key thing. TLS has crypto goo that guarantees that the client can only present that certificate to the server because the client holds the private key associated with the public key in that certificate. That is, the client must hold both the certificate and its matching private key, otherwise known as a digital identity. So, from the perspective of the client, this would be better known as client identity authentication.

With that out of the way, here’s how you respond to a client identity authentication challenge, aka 

NSURLAuthenticationMethodClientCertificate
: 
let identity: SecIdentity = … find the right identity …
let credential = URLCredential(identity: identity, certificates: nil, persistence: .forSession)
completionHandler(.useCredential, credential)

The code to get the right identity is very app specific. You said that you have the client certificate in your keychain. Hopefully that includes the matching private key, in which case you can get the client identity using keychain APIs (specifically, 

SecItemCopyMatching
).

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment