SSL Mutual Authentication for webview request in iOS

Hi,

How do I perform SSL authentication with a p12 certificate for a webview request as we do for NSURLSession? I am able to handle the authentication with the certificate using the delegate "didReceiveChallenge". Please look at the code snippet below, which I used for NSURLSession:


    // Body of the NSURLSession authentication-challenge delegate method.
    NSString *strAuthenticationMethod = challenge.protectionSpace.authenticationMethod;
    NSLog(@"authentication method: %@", strAuthenticationMethod);
    NSURLCredential *credential = nil;
    if ([strAuthenticationMethod isEqualToString:NSURLAuthenticationMethodClientCertificate])
    {
        credential = [self getCredentialsForClientTrust]; // This function will give me a NSURLCredential object for my p12 certificate
        if (credential)
        {
            NSLog(@"credentials obtained %@", credential);
            completionHandler(NSURLSessionAuthChallengeUseCredential, credential);
        }
        else
        {
            // No identity available: continue without a client certificate
            // and let the server decide whether to accept the connection.
            NSLog(@"failed to get credentials");
            completionHandler(NSURLSessionAuthChallengeUseCredential, nil);
        }
    }
    else
    {
        // Not a client-certificate challenge (for example server trust):
        // leave it to the system's default handling.
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
    }


This works perfectly, but how do I perform this operation for a webview request?


Thanks!!

Accepted Reply

I am looking for UIWebView

Ah, that explains things; I was confused because I misunderstood the context of the code snippet you posted.

UIWebView does not support an authentication handling delegate callback. In general I recommend that folks move to WKWebView, which does have such a callback; that callback provides a well-supported and easy way to handle authenticating challenges that the view encounters.

Unfortunately, WKWebView’s authentication challenge support is broken for NSURLAuthenticationMethodClientCertificate challenges (r. 22659960). The only way to work around this is to:
  • stick with UIWebView )-:

  • use an NSURLProtocol to intercept the network requests made by the web view and recursively dispatch them so that your code sees the authentication challenges

The CustomHTTPProtocol sample code shows the basic strategy (although it shows how to handle NSURLAuthenticationMethodServerTrust challenges, which is a bit pointless these days because WKWebView’s support for those challenges works just fine).

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Replies

What web view are you using? iOS has three! (UIWebView, WKWebView and SFSafariViewController)

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I am looking for UIWebView

Hi Quinn,


if I read this correctly you're saying there's no way to use the built in hooks for client certificate authentication in WKWebView currently?


We're migrating our existing application from UIWebView to WKWebView and I'm currently trying to get our authentication with client certificate authentication logic that worked in UIWebView to perform in WKWebView (without success).


    func webView(_ webView: WKWebView, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Swift.Void) {
        // The completion handler must be called on every path, including give-up.
        guard challenge.previousFailureCount < 5 else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let method = challenge.protectionSpace.authenticationMethod
        if method == NSURLAuthenticationMethodServerTrust {
            // Let the system evaluate the server's certificate chain instead of
            // accepting whatever trust object the server presented.
            completionHandler(.performDefaultHandling, nil)
        } else if method == NSURLAuthenticationMethodClientCertificate {
            // getClientCertificate() is the poster's own helper; assumed to return SecIdentity?.
            var certificate: SecCertificate?
            if let identity = self.getClientCertificate(),
               SecIdentityCopyCertificate(identity, &certificate) == errSecSuccess,
               let certificate = certificate {
                let credential = URLCredential(identity: identity, certificates: [certificate], persistence: .none)
                completionHandler(.useCredential, credential)
            } else {
                // No usable identity: fail the challenge rather than leave it pending.
                completionHandler(.cancelAuthenticationChallenge, nil)
            }
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }


Searching on NSURLAuthenticationMethodClientCertificate handling I found your above post. Do you know if there is a fix for this authentication scheduled for 2017, as we cannot complete our planned migration to WKWebView until this issue is resolved?


Regards, Brian.

if I read this correctly you're saying there's no way to use the built in hooks for client certificate authentication in WKWebView currently?

Correct.

… do you know if there is a fix for this authentication scheduled for 2017 …

I’m not allowed to discuss The Future™.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

hello,


Since The Future™ is now the past, can you confirm that the bug you mentioned is now fixed (at least in the latest iOS version, which is currently 11.2.1)?


thanks

Sylvain

can you confirm that the bug you mentioned is now fixed

No, alas. It’s still not possible to support client certificate authentication in WKWebView )-:

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Fixed in iOS 12.

Fixed in iOS 12.

Indeed. And yay!

Thanks for taking the time to follow up on this thread.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Is there a sample about how to support certificate-based authentication in WKWebView? Our customer complains our app doesn't support CBA; how can I implement it in func webView(_ webView: WKWebView, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void)?

Hi

I have articulated the solution to this problem in my Medium article. Please have a look. If it helps you, don't forget to give a clap. :-)


https://medium.com/@catchvarun25/ssl-certificate-pinning-with-uiwebview-dcdc742e4d01
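Added example, not part of the original thread and not Apple's sample code: a WKNavigationDelegate that answers NSURLAuthenticationMethodClientCertificate challenges from a PKCS#12 identity, for systems where the WKWebView bug discussed above is fixed (iOS 12 per the thread). The class name, the `allowedHost` parameter and the way the p12 data and passphrase reach the app are assumptions made for illustration.

```swift
import Foundation
import Security
import WebKit

// Hypothetical helper class (assumption, not from the thread).
final class ClientCertNavigationDelegate: NSObject, WKNavigationDelegate {
    private let p12Data: Data        // PKCS#12 blob, e.g. provisioned by MDM or read from protected storage
    private let passphrase: String   // supplied at runtime; do not hard-code it in the binary
    private let allowedHost: String  // the only host that may be offered the identity

    init(p12Data: Data, passphrase: String, allowedHost: String) {
        self.p12Data = p12Data
        self.passphrase = passphrase
        self.allowedHost = allowedHost
    }

    // Import the PKCS#12 blob and return the identity (certificate + private key).
    private func loadIdentity() -> SecIdentity? {
        let options = [kSecImportExportPassphrase as String: passphrase] as CFDictionary
        var items: CFArray?
        guard SecPKCS12Import(p12Data as CFData, options, &items) == errSecSuccess,
              let first = (items as? [[String: Any]])?.first,
              let identity = first[kSecImportItemIdentity as String] else {
            return nil
        }
        return (identity as! SecIdentity) // CF types need a forced cast; the key guarantees the type
    }

    func webView(_ webView: WKWebView,
                 didReceive challenge: URLAuthenticationChallenge,
                 completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        // Server trust and every other challenge type keep the system's default validation.
        guard space.authenticationMethod == NSURLAuthenticationMethodClientCertificate else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Offer the identity only to the expected host, and only once per failure chain.
        guard space.host == allowedHost,
              challenge.previousFailureCount == 0,
              let identity = loadIdentity() else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let credential = URLCredential(identity: identity, certificates: nil, persistence: .none)
        completionHandler(.useCredential, credential)
    }
}
```

Assign an instance to the web view's `navigationDelegate` and keep a strong reference to it, since that property is weak.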