IOS cloud certificate

We have a certificate cloud storage and signature service. We have developed PKCS#11 libraries for OS X, Linux and Windows, and a native CSP and KSP driver for Windows.


Using Xamarin, we have developed a "WebViewClient" for Android that can authenticate with a client certificate (using cloud-stored certificates), BUT I could not find out how to do the same in iOS.


I tried to override the SecIdentity class and the SecKey class so I could implement signature methods that sign in the cloud, BUT at instantiation time SecIdentity needs an IntPtr and I don't know how to create/assign it. I tried with:

Snippet

    using System;
    using Foundation;
    using Security;

    // Each attempt wraps a hand-made IntPtr in a SecIdentity subclass and passes it
    // to NSUrlCredential. None of the three ever reaches its catch block: the app
    // crashes instead.
    try {
        var cred = new NSUrlCredential(new IVSSecIdentity(), new SecCertificate[] { cert },
            NSUrlCredentialPersistence.ForSession);
    } catch (Exception e) {
        // never raised this error, always app crash
        Log(e);
    }

    try {
        var cred = new NSUrlCredential(new IVSSecIdentity(1), new SecCertificate[] { cert },
            NSUrlCredentialPersistence.ForSession);
    } catch (Exception e) {
        // never raised this error, always app crash
        Log(e);
    }

    try {
        var cred = new NSUrlCredential(new IVSSecIdentity("test"), new SecCertificate[] { cert },
            NSUrlCredentialPersistence.ForSession);
    } catch (Exception e) {
        // never raised this error, always app crash
        Log(e);
    }

    public class IVSSecIdentity : SecIdentity {
        // Three constructors, each handing a different arbitrary handle to the base class
        public IVSSecIdentity() : base(new IntPtr(1)) {}
        public IVSSecIdentity(int test1) : base(new IntPtr(0)) {}
        public IVSSecIdentity(string test2) : base(IntPtr.Zero) {}

        // ... (All stuff and methods/properties/fields)...
    }


If someone could please help me (or redirect my question to some documentation) I would be very thankful.

Replies

First, let me confirm your goals here. It seems that you’re creating an app that:

  • Uses a web view

  • Wants that web view to authenticate with the server using mutual TLS authentication

  • Wants to store the digital identity for that authentication on some sort of hardware token (hence the PKCS#11)

Is that correct?

If so, what web view are you using? WKWebView? Or UIWebView?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Yes, we use a web view (WKWebView) with client authentication, and we want some sort of hardware token (in code).

It’s not possible to do this with WKWebView. It is (mostly) possible to do this with the now-deprecated UIWebView, but it’s a lot of work. Let me explain.

iOS does not currently provide a plug-in API for hardware tokens, thus it’s not possible to integrate your hardware token with the Security framework, and thus the built-in TLS implementation, and thus the built-in HTTPS implementation.

Note In contrast, macOS does support such an API, namely CryptoTokenKit.

To make this work you need two things:

  • A way to intercept all network requests made by the web view (point A)

  • An HTTPS stack that uses crypto routines that target your hardware token (point B)

With regard to point A, you can’t intercept all network requests made by WKWebView because it does all of its networking in a separate process. You can do this using UIWebView — see the CustomHTTPProtocol sample code — with the caveats that:

  • UIWebView has been officially deprecated.

  • You can’t intercept all traffic generated by the web view (specifically, you won’t be able to see WebSocket connections).

Note If you’re curious as to why that is, check WWDC 2018 Session 207 Strategies for Securing Web Content.

And this brings us to point B. Your custom NSURLProtocol implementation gets HTTPS requests and has to run those requests using your hardware token. This requires you to implement your own crypto primitives that target your token, your own TLS that uses those primitives, and your own HTTPS that uses that TLS. That’s a lot of work.

Overall I’d rate this task as un-fun, and it’s clear that iOS should provide better support for hardware tokens, much like CryptoTokenKit on macOS. I encourage you to file an enhancement request along those lines.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
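The explanation above turns on one point: the Security framework, not app code, performs the private-key operation during the TLS handshake, so the SecIdentity it is given must wrap a real native identity. The following is an added example in C# for Xamarin.iOS (it is not code from the thread, from the original poster, or from Apple) showing the working baseline for mutual TLS with a locally held identity on the app's own NSUrlSession traffic. The class names, the PKCS#12 path and the password are placeholders; SecIdentity.Import is Xamarin's wrapper around the native PKCS#12 import. Because the key operation happens inside the framework, there is no hook here for a key that lives in a cloud service, which is why a hand-made IntPtr crashes rather than being called back, and, as stated above, WKWebView traffic never reaches this handler at all.

```csharp
using System;
using System.IO;
using Foundation;
using Security;

// Added example (not from the thread). Supplies a client identity to NSUrlSession
// when the server requests one during the TLS handshake.
public class ClientCertSessionDelegate : NSUrlSessionDelegate
{
    readonly NSUrlCredential credential;

    public ClientCertSessionDelegate(NSUrlCredential credential)
    {
        this.credential = credential;
    }

    // Build the credential from a PKCS#12 blob. pkcs12Path and password are
    // placeholders; a real app would read the blob from its bundle or a
    // protected download, never hard-code the password.
    public static NSUrlCredential LoadCredential(string pkcs12Path, string password)
    {
        byte[] p12 = File.ReadAllBytes(pkcs12Path);

        // Xamarin helper around the native PKCS#12 import; it throws an
        // InvalidOperationException if the blob or password is wrong. The
        // returned SecIdentity wraps a real SecIdentityRef whose private key
        // the Security framework can use.
        SecIdentity identity = SecIdentity.Import(p12, password);

        // The leaf certificate travels with the identity. Intermediate CA
        // certificates, if the server needs them to build the chain, would
        // be passed in this array.
        return new NSUrlCredential(identity, new SecCertificate[0],
            NSUrlCredentialPersistence.ForSession);
    }

    public override void DidReceiveChallenge(NSUrlSession session,
        NSUrlAuthenticationChallenge challenge,
        Action<NSUrlSessionAuthChallengeDisposition, NSUrlCredential> completionHandler)
    {
        string clientCertMethod = NSUrlProtectionSpace.AuthenticationMethodClientCertificate;

        if (challenge.ProtectionSpace.AuthenticationMethod == clientCertMethod)
        {
            // Server asked for a client certificate: hand over our identity.
            // The framework signs the handshake with the identity's key itself.
            completionHandler(NSUrlSessionAuthChallengeDisposition.UseCredential, credential);
            return;
        }

        // Anything else (server trust evaluation, HTTP auth) keeps the system
        // default, so normal server certificate validation is not weakened.
        completionHandler(NSUrlSessionAuthChallengeDisposition.PerformDefaultHandling, null);
    }
}

// Placeholder factory: requests made through the returned session present the
// client certificate whenever the server requests one.
public static class ClientCertSessionFactory
{
    public static NSUrlSession Create(string pkcs12Path, string password)
    {
        var credential = ClientCertSessionDelegate.LoadCredential(pkcs12Path, password);
        var config = NSUrlSessionConfiguration.EphemeralSessionConfiguration;
        return NSUrlSession.FromConfiguration(config, new ClientCertSessionDelegate(credential), null);
    }
}
```

The delegate only answers the client-certificate challenge; every other challenge falls through to PerformDefaultHandling so that server trust is still evaluated by the system. Note what is absent: there is no callback in which app code could compute the handshake signature, which is the gap the thread is about.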

Hello again eskimo, and thank you for your time...


We have to achieve this, so even if it is long and tedious, we need to know how to do it.

In your answer you were talking about implementing our own "crypto primitives"; in that sense, in which direction should we start?


Thank you again!!

The approach I’ve seen other folks use is:

  1. Revert to UIWebView.

  2. Use an NSURLProtocol subclass to catch network requests made by the web view. See the CustomHTTPProtocol sample code.
  3. Write or acquire an HTTP implementation and use that to run those requests.

  4. Write or acquire a TLS implementation and use that to carry your HTTP requests.

  5. Modify that TLS implementation to do client identity cryptographic operations (get the certificate, encrypt using the private key associated with that certificate) on your hardware token.

Each and every step of this process is non-trivial. Moreover, step 1 is specifically discouraged because UIWebView has been officially deprecated.

WARNING We’re not deprecating UIWebView arbitrarily. Its architecture makes it impossible to solve specific security problems, as discussed in WWDC 2018 Session 207 Strategies for Securing Web Content.

ps Don’t forget to file an enhancement request for hardware token support. As should be clear from the above, whatever solution you implement today is going to require serious compromises, and it’s important that iOS Engineering understand why you’re choosing this path.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hello Again Eskimo and thank you for your time and attention.


We have submitted the issue with number 47998491.


If more information is needed, please contact us!!

I checked the bug report this morning and it has been marked as a duplicate of 47573830, but I can not see that issue, and I have not posted it... is there some way to watch that issue?

Thanks for filing a bug about this.

Two things:

  • If your bug is closed as a dup, you can’t get detailed information on the original via Apple Bug Reporter. The only thing you can see is the Open/Closed state of the original.

  • In your specific case, your bug (r. 47573830) seems to have been dup’d to the wrong bug. I’ve asked our bugs team to fix that.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi again eskimo...


We filed the issue on February 12 2019, 2:36 PM in iOS + SDK, but no response has been received since... how can I know how it is going?

Earlier I wrote:

In your specific case, your bug (r. 47573830) seems to have been dup’d to the wrong bug. I’ve asked our bugs team to fix that.

Looking at your bug (r. 47998491) today, I can confirm that it’s landed in the right place. Alas, I can’t say much more than that. As with all ERs, the engineering team has to balance your request against all the other demands on their time.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi again Eskimo,


We haven't had any news about the issue or from the developer team... how could we ask about this?


Thanks again

Hi again Eskimo,


We have had no notice from the developer team and you aren't responding also... is everything ok?

you aren’t responding also

To be clear, DevForums is not an official support channel and thus you can’t expect responses here. As it happens, your previous post came in while I was out of the office for two weeks, which is why I didn’t see it.

I discussed your issue with one of my colleagues, who supports CryptoTokenKit, and it seems that Apple added support for CryptoTokenKit to iOS with iOS 13. Given that, you may be able to get out of this bind by implementing a CryptoTokenKit extension for iOS.

I say “may” because I’ve not actually tried this myself and it’s possible that you might hit some unexpected snags. Still, it’s worth a shot.

If you run into trouble, my recommendation is that you open a DTS tech support incident to get help from the above-mentioned DTS CryptoTokenKit specialist.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thank you very much for your time and for the reply, we will try it.