Getting the list of certificates that are installed on a user's iPhone

Hello everyone,

I am making an app that would allow a user to choose one of his installed certificates (from Profiles) and use it to sign xml files that he is sending.
Is it possible to make this work programmatically in Xcode? If it is, how?

Any help is appreciated.



Accepted Reply

> Users will be regular users, who go to the IRS web site, download the .p12 and then install it via manual profile ingest UI.

OK. To be clear, there is no way for an app to access a digital identity that’s been installed in this way. These identities are placed in an Apple-only keychain access group.

All my usual tricks for getting around this are focused on managed environments. This sort of setup is relatively rare for regular users.

I can see a couple of ways forward here:

  • You could use WKWebView to create an in-app browser that lets the user go to the right place on the IRS web site and download the profile. Your app would catch that download via the navigation delegate, download the file itself (using NSURLSession), and then import it into its own keychain access group (SecPKCS12Import).
  • The user could download the .p12 to the Files app so that you can choose it in a file picker (UIDocumentPickerViewController).

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
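A worked example of the common tail of both approaches above, added here and not part of Quinn's reply or of any Apple sample code: once the app holds the raw .p12 bytes (from its own NSURLSession download or from the document picker), it imports them with SecPKCS12Import, keeps the resulting identity in its own keychain, and signs the invoice bytes with the private key, verifying against the certificate's public key. The error enum, the keychain label, the helper names and the constructed invoice are assumptions; the exact signature format the IRS expects over the XML is outside what the thread covers and is not modelled here.

```swift
import Foundation
import Security

/// Errors for the import/sign flow (hypothetical names, not an Apple API).
enum IdentityError: Error {
    case pkcs12Import(OSStatus)   // errSecAuthFailed usually means a wrong passphrase
    case noIdentity               // the file carried certificates but no private key
    case keychain(OSStatus)
    case noPrivateKey(OSStatus)
    case unsupportedKeyType
    case signing(CFError?)
}

/// Reads a file the user chose in UIDocumentPickerViewController. The URL is
/// security-scoped, so access has to be started and stopped around the read.
func loadPickedFile(_ url: URL) throws -> Data {
    guard url.startAccessingSecurityScopedResource() else {
        throw CocoaError(.fileReadNoPermission)
    }
    defer { url.stopAccessingSecurityScopedResource() }
    return try Data(contentsOf: url)
}

/// Turns the .p12 bytes into a SecIdentity. A .p12 is encrypted with a
/// passphrase, so the app must prompt the user for it; it is never persisted.
func importIdentity(p12: Data, passphrase: String) throws -> SecIdentity {
    let options = [kSecImportExportPassphrase as String: passphrase]
    var items: CFArray?
    let status = SecPKCS12Import(p12 as CFData, options as CFDictionary, &items)
    guard status == errSecSuccess else { throw IdentityError.pkcs12Import(status) }
    // kSecImportItemIdentity is only present when the file contained a private
    // key matching one of its certificates, i.e. a digital identity.
    guard let entries = items as? [[String: Any]],
          let identityRef = entries.first?[kSecImportItemIdentity as String] else {
        throw IdentityError.noIdentity
    }
    return identityRef as! SecIdentity
}

/// Persists the identity in the app's own keychain so later launches can look it
/// up by label instead of asking for the .p12 again.
func storeIdentity(_ identity: SecIdentity, label: String) throws {
    let attrs: [String: Any] = [
        kSecValueRef as String: identity,
        kSecAttrLabel as String: label,
    ]
    let status = SecItemAdd(attrs as CFDictionary, nil)
    // errSecDuplicateItem: the same identity was imported before, which is fine here.
    guard status == errSecSuccess || status == errSecDuplicateItem else {
        throw IdentityError.keychain(status)
    }
}

/// Probes the key for a supported algorithm so RSA and EC identities both work.
func signatureAlgorithm(for key: SecKey, operation: SecKeyOperationType) throws -> SecKeyAlgorithm {
    let candidates: [SecKeyAlgorithm] = [.rsaSignatureMessagePKCS1v15SHA256,
                                         .ecdsaSignatureMessageX962SHA256]
    if let alg = candidates.first(where: { SecKeyIsAlgorithmSupported(key, operation, $0) }) {
        return alg
    }
    throw IdentityError.unsupportedKeyType
}

/// Signs `message` with the identity's private key (SHA-256 over the message).
func sign(_ message: Data, with identity: SecIdentity) throws -> Data {
    var keyRef: SecKey?
    let status = SecIdentityCopyPrivateKey(identity, &keyRef)
    guard status == errSecSuccess, let key = keyRef else { throw IdentityError.noPrivateKey(status) }
    let algorithm = try signatureAlgorithm(for: key, operation: .sign)
    var error: Unmanaged<CFError>?
    guard let sig = SecKeyCreateSignature(key, algorithm, message as CFData, &error) else {
        throw IdentityError.signing(error?.takeRetainedValue())
    }
    return sig as Data
}

/// Verifies with the public key from the identity's certificate; a cheap
/// self-check that the key and certificate in the .p12 really belong together.
func verify(_ message: Data, signature: Data, with identity: SecIdentity) -> Bool {
    var certRef: SecCertificate?
    guard SecIdentityCopyCertificate(identity, &certRef) == errSecSuccess,
          let cert = certRef, let publicKey = SecCertificateCopyKey(cert),
          let algorithm = try? signatureAlgorithm(for: publicKey, operation: .verify) else {
        return false
    }
    var error: Unmanaged<CFError>?
    return SecKeyVerifySignature(publicKey, algorithm, message as CFData, signature as CFData, &error)
}

// Constructed sample invoice; the real layout is whatever the IRS spec requires.
let invoiceXML = Data("<invoice><total>12.50</total></invoice>".utf8)

/// End-to-end: picked .p12 -> identity in app keychain -> signature over the invoice.
func signInvoice(p12URL: URL, passphrase: String) throws -> Data {
    let identity = try importIdentity(p12: try loadPickedFile(p12URL), passphrase: passphrase)
    try storeIdentity(identity, label: "irs-fiscal-identity")   // label is an assumption
    let signature = try sign(invoiceXML, with: identity)
    precondition(verify(invoiceXML, signature: signature, with: identity))
    return signature
}
```

For the WKWebView route, the only difference is where the bytes come from: the navigation delegate hands the download URL to an NSURLSession task and the resulting Data goes straight into importIdentity. Because the private key now lives in the app's keychain rather than the Apple-only access group, the app is responsible for its protection; setting kSecAttrAccessible to a when-unlocked class in the SecItemAdd attributes is the usual choice for a signing key that is used interactively.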

Replies

Thanks for popping over to DevForums (-:

I presume you’re talking about digital identities, not certificates. That is, the payload type is com.apple.security.pkcs12. If you’re trying to sign something, you need the private key and it’s the presence of that private key that makes for a digital identity.

Unfortunately there isn’t a way to get at these directly. QA1745 Making Certificates and Keys Available To Your App explains this in some detail.

IMO it would be nice if configuration profiles had a way to place a digital identity in a specific keychain access group, so an admin could push a profile with a digital identity that’s available to your app. If you’d like to see such support added to the system, I encourage you to file an enhancement request describing your requirements.

As to workarounds, the best approach depends on the specifics of your environment. First things first, are you deploying to a managed environment? Or to general users via the App Store?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thank you for replying


I am not entirely sure if it is digital identity or certificate as we received a "certificate" file with .p12 extension that is used on identical app in Android OS.

Here are the details of the app:
The application is for cash register (POS terminal), where business owners have to report every transaction to the IRS. When they report a business to the IRS, they get a certificate that they will use to send fiscalized invoices to the IRS so that those invoices can be processed there. App is directly communicating with the government owned institution, Tax administration office (IRS) which is also a certificate authority (CA) for all issued certificates.
The application will be on the App Store, but only users that have registered their business with the IRS will be able to use it.

Best Regards

AFAIK, IRS does not send a private key.

So it should be a public key for signing the invoice so that it cannot be tampered with before processing by IRS.

What does the app do? Sign a digest of the document to authenticate it?


Question: is it easier to import a public key in your app (logically, it should be)?

Maybe not in the US

I didn't want to go into too many details, but the user needs an option to use his certificate to sign transactions.


The app will be used to report any and all transactions from any store that uses a POS terminal. Let's say a user owns a coffee shop. Every transaction from that coffee shop has to be reported to the IRS. This app will serve as a POS terminal that sends transactions to the IRS server for fiscalization. Transactions will be stored in xml files and signed with the user's certificate/identity. Depending on the answer from the server, the user can issue a fiscal or a non-fiscal receipt to a customer.

> I am not entirely sure if it is digital identity or certificate as we received a "certificate" file with .p12 extension

While .p12 files can contain a variety of things, they are almost always used to distribute digital identities. Try this:
  1. Run Keychain Access on your Mac.

  2. Create a new ‘victim’ keychain.

  3. Import the .p12 file into that keychain.

Your victim keychain should now contain a private key and one or more certificates.

> Here are the details of the app:

Thanks, but I have a few more questions (-:

Are the users of your app working in a managed environment? Such that this digital identity gets installed on the device as a configuration profile pushed via MDM? Or are these regular users, who go to the IRS web site, download the .p12, and then install it via the manual profile ingest UI.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

My .p12 does contain private key and one certificate, so it is digital identity.
Users will be regular users, who go to the IRS web site, download the .p12 and then install it via manual profile ingest UI.
Users will have to install their digital identities manually on their phones before installing this app.


I will try those.
Thank you