TLS - Mutual Authentication without the private key

Hello,


We are doing TLS with mutual authentication.


To do this, we use the method didReceiveChallenge and after SecPKCS12Import, we have the requirements of the URLCredential constructor.

https://developer.apple.com/documentation/foundation/nsurlsessiontaskdelegate/1411595-urlsession?language=swift


And everything works like a charm.


Now, we have a probleme : the private key cannot be export.

This private key is in a NFC document.


Finally, this is my question :


How to send the "Certificate Verify" message that contains a digitally signed copy of the previous handshake message.

This message is signed using the client certificate's private key. The server can validate the message digest of the digital signature by using the client's public key (which is found in the client certificate). Once the digital signature is validated, the server knows that the public key belonging to the client matches the private key used to create the signature.


We can ask to the card to sign data, we know how to do that, but I don't see a way to provide this data to the URLSession, except using URLCredential that needs the privateKey.


I've already take a look on the Network Framework

https://developer.apple.com/documentation/network?language=swift

https://developer.apple.com/documentation/network/nwprotocoltls

https://developer.apple.com/documentation/network/security_options?language=swift


But found nothing interesting.


Do you have any idea ?


Regards,


Greg.

Accepted Reply

Greg,


Based on the private key coming from an NFC document I am assuming you are trying to use CryptoTokenKit in your iOS project, sort of like CryptoTokenKit on macOS. It also sounds like you are in need of accessing this key through CTK to create the digital signature during the "Certificate Verify" stage to complete the client authentication. If this is correct then there is no way for the private key to be exposed from CTK so that it can be utilized by URLCredential to complete the client authentication. Please file an enhancement request and follow up with this thread once you have the feedback number.



Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

Replies

Greg,


Based on the private key coming from an NFC document I am assuming you are trying to use CryptoTokenKit in your iOS project, sort of like CryptoTokenKit on macOS. It also sounds like you are in need of accessing this key through CTK to create the digital signature during the "Certificate Verify" stage to complete the client authentication. If this is correct then there is no way for the private key to be exposed from CTK so that it can be utilized by URLCredential to complete the client authentication. Please file an enhancement request and follow up with this thread once you have the feedback number.



Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

Thanks a lot Matt,


here is the feedback number FB7650375.

Greg,


Thank you for filing the enhancement request. I see it internally and have requested access to copy myself on future updates.


Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com