20 Replies
      Latest reply on Jun 4, 2018 11:12 PM by bftmb
      bftmb (Level 1, 0 points)

        Hello,

        Currently I need to find a solution to get a certificate from our company's Certificate Authority, to use it for Wi-Fi and VPN.

        To get a certificate I need to build a CSR first. For this, I generate a key pair in the Secure Enclave. After that I build the CSR in Swift and sign it with the private key. Then I can send it to the CA, which currently causes some problems. But that is not the main question.

        The problem is, when I get the certificate back, I need to use it for Wi-Fi and VPN. But when I want to choose the certificate, it does not appear in the dropdown. I think the problem is that the keychain does not know the private key. Every certificate I can select has, in the keychain, a dropdown where it shows a private key.

        Can anyone explain to me how to link my certificate with the private key in the Secure Enclave?

        I would also be happy for ideas on how to send it to the CA.

        Best Regards

        Moritz

        • Re: Secure Enclave for MS Active Directory Certificate Enrollment
          eskimo (Apple Staff, 9,180 points)

          The problem here is keychain access groups.  When you create your key pair it goes into your app’s keychain access group.  However, for a digital identity to be usable by Settings > Wi-Fi the components of that identity, the private key and the certificate, need to be in the system’s keychain access group.  There’s no programmatic way for you to modify the system keychain access group, and thus there’s no way for you to move the private key there.

          One possibility is for you to set up Wi-Fi and VPN programmatically (using NEHotspotConfigurationManager and NEVPNManager, respectively).  Such configurations use credentials from your keychain access group.

          ps I’ve never tried this with a Secure Enclave-based private key, so it’ll be interesting to see if that works.  To start off I recommend that you generate the key pair in the normal keychain and then, if that works, move on to using the Secure Enclave.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"
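The flow the original post describes (Secure Enclave key pair, CSR signed with it, certificate stored with SecItemAdd) and the point made in the reply above (an identity is the pairing of a private key and a certificate) can be written out as follows. This is an added example for this page, not code from either participant; `keyTag`, the label argument and the DER inputs are placeholders, the PKCS#10 encoder is assumed to be the caller's own, and the `kSecUseDataProtectionKeychain` flag (macOS 10.15 / iOS 13 and later, so newer than the thread) is used to make the certificate land in the same iOS-style keychain as the Secure Enclave key.

```swift
import Foundation
import Security

// Added example, not code from the thread. `keyTag`, the label and the
// DER inputs are placeholders for the reader's own values.

enum EnrollError: Error {
    case status(OSStatus)
    case security(Error?)
}

/// Application tag shared by the key and the later identity query (assumed value).
let keyTag = Data("com.example.enroll.eap-tls".utf8)

/// A Secure Enclave key only ever lives in the iOS-style data-protection keychain.
/// On macOS 10.15+ this flag steers SecItemAdd/SecItemCopyMatching to that keychain
/// instead of the file-based login keychain, so the certificate and key can pair up.
func targetDataProtectionKeychain(_ query: inout [CFString: Any]) {
    if #available(macOS 10.15, iOS 13, *) {
        query[kSecUseDataProtectionKeychain] = true
    }
}

/// Create a permanent P-256 key pair whose private half is generated in, and never
/// leaves, the Secure Enclave (P-256 is the only key type it supports).
func makeSecureEnclaveKey() throws -> SecKey {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly,   // bound to this device only
            .privateKeyUsage,
            &cfError) else { throw EnrollError.security(cfError?.takeRetainedValue()) }

    let attrs: [CFString: Any] = [
        kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits: 256,
        kSecAttrTokenID: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs: [
            kSecAttrIsPermanent: true,          // store it, so a certificate can pair with it
            kSecAttrApplicationTag: keyTag,
            kSecAttrAccessControl: access,
        ] as [CFString: Any],
    ]
    guard let key = SecKeyCreateRandomKey(attrs as CFDictionary, &cfError) else {
        throw EnrollError.security(cfError?.takeRetainedValue())
    }
    return key
}

/// Public half for the CSR: X9.63 uncompressed point (0x04 || X || Y, 65 bytes).
/// The CSR encoder wraps this in a SubjectPublicKeyInfo.
func publicKeyBytes(of privateKey: SecKey) throws -> Data {
    var cfError: Unmanaged<CFError>?
    guard let pub = SecKeyCopyPublicKey(privateKey),
          let data = SecKeyCopyExternalRepresentation(pub, &cfError) else {
        throw EnrollError.security(cfError?.takeRetainedValue())
    }
    return data as Data
}

/// Sign the DER CertificationRequestInfo with ECDSA over SHA-256. The result is the
/// DER-encoded ECDSA signature that the PKCS#10 signature field expects.
func signCSRInfo(_ csrInfoDER: Data, with privateKey: SecKey) throws -> Data {
    var cfError: Unmanaged<CFError>?
    let alg: SecKeyAlgorithm = .ecdsaSignatureMessageX962SHA256
    guard SecKeyIsAlgorithmSupported(privateKey, .sign, alg),
          let sig = SecKeyCreateSignature(privateKey, alg, csrInfoDER as CFData, &cfError) else {
        throw EnrollError.security(cfError?.takeRetainedValue())
    }
    return sig as Data
}

/// Store the certificate the CA returned, in the same keychain as the key. The keychain
/// forms the identity itself by matching the certificate's public-key hash against the
/// key's kSecAttrApplicationLabel; the certificate item carries no explicit link.
func installCertificate(der: Data, label: String) throws {
    guard let cert = SecCertificateCreateWithData(nil, der as CFData) else {
        throw EnrollError.status(errSecDecode)
    }
    var add: [CFString: Any] = [
        kSecClass: kSecClassCertificate,
        kSecValueRef: cert,
        kSecAttrLabel: label,
    ]
    targetDataProtectionKeychain(&add)
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess || status == errSecDuplicateItem else {
        throw EnrollError.status(status)
    }
}

/// The check: is there now an identity (certificate + private key) for our key?
/// nil means the two did not pair up, typically because the certificate went into the
/// file-based login keychain while the key sits in the data-protection keychain.
func findIdentity() -> SecIdentity? {
    var query: [CFString: Any] = [
        kSecClass: kSecClassIdentity,
        kSecAttrApplicationTag: keyTag,   // key attributes are valid in identity searches
        kSecReturnRef: true,
        kSecMatchLimit: kSecMatchLimitOne,
    ]
    targetDataProtectionKeychain(&query)
    var item: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess,
          let found = item else { return nil }
    return (found as! SecIdentity)
}
```

Usage is `let key = try makeSecureEnclaveKey()`, build the CSR around `publicKeyBytes(of:)` and `signCSRInfo(_:with:)`, submit it, then `installCertificate(der:label:)` and `findIdentity()`. If `findIdentity()` returns nil after a successful `SecItemAdd`, the certificate and key are in different keychains or different access groups; that is the symptom described in the original post, and no attribute on the certificate can repair it.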

            • Re: Secure Enclave for MS Active Directory Certificate Enrollment
              bftmb (Level 1, 0 points)

              Hi Eskimo,

              thanks for your fast reply. Are you sure that I can use NEHotspotConfigurationManager for macOS? I only found documents in the Apple developer search for iOS.

              Best Regards

              Moritz

                • Re: Secure Enclave for MS Active Directory Certificate Enrollment
                  eskimo (Apple Staff, 9,180 points)

                  Are you sure that I can use NEHotspotConfigurationManager for macOS?

                  Oh, you’re on the Mac!  I was originally going to bounce this back with a “What platform are you on?” but then decided that, given that you mentioned the Secure Enclave, it’s most likely an iOS thing [1].

                  With regard to the two technologies in play here:

                  • VPN setup is supported by NEVPNManager on both platforms

                  • Wi-Fi setup differs by platform:

                    • On iOS you can use NEHotspotConfigurationManager

                    • On macOS you can use the CoreWLAN framework


                  [1] And yes, I know that Secure Enclave is available on the Mac but the vast majority of Secure Enclave questions I see relate to iOS.

                    • Re: Secure Enclave for MS Active Directory Certificate Enrollment
                      bftmb (Level 1, 0 points)

                      Hi Eskimo,

                      Perfect, I hope that this works.

                      Do you know how to use CoreWLAN with EAP-TLS certificates?

                      Best Regards

                      Moritz

                        • Re: Secure Enclave for MS Active Directory Certificate Enrollment
                          eskimo (Apple Staff, 9,180 points)

                          Do you know how to use CoreWLAN with EAP-TLS Certificates?

                          I don’t have any direct experience with that.  I will note that CoreWLAN has specific API for keychain management that’s supposed to help with this sort of thing.  Check out <CoreWLAN/CoreWLANUtil.h>.

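The two replies above name the system APIs for applying a credential to a network configuration on the Mac: NEVPNManager for VPN and the keychain helpers in CoreWLANUtil.h for EAP-TLS Wi-Fi. The following is an added example for this page, not Apple's or the poster's code, showing how a SecIdentity obtained from the keychain is handed to each. It assumes the app carries the Personal VPN entitlement (`com.apple.developer.networking.vpn.api`), that `serverAddress`, `remoteID` and the SSID are the reader's own values, and it does not settle the thread's open question of whether the system's EAP client can then use a Secure Enclave-backed key.

```swift
import Foundation
import Security
import CoreWLAN
import NetworkExtension

// Added example, not code from the thread. Server address, remote identifier and
// SSID are placeholders; the Personal VPN entitlement is assumed to be present.

enum ApplyError: Error { case status(OSStatus) }

/// NEVPNProtocol wants a persistent keychain reference, not a SecIdentity object.
func persistentRef(for identity: SecIdentity) throws -> Data {
    let query: [CFString: Any] = [
        kSecClass: kSecClassIdentity,
        kSecValueRef: identity,
        kSecReturnPersistentRef: true,
    ]
    var out: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &out)
    guard status == errSecSuccess, let ref = out as? Data else {
        throw ApplyError.status(status == errSecSuccess ? errSecInternalError : status)
    }
    return ref
}

/// Wi-Fi on macOS: register the EAP-TLS identity for an SSID through CoreWLANUtil.
/// .user scopes it to the login keychain; .system needs administrator rights and
/// is what a per-machine EAP profile would use.
func setEAPIdentity(ssid: String, identity: SecIdentity,
                    domain: CWKeychainDomain = .user) -> OSStatus {
    return CWKeychainSetWiFiEAPIdentity(domain, Data(ssid.utf8), identity)
}

/// VPN on both platforms: an IKEv2 tunnel authenticated with the certificate.
/// The system copies the referenced credential into the configuration, which is
/// why the app's keychain access group is acceptable here.
func installVPN(serverAddress: String, remoteID: String, identity: SecIdentity,
                completion: @escaping (Error?) -> Void) {
    let manager = NEVPNManager.shared()
    manager.loadFromPreferences { loadError in
        if let loadError = loadError { completion(loadError); return }
        let proto = NEVPNProtocolIKEv2()
        proto.serverAddress = serverAddress
        proto.remoteIdentifier = remoteID
        proto.authenticationMethod = .certificate
        proto.certificateType = .ECDSA256        // matches a P-256 enrollment key
        do {
            proto.identityReference = try persistentRef(for: identity)
        } catch {
            completion(error); return
        }
        manager.protocolConfiguration = proto
        manager.localizedDescription = "Corporate VPN (certificate)"
        manager.isEnabled = true
        manager.saveToPreferences(completionHandler: completion)
    }
}
```

`setEAPIdentity` returns the OSStatus from CoreWLAN; anything other than `errSecSuccess` means the identity could not be recorded for that SSID, and with a data-protection-keychain identity that is exactly the case to test first with a normal keychain key, as the replies above recommend.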

                            • Re: Secure Enclave for MS Active Directory Certificate Enrollment
                              bftmb (Level 1, 0 points)

                              Is there no way to create a key pair in the Secure Enclave which I can access from the keychain? Maybe use "com.apple.keychain" for kSecAttrApplicationTag or whatever?

                                • Re: Secure Enclave for MS Active Directory Certificate Enrollment
                                  eskimo (Apple Staff, 9,180 points)

                                  Is there no way to create a key pair in the Secure Enclave which I can access from the keychain?

                                  I’m not sure what you’re asking here.  When you create a key pair in the Secure Enclave it is accessible via keychain APIs.


                                    • Re: Secure Enclave for MS Active Directory Certificate Enrollment
                                      bftmb (Level 1, 0 points)

                                      I need to access the private key from the keychain. But you told me that this is not possible because of the keychain access group. You said when I create a key pair it goes into my app’s keychain access group. Now I'm wondering if I can modify the access group so that I can access it from the system keychain. There should be a possibility, otherwise the Secure Enclave is useless...

                                        • Re: Secure Enclave for MS Active Directory Certificate Enrollment
                                          eskimo (Apple Staff, 9,180 points)

                                          I think you need to have a look at the specific APIs I’m recommending here.  In both cases the system mediates the application of your credentials to the configuration, and thus the specific keychain access group may not matter.

                                          Having said that, I’m kinda doubtful that a Secure Enclave key will work for either case, which is why I recommend that you start with a normal key and only move on to using a Secure Enclave key if you can get that working.


                                            • Re: Secure Enclave for MS Active Directory Certificate Enrollment
                                              bftmb (Level 1, 0 points)

                                              Hi Eskimo,

                                              I think we talk about two different topics. I don't can use your CoreWLAN and NEVPNManager framework. It didn't work for our company. I really need to access the private key from the Secure Enclave in the System keychain. I don't think that Apple has no function built in to grant access for other keychain access groups (e.g. the System keychain).

                                              Is there any possibility to grant my keychain access to the private key in the Secure Enclave?

                                                • Re: Secure Enclave for MS Active Directory Certificate Enrollment
                                                  eskimo (Apple Staff, 9,180 points)

                                                  I think we talk about two different topics.

                                                  I definitely agree that there’s a bunch of confusion here.

                                                  I don't can use your CoreWLAN and NEVPNManager framework.

                                                  What does “don’t can use” mean?  You don’t use them?  Or you can’t use them?

                                                  The reason I’m suggesting that you use these APIs is that they are the only way to set credentials on a network configuration.  And, just to be clear about our expectations here, I’m not confident that you’ll be able to make this work with a Secure Enclave key at all, but these APIs are the only approach that offers any hope.

                                                  Is there any possibility to grant my keychain access to the private key in the Secure Enclave?

                                                  I don’t understand this question.  If you create the key in the Secure Enclave then it’s accessible to you via keychain APIs, that is, your keychain already has access to it.


                                                  WWDC runs Mon, 4 Jun through to Fri, 8 Jun.  During that time all of DTS will be at the conference, helping folks out face-to-face.

                                                    • Re: Secure Enclave for MS Active Directory Certificate Enrollment
                                                      bftmb (Level 1, 0 points)

                                                      Hi,

                                                      If you create the key in the Secure Enclave then it’s accessible to you via keychain APIs, that is, your keychain already has access to it.

                                                      No, when I create a key pair in the Secure Enclave, I only have access to it via my own application. I build a CSR in my application and send it to the CA. When I import the returned certificate into my keychain, I don't have access to my private key. But I need it for our applications.

                                                      Let's clarify that first.

                                                      Thank you

                                                        • Re: Secure Enclave for MS Active Directory Certificate Enrollment
                                                          eskimo (Apple Staff, 9,180 points)

                                                          When I import the returning Certificate in my Keychain …

                                                          What API are you using to import the certificate?


                                                            • Re: Secure Enclave for MS Active Directory Certificate Enrollment
                                                              bftmb (Level 1, 0 points)

                                                              Hi Eskimo,

                                                              I use the Security framework with the SecItemAdd function to add the certificate to my keychain. But I can't find the private key in my keychain and I also can't find a way to link the private key to the certificate.

                                                              thank you

                                                                • Re: Secure Enclave for MS Active Directory Certificate Enrollment
                                                                  eskimo (Apple Staff, 9,180 points)

                                                                  If you generate the key pair in the standard keychain, not the Secure Enclave, does it match up with the added certificate to form an identity?


                                                                    • Re: Secure Enclave for MS Active Directory Certificate Enrollment
                                                                      bftmb (Level 1, 0 points)

                                                                      Hi Eskimo,

                                                                      I just created the key pair in the standard keychain. After that the key pair was directly visible in the keychain, and after I had my CSR signed, the certificate matched with the private key.

                                                                      Then I tried this another time in the Secure Enclave, and it did not appear in the keychain, and it did not match with the certificate.

                                                                      So how do I get my key pair accessible from the keychain?

                                                                      thank you!

                                                                        • Re: Secure Enclave for MS Active Directory Certificate Enrollment
                                                                          eskimo (Apple Staff, 9,180 points)

                                                                          Then I tried this another time in the secure enclave, and it did not appear in the keychain, and it did not match with the certificate.

                                                                          How are you testing this?  With the Keychain Access app?  Or via some API?


                                                                            • Re: Secure Enclave for MS Active Directory Certificate Enrollment
                                                                              bftmb (Level 1, 0 points)

                                                                              Hi Eskimo,

                                                                              That I review with the Keychain application, and it should be visible there; otherwise we can't use the 'Cisco AnyConnect' client.

                                                                              thanks

                                                                                • Re: Secure Enclave for MS Active Directory Certificate Enrollment
                                                                                  eskimo (Apple Staff, 9,180 points)

                                                                                  that I review with the Keychain Application

                                                                                  I presume you mean Keychain Access.

                                                                                  otherwise we cant use 'Cisco AnyConnect' Client.

                                                                                  Ah, I didn’t realise you were using a third-party VPN client.  In that case I don’t think you’re going to be able to achieve your goal.  macOS has two keychain models, the traditional file-based keychain and an iOS-style keychain used for, amongst other things, iCloud Keychain.  The Secure Enclave is only accessible via the iOS-style keychain, and that keychain has a security model, keychain access groups, that prevents app A from creating credentials that can be used by app B.

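The closing diagnosis above rests on macOS having two keychains: the file-based login and System keychains that Keychain Access and classic clients such as a third-party VPN app read, and the iOS-style data-protection keychain that is the only place a Secure Enclave key can live. The following is an added example for this page, not code from the thread, that reports which of the two holds a private key with a given tag and under which access group and token. It assumes macOS 10.15 or later for the `kSecUseDataProtectionKeychain` flag (without it only the file-based keychain is searched) and that `tag` is the application tag the key was created with.

```swift
import Foundation
import Security

// Added example, not code from the thread. `tag` is the kSecAttrApplicationTag
// the key was created with; requires macOS 10.15+ to select the keychain.

/// One hit per matching private key: which keychain it is in, its access group,
/// and its token (kSecAttrTokenIDSecureEnclave for an enclave-backed key, nil otherwise).
struct KeyLocation: Equatable {
    let inDataProtectionKeychain: Bool
    let accessGroup: String?
    let tokenID: String?
}

/// Search both keychains for private keys carrying `tag`. A key that only shows up
/// with inDataProtectionKeychain == true is invisible to Keychain Access and to any
/// client that reads the file-based keychain, which is the situation in this thread.
func locatePrivateKeys(tag: Data) -> [KeyLocation] {
    var found: [KeyLocation] = []
    for useDataProtection in [false, true] {
        var query: [CFString: Any] = [
            kSecClass: kSecClassKey,
            kSecAttrKeyClass: kSecAttrKeyClassPrivate,
            kSecAttrApplicationTag: tag,
            kSecReturnAttributes: true,
            kSecMatchLimit: kSecMatchLimitAll,
        ]
        if #available(macOS 10.15, iOS 13, *) {
            query[kSecUseDataProtectionKeychain] = useDataProtection   // selects the keychain
        } else if useDataProtection {
            continue   // older systems: only the file-based keychain can be addressed
        }
        var out: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &out) == errSecSuccess,
              let items = out as? [[CFString: Any]] else { continue }
        for attrs in items {
            found.append(KeyLocation(
                inDataProtectionKeychain: useDataProtection,
                accessGroup: attrs[kSecAttrAccessGroup] as? String,
                tokenID: attrs[kSecAttrTokenID] as? String))
        }
    }
    return found
}
```

Run `locatePrivateKeys(tag:)` once after generating a key in the normal keychain and once after generating it in the Secure Enclave: the first appears with `inDataProtectionKeychain == false`, the second only with `true`, an access group tied to the app, and `tokenID == kSecAttrTokenIDSecureEnclave as String`. That difference, not a missing link on the certificate, is why the identity never shows up for the other client.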