8 Replies
      Latest reply on Feb 13, 2019 2:05 AM by eskimo
      Ivnosys Level 1 (0 points)

        We have a cert cloud storage and signature service. We have developed PKCS11 libraries for OSX, Linux, Windows... a native CSP and KSP driver for Windows.

        Using Xamarin, we have developed a "WebViewClient" for Android that can authenticate with a client certificate (with cloud-stored certificates) BUT I could not find out how to do the same in iOS.

        I tried to override the SecIdentity class and SecKey class, so I can develop signature methods that sign in the cloud, BUT at instantiation time SecIdentity needs an IntPtr and I don't know how to create/assign it. I tried with:

        Snippet

           try {
               var cred = new NSUrlCredential(new IVSSecIdentity(), new SecCertificate[] { cert },
                                              NSUrlCredentialPersistence.ForSession);
           } catch (Exception e) {
               // never raised this error, always app crash
               Log(e);
           }

           try {
               var cred = new NSUrlCredential(new IVSSecIdentity(1), new SecCertificate[] { cert },
                                              NSUrlCredentialPersistence.ForSession);
           } catch (Exception e) {
               // never raised this error, always app crash
               Log(e);
           }

           try {
               var cred = new NSUrlCredential(new IVSSecIdentity("test"), new SecCertificate[] { cert },
                                              NSUrlCredentialPersistence.ForSession);
           } catch (Exception e) {
               // never raised this error, always app crash
               Log(e);
           }

           public class IVSSecIdentity : SecIdentity {
               // base(IntPtr) expects a native SecIdentityRef handle; these
               // three constructors pass made-up values instead
               public IVSSecIdentity() : base(new IntPtr(1)) {}
               public IVSSecIdentity(int test1) : base(new IntPtr(0)) {}
               public IVSSecIdentity(string test2) : base(IntPtr.Zero) {}

               ... (All stuff and methods/properties/fields)...
           }

         

        If someone could please help me (or redirect my question to some documentation), I would be so thankful.

        • Re: IOS cloud certificate
          eskimo Apple Staff (10,585 points)

          First, let me confirm your goals here.  It seems that you’re creating an app that:

          • Uses a web view

          • Wants that web view to authenticate with the server using mutual TLS authentication

          • Wants to store the digital identity for that authentication on some sort of hardware token (hence the PKCS#11)

          Is that correct?

          If so, what web view are you using?  WKWebView?  Or UIWebView?

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: IOS cloud certificate
              Ivnosys Level 1 (0 points)

              Yes, we use a Webview (WKWebView), client authentication and we want some sort of hardware token (on code).

                • Re: IOS cloud certificate
                  eskimo Apple Staff (10,585 points)

                  It’s not possible to do this with WKWebView.  It is (mostly) possible to do this with the now-deprecated UIWebView, but it’s a lot of work.  Let me explain.

                  iOS does not currently provide a plug-in API for hardware tokens, thus it’s not possible to integrate your hardware token with the Security framework, and thus the built-in TLS implementation, and thus the built-in HTTPS implementation.

                  Note: In contrast, macOS does support such an API, namely CryptoTokenKit.

                  To make this work you need two things:

                  • A way to intercept all network requests made by the web view (point A)

                  • An HTTPS stack that uses crypto routines that target your hardware token (point B)

                  With regard to point A, you can’t intercept all network requests made by WKWebView because it does all of its networking in a separate process.  You can do this using UIWebView — see the CustomHTTPProtocol sample code — with the caveats that:

                  • UIWebView has been officially deprecated.

                  • You can’t intercept all traffic generated by the web view (specifically, you won’t be able to see WebSocket connections).

                  Note: If you’re curious as to why that is, check WWDC 2018 Session 207 Strategies for Securing Web Content.

                  And this brings us to point B.  Your custom NSURLProtocol implementation gets HTTPS requests and has to run those requests using your hardware token.  This requires you to implement your own crypto primitives that target your token, your own TLS that uses those primitives, and your own HTTPS that uses that TLS.  That’s a lot of work.


                  Overall I’d rate this task as un-fun, and it’s clear that iOS should provide better support for hardware tokens, much like CryptoTokenKit on macOS.  I encourage you to file an enhancement request along those lines.

                  Please post your bug number, just for the record.

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"

                    • Re: IOS cloud certificate
                      Ivnosys Level 1 (0 points)

                      Hello again eskimo and thank you for your time...

                       

                      We have to achieve this purpose, so even if it is long and tedious, we need to know how to do it.

                      In your answer you were talking about implementing our own "crypto primitives", in this sense, in which direction should we start?

                       

                      Thank you again!!

                        • Re: IOS cloud certificate
                          eskimo Apple Staff (10,585 points)

                          The approach I’ve seen other folks use is:

                          1. Revert to UIWebView.

                          2. Use an NSURLProtocol subclass to catch network requests made by the web view.  See the CustomHTTPProtocol sample code.

                          3. Write or acquire an HTTP implementation and use that to run those requests.

                          4. Write or acquire a TLS implementation and use that to carry your HTTP requests.

                          5. Modify that TLS implementation to do client identity cryptographic operations (get the certificate, encrypt using the private key associated with that certificate) on your hardware token.

                          Each and every step of this process is non-trivial.  Moreover, step 1 is specifically discouraged because UIWebView has been officially deprecated.

                          WARNING: We’re not deprecating UIWebView arbitrarily.  Its architecture makes it impossible to solve specific security problems, as discussed in WWDC 2018 Session 207 Strategies for Securing Web Content.


                          PS: Don’t forget to file an enhancement request for hardware token support.  As should be clear from the above, whatever solution you implement today is going to require serious compromises, and it’s important that iOS Engineering understand why you’re choosing this path.

                          Please post your bug number, just for the record.

                          Share and Enjoy

                          Quinn “The Eskimo!”
                          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                          let myEmail = "eskimo" + "1" + "@apple.com"
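Added example code, not from this thread and not Apple's or Xamarin's: a Xamarin.iOS sketch of step 2 above, an NSUrlProtocol subclass that takes over the UIWebView's HTTPS requests and hands them to the custom HTTPS/TLS stack of steps 3 to 5, which is assumed here as the hypothetical ICloudTlsHttpClient interface (the CloudTlsUrlProtocol, Transport and IVSHandled names are assumptions too).

```csharp
using System;
using Foundation;
// Hypothetical interface (assumed, not Xamarin's): the custom HTTPS stack of
// steps 3 to 5, whose TLS client-auth step signs with the cloud-held key.
public interface ICloudTlsHttpClient
{
    void Run(NSUrlRequest request, Action<NSUrlResponse, NSData> onResponse, Action<NSError> onError);
}
public class CloudTlsUrlProtocol : NSUrlProtocol
{
    // Request property marking a request we already re-issued, so our own
    // outgoing copy is not intercepted a second time (recursion guard).
    const string HandledKey = "IVSHandled";
    // Assigned once at startup by the app (assumed name).
    public static ICloudTlsHttpClient Transport;

    [Export("canInitWithRequest:")]
    public static new bool CanInitWithRequest(NSUrlRequest request)
    {
        // Only HTTPS needs the client identity; skip requests already tagged.
        if (request.Url?.Scheme != "https") return false;
        return GetProperty(HandledKey, request) == null;
    }

    [Export("canonicalRequestForRequest:")]
    public static new NSUrlRequest GetCanonicalRequest(NSUrlRequest request) => request;

    [Export("initWithRequest:cachedResponse:client:")]
    public CloudTlsUrlProtocol(NSUrlRequest request, NSCachedUrlResponse cachedResponse, INSUrlProtocolClient client)
        : base(request, cachedResponse, client) { }

    public override void StartLoading()
    {
        var tagged = (NSMutableUrlRequest)Request.MutableCopy();
        SetProperty(new NSNumber(true), HandledKey, tagged);
        Transport.Run(tagged,
            (response, body) =>
            {
                // Responses fetched under the client identity are never cached.
                Client.ReceivedResponse(this, response, NSUrlCacheStoragePolicy.NotAllowed);
                Client.DataLoaded(this, body);
                Client.FinishedLoading(this);
            },
            error => Client.FailedWithError(this, error));
    }

    public override void StopLoading() { }
}
// Register before the UIWebView loads anything, e.g. in FinishedLaunching:
// NSUrlProtocol.RegisterClass(new ObjCRuntime.Class(typeof(CloudTlsUrlProtocol)));
```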

                            • Re: IOS cloud certificate
                              Ivnosys Level 1 (0 points)

                              Hello Again Eskimo and thank you for your time and attention.

                               

                              We have submitted the issue with number 47998491

                               

                              If more information is needed, please contact us!!

                              • Re: IOS cloud certificate
                                Ivnosys Level 1 (0 points)

                                I checked the bug report this morning and it has been marked as a duplicate of 47573830, but I can not see that issue, and I have not posted it... is there some way to view that issue?

                                  • Re: IOS cloud certificate
                                    eskimo Apple Staff (10,585 points)

                                    Thanks for filing a bug about this.

                                    Two things:

                                    • If your bug is closed as a dup, you can’t get detailed information on the original via Apple Bug Reporter.  The only thing you can see is the Open/Closed state of the original.

                                    • In your specific case, your bug (r. 47573830) seems to have been dup’d to the wrong bug.  I’ve asked our bugs team to fix that.

                                    Share and Enjoy

                                    Quinn “The Eskimo!”
                                    Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                    let myEmail = "eskimo" + "1" + "@apple.com"