1 Reply
      Latest reply on Mar 26, 2020 5:14 PM by meaton
      gdoudou Level 1 Level 1 (0 points)

        Hello,

         

        We are doing TLS with mutual authentication.

         

        To do this, we use the method didReceiveChallenge and after SecPKCS12Import, we have the requirements of the URLCredential constructor.

        https://developer.apple.com/documentation/foundation/nsurlsessiontaskdelegate/1411595-urlsession?language=swift

         

        And everything works like a charm.

         

        Now, we have a probleme : the private key cannot be export.

        This private key is in a NFC document.

         

        Finally, this is my question :

         

        How to send the "Certificate Verify" message that contains a digitally signed copy of the previous handshake message.

        This message is signed using the client certificate's private key. The server can validate the message digest of the digital signature by using the client's public key (which is found in the client certificate). Once the digital signature is validated, the server knows that the public key belonging to the client matches the private key used to create the signature.

         

        We can ask to the card to sign data, we know how to do that, but I don't see a way to provide this data to the URLSession, except using URLCredential that needs the privateKey.

         

        I've already take a look on the Network Framework

        https://developer.apple.com/documentation/network?language=swift

        https://developer.apple.com/documentation/network/nwprotocoltls

        https://developer.apple.com/documentation/network/security_options?language=swift

         

        But found nothing interesting.

         

        Do you have any idea ?

         

        Regards,

         

        Greg.

        • Re: TLS - Mutual Authentication without the private key
          meaton Apple Staff Apple Staff (130 points)

          Greg,

           

          Based on the private key coming from an NFC document I am assuming you are trying to use CryptoTokenKit in your iOS project, sort of like CryptoTokenKit on macOS.  It also sounds like you are in need of accessing this key through CTK to create the digital signature during the "Certificate Verify" stage to complete the client authentication.  If this is correct then there is no way for the private key to be exposed from CTK so that it can be utilized by URLCredential to complete the client authentication.  Please file an enhancement request and follow up with this thread once you have the feedback number.

           

           

          Matt Eaton

          DTS Engineering, CoreOS

          meaton3 at apple.com