iOS 9 NEPacketTunnelProvider and certificate auth

Hello, I have an NEPacketTunnelProvider extension and I'm trying to configure it for certificate authentication. To test, I created a mobileconfig profile that had a VPN payload and a PKCS12 payload, and in the VPN dict I set the PayloadCertificateUUID to the UUID of the PKCS12 payload. This seems to at least partially work, as my extension receives the config and protocolConfiguration.identityReference is a valid-looking persistent reference. However, when I try to pull that ref out of the keychain it's not found. I'm wondering which keychain identityReference is in and how I can access it. Thanks!

Accepted Reply

Have you looked at the Credential Storage section of the NETunnelProviderManager Class Reference?

Your app and provider extension should automatically get access to the correct keychain access group by way of your special provisioning profile, but you should double check that your final built binaries (the app and provider extension) have the entitlement set correctly.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Replies

Don't know how I missed that. Working fine now. Thanks! Maybe a note for your docs team: the configuration profile reference (https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html) only mentions PayloadCertificateUUID for the IPSec and IKEv2 VPN types, not for packet-tunnel.

Don't know how I missed that.

Yeah, I missed it the first time as well, resulting in an embarrassing conversation with the VPN Engineering team: “How do I do this?” … “It’s covered in the docs.” … “D’oh!” )-:

Working fine now.

Excellent news.

Maybe a note for your docs team …

The best way to get feedback to the docs team is to file a bug against that doc.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi,

I have a problem that is related to what you were seeing. I have created a mobileconfig with the certificate included and I have added the Apple keychain group to my entitlements. I get the identityReference from the protocolConfiguration, but when I try to get hold of the persistent reference using the identityReference, SecItemCopyMatching fails with secItemNotFound. What really confuses me is that if I skip the identityReference in the query in SecItemCopyMatching and just ask for all certificates in the keychain, it succeeds and I get one response that is the correct certificate (I am able to retrieve the common name of the certificate). That could be OK if it weren't for the fact that I cannot get functions like SecKeyRawSign (it always returns errSecParam) to work using the private key from the same persistent reference, so I suspect I cannot just ignore the fact that I cannot get hold of the certificate using the identity reference.

I suspect I am doing something wrong here, but I have a hard time figuring out what. Would I be able to even get hold of the certificate in the first place if my entitlements for some reason are wrong? Also, do I need to take the certificate and private key from the system keychain and import it into my own keychain to be able to use it in my packet tunnel extension?

Rgds,

Lars
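The lookup that both the original question and Lars's follow-up describe, resolving `protocolConfiguration.identityReference` into a usable identity, written out as an added Swift example. This is not code from the thread or from Apple; the helper names (`resolveTunnelIdentity`, `certificateAndKey`, `TunnelIdentityError`, `MyTunnelProvider`) are my own. It assumes what the accepted reply states: the provider extension is built with the keychain access group entitlement from its provisioning profile, so the item the profile installed is visible to it.

```swift
import Foundation
import NetworkExtension
import Security

/// Errors surfaced by the lookup helpers below (hypothetical type).
enum TunnelIdentityError: Error {
    case noIdentityReference
    case keychain(OSStatus)
}

/// Resolve the persistent reference that the configuration profile installed
/// (NETunnelProviderProtocol.identityReference) into a SecIdentity.
/// The persistent reference itself is the search key; the item is only
/// visible when the extension carries the keychain access group entitlement.
func resolveTunnelIdentity(_ persistentRef: Data) throws -> SecIdentity {
    let query: [CFString: Any] = [
        kSecClass: kSecClassIdentity,
        kSecValuePersistentRef: persistentRef,
        kSecReturnRef: true,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let item = result else {
        // errSecItemNotFound (-25300) here usually means the entitlement is
        // missing or the reference points into an access group we cannot see.
        throw TunnelIdentityError.keychain(status)
    }
    return item as! SecIdentity
}

/// Split the identity into the pieces a handshake needs: the leaf
/// certificate and the private key bound to it. Both come back from the
/// same identity, so a key obtained this way matches the certificate.
func certificateAndKey(of identity: SecIdentity) throws -> (SecCertificate, SecKey) {
    var certificate: SecCertificate?
    var privateKey: SecKey?
    let certStatus = SecIdentityCopyCertificate(identity, &certificate)
    guard certStatus == errSecSuccess, let cert = certificate else {
        throw TunnelIdentityError.keychain(certStatus)
    }
    let keyStatus = SecIdentityCopyPrivateKey(identity, &privateKey)
    guard keyStatus == errSecSuccess, let key = privateKey else {
        throw TunnelIdentityError.keychain(keyStatus)
    }
    return (cert, key)
}

/// Hypothetical provider subclass showing where the lookup runs.
final class MyTunnelProvider: NEPacketTunnelProvider {
    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        guard let proto = protocolConfiguration as? NETunnelProviderProtocol,
              let ref = proto.identityReference else {
            completionHandler(TunnelIdentityError.noIdentityReference)
            return
        }
        do {
            let identity = try resolveTunnelIdentity(ref)
            let (cert, key) = try certificateAndKey(of: identity)
            // Log the subject so a profile that installed the wrong certificate
            // is obvious in the device console.
            let summary = SecCertificateCopySubjectSummary(cert) as String? ?? "<no summary>"
            NSLog("Tunnel identity: \(summary)")
            _ = key  // hand the private key to the handshake implementation here
            completionHandler(nil)
        } catch {
            completionHandler(error)
        }
    }
}
```

Two checks worth making when this throws: dump the entitlements of the built extension binary (not just the Xcode target settings) and confirm the keychain access group is present, and compare the `OSStatus` against `errSecItemNotFound` rather than a generic failure, since a missing entitlement and a reference to an item that was never installed look identical from inside the extension.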

Hello @eskimo, could you take a look at my post: https://forums.developer.apple.com/thread/29626

I've made a working tunnel extension with my own VPN protocol, but the app was not allowed to create a tunnel manager when signed with the prod provisioning profile.

Thanks a lot.