HotspotConfiguration for EAP-PEAP fails to find server certificates

I am trying to use the hotspotConfiguration APIs to set up an EAP-PEAP configuration.

The issue is that the server certificates are causing the EAP configuration to fail.

For background, I know everything works with a mobileconfig profile, so the username, password and the certificate used in the profile all work with the RADIUS server. This issue is with trying to do this through the hotspotConfiguration APIs in iOS 11.


The process I follow is:


1. Store a certificate in the keychain. It is in DER format; I read it in Base64 format but decode it programmatically.

The APIs all return successfully, so it seems OK. If I put in an incorrect certificate it fails, so it looks like the certificate format is at least OK.

NSDictionary *addquery = @{
    (id)kSecValueRef: (__bridge id)certificate,
    (id)kSecClass: (id)kSecClassCertificate,
    (id)kSecAttrLabel: @"My Certificate",
};

OSStatus status = SecItemAdd((__bridge CFDictionaryRef)addquery, NULL);
if (status != errSecSuccess) {
    // handle the error
}


2. Retrieving a reference to the certificate seems to work and a reference comes back.

NSDictionary *getquery = @{
    (id)kSecClass: (id)kSecClassCertificate,
    (id)kSecAttrLabel: @"My Certificate",
    (id)kSecReturnRef: @YES,
};

SecCertificateRef certificate = NULL;
OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)getquery,
                                      (CFTypeRef *)&certificate);



3. Add it to the EAP-PEAP configuration.

I configure the NEHotspotEAPSettings with EAPtype=25 (PEAP), username and password.

Then I add the server trust with the following:

setTrustedServerCertificates:(NSArray *)certificate;


4. Then I try to apply the profile and it fails with the error message "invalid EAP configuration".

Removing the certificate from the profile and adding a trustedServerName instead results in a successful configuration, and the app does configure the network and try to join, but this is not acceptable in my network (RADIUS rejects it). So I need the certificate.


There seem to be a few nuances and I'm wondering what the right setup is to make this work.

- There is a mention in the documentation of a persistent reference, so maybe this has something to do with it. But the above call returns true, so I'm not sure that is it.

- The certificate we use is a wildcard certificate. It works in the mobileconfig, so it should be OK?

- The certificate we are using is CA signed but not directly trusted unless the intermediate certificates are in place. I have tried setting up an NSArray of certificates and adding them all to the EAP configuration, but that doesn't help: same error. I have tried making a single chain certificate, but the import APIs fail to add it to the keychain.


The only other thing I can think of is that there is some nuance or flags needed in the certificate for these APIs to accept it. But the same certificate works in a mobileconfig, so I'm not sure it is that.

I guess it would be good to know that the APIs do work and, if so, maybe help put me right on whatever is going wrong. Maybe some example code for the above that is known to work?


Thanks
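Putting the four steps above together, as an added example that is not code from the original post: it stores the server certificate in the network-extension sharing access group and hands its persistent reference (the documentation mention referred to in the post) to trustedServerCertificates, rather than the SecCertificateRef. The team ID, label, SSID and credentials are placeholders, and it assumes the app's entitlements include the Hotspot Configuration capability and that keychain access group.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <NetworkExtension/NetworkExtension.h>

// Placeholder team ID (hypothetical). $(TeamIdentifierPrefix) expands to the
// team ID followed by a dot, so the resulting group has the form below.
static NSString * const kNEAccessGroup = @"TEAMID1234.com.apple.networkextensionsharing";

// Stores a DER-encoded server (CA) certificate in the shared access group and
// returns its persistent reference. Falls back to a lookup if it already exists.
static NSData *StoreServerCertificate(NSData *derData, NSString *label, OSStatus *outStatus) {
    SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)derData);
    if (cert == NULL) { if (outStatus) *outStatus = errSecDecode; return nil; }

    NSMutableDictionary *query = [@{
        (id)kSecClass: (id)kSecClassCertificate,
        (id)kSecAttrLabel: label,
        (id)kSecAttrAccessGroup: kNEAccessGroup,   // group nehelper reads from
        (id)kSecReturnPersistentRef: @YES,         // we want NSData, not a SecCertificateRef
    } mutableCopy];
    query[(id)kSecValueRef] = (__bridge id)cert;

    CFTypeRef result = NULL;
    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)query, &result);
    if (status == errSecDuplicateItem) {           // already stored: look it up instead
        [query removeObjectForKey:(id)kSecValueRef];
        status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    }
    CFRelease(cert);
    if (outStatus) *outStatus = status;
    return (status == errSecSuccess) ? (__bridge_transfer NSData *)result : nil;
}

// Builds PEAP settings that trust only the stored certificate and applies them.
static void ApplyPEAPConfiguration(NSString *ssid, NSString *user, NSString *pass, NSData *persistentRef) {
    NEHotspotEAPSettings *eap = [[NEHotspotEAPSettings alloc] init];
    eap.supportedEAPTypes = @[@(NEHotspotConfigurationEAPTypeEAPPEAP)];  // type 25
    eap.username = user;
    eap.password = pass;
    eap.trustedServerCertificates = @[persistentRef];  // persistent refs, not SecCertificateRefs

    NEHotspotConfiguration *config =
        [[NEHotspotConfiguration alloc] initWithSSID:ssid eapSettings:eap isWEP:NO];
    [[NEHotspotConfigurationManager sharedManager] applyConfiguration:config
                                                     completionHandler:^(NSError *error) {
        NSLog(@"%@: %@", ssid, error ? error.localizedDescription : @"configuration applied");
    }];
}
```

If the access group is not listed in the app's keychain-access-groups entitlement, SecItemAdd fails before nehelper is ever involved, so check the OSStatus from StoreServerCertificate first.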

Replies

I should say that I forgot to include in the code excerpts above that in both the getquery and setquery I have added the key pair

(id)kSecAttrAccessGroup: @"ABCDEE12345.com.apple.networkextensionsharing",

Where the prefix is the team ID. This is similar to, but not exactly as per, the documentation, which asks for the following (note there is no dot between the prefix and com):

$(TeamIdentifierPrefix)com.apple.networkextensionsharing

(So this might be an error in the documentation.)

I can see the certificates in the keychain when debugging in Xcode, so it looks fine, but the console gives out these errors.



error 12:40:10.466294 +0100 nehelper -[NEHotspotConfiguration valid:587 NEHotspotConfiguration failed to find the certificate item in the keychain.

error 12:40:10.467728 +0100 nehelper -[NEHotspotConfiguration valid:653 NEHotspotConfiguration invalid trusted server certificate references

error 12:40:10.468039 +0100 nehelper -[NEHotspotConfiguration valid:743 NEHotspotConfiguration invalid EAP settings.

error 12:40:10.468380 +0100 nehelper -[NEHelperHotspotConfiguration:461 NEHelperHotspotConfigurationManager failed to validate the configuration data for add/update request.


In summary, the getquery and SecItemCopyMatching work well in the code. But the NEHelper is not able to access the certificate and I'm unsure why.

Hi,


Good day.


Is it possible for you to share your code on this?


I'm stuck (please refer to this: https://forums.developer.apple.com/message/266547#266547).


thank you in advance.

Hi,


We are currently also trying to connect to an IoT gadget which is protected via EAP-PEAP and EAP-TTLS.

We are using self-signed CA certificates which are exchanged through an offline mechanism.

The app is getting the certificate through an offline mode and should accept this.


Everything in that app should be done, except the user should accept the certificate via the Apple dialog and the connection request to connect to that Wi-Fi. Further input is not desired and shouldn't be done.


As described by tumbler and also in the documentation, we tried to add that certificate into the $(TeamIdentifierPrefix)com.apple.networkextensionsharing keystore, but we get an error that the entitlement does not allow this.

How can we install a self-signed certificate via code to the com.apple.networkextensionsharing keystore, so that if we try to connect to that hotspot, we can connect to it?

We were able to install the certificate to our local keystore, but the network extension also needs access.


Thx