{"id":207,"date":"2013-05-25T09:34:26","date_gmt":"2013-05-25T08:34:26","guid":{"rendered":"http:\/\/oso.com.pl\/?p=207"},"modified":"2013-05-25T09:36:11","modified_gmt":"2013-05-25T08:36:11","slug":"the-curious-case-of-duplicated-certificates-sent-by-ios","status":"publish","type":"post","link":"https:\/\/oso.com.pl\/?p=207&lang=en","title":{"rendered":"The curious case of duplicated certificates sent by iOS"},"content":{"rendered":"

Here’s another one on certificates. Let’s say you are trying to do client certificate-based authentication in your iOS app and you came up with something like this:<\/p>\n

\r\n\r\n- (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {\r\n if ([challenge previousFailureCount] > 0) {\r\n\r\n NSLog(@"Incorrect auth challenge %@", challenge);\r\n [[challenge sender] cancelAuthenticationChallenge:challenge];\r\n return;\r\n }\r\n\r\n \/\/ Checking the server certificate\r\n if ([[challenge protectionSpace] authenticationMethod] == NSURLAuthenticationMethodClientCertificate &&\r\n self.account.clientCertificate.privateRepresentation.length > 0) {\r\n\r\n \/*\r\n Reading the certificate and creating the identity\r\n *\/\r\n\r\n NSData *p12Data = self.account.clientCertificate.privateRepresentation;\r\n\r\n CFStringRef password = (__bridge CFStringRef)(self.account.clientCertificate.privatePassword);\r\n const void *keys[] = { kSecImportExportPassphrase };\r\n const void *values[] = { password };\r\n CFDictionaryRef optionsDictionary = CFDictionaryCreate(NULL, keys, values, 1, NULL, NULL);\r\n CFArrayRef p12Items;\r\n\r\n OSStatus result = SecPKCS12Import((__bridge CFDataRef)p12Data, optionsDictionary, &p12Items);\r\n\r\n if(result == noErr) {\r\n CFDictionaryRef identityDict = CFArrayGetValueAtIndex(p12Items, 0);\r\n SecIdentityRef identityApp =(SecIdentityRef)CFDictionaryGetValue(identityDict,kSecImportItemIdentity);\r\n\r\n SecCertificateRef certRef;\r\n SecIdentityCopyCertificate(identityApp, &certRef);\r\n\r\n SecCertificateRef certArray[1] = { certRef };\r\n CFArrayRef myCerts = CFArrayCreate(NULL, (void *)certArray, 1, NULL);\r\n CFRelease(certRef);\r\n\r\n NSURLCredential *credential = [NSURLCredential credentialWithIdentity:identityApp certificates:(__bridge NSArray *)myCerts persistence:NSURLCredentialPersistencePermanent];\r\n CFRelease(myCerts);\r\n\r\n [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];\r\n }\r\n else {\r\n \/\/ Certificate is invalid or password is invalid given the certificate\r\n NSLog(@"Invalid certificate or password");\r\n return;\r\n }\r\n } else {\r\n \/\/ For normal authentication based on username and password. This could be NTLM or Default.\r\n if ([[challenge protectionSpace] authenticationMethod] == NSURLAuthenticationMethodClientCertificate) {\r\n NSLog(@"Certificate might be required");\r\n }\r\n NSURLCredential *credential = [NSURLCredential credentialWithUser:self.account.username\r\n password:self.account.password\r\n persistence:NSURLCredentialPersistenceNone];\r\n [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];\r\n }\r\n\r\n}\r\n\r\n<\/pre>\n
All looks good, doesn’t it? And in most cases – it will even work fine. Unless your server handles the handshake, something goes wrong and you look at what happens on the wire:<\/p>\n
\"iOS<\/a><\/p>\n
Can you see what happens here? The client certificate is sent twice. That is not always an issue, but if your server is parsing the certificates, and expects them to be in order, and expects that the first one is the client certificate and what follows is the issuer… you are in trouble.<\/p>\n
You may argue whether this is a client bug or the server issue… I would say the client should be fixed. Per\u00c2\u00a0RFC2246<\/a> and RFC5246<\/a> the certificate structure should contain sender’s cert once.<\/p>\n
certificate_list
\nThis is a sequence (chain) of X.509v3 certificates. The sender’s
\ncertificate must come first in the list. Each following
\ncertificate must directly certify the one preceding it. Because
\ncertificate validation requires that root keys be distributed
\nindependently, the self-signed certificate which specifies the
\nroot certificate authority may optionally be omitted from the
\nchain, under the assumption that the remote end must already
\npossess it in order to validate it in any case.
\nThe same message type and structure will be used for the client’s
\nresponse to a certificate request message. Note that a client may
\nsend no certificates if it does not have an appropriate certificate
\nto send in response to the server’s authentication request.<\/em><\/p>\n
So how do we fix it? Fortunately the fix is trivial. Change this line:<\/p>\n
NSURLCredential *credential = [NSURLCredential credentialWithIdentity:identityApp certificates:(__bridge NSArray *)myCerts<\/strong> persistence:NSURLCredentialPersistencePermanent];<\/p>\n
to this:<\/p>\n
NSURLCredential *credential = [NSURLCredential credentialWithIdentity:identityApp certificates:nil<\/strong> persistence:NSURLCredentialPersistencePermanent];<\/p>\n
And everybody is happy again. The app sends a single certificate only, no change on the server required.<\/p>\n","protected":false},"excerpt":{"rendered":"
Here’s another one on certificates. Let’s say you are trying to do client certificate-based authentication in your iOS app and you came up with something like this: – (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge { if ([challenge previousFailureCount] > 0) { NSLog(@"Incorrect auth challenge %@", challenge); [[challenge sender] cancelAuthenticationChallenge:challenge]; return; } \/\/ Checking the server certificate if … Czytaj dalej \u201eThe curious case of duplicated certificates sent by iOS\u201d<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[13],"tags":[],"class_list":["post-207","post","type-post","status-publish","format-standard","hentry","category-mdm-en"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p217OK-3l","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/oso.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/207","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/oso.com.pl\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/oso.com.pl\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/oso.com.pl\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/oso.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=207"}],"version-history":[{"count":16,"href":"https:\/\/oso.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/207\/revisions"}],"predecessor-version":[{"id":224,"href":"https:\/\/oso.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/207\/revisions\/224"}],"wp:attachment":[{"href":"https:\/\/oso.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=207"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/oso.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=207"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/oso.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=207"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}