My app contains a public certificate (cert A) that is used for https connection. It works by using this method URLSession:didReceiveChallenge:completionHandler:
But I would like to verify certificate (cert B) that is downloaded with additional data from server. Cert A is CA for cert B.
I cant find any solutions.
I use X.509 standard. (cert A is .pfx and cert B is .der)
Related
Using a self-signed certificate is only recommended for development, not production.
What certificate should a team buy when Application moves to Production - TIA
Ideally, certificates are bought from the certificate authority for production scenarios.
a certificate authority or certification authority (CA) is
an entity that issues digital
certificates. A digital certificate certifies the
ownership of a public key by the named subject of the certificate.
This allows others (relying parties) to rely upon signatures or on
assertions made about the private key that corresponds to the
certified public key. A CA acts as a trusted third party—trusted both
by the subject (owner) of the certificate and by the party relying
upon the certificate. The format of these certificates is specified by
the X.509 or
EMV standard.
Reference: https://thecodeblogger.com/2020/06/20/service-principal-and-certificate-with-azure-key-vault/
We're attempting to follow the Apple docs for using your own certificate authority (CA):
While a self-signed certificate is a reasonable approach during
development, there is a better way: create your own certificate
authority ... and have it issue a certificate for your test server.
You can then ... hard-wire your certificate authority's root
certificate into your app
I haven't been able to figure out how to hard wire the CA root cert using Swift. The paper mentions an approach but I haven't been able to translate this into Swift code:
Get a copy of the remote peer's certificate ...
Get the server
certificate from the trust object (pass an index of 0 to
SecTrustGetCertificateAtIndex)
Get the data for that server
certificate (SecCertificateCopyData)
Compare this to the certificate
data you got in step 1; if they match, you're talking to the correct
peer
How can you do this via Swift?
Openstack Keystone PKI uses two certificates as this document mentions:
https://www.mirantis.com/blog/understanding-openstack-authentication-keystone-pki/
CA certificate and the signing certificate.
My understanding so far: Signing key is used to sign the user token while the signing certificate contains the corresponding public key and will be shared with the service endpoint to be used while decrypting the user token.
Is this correct? If so, what is the purpose of the CA certificate and the CA key?
I'd suggest the OpenStack documentation at http://docs.openstack.org/admin-guide-cloud/content/certificates-for-pki.html
PKI stands for Public Key Infrastructure. Tokens are documents, cryptographically signed using the X509 standard. In order to work correctly token generation requires a public/private key pair. The public key must be signed in an X509 certificate, and the certificate used to sign it must be available as a Certificate Authority (CA) certificate.
Tokens are both signed and verified. There's no decryption.
The certificate and certificate authority used can be internal or external and how the cloud provider choses to configure it is up to them.
In PKI environment certificate(signing cert) is signed by CA. CA is usually external entity but if you use keystone-manage pki_setup to generate the signing keys it first setup the CA locally and sign the certificate which keystone uses.
CA key is used for CA, keystone do not have any use of it.
Keystone just need own private key, Signed Certificate and CA certificate.
Hope this is useful.
-Thanks
I want to only trust a specific certificate + all root certificates. For instance:
GeoTrust Global CA <= Automatically trusted
Google Internet Authority G2 <= Automatically trusted
*.google.com <= Trusted because in a .cer in the app bundle
But what happens now with AFNetworking 2.2.1 is this:
GeoTrust Global CA <= Not trusted because not in the bundle
Google Internet Authority G2 <= Not trusted because not in the bundle
*.google.com <= Trusted because in a .cer in the app bundle
How is it possible to accept root certificates as well?
Your certificate was issued by Google Internet Authority G2 CA, and the root CA is GeoTrust Global CA, so the certificate should be trusted by the iOS. It is indeed.
You can check the "List of available trusted root certificates" here.
https://developer.apple.com/library/ios/documentation/Security/Reference/certifkeytrustservices/#//apple_ref/c/func/SecTrustEvaluate
The SecTrustEvaluate function validates a certificate by verifying its signature plus the signatures of the certificates in its certificate chain, up to the anchor certificate, according to the policy or policies included in the trust management object.
If some of the certificates needed to verify the leaf certificate are missing from the trust management object, then SecTrustEvaluate searches for certificates in the following locations:
In any keychains currently on the caller’s keychain search list (see SecTrustSetKeychains).
Any certificates previously provided by calling SecTrustSetAnchorCertificates.
In a system-provided set of keychains provided for this purpose.
Over the network if certain extensions are present in the certificate used to build the chain.
So, if the SecTrustEvaluate return errSecSuccess and the result is kSecTrustResultUnspecified/kSecTrustResultProceed, it already trust the certificate chain.
In your situation, the validatesCertificateChain was YES, so it compared each certificate data in the certificate chain with the certificate files in the bundle. Usually it's used to validate self-signed certificate. You should disable it.
AFNetworking 2.1.0 added certificate chain validation, which defaults to YES (validate the chain). You can disable it:
// policy used by AFHTTPRequestOperation / AFHTTPRequestOperationManager
AFSecurityPolicy *securityPolicy = somePolicy;
securityPolicy.validatesCertificateChain = NO;
You hear a lot about how you can use SSL pinning to increase the security in your app. I was always under the assumption that SSL pinning is only helpful if you use a self-signed cert. Are there benefits of SSL pinning when using a cert signed by a cert authority, or does the CA make that unnecessary?
SSL/TLS has some issues, and the root of those issues is the CA system. By default, your browser trusts a bunch of CAs. Other than a few basic checks such as hostname, etc, the real power of the SSL comes from the verification of the certificate via the intermediaries until you get to a certificate that you trust.
Certificate pinning specifies that you will only trust a given certificate for a given web site. That is to say, if you received a "valid" certificate signed by a different CA (even if you trusted that CA) you would not trust it for this site.
In short, the fact that the CA has signed a cert does not reduce the need for certificate pinning.
For example: Companies sometimes intercept SSL. To do this, they actually serve the client a different SSL certificate that is valid for the host that the client is trying to access. Because they can insert any certificate into the trusted root (windows via GPO) they can insert their certificate instead of the actual one issued by the host. In this scenario, the SSL interception is transparent to the user. They are still being issued a "valid" certificate that is signed by a CA they trust (whether they know it or not). If you had been using certificate pinning, the new cert would be rejected.
There are cons to certificate pinning, mostly around the management of the cert as it expires etc.
See this link for more info.