I have an iOS application that uses certificates for messaging-signing following the Digital Signature Algorithm (DSA). In order to perform this signing, the app needs the certificate as well as the private key associated with the certificate. And, I cannot embed the certificate in the app as my customers need to be able to generate and distribute their own certificates to be used by the app whenever they need. (And, embedding a certificate would constitute a security risk anyway.)
Does anyone have any thoughts on how I might go about distributing the certificates and private keys?
PS. We do the same thing on BlackBerry and, there, we use BlackBerry Enterprise Server and APIs on the BlackBerry device to push certificates to the devices in the organization. I'm hoping there's a MDM solution to this for iOS but haven't been able to find anything yet.
Thanks much
You ask:
Does anyone have any thoughts on how I might go about distributing the certificates and private keys?
I'm sorry I don't know enough about your specific situation to tell you exactly how to meet your requirement, but I can tell that's not how it's usually done. Instead the public/private key pair is normally generated on the device, then the public key (only) is submitted with additional data (in a Certificate Signing Request, CSR, for example), to a server (Certification Authority, CA), which generates the certificate and returns it to the requester (and possibly publishes it in a directory).
An important security benefit to this approach is no third party has access to the private key (the CA needs the public key and doesn't need the private key). This is required for non-repudiation (so the device owner can't claim someone got his private key from the central server).
On iOS, there is no straight forward way to distribute a certificate and it's private key to an app. Apple suggests using PKCS12 and provides some guidance in this document: Technical Q&A QA1745: Making Certificates and Keys Available To Your App.
Related
Is there a best way to do certificate pinning in iOS to avoid Man in middle attack. Or is there any substitute approach that apple provides to make a secure connection?
Currently I'm using A certificate pining approach where either I've to store the .der file in my app to compare with Server Certificate or as option2 to do SHA1 or MD5 validation. But in this case app need regular updates with change in those certificates.
Is there any other concrete approach that apple provides for SSL /TLS validation.
Any demo code sample will be helpful
Thanks in advance
OWASP provides good information about this topic, including sample code for various OS, including iOS.
AFNetworking provides AFSecurityPolicy class to deal with certificate and public key pinning.
I need to generate PDF in my app (which has been done), and then, mark it with a digital signature for security purposes(which still needs to be taken care of).
Here, I am not talking about simply pasting an image (containing signature) in the pdf file; but actually use public-key/private-key for this purpose.
I have Googled a lot, but all I could find was how to add a signature image in the pdf. Does Apple provide any libraries for digital signature?
Note that you also need to understand and discuss (with the right business person) the security of the digital certificate(s) used for signing.
If you want to ensure that no one/nothing except for authorized people and processes will be able to sign with the certificate, then the certificate must be stored in a secure hardware device.
The two common secure signing system types are smart cards and signing servers. Smart cards can be difficult to interface to. Signing servers are easy to use via network APIs. Example signing server APIs. Signing servers are available as web services if you want.
I realize there was a question about allowing multiple servers to send Push Notifications to the same application using the same SSL Certificate, but my question is different.
Suppose that the developer of a single iOS application would like to allow multiple providers to send Push Notifications to his application, but wants to control which providers have the authority to send APNs to his App (and to be able to revoke that privilege from any one of them).
If all the providers have the same certificate, in order to block one of them from sending APNs, he has to block them all (by revoking the Push SSL Certificate, and getting a new one).
Is it possible to get from Apple multiple Push SSL Certificates for the same Application?
That would make it possible to assign a unique certificate for each provider, which would allow to block a single provider without blocking the rest.
On the Apple Provisioning Portal there doesn't seem to be a possibility to create more than one Push SSL Certificate for the same Application and the same environment (Development/Production), but I wanted to be sure whether it can't be done.
Since no one answered my question, I'll answer it myself.
The answer to that question used to be no but it seems that Apple made some changes in the provisioning portal (which is now called Certificates, Identifiers & Profiles), and now it's possible to define multiple certificates for the same application and the same environment.
Actually you can create only 2 apple push certificates for one App ID and no more.
Apple developer center does not allow me to create more then two and same experience has my friend.
I don´t see how your task can be solved now. In my opinion Apple does not want to support such products. Maybe you can do more with Enterprise Developer account but I don´t have one. So maybe anyone else can tell us if it allows to create more push certificates for on iOS application.
NOTE: This question is NOT related to the keys and certificates used for iOS development/provisioning.
I would like to use TLS client certificates for authentication of iOS devices running my app. In order to achieve this securely, it would be ideal if the device generated its private key itself and requested a certificate from our in-house CA.
I can't find an API in the docs for doing this, but I can see that iOS supports TLS client certificate authentication, so it seems logical that it would be possible. Can anyone point me in the right direction?
Actually there is objective-c wrapper of Open SSL available. Which can be some help to you. https://github.com/aidansteele/SSCrypto.
You can also use mycrypto( https://bitbucket.org/snej/mycrypto/wiki/Home ) a high level objective-c wrapper for many cryptographic tasks.
The creation of a CSR will prompt
Keychain Access to simultaneously
generate a public and private key
pair. Your private key is stored on
your Mac in th....
So every iOS app can have two environments set up for push notifications, development and production.
What is the harm in reusing the same CSR (and thus the same private key?) for both dev and prod environments? Is this even possible?
In a similar effect what would be the harm of using the same CSR across the different apps.
Basically I want to manage a single private key when I install the required elements on the server that will handle push notifications on my end.
Thanks
I use the same private/public key for all my certificates. The only time I ever end up having different private/public keys is when a client wants me to manage their whole Apple account and certificate generation.