Accessing Apple Root Certificate on iOS
I found the following code: https://github.com/roddi/ValidateStoreReceipt/blob/master/validatereceipt.m which downloads the root certificate ("Apple Root CA") on macOS, and I am trying to get it to work with iOS as well.
Our code is written in C++ and uses OpenSSL to validate the remote peer when using SSL sockets.
On other platforms, we download the root certificate and add it to the context using X509_STORE_add_cert.
Then we use SSL_get_peer_certificate and check the hostname. These are NOT self-signed certificates, so we want to use the device root certificate.
My question is how to get the root certificate on iOS devices?
EDIT:
I tried the following request but I keep getting -25300 (errSecItemNotFound).
CFTypeRef ref = NULL;
// Every CF constant needs a bridge cast when used as an NSDictionary key/value under ARC
NSDictionary* query = [NSDictionary dictionaryWithObjectsAndKeys:
    (__bridge id)kSecClassCertificate, (__bridge id)kSecClass,
    (__bridge id)kCFBooleanTrue,       (__bridge id)kSecReturnRef,
    (__bridge id)kSecMatchLimitAll,    (__bridge id)kSecMatchLimit,
    (__bridge id)kCFBooleanTrue,       (__bridge id)kSecMatchTrustedOnly,
    nil];
OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &ref);
// status comes back as -25300 (errSecItemNotFound)
You will need something along these lines:
- Find certificates using SecItemCopyMatching() with kSecMatchTrustedOnly set to kCFBooleanTrue. Remember that there will be many certificates, not just one.
- Then export them to DER format with SecCertificateCopyData().
- Import them into OpenSSL
- Profit
Alternatively, you can go the other way:
- Convert a certificate to DER with OpenSSL
- Build a SecCertificateRef with SecCertificateCreateWithData()
- Build a SecPolicyRef with SecPolicyCreateSSL()
- Build a SecTrustRef with SecTrustCreateWithCertificates()
- Evaluate with SecTrustEvaluate()
- Profit
Or, of course, you can also manage your SSL connection with NSURLConnection or with CFNetwork (available directly in C++) and the system will do everything for you automatically. Whenever possible, I recommend against using OpenSSL for iOS, because it creates a lot of complexity. But the above should help you get the bridge down if you need to.
There are several ways to distribute certificates. Using email: send the certificate as an attachment; clicking on it will begin the installation process. Or using a browser: go in Safari to the page where your certificate is located, then download and install it. You can also use configuration profiles to simplify deployment.
For more on this, see iPad in Business and scroll down to the section Distributing and Installing Certificates.
EDIT: looking for a certificate
To find a keychain item, you can use SecItemCopyMatching by providing kSecClassCertificate and kSecAttrLabel. Check out "Search for a certificate in the keychain" in Certificate, Key, and Trust Services Tasks for iOS.
If the keychain solution doesn't work, another solution is to download the "Apple Inc. Root Certificate" from Apple at https://www.apple.com/certificateauthority/ and save it locally in your application. This approach is suggested in this objc.io receipt validation article and by receipt validation solutions such as RMStore at https://github.com/robotmedia/RMStore .
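As an added example (not code from the question, from any of the answers, or from the linked projects), the following Objective-C++ file puts both routes from the first answer and the bundled-root approach from the last answer into working code: a shared DER-import helper feeds an OpenSSL X509_STORE either from whatever trusted certificates the keychain query returns or from a root shipped in the app bundle, and a second function hands the chain OpenSSL received to SecTrust so the device's own root store makes the decision. It assumes a .mm file compiled with ARC, linked against Security.framework and OpenSSL 1.1+; the resource name "AppleIncRootCertificate" is a hypothetical file you would add to the bundle yourself.

```objective-c
// Added example bridging the iOS Security framework and OpenSSL (not the question's
// or any answer's code). Assumes Objective-C++ (.mm), ARC, Security.framework, OpenSSL.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>

// Route A, step 3: import one DER-encoded certificate into an OpenSSL trust store.
static bool AddDERCertificateToStore(X509_STORE *store, CFDataRef der) {
    const unsigned char *p = CFDataGetBytePtr(der);
    X509 *cert = d2i_X509(NULL, &p, (long)CFDataGetLength(der));
    if (!cert) return false;
    int ok = X509_STORE_add_cert(store, cert);   // the store takes its own reference
    X509_free(cert);
    return ok == 1;
}

// Route A, steps 1-2: copy every trusted certificate the app keychain exposes and
// import it. On iOS the app keychain normally holds none of the system roots, so
// SecItemCopyMatching returns errSecItemNotFound (-25300), as the question reports;
// in that case this function simply imports nothing and returns 0.
static int ImportKeychainCertificates(X509_STORE *store) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:            (__bridge id)kSecClassCertificate,
        (__bridge id)kSecReturnRef:        @YES,
        (__bridge id)kSecMatchLimit:       (__bridge id)kSecMatchLimitAll,
        (__bridge id)kSecMatchTrustedOnly: @YES,
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess || result == NULL) return 0;

    int imported = 0;
    CFArrayRef certs = (CFArrayRef)result;          // array because of kSecMatchLimitAll
    for (CFIndex i = 0; i < CFArrayGetCount(certs); i++) {
        SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(certs, i);
        CFDataRef der = SecCertificateCopyData(cert);
        if (der) {
            if (AddDERCertificateToStore(store, der)) imported++;
            CFRelease(der);
        }
    }
    CFRelease(result);
    return imported;
}

// Last answer's approach: load a root certificate shipped inside the app bundle.
// "AppleIncRootCertificate.cer" is a hypothetical resource name for this example.
static bool ImportBundledRoot(X509_STORE *store, NSString *resourceName) {
    NSURL *url = [[NSBundle mainBundle] URLForResource:resourceName withExtension:@"cer"];
    NSData *der = url ? [NSData dataWithContentsOfURL:url] : nil;
    if (!der) return false;
    return AddDERCertificateToStore(store, (__bridge CFDataRef)der);
}

// Route B: give the chain OpenSSL received (leaf first, for a client) to the system
// trust evaluator. SecPolicyCreateSSL(true, hostname) also performs the hostname
// check, so no separate comparison against the leaf's names is required.
static bool EvaluatePeerChainWithSecTrust(SSL *ssl, NSString *hostname) {
    STACK_OF(X509) *chain = SSL_get_peer_cert_chain(ssl);
    if (!chain || sk_X509_num(chain) == 0) return false;

    NSMutableArray *certs = [NSMutableArray array];
    for (int i = 0; i < sk_X509_num(chain); i++) {
        unsigned char *buf = NULL;
        int len = i2d_X509(sk_X509_value(chain, i), &buf);   // OpenSSL X509 -> DER
        if (len <= 0) return false;
        NSData *der = [NSData dataWithBytes:buf length:(NSUInteger)len];
        OPENSSL_free(buf);
        SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)der);
        if (!cert) return false;                              // malformed certificate
        [certs addObject:(__bridge_transfer id)cert];
    }

    SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)hostname);
    SecTrustRef trust = NULL;
    OSStatus status = SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, policy, &trust);
    CFRelease(policy);
    if (status != errSecSuccess) return false;

    // SecTrustEvaluate is the call the answer names; SecTrustEvaluateWithError is the
    // newer equivalent. Only "unspecified" (trusted by system policy) and "proceed"
    // (explicit user trust) count as success; a recoverable failure is still untrusted.
    SecTrustResultType result = kSecTrustResultInvalid;
    status = SecTrustEvaluate(trust, &result);
    CFRelease(trust);
    return status == errSecSuccess &&
           (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
}
```

Typical use is to call ImportBundledRoot on SSL_CTX_get_cert_store(ctx) before connecting when you want OpenSSL's own verifier to accept the Apple root, or to call EvaluatePeerChainWithSecTrust right after the handshake and close the connection when it returns false; the keychain import is kept mainly to show why the question's query comes back empty on a device.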