Accessing Apple Root Certificate on iOS

I found the following code: https://github.com/roddi/ValidateStoreReceipt/blob/master/validatereceipt.m which downloads the root certificate ("Apple Root CA") on macOS, and I am trying to get it to work with iOS as well.

Our code is written in C++ and uses OpenSSL to validate the remote peer when using SSL sockets.

On other platforms, we download the root certificate and add it to the context using X509_STORE_add_cert.

Then we use SSL_get_peer_certificate and check the hostname. These are NOT self-signed certificates, so we want to use the device root certificate.

My question is how to get the root certificate on iOS devices?

EDIT:

I tried the following request but I keep getting -25300 (errSecItemNotFound).

// Match every certificate in the keychain that is marked trusted and return
// references to them; the result is a CFArrayRef when kSecMatchLimitAll is used.
NSDictionary* query=[NSDictionary dictionaryWithObjectsAndKeys:
                     (__bridge id)kSecClassCertificate,kSecClass,
                     kCFBooleanTrue,kSecReturnRef,
                     kSecMatchLimitAll,kSecMatchLimit,
                     kCFBooleanTrue,kSecMatchTrustedOnly,
                     nil];
CFTypeRef ref = NULL;   // receives the CFArrayRef of SecCertificateRef on success
OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query,&ref);
if (status != errSecSuccess) {
    NSLog(@"SecItemCopyMatching failed: %d", (int)status);   // -25300 == errSecItemNotFound
}

+3
3 answers


You will need something along these lines:

  • Find certificates using SecItemCopyMatching() with kSecMatchTrustedOnly set to kCFBooleanTrue. Remember that there will be many certificates, not just one.
  • Then export them to DER format with SecCertificateCopyData().
  • Import them into OpenSSL
  • Profit

Alternatively, you can go the other way:

  • Convert a certificate to DER with OpenSSL
  • Build a SecCertificateRef with SecCertificateCreateWithData()
  • Build a SecPolicyRef with SecPolicyCreateSSL()
  • Build a SecTrustRef with SecTrustCreateWithCertificates()
  • Evaluate with SecTrustEvaluate()
  • Profit

Or, of course, you can also manage your SSL connection with NSURLConnection or with CFNetwork (available directly in C++) and the system will do everything for you automatically. Whenever possible, I recommend against using OpenSSL for iOS, because it creates a lot of complexity. But the above should help you get the bridge down if you need to.

+3
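The second path in the answer above (OpenSSL certificate to DER, then SecCertificateCreateWithData, SecPolicyCreateSSL, SecTrustCreateWithCertificates, trust evaluation), written out as an added example; this is not code from the answer or from the ValidateStoreReceipt project. It assumes an already-connected OpenSSL `SSL *` and the hostname the client intended to reach, and it uses SecTrustEvaluateWithError (iOS 12 and later) in place of the older SecTrustEvaluate named in the answer. This path is the one that actually consults the device's system root store: SecItemCopyMatching only returns items stored in the app's own keychain, which is why a query for system roots comes back with errSecItemNotFound.

```objectivec
// Added example: let the iOS trust evaluator judge the chain OpenSSL received.
// Assumes an already-connected SSL* `ssl` and the expected server hostname.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>

// Convert one OpenSSL X509 into a SecCertificateRef by way of its DER encoding.
static SecCertificateRef CopySecCertificateFromX509(X509 *cert) {
    unsigned char *der = NULL;
    int len = i2d_X509(cert, &der);   // with a NULL target, OpenSSL allocates `der`
    if (len <= 0) return NULL;
    CFDataRef data = CFDataCreate(kCFAllocatorDefault, der, len);
    OPENSSL_free(der);
    SecCertificateRef ref = SecCertificateCreateWithData(kCFAllocatorDefault, data);
    CFRelease(data);
    return ref;   // NULL if the DER could not be parsed
}

// Returns YES only if the system trust store accepts the peer chain for `hostname`.
BOOL VerifyPeerChainWithSystemTrust(SSL *ssl, NSString *hostname) {
    // On the client side the chain contains the peer's leaf first, then intermediates.
    // The stack is owned by the SSL object and must not be freed here.
    STACK_OF(X509) *chain = SSL_get_peer_cert_chain(ssl);
    if (chain == NULL || sk_X509_num(chain) == 0) return NO;

    NSMutableArray *certs = [NSMutableArray array];
    for (int i = 0; i < sk_X509_num(chain); i++) {
        SecCertificateRef ref = CopySecCertificateFromX509(sk_X509_value(chain, i));
        if (ref == NULL) return NO;   // malformed certificate: fail closed
        [certs addObject:(__bridge_transfer id)ref];
    }

    // SSL server policy: hostname match on the leaf plus chain validity and expiry.
    SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)hostname);
    SecTrustRef trust = NULL;
    OSStatus status = SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, policy, &trust);
    CFRelease(policy);
    if (status != errSecSuccess || trust == NULL) return NO;

    // Anchors default to the system root store; no app keychain lookup is needed.
    CFErrorRef error = NULL;
    BOOL trusted = SecTrustEvaluateWithError(trust, &error) ? YES : NO;
    if (!trusted && error != NULL) {
        NSLog(@"trust evaluation failed: %@", (__bridge NSError *)error);
        CFRelease(error);
    }
    CFRelease(trust);
    return trusted;
}
```

Call VerifyPeerChainWithSystemTrust right after SSL_connect succeeds and before any application data is sent; a NO result should abort the connection. Because SecPolicyCreateSSL already checks the hostname against the leaf, the separate hostname comparison after SSL_get_peer_certificate that the question describes is no longer needed on this path.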


There are several ways to distribute certificates. Using email: send the certificate as an attachment; when the user taps it, the installation process will begin. Or using a browser: go in Safari to the page where your certificate is located, download and install it. You can also use configuration profiles to simplify deployment.

For more on this, see iPad in Business and scroll down to the section Distributing and Installing Certificates.

EDIT: looking for a certificate

To find a keychain item, you can use SecItemCopyMatching by providing kSecClassCertificate and kSecAttrLabel. Check out "Search for a certificate in the keychain" in Certificate, Key, and Trust Services Tasks for iOS.

+1


If the keychain solution doesn't work, another solution is to download the "Apple Inc. Root Certificate" from Apple at https://www.apple.com/certificateauthority/ and save it locally in your application. This approach is suggested in this objc.io article and in validation solutions such as RMStore at https://github.com/robotmedia/RMStore.

0
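Added example covering the two preceding answers together (not code from either answer, nor from RMStore): look a certificate up in the app's keychain by label with SecItemCopyMatching and kSecAttrLabel, fall back to a DER root file shipped in the app bundle, and register whichever is found as a trust anchor in an OpenSSL X509_STORE, which is the import step the question's other platforms already perform. The keychain label "Apple Root CA" and the bundled resource name "AppleIncRootCertificate.cer" are assumptions; the bundle name must match the file you actually add to the project.

```objectivec
// Added example: keychain-by-label or bundled DER root -> OpenSSL X509_STORE.
// Label and resource name below are assumed values, not taken from the answers.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#include <openssl/x509.h>

// Keychain lookup by label. Only items this app (or its access group) stored
// are visible; the system root store is not searchable this way.
static NSData *CopyCertificateDERFromKeychain(NSString *label) {
    NSDictionary *query = @{
        (__bridge id)kSecClass: (__bridge id)kSecClassCertificate,
        (__bridge id)kSecAttrLabel: label,
        (__bridge id)kSecReturnRef: @YES,
        (__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitOne,
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess || result == NULL) {
        NSLog(@"SecItemCopyMatching failed: %d", (int)status);   // -25300 == errSecItemNotFound
        return nil;
    }
    // SecCertificateCopyData returns the DER encoding as a CFDataRef we own.
    NSData *der = (__bridge_transfer NSData *)SecCertificateCopyData((SecCertificateRef)result);
    CFRelease(result);
    return der;
}

// Root shipped inside the app bundle as a DER (.cer) file, per the answer above.
static NSData *LoadBundledCertificateDER(NSString *resourceName) {
    NSString *path = [[NSBundle mainBundle] pathForResource:resourceName ofType:@"cer"];
    return path ? [NSData dataWithContentsOfFile:path] : nil;
}

// Parse DER with d2i_X509 and add the certificate to the store as an anchor.
// Returns 1 on success and 0 on failure, matching X509_STORE_add_cert.
int AddDERCertificateToStore(X509_STORE *store, NSData *der) {
    const unsigned char *p = der.bytes;   // d2i_X509 advances this pointer
    X509 *cert = d2i_X509(NULL, &p, (long)der.length);
    if (cert == NULL) return 0;           // not valid DER: refuse to anchor on it
    int ok = X509_STORE_add_cert(store, cert);
    X509_free(cert);                      // the store holds its own reference
    return ok;
}

// Prefer the keychain copy, fall back to the bundled file, and fail closed.
BOOL InstallRootIntoStore(X509_STORE *store) {
    NSData *der = CopyCertificateDERFromKeychain(@"Apple Root CA");            // assumed label
    if (der == nil) der = LoadBundledCertificateDER(@"AppleIncRootCertificate"); // assumed file
    if (der == nil) return NO;   // no anchor available: do not proceed with an empty store
    return AddDERCertificateToStore(store, der) == 1;
}
```

Use `InstallRootIntoStore(SSL_CTX_get_cert_store(ctx))` before creating connections from the context. A bundled root is a form of pinning: when Apple rotates or retires that root, the app has to ship an update, so log the failure path rather than silently skipping verification.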
