24

I'm writing a phonegap plugin that installs both CA root certificate and user certificate in the app keychain.

Here is the code used to install the certificate:

NSData *PKCS12Data = [[NSData alloc] initWithContentsOfFile:certpath];
CFDataRef inPKCS12Data = (CFDataRef)PKCS12Data;
CFStringRef password = (CFStringRef)certPassword;
const void *keys[] = { kSecImportExportPassphrase };
const void *values[] = { password };
CFDictionaryRef optionsDictionary = CFDictionaryCreate(NULL, keys, values, 1, NULL, NULL);
CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL);
OSStatus securityError = SecPKCS12Import(inPKCS12Data, optionsDictionary, &items);
if (securityError == 0) {
    NSLog(@" *** Certificate install Success ***");
} else {
    NSLog(@" *** Certificate install Failure ***");
}

The code above works fine (securityError equals 0). However, I'm obtaining those errors:

unknown apsd[59] <Warning>: <APSCourier: 0xee1ba80>: Stream error occurred for <APSTCPStream: 0x126940>: TLS Error Code=-9844 "peer dropped connection before responding"
unknown securityd[638] <Error>: CFReadStream domain: 12 error: 8

That indicates that the device does not accept the installed certificate, so i'm wondering that the certificate is not validated against the CA Root certificate installed on the device.

Do I have to install the CA Root certificate for the app ?

Any ideas ?

P.S: I'm new to Objective-C and XCode environment.

EDIT:

The code below is used to store CA root certificat in keychain:

NSString *rootCertPath = [[NSBundle mainBundle] pathForResource:@"rootca" ofType:@"cer"];
NSData *rootCertData = [NSData dataWithContentsOfFile:rootCertPath];

OSStatus err = noErr;
SecCertificateRef rootCert = SecCertificateCreateWithData(kCFAllocatorDefault, (CFDataRef) rootCertData);

CFTypeRef result;

NSDictionary* dict = [NSDictionary dictionaryWithObjectsAndKeys:
(id)kSecClassCertificate, kSecClass,
rootCert, kSecValueRef,
nil];

err = SecItemAdd((CFDictionaryRef)dict, &result);

if( err == noErr) {
    NSLog(@"Install root certificate success");
} else if( err == errSecDuplicateItem ) {
    NSLog(@"duplicate root certificate entry");
} else {
    NSLog(@"install root certificate failure");
}

EDIT:

It seems that the certificate is not sent to server. I think that I have to send manually the certificate each time an https request is made... I'm looking for a way to catch every https call in phonegap.

Cœur
  • 37,241
  • 25
  • 195
  • 267
ridan
  • 858
  • 3
  • 11
  • 24
  • Have a look [here][1], it's an older SO answer on the same topic. [1]: http://stackoverflow.com/questions/5323686/ios-pre-install-ssl-certificate-in-keychain-programmatically – Frank Oct 09 '12 at 11:29
  • I've tried the same snippet with my cer file, it does not work... – ridan Oct 09 '12 at 11:44
  • 2
    Generally speaking, there are security questions to be asked if an app can modify the list of trusted CA certificates used globally by the device, especially without explicit user intervention. – Bruno Oct 09 '12 at 11:48
  • 1
    Bruno:It will add the certificate to the keychain sandbox of your application i.e. no other application will trust your cert. – Frank Oct 09 '12 at 11:55
  • @Frank, ah fair enough, sorry, I'm not too familiar with iOS development. – Bruno Oct 09 '12 at 11:56
  • Trie to install the full chain of certificates from CA to server, just a guess but the best i can do with the info i have. – Frank Oct 09 '12 at 11:57
  • The root certificate seems to be installed using SecItemAdd method. Now I'm trying to install the user certificate using the same method and by passing the certificate password. – ridan Oct 09 '12 at 12:03
  • 1
    http://blog.asolutions.com/2011/02/using-tls-with-self-signed-certificates-or-custom-root-certificates-in-ios/ – iPatel Feb 26 '14 at 06:38

3 Answers3

6

It's no enough to import the certificate into the keychain. The new root certificate has also be trusted by the user or system.

Assuming you still have the SecCertificateRef in the variable certificate, use the following code to raise the trust level:

NSDictionary *newTrustSettings = @{(id)kSecTrustSettingsResult: [NSNumber numberWithInt:kSecTrustSettingsResultTrustRoot]};
status = SecTrustSettingsSetTrustSettings(certificate, kSecTrustSettingsDomainUser, (__bridge CFTypeRef)(newTrustSettings));
if (status != errSecSuccess) {
    NSLog(@"Could not change the trust setting for a certificate. Error: %d", status);
    exit(0);
}

Changing the trust level will ask the user in a popup window if he accepts the change.

Flovdis
  • 2,945
  • 26
  • 49
  • 1
    undeclared identifier kSecTrustSettingsResult and I already imported the Security class?! What am I doing wrong? –  Jul 30 '15 at 15:15
  • 2
    This appears to rely on the [open source security library](http://opensource.apple.com//source/libsecurity_keychain/libsecurity_keychain-55050.2/) provided by Apple, and specifically the defines given in [SecTrustSettings.h](http://opensource.apple.com//source/libsecurity_keychain/libsecurity_keychain-55050.2/lib/SecTrustSettings.h). More in the above answer than meets the eye! – Kevin Owens May 18 '16 at 21:38
  • 4
    Any hope I can achieve the same trust setting **without** importing this huge (and old) library, written mostly in C++? At least a pointer to the underlying `Security.framework` functions (likely) wrapped underneath? – Nicolas Miari Aug 30 '16 at 08:01
  • 1
    How do you even add the libsecurity_keychain library to your project? I can't get it to build. Anyone able to get this to work? – Austin Apr 17 '17 at 19:34
1

Swift 4.0

let rootCertPath = Bundle.main.path(forResource: "XXXXX", ofType: "der")
    let rootCertData = NSData(contentsOfFile: rootCertPath!)
    var err: OSStatus = noErr
    let rootCert = SecCertificateCreateWithData(kCFAllocatorDefault, rootCertData!)

    //var result: CFTypeRef1
    let dict = NSDictionary.init(objects: [kSecClassCertificate, rootCert!], forKeys: [kSecClass as! NSCopying, kSecValueRef as! NSCopying])

    err = SecItemAdd(dict, nil)

    if(err == noErr) {
        NSLog("Install root certificate success");
    } else if( err == errSecDuplicateItem ) {
        NSLog("duplicate root certificate entry");
    } else {
        NSLog("install root certificate failure");
    }
Yogendra Singh
  • 2,063
  • 25
  • 20
0

Which I was looking for, setting "Always Trust" for System keychain certificate,

// Trust always, as root certificated.
    NSDictionary *newTrustSettings = @{(id)kSecTrustSettingsResult: [NSNumber numberWithInt:kSecTrustSettingsResultTrustRoot]};
    status = SecTrustSettingsSetTrustSettings(myCertificate, kSecTrustSettingsDomainAdmin, (__bridge CFTypeRef)(newTrustSettings));
karim
  • 15,408
  • 7
  • 58
  • 96