... following is the snippet of code used in ASP.NET
The code you provided indicates you are NOT performing ANY server verification. You're accepting everything, even forged certificates from a bad guy (and the attacker thanks you):
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Accepts every certificate, valid or forged: no verification is performed at all.
System.Net.ServicePointManager.ServerCertificateValidationCallback =
    delegate(Object sender2, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    { return true; };
I don't know how I can achieve this in Objective-C for iOS ...
You need to use NSURLConnectionDelegate and provide an implementation for -connection:didReceiveAuthenticationChallenge:.
OWASP has some sample code to perform public key pinning. The OWASP code is kind of the opposite of your code. The OWASP code ensures you are always talking to the expected host (rather than any host that answers with a certificate, like your code). See Certificate and Public Key Pinning.
At minimum, the OWASP code will show you some of the moving parts in certificate verification.
Here's some C# code that loads a single CA and then verifies the chain with the single CA: How to verify chain in RemoteCertificateValidationCallback?. It's probably how you should be doing your ServerCertificateValidationCallback in ASP.NET. It does not require you to install CAs in any of the stores. And it avoids the CA Zoo (hundreds of CAs, with anyone allowed to certify the server).
You will need to get the CA for Merchantlink to use it. Anyone who tries to claim they are Merchantlink or Merchantlink's CA will cause a failure. That's a good thing because it's going to be a bad guy.
To discover the CA and use it for verification:
$ openssl s_client -connect www.merchantlink.com:443
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
...
From above, you need to use Verisign's Class 3 CA. So go to Use of Root Certificates, and download the Root 3, VeriSign Class 3 Primary CA - G5.
With the proper root, you will not get the verification error from OpenSSL (notice the use of -CAfile PCA-3G5.pem):
$ openssl s_client -connect www.merchantlink.com:443 -CAfile PCA-3G5.pem
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL SGC CA
verify return:1
depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, businessCategory = Private Organization, serialNumber = 2578637, C = US, postalCode = 10017, ST = New York, L = New York, street = 270 Park Avenue, O = "Chase Paymentech Solutions, LLC.", OU = Enterprise Web Architecture, CN = www.merchantlink.com
verify return:1
---
Certificate chain
0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=2578637/C=US/postalCode=10017/ST=New York/L=New York/street=270 Park Avenue/O=Chase Paymentech Solutions, LLC./OU=Enterprise Web Architecture/CN=www.merchantlink.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
...
Start Time: 1397396657
Timeout : 300 (sec)
Verify return code: 0 (ok)
...
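As an added example (not code from the question, the answer, or OWASP), here is what the callback from the question can look like once it trusts only the single root discovered with openssl above; the file name PCA-3G5.pem, the class name and the Install() helper are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper: pins one root CA instead of accepting every certificate.
static class PinnedRootValidator
{
    // Assumed path: the VeriSign Class 3 G5 root saved as a PEM file next to the app.
    static readonly X509Certificate2 PinnedRoot = new X509Certificate2("PCA-3G5.pem");

    public static bool ValidateServerCertificate(object sender,
        X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (certificate == null) return false;

        // A host-name mismatch or a missing certificate is never acceptable.
        if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0) return false;
        if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0) return false;

        // Build our own chain: the pinned root goes into ExtraStore, and the
        // "unknown CA" status is tolerated only so that the root comparison below decides.
        using (var privateChain = new X509Chain())
        {
            privateChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            privateChain.ChainPolicy.VerificationFlags =
                X509VerificationFlags.AllowUnknownCertificateAuthority;
            privateChain.ChainPolicy.ExtraStore.Add(PinnedRoot);

            // Carry over the intermediates the server sent so the chain builds offline.
            foreach (var element in chain.ChainElements)
                privateChain.ChainPolicy.ExtraStore.Add(element.Certificate);

            var leaf = new X509Certificate2(certificate);
            if (!privateChain.Build(leaf)) return false;   // broken, expired or partial chain

            // The chain built; now require that its root is exactly the pinned CA.
            var root = privateChain.ChainElements[privateChain.ChainElements.Count - 1].Certificate;
            return string.Equals(root.Thumbprint, PinnedRoot.Thumbprint,
                                 StringComparison.OrdinalIgnoreCase);
        }
    }

    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
    }
}
```

ServicePointManager.ServerCertificateValidationCallback is process-wide, so this callback also applies to any other HTTPS host the application talks to; scope the thumbprint check to the Merchantlink request if the process contacts other services.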