SecPKCS12Import parameter value?

We have an SSO certificate pushed by the MDM installed on our iOS device. We are required to use that certificate to implement SSO by passing it to our authentication service. Based on this note from Apple:

https://developer.apple.com/library/ios/qa/qa1745/_index.html

It says we must import the certificate from the system keychain into the app keychain using SecPKCS12Import. The first parameter to this function is pkcs12_data. I have read the documentation and looked through forums but cannot comprehend how to get the data for the SSO certificate that I am trying to import. Can someone please help out on how to retrieve the data value that can be passed to SecPKCS12Import?

Accepted Reply

Based on [QA1745] It says we must import the certificate from system keychain into the app keychain using SecPKCS12Import.

You seem to have misinterpreted QA1745. What it says is that:

  • Digital identities installed via user-level mechanisms (Safari, MDM, and so on) go into an Apple keychain access group.

  • Third-party apps can’t access digital identities in the Apple keychain access group.

  • If your app needs access to such a digital identity, you will have to find your own way to provide it to your app.

    SecPKCS12Import is part of that mechanism, but it does not let you import an identity from the Apple keychain access group (per the previous point).

The best way to resolve this issue in an enterprise environment is to support Kerberos Single Sign-On (SSO). That can be configured for your app via MDM and the security happens automatically, without you having to write any code.

If necessary you can combine Kerberos SSO with your existing infrastructure by putting the digital identity PKCS#12 behind Kerberos SSO authentication. Your app can then get the PKCS#12, authenticated via Kerberos SSO, import it, and then use it for other connections.

There’s a long-standing enhancement request (r. 8777306) on file for a better solution to this problem but, alas, there’s been no action on that front. It wouldn’t hurt for you to file your own enhancement request for this.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
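As an added illustration of the indirect route described in this reply (the app obtains the PKCS#12 itself over an authenticated connection, imports it with SecPKCS12Import, and then uses the identity for its own TLS connections). This is example code, not code from the thread or from Apple; the function and type names are my own, and it assumes the app has already fetched the PKCS#12 bytes and the passphrase protecting them.

```swift
import Foundation
import Security
// Added example, not from the thread. Assumes the app has already fetched the
// PKCS#12 bytes and the passphrase protecting it over an authenticated
// connection; nothing here touches the Apple keychain access group.
enum IdentityImportError: Error {
    case importFailed(OSStatus), noIdentityInBlob, keychainAddFailed(OSStatus)
}

/// Unpacks a PKCS#12 blob with SecPKCS12Import and returns its identity.
func importIdentity(pkcs12 data: Data, passphrase: String) throws -> SecIdentity {
    let options = [kSecImportExportPassphrase as String: passphrase] as CFDictionary
    var items: CFArray?
    let status = SecPKCS12Import(data as CFData, options, &items)
    guard status == errSecSuccess else { throw IdentityImportError.importFailed(status) }
    // One dictionary per identity; kSecImportItemIdentity holds the SecIdentity.
    guard let first = (items as? [[String: Any]])?.first,
          let ref = first[kSecImportItemIdentity as String],
          CFGetTypeID(ref as CFTypeRef) == SecIdentityGetTypeID()
    else { throw IdentityImportError.noIdentityInBlob }
    return ref as! SecIdentity
}

/// Stores the identity in the app's own keychain, this-device-only and only
/// while unlocked, so the blob is never written to disk in the clear.
func persist(identity: SecIdentity, label: String) throws {
    let attrs: [String: Any] = [
        kSecValueRef as String: identity,
        kSecAttrLabel as String: label,
        kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
    ]
    let status = SecItemAdd(attrs as CFDictionary, nil)
    guard status == errSecSuccess || status == errSecDuplicateItem
    else { throw IdentityImportError.keychainAddFailed(status) }
}

/// Presents the imported identity for TLS client-certificate challenges only;
/// every other challenge keeps the system's default handling.
final class ClientIdentityDelegate: NSObject, URLSessionDelegate {
    private let credential: URLCredential
    init(identity: SecIdentity) {
        credential = URLCredential(identity: identity, certificates: nil, persistence: .forSession)
    }
    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodClientCertificate
        else { return completionHandler(.performDefaultHandling, nil) }
        completionHandler(.useCredential, credential)
    }
}
```

Create the session with `URLSession(configuration: .default, delegate: ClientIdentityDelegate(identity: identity), delegateQueue: nil)`; the passphrase should arrive over the same authenticated channel as the blob, never be hard-coded in the app.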

Replies


Thanks for clarifying. I will check with the MDM team about Kerberos SSO.

Hi Eskimo,

We are using MDM to push a digital identity (p12 certificate) with the application. As per your reply we are able to read the certificate using SecPKCS12Import. Please let me know where (exact location) the certificate is being stored on the device. What URL do I need to give to import the certificate?

Thanks in advance.

Digital identities that you push to the device via MDM are placed in an Apple keychain access group and thus are only available to Apple apps (like Mail and Safari). There’s no direct way for your app to access them. I think it would be nice if MDM had a way to push credentials to a specific app. If you agree, you should file an enhancement request along those lines. In the meantime, you can read my previous post for ideas on indirect ways around this limitation.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Eskimo,

Thanks a lot for the details.

I have one query. As per your reply, third-party apps do not have access to the Apple keychain. But some applications, like "Pulse Secure", do this. Is any special permission required to do it?

But some applications, like "Pulse Secure", do this.

While I can’t comment on apps from other developers, I can explain the general story here:

  • Legacy VPN plug-ins — Historically iOS supported a semi-private VPN plug-in architecture where specific third-party VPN plug-ins were signed by Apple in a way that allowed them to access keys in the Apple keychain access group. This architecture has since been deprecated in favour of the Network Extension VPN provider architecture we introduced in iOS 9. Existing VPN plug-ins continue to run, but no new ones can be created.

  • Network Extension VPN providers — Network Extension VPN providers can access credentials that are installed via the same configuration profile that configured the VPN. You can read more about this in FAQ#9 of my Network Extension Framework Entitlements.

IMPORTANT I didn’t mention this last point earlier because access to the com.apple.managed.vpn.shared keychain access group will only be granted to VPN developers. It is not an approved solution to your problem.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks Eskimo for your detailed reply.