swift: create URLCredential() with newly generated certificate/private key

Question

Arny1973 OP

Created Jul ’23

Replies 1

Boosts 0

Participants 2

Hello!

I am a newby into Apple ecosystem/swift development so forgive me if it is a trivial question. But I cannot find a good tutorial/article on this topic.

I am trying to implement a mutual TLS for my iOS application. To generate key/certificate I use https://github.com/apple/swift-* libraries.

Next moving to mTLS logic. I use URLSessionDelegate for this purpose as it seems it is the only way to implement mTLS. The NSURLAuthenticationMethodServerTrust part seems fine. Now I am trying to implement the client side of the authentication.

let identity = ???
let urlCredential = URLCredential(
                        identity: identity,
                        certificates: nil,
                        persistence: .none)
completionHandler(.useCredential, urlCredential)

And here is my question. What is the correct/idiomatic way to create SecIdentityRef object out of a private key/certificate? Certificate can be serialized into DER form if needed.

I googled for a whole day and did not find a clear information on how to create the identity I need.

If anyone has some information on this topic, could you please help me?

Boost

Answer 1

DTS Engineer OP

Apple

Jul ’23

Next moving to mTLS logic. I use URLSessionDelegate for this purpose as it seems it is the only way to implement mTLS.

Correct.

What is the correct/idiomatic way to create SecIdentity object out of a private key/certificate?

On iOS [1] there are two standard ways to do that:

Import PKCS#12
Something CSR-ish

In the PKCS#12 case:

Get a PKCS#12 blob, and its password, from somewhere.
Import it using SecPKCS12Import.
Optionally, save it to the keychain using SecItemAdd.

To build something CSR-ish:

Generate a private key using SecKeyCreateRandomKey, setting it up so that the private key is stored in the keychain. Optionally, you might configure this so that the key is protected by the Secure Enclave.
Get the public key from that using SecKeyCopyExternalRepresentation.
Pass that to your PKI infrastructure.
It issues you a certificate, giving you back the certificate’s bytes.
Create a certificate object from that using SecCertificateCreateWithData.
Add that to the keychain using SecItemAdd.
Call SecItemCopyMatching to get the newly formed digital identity.

All of this requires that you work with the SecItem API, which is… well… how to say this kindly… not the easier thing to grok when you’re just starting out. I have two posts that can help with that:

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] macOS has extra options here.

0