WKWebView Challenges while authenticating PIV Certificates

Hi,

I have a SAML authentication scenario with MFA (probably Okta) in my app that runs in WKWebView using Cordova. I am currently doing a POC to authenticate PIV certificates (from one of 3 issuers: DISA Purebred, Intercede and Entrust) in WKWebView with Cordova.

As of now, I have found that in the WKNavigationDelegate method didReceive challenge, we can authenticate the certificate. Also, these PIV certificates, which are stored in the form of .p12 in Apple's keychain group, need to be imported using the function SecPKCS12Import.

Please let me know if my understanding is correct or if there are any implementation challenges in WKWebView with Cordova. I would highly appreciate it if any information regarding this can be provided.

Answered by DTS Engineer in 815004022

So a .p12 file usually contains a digital identity, that is, a certificate and the private key that matches the public key in that certificate. I’d be very surprised if your PIV hardware let you export the private key to a .p12. That’d be most weird. So I’m not entirely sure how PIV fits into this.

Regardless, you wrote:

I am aware that this PIV digital certificate will be stored in iOS device through

Via a com.apple.security.pkcs12 payload?

If so, your app can’t access that directly. We talk about that limitation in QA1745 Making Certificates and Keys Available To Your App.

OTOH, if your system uses PIV the way it’s meant to be used — where the private key resides on PIV hardware that’s in the user’s possession — then that’s something you can access from your app. I talk about the general process for this in here.

IMPORTANT If you want to use the digital identity to handle server trust authentication challenges (NSURLAuthenticationMethodClientCertificate) in a web view, you can stop after the first step, calling SecItemCopyMatching to get the digital identity (kSecClassIdentity). Use that digital identity to create a credential with which to resolve the challenge.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

It would be best to reach to Cordova about support of WKWebView in Cordova.

IMPORTANT I definitely can’t help you with the Cordova side of this, but I wanna make sure that what you’re asking for is possible at all.

I’d like to clarify what you mean by “PIV certificates”. Usually the term PIV refers to Personal Identity Verification, a type of smart card. If that’s the case here then this doesn’t make sense:

Also, these PIV certificates which are stored in the form of .p12 in Apple's keychain group needs to be imported using function: SecPKCS12Import.

Apple platforms expose PIV credentials to apps via the keychain API (SecItem) but that’s not in the form of a .p12 that you import into the keychain using SecPKCS12Import. A .p12 usually holds a digital identity — that is, a certificate and the private key associated with the public key in that certificate — and that’s antithetical to PIV, where the private key must never leave the smart card.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
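The two points above (the pinned answer’s note about calling SecItemCopyMatching for a kSecClassIdentity and resolving the NSURLAuthenticationMethodClientCertificate challenge with a URLCredential, and this post’s point that a PIV identity comes from the keychain rather than from a .p12 via SecPKCS12Import) fit together in one short WKNavigationDelegate. The following is an added example, not code from the thread or from Apple; the host allow-list value is constructed, and the use of kSecAttrAccessGroupToken to restrict the match to token-backed (smart card) identities is a Security framework detail the thread does not mention.

```swift
import Foundation
import Security
import WebKit

// Hosts allowed to receive the client identity (constructed example value).
// Presenting the identity only to known SSO hosts avoids handing a user's
// PIV certificate to whatever server happens to ask for one.
let allowedClientCertHosts: Set<String> = ["sso.example.com"]

/// Look up a digital identity in the keychain. For a PIV card the private
/// key never leaves the token; the keychain returns a reference that the
/// system can sign with, which is all a TLS client-cert handshake needs.
func copyClientIdentity(restrictToTokens: Bool) -> SecIdentity? {
    var query: [String: Any] = [
        kSecClass as String: kSecClassIdentity,
        kSecReturnRef as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    if restrictToTokens {
        // Only identities surfaced by a token (smart card / CryptoTokenKit),
        // not identities that were imported from a .p12 (assumption noted in lead-in).
        query[kSecAttrAccessGroup as String] = kSecAttrAccessGroupToken
    }
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let item = result else {
        // errSecItemNotFound is the normal "no identity available" outcome.
        return nil
    }
    // Make sure we really got a SecIdentity before force-casting.
    guard CFGetTypeID(item) == SecIdentityGetTypeID() else { return nil }
    return (item as! SecIdentity)
}

/// Navigation delegate that answers client-certificate challenges with the
/// keychain identity and leaves every other challenge to the system.
final class ClientCertNavigationDelegate: NSObject, WKNavigationDelegate {
    func webView(_ webView: WKWebView,
                 didReceive challenge: URLAuthenticationChallenge,
                 completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace

        // Server trust, Basic, NTLM, etc.: default handling is correct here.
        guard space.authenticationMethod == NSURLAuthenticationMethodClientCertificate else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Unknown host: continue without presenting any client identity.
        guard allowedClientCertHosts.contains(space.host) else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        guard let identity = copyClientIdentity(restrictToTokens: true) else {
            // No usable identity; let the server decide what to do without one.
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Stop here, as the pinned answer says: no SecPKCS12Import, no password.
        // The system performs the signature using the identity's private key.
        let credential = URLCredential(identity: identity, certificates: nil, persistence: .forSession)
        completionHandler(.useCredential, credential)
    }
}
```

Assign an instance of `ClientCertNavigationDelegate` as the web view's `navigationDelegate` before loading the SSO URL. If the card is not inserted or the token extension has not published an identity, `copyClientIdentity` returns `nil` and the handshake proceeds without a client certificate, which is the visible symptom to look for when debugging.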

Hi.

Thanks for your prompt reply.

I am also not concerned about Cordova. I have this new implementation that I need to work on regarding PIV related authentication in WKWebView. Please let me explain the scenario below.

A PIV (Personal Identity Verification) card converts to a digital certificate by essentially extracting the cryptographic key pair stored on the card and embedding it into a digital certificate file, which can then be used for authentication and digital signing purposes. I am intending to use it in my iOS app which uses WKWebView and has Okta SSO for SAML Authentication. I am aware that this PIV digital certificate will be stored in iOS device through MDM.

There are a few questions that I have related to this implementation:

  1. As you mentioned that these certificates do not get stored in the form of .p12, please let me know how and in which format they get stored.

  2. How can I use these digital certificates in my app when the SSO asks for authentication through PIV?

For POC purposes, I have added "didReceiveAuthenticationChallenge" to extract the certificate, but the SecPKCS12Import method needs .p12 data and a password, which is not possible to pass as a parameter.

Please suggest if this implementation is feasible or not, as I am stuck and might need to switch to ASWebAuthenticationSession; I found in one of the forums that it's suggested we need to use Kerberos SSO for this to work. https://forums.developer.apple.com/forums/thread/49956?answerId=147943022#147943022

Please guide me if this type of authentication can be achieved with WKWebView with MDM. Also, I am new to this type of authentication and my knowledge is limited to the forums and articles that I am going through.

Thanks,

Neha Sinha

I have one more query.

Who communicates with the device to fetch the Derived Credentials: the MDM or the app (I need to write some code)?

Once the authentication challenge is called, does the MDM (Intune/Blackberry) have a role in fetching this credential, as the Certificate Issuers work in collaboration with MDM vendors? Following is the excerpt that I have found in Entrust documentation:

"Entrust has technology partnerships with key MDM vendors including Microsoft, IBM, MobileIron, and VMware. These integrations allow the MDM vendor applications to use the derived PIV credential for strong PIV-certificate-based user and device authentication prior to accessing resources."

Any help would be much appreciated.

Thanks, Neha Sinha

