joakimb

Reputation: 563

How to evaluate trust of x509 certificate on iOS

I am currently developing an iOS app with end-to-end encryption. In order to let the users authenticate each other, every user generates an X.509 Certificate Signing Request (CSR) and sends the CSR to our CA server for signing.

A user can trust another user by verifying that the other user's certificate is signed by the CA.

My question is:

On the iPhone, I currently have the CA-cert and the user-cert that needs to be verified. How do I verify that the user-cert is actually signed by the CA?

My best try is the code that follows, but it does not specify what to evaluate the clientCert against, which confuses me.

-(BOOL) evaluateTrust:(SecCertificateRef) clientCert{

    SecPolicyRef myPolicy = SecPolicyCreateBasicX509();

    // CFArrayCreate takes a const void ** and retains via the callbacks
    const void *certArray[1] = { clientCert };
    CFArrayRef myCerts = CFArrayCreate(
                                   NULL, certArray,
                                   1, &kCFTypeArrayCallBacks);


    SecTrustRef myTrust = NULL;
    OSStatus status = SecTrustCreateWithCertificates(
                                                 myCerts,
                                                 myPolicy,
                                                 &myTrust);


    // Initialised so the result is defined even if trust creation failed
    SecTrustResultType trustResult = kSecTrustResultInvalid;
    if (status == noErr) {
        status = SecTrustEvaluate(myTrust, &trustResult);
    }

    NSLog(@"trustresult %d", (int)trustResult);

    if (myTrust) CFRelease(myTrust);
    CFRelease(myCerts);
    CFRelease(myPolicy);

    return trustResult == kSecTrustResultProceed || trustResult == kSecTrustResultUnspecified;
}

Upvotes: 2

Views: 2007

Answers (1)

user3814403

Reputation: 11

Your code evaluates your clientCert against anchor (trusted root) certificates present in the keychain. If you want to evaluate it against your caCert you need to register your caCert as an anchor certificate with SecTrustSetAnchorCertificates.

Alternatively you can add your caCert to certArray:

SecCertificateRef certArray[2] = { clientCert, caCert };
CFArrayRef myCerts = CFArrayCreate(
                               NULL, (const void **)certArray,
                               2, &kCFTypeArrayCallBacks);


SecTrustRef myTrust = NULL;
OSStatus status = SecTrustCreateWithCertificates(
                                             myCerts,
                                             myPolicy,
                                             &myTrust);

Check out: https://developer.apple.com/library/ios/documentation/security/conceptual/CertKeyTrustProgGuide/iPhone_Tasks/iPhone_Tasks.html#//apple_ref/doc/uid/TP40001358-CH208-SW13

It says: 4. ... If you have intermediate certificates or an anchor certificate for the certificate chain, you can include those in the certificate array passed to the SecTrustCreateWithCertificates function. Doing so speeds up the trust evaluation.

Upvotes: 1
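The anchor-based approach from the answer, written out as an added example (not code from the question or the answer above): the app's CA certificate is installed as the only trust anchor, so a user certificate passes only if it chains to that CA and never just because it chains to some root in the device's system store. It assumes both certificates have already been loaded, for example with SecCertificateCreateWithData from DER bytes, and uses SecTrustEvaluateWithError, which requires iOS 12 or later.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Returns YES only if clientCert chains to caCert (hypothetical helper name).
// Both SecCertificateRefs are assumed to be created by the caller.
BOOL VerifyClientCertSignedByCA(SecCertificateRef clientCert, SecCertificateRef caCert) {
    BOOL trusted = NO;
    SecPolicyRef policy = SecPolicyCreateBasicX509();

    const void *leaf[1] = { clientCert };
    CFArrayRef certs = CFArrayCreate(kCFAllocatorDefault, leaf, 1, &kCFTypeArrayCallBacks);
    const void *anchor[1] = { caCert };
    CFArrayRef anchors = CFArrayCreate(kCFAllocatorDefault, anchor, 1, &kCFTypeArrayCallBacks);

    SecTrustRef trust = NULL;
    OSStatus status = SecTrustCreateWithCertificates(certs, policy, &trust);
    if (status == errSecSuccess) {
        // Our CA becomes the trust anchor for this evaluation.
        status = SecTrustSetAnchorCertificates(trust, anchors);
    }
    if (status == errSecSuccess) {
        // Ignore the system root store: only our CA may terminate the chain.
        status = SecTrustSetAnchorCertificatesOnly(trust, true);
    }
    if (status == errSecSuccess) {
        CFErrorRef error = NULL;
        // Evaluates signature chain and validity period under the basic X.509 policy.
        trusted = SecTrustEvaluateWithError(trust, &error) ? YES : NO;
        if (error != NULL) {
            NSLog(@"trust evaluation failed: %@", error);
            CFRelease(error);
        }
    } else {
        NSLog(@"trust setup failed with OSStatus %d", (int)status);
    }

    if (trust != NULL) CFRelease(trust);
    CFRelease(anchors);
    CFRelease(certs);
    CFRelease(policy);
    return trusted;
}
```

The basic X.509 policy only checks that the chain is validly signed and within its validity period; checking that the certificate's subject actually belongs to the user you expect to talk to is a separate step the caller still has to do.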
