What can I use to parse a digital certificate on iOS? - iphone

The security API's on iOS only seem to cover extracting certain parts of the certificate.
Has anyone used openSSL or asn1c to allow the retrieval of Extensions, Policies etc from the certificate bytes?

Yes, you can use openSSL to parse a certificate, but it is not a easy job, since the lack of openSSL iOS docs.
First, you need the openSSL lib for iOS, and use openSSL to generate x509 cert. Then use the method in the openSSL to try to parse it.
Here is an example of how to extract UPN from a certificate extension (I answered myself). It works fine by now. Other element is similar to fetch.

Related

Verify signed DLL is signed by my certificate

We have a .pfx and use the windows signtool to sign a DLL with it. I want to programmatically verify that the DLL is signed with our certificate when I load it. I use WinVerifyTrust, but that just verifies that is signed by a trusted publisher (I think). To verify that it is signed with our certificate, I think I should use CryptVerifyCertificateSignature. How do I create the "BLOB" of "CERT_SIGNED_CONTENT_INFO" from my DLL to pass to this function?
Or... is there a better or easier way to verify that the DLL is signed with our cert?
Have a look at this answer: C# implementation to get SignedCms from signed file
If you would provide some more details - for instance programming language - the community would be able to help you further and answer more accurate :-)

How can I access the trusted certificates in the operating system trust store from the browser/javascript? [duplicate]

We are using Applet previously to get Key Store Certificates installed in client's machine. Now as chrome stops NPAPI, Applet is not working now, so finding some solution using Javascript / jQuery.
I am trying to get the total Certificate List for installs in KeyStore, but I can't find any solutions. Does any one know how to get the full Certificate List using JavaScript or jQuery?
You cannot do that with JavaScript running in the client.
See the following entry of the WebCrypto mailing list:
On Wed, Jun 24, 2015 at 1:50 PM, Jeffrey Walton
wrote:
I see the WebCrypto API will allow discovery of keys
(http://www.w3.org/TR/WebCryptoAPI/):
In addition to operations such as signature generation
and verification, hashing and verification, and encryption
and decryption, the API provides interfaces for key
generation, key derivation, key import and export, and
key discovery.
Certificates have public keys, and they are not as sensitive as private
keys.
Will the WebCrypto API allow discovery/enumeration of certificates?
Examples of what I would like to discover or enumerate (in addition to
the private keys):
Trusted roots
Client certs
Trusted Roots are in the platform's trust store. Client certs may be
in the trust store.
Thanks in advance,
Jeff
There are no plans from Chrome to implement such, on the hopefully obvious and significant privacy grounds.
Client certs contain PII. Trusted certs contain PII and
fingerprinting.
In modern, sandboxed operating systems, such as iOS and Android,
applications cannot enumerate either, as those platform providers
reached the same conclusion.
So no. Never.1
1 For some really long value of never
Get clone of below link https://github.com/scketches/ffPrintCert
install the jpm
npm install jpm --global
Create build for mozilla
jpm xpi
Upload extension in mozilla locally and check
Fire below url in mozilla
about:debugging
Load .xpi file from locally and check.

PKI and code signing

I have some difficulties to understand the difference between code signing and PKI.
Is it possible to use a PKI (with a hierarchy of CA) to issue certificate used to sign code source, and then use the revocation to invalid some software (for instance an old version that should not be used) ? Or are X.509 certificate incompatible with code signing and i'm missing something ?
Thanks your very much.
The PKI is an infrastructure that allows you to issue certificates with which you sign your binaries (among other things). You don't sign the source code.
You can create a separate certificate for every software release you have, however, I didn't see anybody use it this way and for that purpose.
Usually you enroll a few certificates and use them to sign all releases until they expire.
Even if a certificate does expire, it won't prevent from the customer keep using your software.

SSL certificate for HTTPs, activex signing and most mobile phone SDKs

this is mostly a deployement than a programming question.
If I were to buy an SSL certificate from a CA, would I be able to use it to sign other applications (such as symbian, android, iphone ones)?
You need to get two different certificates. One to secure a server (https) and one to sign code. You can compare code signing certificates here
Server certificates (those that you'd use to enable HTTPS on a web server) are rarely enabled for code signing. I haven't looked at every CA in the world, and there probably are exceptions, but the more "legit" a CA is, the less likely they are to issue one certificate for both applications. In the end, I wouldn't expect to use the same certificate for both.
There is a better chance that a single code-signing certificate is accepted by most platforms. The developer documentation of each platform should list what CA certificates are built-in as trusted roots. In addition, most platforms will allow a user to view and modify the list.
You need to buy a certificate that is specifically authorized for code singing. In other words, the certificate must have the Extended Key Usage (EKU) for Code signing. Object ID (OID) for code signing can be found here
Most commercial CA's should be able to tell you which of their certificates have this.

OpenSSL on iPhone

I need to figure out how to get two OpenSSL functions for iPhone. I'm trying to keep it so I don't need another dylib, because I don't want Apple to reject my application for something so silly.
Anyways, I have an app that access an API, not one of my APIs, so I can't really change it, and also, I don't want anyone to know my public key, or use this specific 'private' api, so I can't just make a PHP script server side, which, would be easier, except that it just won't work out.
I need to be able to use something that will seal a request in OpenSSL, and also encode a public key in OpenSSL. I have the headers, and I can't seem to figure anything out.
Generally, the easiest approach to encryption and decryption on the iPhone is the Security.framework, instead of using OpenSSL directly.
See here:
http://developer.apple.com/iphone/library/DOCUMENTATION/Security/Conceptual/CertKeyTrustProgGuide/iPhone_Tasks/iPhone_Tasks.html#//apple_ref/doc/uid/TP40001358-CH208-SW9
The example at the bottom (listings 2-8, 2-9 and 2-10) show RSA-1024 key pair creation plus encryption and decryption.
By using a different key, you can control the encryption/decryption method to match the requirements of your server.
You can also compile OpenSSL as a library for iOS. Here is an tutorial from me:
http://www.x2on.de/2010/07/13/tutorial-iphone-app-with-compiled-openssl-1-0-0a-library/
For me I found that implementing the OpenSSL pod from cocoapods was the easiest. No tutorial needed.
Info: http://cocoapods.org/?q=openssl
-> OpenSSL (1.0.1)
OpenSSL is an SSL/TLS and Crypto toolkit. Deprecated in Mac OS and gone in iOS, this spec gives your project non-deprecated OpenSSL support.
pod 'OpenSSL', '~> 1.0.1'
- Homepage: http://www.openssl.org/
- Source: https://github.com/endSly/OpenSSL-pod.git
- Versions: 1.0.1, 1.0.0 [master repo]