5

I need to open a CFStream socket connection to a server that has an untrusted CA root. I have the certificate of the server, and I can create a SecCertificateRef structure from it. The problem is how to set up the properties of the stream.

I think I should set the kCFStreamPropertySSLSettings property to a CFDictionary that in turn contains a kCFStreamSSLCertificates key. This key should hold a "a CFArray of SecCertificateRefs except for the first element in the array, which is a SecIdentityRef" according to the docs. Now I can create the SecCertificateRef from the server's certificate that I'll ship with the app, but how to get the SecIdentityRef? I guess it should be the client identity but I absolutely don't want client side authentication for now. And I can't find a way how to feed CFStream only with the server certificate.

Note, I don't want to add the untrusted certificate to the keychain, neither disable kCFStreamSSLValidatesCertificateChain in the settings. I need to accept the server authentication only if it is based on my own server certificate data loaded from the disk, and only on this CFStream.

MrTJ
  • 12,960
  • 4
  • 38
  • 62

2 Answers2

3

Basically you have to:

  1. disable default trust evaluation using kCFStreamSSLValidatesCertificateChain
  2. get the trust object (kCFStreamPropertySSLPeerTrust) once connected to the stream (but before sending any data, i.e, on kCFStreamEventCanAcceptBytes or kCFStreamEventHasBytesAvailable events)
  3. set your self-signed root certicate as a trusted anchor for that trust object
  4. optionally, you may add custom SSL policies to the trust object (e.g, hostname doesn't match certificate CN), but if you do that it's important that you do it before setting the trusted anchor or you may get kSecTrustResultRecoverableTrustFailure result
  5. evaluate the trust object (SecTrustEvaluate) and check result is either kSecTrustResultProceed or kSecTrustResultUnspecified
AAA
  • 136
  • 2
3

I do not have the direct answer to your question, but perhaps few guidelines:

  1. Why do you need to use the CFStream API and not the more intuitive NSURLConnection ?
    From what I could find in the documentation, it seams like not everything that is available for Mac OS X, regarding CFStream API, is available for iOS. So think about it, and see if you can switch to NSURLConnection :-)

  2. For NSURLConnection, you can use the NSURLConnectionDelegate methods to get the SSL challenge and validate the certificate on your own. You can check the wsdl2objc project, where I have implemented these features:

  3. Now about your questions :-)
    I don't see how you can set a custom (untrusted) CA in kCFStreamPropertySSLSettings. I'm not sure if it can be done by using kCFStreamSSLCertificates since it is meant to be used for setting client-side certificates (thus the requirement of having the SecIdentityRef on index 0, which basically provides the private key).

  4. When you say you don't want to add the certificate to the keychain, do you mean manually or programmatically ? I guess you don't like the users of your app to have to do it manually, but you can use the Security API to import the certificate programatically. In this case your certificate will be imported in a sandboxed keychain which is only available for your application. (again, not sure if this will work but worths the try)

In my applications I use NSURLConnectionDelegate to manually validate untrusted certificates.

Regards,
Pece

pmilosev
  • 932
  • 8
  • 20
  • Hi, I experimented also with NSURLConnection implementing the authentication challenge methods of its delegate and in fact I could achieve everything what I wanted as described in the question. The problem is as far as I understand that NSURLRequest supports only http, https, file and ftp protocol (as of this: https://developer.apple.com/library/mac/#documentation/Cocoa/Conceptual/URLLoadingSystem/Concepts/URLOverview.html) but I need to interact with other type of system (SIP/TLS). Do you know whether NSURLConnection can be used also for low-level socket communication? – MrTJ Mar 19 '12 at 09:06
  • What about adding the untrusted CA to my own application's keychain sandbox: yes, I tried this also meanwhile since I asked the question, but I repeatedly received a errSSLXCertChainInvalid (-9807@kCFStreamErrorDomainSSL) error while connecting. Do you have some idea about the possible cause? – MrTJ Mar 19 '12 at 09:10
  • Ahh, now I see :-). No, NSURLConnection will not work with SIP. But if I were you, I would definitely try to find some library for this. A quick search revealed this C lib: http://www.pjsip.org/, which is said to support SIP/TLS. Additionally you might want to take a look at the opensource projects proposed here: http://stackoverflow.com/questions/1493050/open-source-voip-sip-objective-c-code. – pmilosev Mar 22 '12 at 09:01
  • Thanks for your suggestion. I actually use pjsip for the SIP functionality :) and it works very well (it uses its own TLS implementation with OpenSSL) but this component that I am currently working on would be only a small connection tester that evaluates the tls connection between the server and the client. I wanted to implement it with minimal overhead, without pulling up whole pjsip, in order to exclude as many possible source of error. – MrTJ Mar 22 '12 at 09:21
  • I +1ed your answer so you'll receive the half of the bounty for your efforts :) Unfortunately it is not the definite answer so if you have some further thoughts they are welcome. – MrTJ Mar 22 '12 at 17:27
  • hehe, thanks mate ... I am usually willing to help regardless of the award, especially if the question is a challenging one ;) I would be happy to see your reply here once you resolve your issues. – pmilosev Mar 23 '12 at 15:42