Get Certificates list from iOS device

Asked 8/2, 2013 at 16:24 Answered 12/2, 2013 at 23:45

I want to get the list of certificates installed on iPhone or iPad. So I can use that to pick one and use for ssl verification at server. However I m not able to get this list. I have seen in this following link that it is not possible in iOS to get certificates as one can access only their own keychain. iOS get Configuration Profiles that are installed

However I doubt :).

From the below link Get Certificates in Keychain I m using the code to get certificates. However I m getting nil data.

NSDictionary *query = [NSDictionary dictionaryWithObjectsAndKeys:
                           (__bridge id)(kSecClassCertificate), kSecClass,
                           [NSNull null], kSecMatchSearchList,
                           kCFBooleanTrue, kSecReturnRef,
                           kSecMatchLimitAll, kSecMatchLimit,
                           nil];
    CFDataRef *items = nil;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, ((CFTypeRef *)&items));

I m giving [NSNull null] for search list with assumption that if keychain ref is NULL then device takes the default keychain.

My questions are 1) Is it possible to get list of installed certificates from iPhone. 2) If so how? What is wrong in the above code?

Norite answered 8/2, 2013 at 16:24 Comment(4)

It sounds like you are trying to implement client ssl authentication, where the private key is in the client, and that is the certificate you are looking for on the client. Is that correct? – Haematogenesis 12/2, 2013 at 19:58

No. I don't have any private key in the client. Client will have certificates installed on their devices. My application does not know anything about those certificates. Idea is to present the list of all available certificates installed on the iOS device to user. Give them choice to pick one. And then app will remember that certificate and use it from later on. But as mentioned I m not able to get the list of all the certificates installed on the device. – Norite 13/2, 2013 at 15:11

Right. So you have the client credentials installed via a configuration profile. Either way, for what you want to do you are looking for an identity with a certificate chain, not a certificate (i.e. search for kSecClassIdentity). It still may not be available to your application depending on how the configuration profile was set up. – Haematogenesis 14/2, 2013 at 6:30

kSecClassIdentity is also returning nil data. Are there any specific requirements that should be met for the installed certificates? – Norite 14/2, 2013 at 22:28

My questions are 1) Is it possible to get list of installed certificates from iPhone.

Definitely.

2) If so how? What is wrong in the above code?

The code is fine, as far as I'm concerned (if not, the only problem I can think of is setting that NSNull - try omitting it). What you are missing is signing your binary with the appropriate entitlements, namely:

<key>keychain-access-groups</key>
<array>
    <string>*</string>
</array>

You can find an example Entitlements property list here - by the way, check out this entire project, it's interesting.

Endosmosis answered 12/2, 2013 at 15:43 Comment(5)

Thanks for the answer. I tried changing the entitlements. When I set * for 'keychain-access-groups' key I got the following error. 'The executable was signed with invalid entitlements. The entitlements specified in your application’s Code Signing Entitlements file do not match those specified in your provisioning profile.' I checked my provisioning profile. It has a wildcard appID. If I set 'keychain-access-groups' to $(AppIdentifierPrefix)* then I m getting OSStatus error as '"The operation couldn’t be completed.' Does anything else has to be changed in the provisioning profile? – Norite 13/2, 2013 at 17:6

The example mentioned it assumes the target device has already been jailbroken. So assigning * to 'keychain-access-groups'-will it work on normal devices that are not jail broken? – Norite 13/2, 2013 at 17:16

@PearlWhite I suppose so - but why don't you try it? – Endosmosis 13/2, 2013 at 17:26

As mentioned I tried it. When I set * to 'keychain-access-groups', I got the following error. 'The executable was signed with invalid entitlements. The entitlements specified in your application’s Code Signing Entitlements file do not match those specified in your provisioning profile.' I checked my provisioning profile. It has a wildcard appID. So what else has to be done for signing entitlements to match with provisioning profile? – Norite 13/2, 2013 at 17:33

@PearlWhite Unfortunately I don't know. I've never dealt with provisioning profiles. – Endosmosis 13/2, 2013 at 17:34

See the Apple example code for "GenericKeychain" - accessible from the 'SecItemCopyMatching' documentation. The 'Finding a Certificate in the Keychain' documentation includes detailed code to finda named certificate - which will get you one based on a kSecAttrLabel key/value pair.

Corum answered 12/2, 2013 at 23:45 Comment(2)

I want to get all the certificates available on iOS device. User will choose whatever certificate they want to choose for the connection to establish. So I don't know the name of the certificate ahead. – Norite 13/2, 2013 at 15:7

Right but the example code will work (and is slightly different from your code) and thus is a good starting point. Add some additional options to the NSDictionary to get the full list of certificates. – Corum 17/2, 2013 at 5:58

Recommended topics

Hot tags