> On Jun 22, 2015, at 6:43 AM, Alex Zavatone <[email protected]> wrote:
> 
> We're all familiar with using a SSL cert to get a client to trust a server, 
> but what we're looking at is getting a server to trust that a trusted client is 
> allowed to access it.

Yup, that’s SSL (or TLS) client certificate authentication. It’s supported, 
just not commonly used.

What type of network connection do you use? At the HTTP level, your 
NSURL{Connection/Session} delegate will get an auth challenge and the 
protection space’s type will be NSURLAuthenticationMethodClientCertificate. At 
the {NS/CF}Stream level, you need to configure the stream’s TLS settings to 
specify the client cert to use.

> I was thinking of embedding an SSL cert within the iOS app and validating 
> against that, but I'm sort of lost on a way to start.

This is where things get tricky. You don’t just need a certificate, you also 
need the private key — since you’re authenticating, you need a secret that you 
can prove you have. The combination of the two is called an “identity” by the 
Security framework, and it’s this identity that you specify when you make a 
client-authenticated SSL connection.

There are two basic paths:

(a) On first launch your app creates a key-pair, puts the public key in a 
certificate request, and sends that to the server, which signs the cert and 
sends it back to you. Of course the server has to authenticate your request 
somehow. Then on subsequent connections the app sends that client cert, and the 
server checks that its CA signed it.

(b) On first launch your app creates a key-pair, makes a self-signed cert with 
it, and sends that cert to the server (through some authenticated channel.) The 
server keeps a copy of that cert. Then on subsequent connections the server 
verifies that your cert is the same one that it’s got on file.

—Jens
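The NSURLSession half of what Jens describes, written out as an added example (not code from Jens or from the thread): a session delegate that answers an NSURLAuthenticationMethodClientCertificate challenge with a SecIdentity. The identity is loaded from a PKCS#12 blob obtained through path (a) or (b); the helper name, the delegate class, and the passphrase handling are this example's own assumptions, and server trust is left to the system's default evaluation.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Assumed helper: turn a PKCS#12 blob (cert + private key, i.e. an "identity")
// into a SecIdentityRef. The caller owns the returned reference.
static SecIdentityRef CopyIdentityFromPKCS12(NSData *p12Data, NSString *passphrase) {
    CFArrayRef items = NULL;
    NSDictionary *options = @{ (__bridge id)kSecImportExportPassphrase : passphrase };
    OSStatus status = SecPKCS12Import((__bridge CFDataRef)p12Data,
                                      (__bridge CFDictionaryRef)options, &items);
    if (status != errSecSuccess || items == NULL || CFArrayGetCount(items) == 0) {
        if (items) CFRelease(items);
        return NULL;
    }
    NSDictionary *first = (__bridge NSDictionary *)CFArrayGetValueAtIndex(items, 0);
    SecIdentityRef identity = (__bridge SecIdentityRef)first[(__bridge id)kSecImportItemIdentity];
    if (identity) CFRetain(identity);
    CFRelease(items);
    return identity;
}

@interface ClientCertSessionDelegate : NSObject <NSURLSessionDelegate>
@property (nonatomic) SecIdentityRef identity;  // owned; released in dealloc
@end

@implementation ClientCertSessionDelegate
- (void)dealloc { if (_identity) CFRelease(_identity); }

// Client-certificate challenges are session-wide, so they arrive here rather
// than in the per-task delegate method.
- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler
{
    NSString *method = challenge.protectionSpace.authenticationMethod;
    if ([method isEqualToString:NSURLAuthenticationMethodClientCertificate]) {
        if (!self.identity) {
            // No identity provisioned yet: refuse rather than connect anonymously.
            completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
            return;
        }
        NSURLCredential *cred = [NSURLCredential credentialWithIdentity:self.identity
                                                           certificates:nil
                                                            persistence:NSURLCredentialPersistenceForSession];
        completionHandler(NSURLSessionAuthChallengeUseCredential, cred);
    } else {
        // Server trust and any other challenge types: keep the system's default checks.
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
    }
}
@end
```

Keep the identity in the keychain (SecPKCS12Import adds it there on iOS) rather than shipping a PKCS#12 file with a hard-coded passphrase inside the app bundle, since anything embedded in the bundle is readable by whoever has the binary.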
_______________________________________________

Cocoa-dev mailing list ([email protected])
