Finding a certificate on iOS

Note this question is was asked in 2001. Things have changed.

I have an iOS device that needs to access a Junos VPN. The opaque instructions from the Junos admin say that I have to retrieve a certificate that has been provisioned to the device using the Apple IPCU. I know that the cert is on the device (I can see it in Settings) and I can access the VPN though Mail, Safari and the Junos App.

  • Authentication using ios keychain - touch id (is this possible)
  • Changing manually $(AppIdentifierPrefix) property?
  • Save and Load from KeyChain | Swift
  • iOS codesigning specs
  • Store an encryption key in Keychain while application installation process
  • iOS: Pre install SSL certificate in keychain - programmatically
  • The Apple docs state that each app has its own keychain and yet all three of these apps can see the cert. The fact that Jusos can access a cert provisioned by IPCU implies that any app can access this certificate. However when I try to locate it:

        CFTypeRef   certificateRef = NULL;                                                  // will hold a ref to the cert we're trying to retrieve
    const char *certLabelString = "myCertificateName";                                      // c string of the certificate we're searching for.
    CFStringRef certLabel = CFStringCreateWithCString( NULL, certLabelString, kCFStringEncodingUTF8); // the search we need - a string match for a UTF8 String.
    
    const void *keys[] =   { kSecClass, kSecAttrLabel, kSecReturnRef };
    const void *values[] = { kSecClassCertificate, certLabel, kCFBooleanTrue };
    CFDictionaryRef dict = CFDictionaryCreate(NULL, keys, values, 3, NULL, NULL);       // set up a search to retrieve this certificate.
    OSStatus status = SecItemCopyMatching(dict, &certificateRef);                               // Search the keychain, returning in dict
    
    if(status != errSecSuccess)
        NSLog(@"keychain find returned %ld", status);
    
    if(dict)
        CFRelease(dict);
    

    It fails. My questions:

    • Is this code correct? Actually I know
      it isn’t because
      SecItemCopyMatching returns
      errSecItemNotFound

    • What value should I use for
      certLabelString – I am assuming the
      human readable name shown in
      Settings.

    In Settings, the cert looks like this (sadly obfuscated to death) the search text I specify is exactly the text shown in settings.

    alt text

    Cross posted to Apple developer forums

    2 Solutions Collect From Internet About “Finding a certificate on iOS”

    So the answer (on the Apple forums) is that mail.app and Safari.app share the Apple keychain identifier and this is the only keychain that you can push certificates to using the Apple MDM tool. Anyone else who comes up against this should file a defect in order to encourage Apple to do the right thing.

    Since middle of 2015, there is now the Safari Services framework (next to WKWebView and UIWebView, we now have a SFSafariViewController). SFSafariViewController has the ability to access the apple keychain and therefore can use all identities 🙂 Very nice.

    https://developer.apple.com/videos/play/wwdc2015/504/

    https://developer.apple.com/library/ios/documentation/SafariServices/Reference/SafariServicesFramework_Ref/index.html#//apple_ref/doc/uid/TP40016218