First let's clarify the terminology in the Cocoa world:

  • A SecPolicyRef is a policy that defines the rules when validating a certificate chain: the things to check for in the certificates within the chain (signature, expiration date, etc.), which determine whether the certificate chain is valid/trusted or not.
  • A SecTrustRef object is the combination of a certificate chain (basically an array of SecCertificateRef) and a SecPolicyRef. This object represents all the things needed to validate a certificate chain (the certificates + the policy).

Validating a server's certificate chain involves two steps:

  1. The certificate path needs to be validated (the signatures, the expiration date, etc.) to ensure that the server certificate was issued by a trusted CA.
  2. The name for which the server certificate was issued (Common Name or Subject Alternative Name) needs to match the name of the server the App is trying to connect to.

These steps are expressed by a SecPolicyRef:

  • SecPolicyCreateBasicX509() returns a policy that has all the things to check for 1; this is there for historical reasons but it should never be used.
  • SecPolicyCreateSSL() returns a policy that has all the rules for both 1 and 2; this is the one you must use.

You then use SecTrustEvaluate() to validate the server's SecTrustRef. The result will tell you if the server's certificate chain is trusted based on the SecPolicyRef that was passed.

Lastly, SSL pinning means adding a third step to this whole process:

  1. The certificate chain must contain a specific key or certificate. This ensures that only the certificate you know you deployed on your servers will be accepted by the App, instead of any certificate issued by any CA for your domain.

I would advise against writing your own implementation of SSL validation (with or without pinning) as, you can tell, the APIs are extremely complex and there is a big potential for huge mistakes that would make your extremely App insecure.

I have worked on a library to make it easy to do SSL pinning; it's available at https://github.com/datatheorem/TrustKit and takes care of all the heavy lifting.

Answer from Nabla on Stack Overflow
🌐
Stack Overflow
stackoverflow.com › questions › 42111010 › difference-between-ssl-pinning-and-certificate-validating
ios - Difference between SSL pinning and certificate validating - Stack Overflow

First let's clarify the terminology in the Cocoa world:

  • A SecPolicyRef is a policy that defines the rules when validating a certificate chain: the things to check for in the certificates within the chain (signature, expiration date, etc.), which determine whether the certificate chain is valid/trusted or not.
  • A SecTrustRef object is the combination of a certificate chain (basically an array of SecCertificateRef) and a SecPolicyRef. This object represents all the things needed to validate a certificate chain (the certificates + the policy).

Validating a server's certificate chain involves two steps:

  1. The certificate path needs to be validated (the signatures, the expiration date, etc.) to ensure that the server certificate was issued by a trusted CA.
  2. The name for which the server certificate was issued (Common Name or Subject Alternative Name) needs to match the name of the server the App is trying to connect to.

These steps are expressed by a SecPolicyRef:

  • SecPolicyCreateBasicX509() returns a policy that has all the things to check for 1; this is there for historical reasons but it should never be used.
  • SecPolicyCreateSSL() returns a policy that has all the rules for both 1 and 2; this is the one you must use.

You then use SecTrustEvaluate() to validate the server's SecTrustRef. The result will tell you if the server's certificate chain is trusted based on the SecPolicyRef that was passed.

Lastly, SSL pinning means adding a third step to this whole process:

  1. The certificate chain must contain a specific key or certificate. This ensures that only the certificate you know you deployed on your servers will be accepted by the App, instead of any certificate issued by any CA for your domain.

I would advise against writing your own implementation of SSL validation (with or without pinning) as, you can tell, the APIs are extremely complex and there is a big potential for huge mistakes that would make your extremely App insecure.

I have worked on a library to make it easy to do SSL pinning; it's available at https://github.com/datatheorem/TrustKit and takes care of all the heavy lifting.

Answer from Nabla on stackoverflow.com
🌐
Stack Overflow
stackoverflow.com › questions › 4561199 › ios-how-to-sign-soap-message-with-x509-certificate
iphone - iOS - How to sign SOAP message with x509 certificate - Stack Overflow

I crawled through the Security Framework API on the site you posted and there is nothing I can find that will give you an API call that will let you sign a SOAP message. The Security Framework documented here:

http://developer.apple.com/library/mac/#documentation/Security/Reference/SecurityFrameworkReference/_index.html#//apple_ref/doc/uid/TP40004330

Will let you verify certificates, and load certificates and key pairs. It will let you set up some SSL stuff, and to various sorts of authorization.

But it barely even nods at doing digital signatures and gets no where near SOAP signatures - which are their own special breed of signatures that have to be formatted properly to be acceptable to the service that you are sending to.

There's quite a few APIs that will let you sign SOAP messages: - open SSL - Bouncy Castle - various Java EE solutions - Axis2, JAX-WS - almost certainly something in .NET

I would have thought that there would be something for an iPhone app, but I'm digging up nothing, and found at least one site that says that nothing exists, and a few others making serious digs at iPhone's ability to handle SOAP in general. If XML parsing in this environment is tricky, then creating a SOAP signature will be something you have to do more or less by scratch.

If you desperately want to do this in an Apple-specific context, I would recommend:

  1. make sure you have a certificate AND key pair on hand - "client.cer" suggests that you have only the X509 Certificate, you will need something like a PKCS12 (often called *.p12, *.pfx, *.pem or *.der where * is the filename w/out the suffix). You need the private key to sign things, so the certificate alone won't be good enough.
  2. Get a library that will let you get low level. There are three main parts to doing a signature:
    • combine the source data to create a hash
    • do the cryptography to encrypt the hash with your private key
    • put the source data, the encrypted hash (ie, the signature) and the information needed to verify the signature together in the proper format.

For a SOAP Signature, the standard for the proper format is defined by the XMLDSIG standard maintained by W3C. There are a ton of ways to hash the data - so the best route is usually to look up the needs of the service you are trying to use. Most web services define a policy that will tell you what the acceptable ways of building a SOAP signature are. There's even a standard for defining this policy (WS-Policy by OASIS), but that's not a universally implemented solution.

There are suggestions that the AppleCSP module will do the crypto (and possibly even the underlying hashing) that you need, but it looks like you will end up taking the raw output and reformatting it into the SOAP signature standard, because I'm getting a strong indication that there may be very little prebuilt APIs in this area.

Answer from bethlakshmi on stackoverflow.com
🌐
Stack Overflow
stackoverflow.com › questions › 31925518 › cannot-invoke-secpolicycreatessl-with-an-argument-list-of-type-bool-string
swift2 - Cannot invoke 'SecPolicyCreateSSL' with an argument list of type '(Bool, String?)' - Stack Overflow
HTTPSecurity.swift:124:22: Cannot invoke 'SecPolicyCreateSSL' with an argument list of type '(Bool, String?)' I'm getting the above error when trying to build a project containing this code: public
🌐
Stack Overflow
stackoverflow.com › questions › 30807055 › seckeyrawverify-verifies-on-mac-but-fails-with-9809-on-ios
macos - SecKeyRawVerify verifies on mac but fails with -9809 on iOS - Stack Overflow
I need to digitally sign on mac some data and then verify it on iOS. So I generated RSA keypair and certificate for public key in DER format with open ssl (tried generation with SecKeyGeneratePair ...
🌐
Stack Overflow
stackoverflow.com › questions › 66365528 › how-to-verify-x-509-certificate-was-signed-by-another-certificate
ios - How to verify X.509 certificate was signed by another certificate? - Stack Overflow
The story: I call a request where I am getting a JWS token which I parse with the JOSESwift library. In the response I have a x5u parameter, which is a URL pointing to a certificate, which was used...
🌐
Stack Overflow
stackoverflow.com › questions › 31971278 › sectrustpolicy-fail-with-self-signed-cert
ssl - SecTrustPolicy fail with self-signed cert - Stack Overflow
func testHTTPBasicAuthenticati... NSData? var error: NSError? setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust) let policies = [SecPolicyCreateBasicX509()] SecTrustSetPolicies(serverTrust, policies) // When Alamofire.request(.GET, URLString) .authenticate(user: ...
🌐
Stack Overflow
stackoverflow.com › questions › 40588629 › rsa-encryption-using-seckeyencrypt-getting-error-at-server-side-while-decryption
objective c - RSA encryption using SecKeyEncrypt getting Error at server side while Decryption after Upgrading iOS 9.3 to iOS 10.0.1 - Stack Overflow
I am using RSA Encryption using SecKeyEncrypt I am able to encrypt my data but encrypted data not able to parse from server side. It is working fine with iOS 9.3 OS devices. After updating from iOS...