Starscream: Client-side certificate autenthication

Created on 21 Oct 2016  Â·  11Comments  Â·  Source: daltoniam/Starscream

Hi,
I could not find mention of the support Client-side certificate autenthication.
Does it exist in the Starscream?

Most helpful comment

Hi Guys,
+1
I also need this feature in my code...

All 11 comments

Not sure what you mean by client-side certificate auth? Are you talking about SSL Pinning? That is currently supported:

https://github.com/daltoniam/Starscream#ssl-pinning

Client-side certificate autenthication:
Short description: https://gist.github.com/mtigas/952344
Long description: http://www.ibm.com/developerworks/lotus/library/ls-SSL_client_authentication/

For CF networking need add kCFStreamSSLCertificates properties for SSL options.

Interesting. That is something we would have to look at adding to Starscream then. PRs are welcomed.

I have plans to have this functionality. Now there are other priorities, but, I hope, to implement it in the next few months.

Hi Guys,
+1
I also need this feature in my code...

Hi Guys, Someone has any idea how to modify sslContextIn and sslContextOut in WebSocket in order to support client certificate-based access? I really need this.

Hi,

First - sorry for my english.
I added support for client certificates to the previous version of Starscream:
open class WebSocket : NSObject, StreamDelegate {
...
public var clientCertificateData: NSData?
....
private func initStreamsWithData(_ data: Data, _ port: Int) {
....
if let cc = clientCertificateData, let cca = buildClientCertificateArray(PKCS12Data: cc) {
settings[kCFStreamSSLCertificates] = cca
}
....
func buildClientCertificateArray(PKCS12Data: NSData) -> NSArray? {
var optItems : CFArray?
let key : NSString = kSecImportExportPassphrase as NSString
let options : NSDictionary = [key : ""]
var status = SecPKCS12Import(PKCS12Data, options, &optItems)
if status != errSecSuccess {
print("Failed import client certificate")
return nil
}
// Unwrap optional CFArrayRef of items from the certificate
guard let items = optItems else {
return nil
}
// Cast CFArrayRef to Swift Array
let itemsArray = items as [AnyObject]
// Cast CFDictionaryRef as Swift Dictionary
guard let clientIdentityAndTrust = itemsArray.first as? [String : AnyObject] else {
return nil
}
// Get our SecIdentityRef from the PKCS #12 blob
let clientIdentity = clientIdentityAndTrust[kSecImportItemIdentity as String] as! SecIdentity

    var clientCertificate: SecCertificate?
    status = SecIdentityCopyCertificate(clientIdentity, &clientCertificate)
    if status != errSecSuccess {
        print("Failed to retrieve the certificate associated with the requested identity.")
        return nil
    }
    let cca = NSArray(objects: clientIdentity, clientCertificate!)
    return cca
}

...
}

In the client code, adding a client certificate is as follows:

    self.mWebsocket = WebSocket(url: url, writeQueueQOS: .userInteractive, protocols: nil)
    if let s  = self.mWebsocket {
        if let accessToken = self.delegate?.mAccessToken,
            let tokenType = self.delegate?.mAccessTokenType {
            s.headers["Authorization"] = "\(tokenType) \(accessToken)"
        }
        if url.scheme == "wss" {
            s.disableSSLCertValidation = true
            if let cerPath = Bundle.main.path(forResource: "CA", ofType: "cer") {
                let localCertificateData = NSData(contentsOfFile:cerPath)!
                //            let caCert = SecCertificateCreateWithData(kCFAllocatorDefault, localCertificateData)

                s.security = SSLSecurity(certs: [SSLCert(data: localCertificateData as Data)], usePublicKeys: false)
            }

            //---
            let path: String = Bundle.main.path(forResource: "client_nopass1", ofType: "p12")!
            let PKCS12Data = NSData(contentsOfFile:path)!

            s.clientCertificateData = PKCS12Data
        }

Attached modified files.

On 13 Jan 2018, at 04:10, jarrillaga notifications@github.com wrote:

Hi Guys, Someone has any idea how to modify sslContextIn and sslContextOut in WebSocket in order to support client certificate-based access? I really need this.

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub https://github.com/daltoniam/Starscream/issues/271#issuecomment-357397083, or mute the thread https://github.com/notifications/unsubscribe-auth/ARZsAekF_PZgOFRB5MzqgMSc_IP6G5m_ks5tKAKQgaJpZM4KdTpG.


Maxim
[email protected]

Hi @mea405 ! I really appreciate your help.
I tried your code and it´s not working for me. Is it really necessary that you set the SSLSecurity in order to make work the client-side authentication certificate ?

I´m still having the error 9825, any idea ?

errSSLPeerBadCert = -9825, /* misc. bad certificate */

https://opensource.apple.com/source/libsecurity_ssl/libsecurity_ssl-40581/lib/SecureTransport.h https://opensource.apple.com/source/libsecurity_ssl/libsecurity_ssl-40581/lib/SecureTransport.h
https://gist.github.com/zwang/d9f360422333bd42df956dc5e8d1c1be https://gist.github.com/zwang/d9f360422333bd42df956dc5e8d1c1be

This code worked for us under the following conditions:
(1) its self-signed CA
(2) server and client certificates issued by him
(3) server and client certificates are checked using a certificate CA

In the near future (probably in a month) I planned to transfer this functionality to a new version of your library.

On 17 Jan 2018, at 21:42, jarrillaga notifications@github.com wrote:

9825


Maxim
[email protected]

@mea405 Thanks very much for you help and support. I think that I´m loading the client certificate OK because I don´t have any more the 9825 error. Now I´m facing a timeout: did disconnect with error (Optional(Error Domain=WebSocket Code=4 "write wait timed out" UserInfo={NSLocalizedDescription=write wait timed out}))

Any idea?

481 added client side authentication!

Was this page helpful?
0 / 5 - 0 ratings

Related issues

francos picture francos  Â·  3Comments

lveselovsky picture lveselovsky  Â·  3Comments

AdamMak picture AdamMak  Â·  3Comments

xjimi picture xjimi  Â·  4Comments

marknorgren picture marknorgren  Â·  5Comments