TechQA.

SocketRocket and iOS certificate pinning

3.2k views Asked by At

I'm currently using SocketRocket as the WebSocket implementation for my iOS applications and would like to pin my server's CA as a trusted certificate with the SR_SSLPinnedCertificates property. I'm looking for a good example of loading one or more certificates to pass into SocketRocket. I've got the following code to work but I'm not sure it's correct or if there is a more straight-forward approach.

CFArrayRef keyref = NULL;
NSString *path = [[NSBundle mainBundle] pathForResource:@"certificate" ofType:@"p12"];
NSData *data = [[NSData alloc] initWithContentsOfFile:path];
OSStatus status = SecPKCS12Import((__bridge CFDataRef)data, (__bridge CFDictionaryRef)[NSDictionary dictionaryWithObject:@"eftl_key_pass" forKey:(__bridge id)kSecImportExportPassphrase], &keyref);
if (status == noErr) {
    CFDictionaryRef identityDict = CFArrayGetValueAtIndex(keyref, 0);
    SecIdentityRef identityRef = (SecIdentityRef)CFDictionaryGetValue(identityDict, kSecImportItemIdentity);
    SecCertificateRef certRef = NULL;
    SecIdentityCopyCertificate(identityRef, &certRef);
}
ios truststore socketrocket
Original Q&A
2

There are 2 answers

4
arik On

Certificate pinning with SocketRocket is done thus:

First, we need to initialize SocketRocket from an NSURLRequest, rather than from an NSURL.

NSURL *url = [[NSURL alloc] initWithString:@"wss://path-to-socket:1234"];
NSMutableURLRequest *request = [[NSMutableURLRequest alloc] initWithURL:url];

Then, let's set up the certificate. It's crucial that your certificate be in the binary DER format, rather than the base64-encoded PEM. The certificate file should be in your main bundle.

NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"myOwnCertificate" ofType:@"cer"];
NSData *certData = [[NSData alloc] initWithContentsOfFile:cerPath];
CFDataRef certDataRef = (__bridge CFDataRef)certData;
SecCertificateRef certRef = SecCertificateCreateWithData(NULL, certDataRef);
id certificate = (__bridge id)certRef;

We then set the request's pinned certificates to an array containing just the one we set up previously.

[request setSR_SSLPinnedCertificates:@[certificate]];

And now we can finalize the socket.

SRWebSocket *socket = [[SRWebSocket alloc] initWithURLRequest:request];       
[socket open];
0
weltan On

For the code in Swift:

if let pinnedCertificatePath = NSBundle.mainBundle().pathForResource("subdomain.yourwebsite.com", ofType: "der"),
let pinnedCertificateData = NSData(contentsOfFile: pinnedCertificatePath),
let cert = SecCertificateCreateWithData(nil, pinnedCertificateData) {
    request.SR_SSLPinnedCertificates = [cert]

    // make the websocket call!
    let ws = SRWebSocket(URLRequest: request)
    // configure the websocket
    ws.open()
} else {
    NSLog("Failed to open websocket, could not find pinned certificate!")
}

Related Questions in IOS

Related Questions in TRUSTSTORE

Related Questions in SOCKETROCKET

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions