Implementation of X509 certificate APIs on iOS

[filipnavara]

Issues #47533 and #47910 track APIs that are missing from Apple Crypto interop on iOS. When I started removing the managed part of the Interop APIs from iOS build of System.Security.Cryptography.X509Certificates I realised I'd basically end up with a useless assembly that throws PlatformNotSupportedException for everything. The underlying reason is that iOS doesn't have the macOS keychain API and even the most basic X509 manipulation relies on a working export which is implemented through this API and hence not available. To make it at least marginally working the following things probably need to be done:

• Export certificates through SecCertificateCopyData API and expose it as AppleCryptoNative_X509GetRawData
• Import certificates through SecCertificateCreateWithData/SecPKCS12Import API instead of temporary keychains

This should probably be analysed by someone who is more familiar with the API surface on the Apple side. It also looks like enumerating any certificate store, including the trusted root certificates, seems impossible on iOS.

[ghost]

Tagging subscribers to this area: @bartonjs, @vcsjones, @krwq, @GrabYourPitchforks
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Issues #47533 and #47910 track APIs that are missing from Apple Crypto interop on iOS. When I started removing the managed part of the Interop APIs from iOS build of System.Security.Cryptography.X509Certificates I realised I'd basically end up with a useless assembly that throws PlatformNotSupportedException for everything. The underlying reason is that iOS doesn't have the macOS keychain API and even the most basic X509 manipulation relies on a working export which is implemented through this API and hence not available. To make it at least marginally working the following things probably need to be done:

• Export certificates through SecCertificateCopyData API and expose it as AppleCryptoNative_X509GetRawData
• Import certificates through SecCertificateCreateWithData API instead of temporary keychains

This should probably be analysed by someone who is more familiar with the API surface on the Apple side. It also looks like enumerating any certificate store, including the trusted root certificates, seems impossible on iOS.

Author:	filipnavara
Assignees:	-
Labels:	area-System.Security, untriaged
Milestone:	-

[bartonjs]

Import certificates through SecCertificateCreateWithData/SecPKCS12Import API instead of temporary keychains

If I recall correctly, all the stuff about temporary keychains is because "copy to keychain" (for X509Store.Add) on a keychainless certificate actually modifies the live object, which made some later operations get weird (which almost certainly means tests failed).

So this may mean that things just have to work differently between iOS and macOS. If SecPKCS12Import doesn't automatically add things to the default keychain and its SecIdentityRef values work fine across the test suite, then great. (Seems like PKCS7 collection importing is still missing, though).

[filipnavara]

So this may mean that things just have to work differently between iOS and macOS

Very likely yes. Certainly the iOS code has to use different APIs to work at all so that's a time investment that has to be made regardless of the situation on macOS. We can try to see how the iOS-compatible code would behave on macOS later and evaluate whether there's any way to enable more sharing. On macOS there's an additional SecIdentityCreateWithCertificate API that would likely cover few more use cases that currently use the temporary keychains.

Seems like PKCS7 collection importing is still missing, though

Yep, it is. I am currently looking to establish at least parity with what Xamarin/Mono used to provide which, quite honestly, was not much.

[filipnavara]

After #51926 is merged the functional changes for S.S.C.Algorithms are basically done. There's still some work with marking few APIs with unsupported attributes, etc. I started looking into S.S.C.X509Certificates again and I am leaning towards a completely separate PAL implementation on the managed side:

• The certificate import can be done through SecCertificateCreateWithData/SecPKCS12Import
• Copying certificates with private key can be done by re-exporting small PKCS12 blob and importing it through SecPKCS12Import. Unfortunately the SecIdentityCreate API is private.
• There is a single keychain which can be used with SecItemAdd/SecItemUpdate/SecItemDelete/SecItemCopyMatching. In theory named keychains can be emulated with labels but I don't think it's worth it. It needs some additional entitlement which is currently not enabled for the Xunit tests.
• Root certificates cannot be enumerated at all. Apple publishes the list of the root certificates so if desired it would be possible to make it an option to embed that in the application.

[filipnavara]

First attempts seem promising. My first draft with lot of stubbed places passed around 65% of the unit tests. I will look more into it over the next couple of days.

[filipnavara]

Seems like PKCS7 collection importing is still missing, though

On macOS PKCS7 APIs actually exist - CMSDecoderCreate, CMSDecoderCopySignerCert - and can be used for the import if desired. On iOS they are not supported unfortunately.