iOS - How to sign SOAP message with x509 certificate

I'm working on iPhone client using SOAP message with x509 certificate. And I don't know how to sign a message using x509 certificate (client.cert).

There is thread talk about using openssl but I don't know how to use openssl so I'm looking at Apple documentation: http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CertKeyTrustProgGuide/iPhone_Tasks/iPhone_Tasks.html In above documentation, there is sample code to obtain a policy reference object and evaluating trust:

    NSString *thePath = [[NSBundle mainBundle]

                      pathForResource:@"Romeo Montegue" ofType:@"cer"];

NSData *certData = [[NSData alloc]

                     initWithContentsOfFile:thePath];

CFDataRef myCertData = (CFDataRef)certData;                 // 1



SecCertificateRef myCert;

myCert = SecCertificateCreateWithData(NULL, myCertData);    // 2



SecPolicyRef myPolicy = SecPolicyCreateBasicX509();         // 3



SecCertificateRef certArray[1] = { myCert };

CFArrayRef myCerts = CFArrayCreate(

                                   NULL, (void *)certArray,

                                   1, NULL);

SecTrustRef myTrust;

OSStatus status = SecTrustCreateWithCertificates(

                                                myCerts,

                                                myPolicy,

                                                &myTrust);  // 4



SecTrustResultType trustResult;

if (status == noErr) {

    status = SecTrustEvaluate(myTrust, &trustResult);       // 5

}
                                                    // 6

if (trustResult == kSecTrustRe开发者_StackOverflow社区sultRecoverableTrustFailure) {

    ...;

}


if (myPolicy)

    CFRelease(myPolicy);                                    

But there is no sample to use the policy object to sign a message. Do you have any clue? Please help me if you have any idea or experience on this. I really appreciate your help.

Thanks in advance.

I crawled through the Security Framework API on the site you posted and there is nothing I can find that will give you an API call that will let you sign a SOAP message. The Security Framework documented here:

http://developer.apple.com/library/mac/#documentation/Security/Reference/SecurityFrameworkReference/_index.html#//apple_ref/doc/uid/TP40004330

Will let you verify certificates, and load certificates and key pairs. It will let you set up some SSL stuff, and to various sorts of authorization.

But it barely even nods at doing digital signatures and gets no where near SOAP signatures - which are their own special breed of signatures that have to be formatted properly to be acceptable to the service that you are sending to.

There's quite a few APIs that will let you sign SOAP messages: - open SSL - Bouncy Castle - various Java EE solutions - Axis2, JAX-WS - almost certainly something in .NET

I would have thought that there would be something for an iPhone app, but I'm digging up nothing, and found at least one site that says that nothing exists, and a few others making serious digs at iPhone's ability to handle SOAP in general. If XML parsing in this environment is tricky, then creating a SOAP signature will be something you have to do more or less by scratch.

If you desperately want to do this in an Apple-specific context, I would recommend:

1. make sure you have a certificate AND key pair on hand - "client.cer" suggests that you have only the X509 Certificate, you will need something like a PKCS12 (often called *.p12, *.pfx, *.pem or *.der where * is the filename w/out the suffix). You need the private key to sign things, so the certificate alone won't be good enough.
2. Get a library that will let you get low level. There are three main parts to doing a signature:
   • combine the source data to create a hash
   • do the cryptography to encrypt the hash with your private key
   • put the source data, the encrypted hash (ie, the signature) and the information needed to verify the signature together in the proper format.

For a SOAP Signature, the standard for the proper format is defined by the XMLDSIG standard maintained by W3C. There are a ton of ways to hash the data - so the best route is usually to look up the needs of the service you are trying to use. Most web services define a policy that will tell you what the acceptable ways of building a SOAP signature are. There's even a standard for defining this policy (WS-Policy by OASIS), but that's not a universally implemented solution.

There are suggestions that the AppleCSP module will do the crypto (and possibly even the underlying hashing) that you need, but it looks like you will end up taking the raw output and reformatting it into the SOAP signature standard, because I'm getting a strong indication that there may be very little prebuilt APIs in this area.