Enable UIWebKit (WKWebKit) instances to read certificates from keychain

Originator: thomas.c.sanidas
Number: rdar://17203206  Date Originated: 06-Jun-2014
Status: Open  Resolved:
Product: iOS  Product Version: 7.1.1
Classification:  Reproducible:

Summary:
Would like for UIWebKit/WKWebKit instances to read the device's keychain items for trust and identity certificates and present these for client-identity SSL connections. Requesting the same or similar functionality as standalone Safari in this regard.
This would enable us to take advantage of our keychain-access-groups entitlement and certificate provisioning so that UIWebKit instances could automatically log in users with an identity certificate. Many of our websites have this capability, but we have to write lots of code to enable this from our custom apps, and this makes it difficult to enable our SSO for third-party apps.

Steps to Reproduce:
Create an app with a UIWebView.
Store an identity certificate in the app's keychain.
Point the UIWebView at a site that presents a client-certificate SSL challenge.

Expected Results:
Same behavior as Safari with system-level keychain certificates: the UIWebView should present the certificate to complete the SSL challenge with client-side cert-based authentication if the identity cert matches; if multiple identities match, present a chooser so the user can pick one, then continue.

Actual Results:
The UIWebView does not present the identity certificate to the server. The site falls back to its second level of authentication, if one is enabled on that server.
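The app-side code this report says has to be written by hand today, as an added example that is not part of the radar and not Apple's code. UIWebView exposes no authentication-challenge delegate method, so the example targets WKWebView's WKNavigationDelegate (iOS 8 and later, which is newer than the 7.1.1 build the report was filed against): it answers an NSURLAuthenticationMethodClientCertificate challenge from the identities found in a keychain access group and shows a chooser when more than one is found, matching the expected results above. The access group `TEAMID.com.example.sso`, the class name and the `presenter` property are assumptions for illustration.

```objectivec
#import <UIKit/UIKit.h>
#import <WebKit/WebKit.h>
#import <Security/Security.h>

// Hypothetical keychain access group shared by the SSO apps (assumption). The real
// value must appear in the app's keychain-access-groups entitlement, or the query
// below fails with errSecMissingEntitlement (-34018) instead of returning items.
static NSString *const kSSOAccessGroup = @"TEAMID.com.example.sso";

@interface ClientCertNavigationDelegate : NSObject <WKNavigationDelegate>
@property (nonatomic, weak) UIViewController *presenter; // hosts the chooser
@end

@implementation ClientCertNavigationDelegate

// Every SecIdentityRef in the shared access group; empty if none is provisioned.
- (NSArray *)identitiesInAccessGroup {
    NSDictionary *query = @{
        (__bridge id)kSecClass:           (__bridge id)kSecClassIdentity,
        (__bridge id)kSecAttrAccessGroup: kSSOAccessGroup,
        (__bridge id)kSecMatchLimit:      (__bridge id)kSecMatchLimitAll,
        (__bridge id)kSecReturnRef:       @YES,
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess || result == NULL) {
        return @[];   // errSecItemNotFound: nothing provisioned yet
    }
    return CFBridgingRelease(result);   // CFArrayRef of SecIdentityRef -> NSArray
}

// Label for the chooser: the leaf certificate's subject summary.
- (NSString *)labelForIdentity:(SecIdentityRef)identity {
    SecCertificateRef cert = NULL;
    if (SecIdentityCopyCertificate(identity, &cert) != errSecSuccess || cert == NULL) {
        return @"(unreadable identity)";
    }
    NSString *summary = CFBridgingRelease(SecCertificateCopySubjectSummary(cert));
    CFRelease(cert);
    return summary ?: @"(no subject)";
}

// Hand the chosen identity to WebKit. certificates:nil sends only the leaf;
// pass the intermediates here if the server does not already hold them.
- (void)answerChallengeWithIdentity:(SecIdentityRef)identity
                  completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler {
    NSURLCredential *credential =
        [NSURLCredential credentialWithIdentity:identity
                                   certificates:nil
                                    persistence:NSURLCredentialPersistenceForSession];
    completionHandler(NSURLSessionAuthChallengeUseCredential, credential);
}

// WKNavigationDelegate hook, called for each TLS challenge during navigation.
- (void)webView:(WKWebView *)webView
didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler {
    NSString *method = challenge.protectionSpace.authenticationMethod;
    if (![method isEqualToString:NSURLAuthenticationMethodClientCertificate]) {
        // Server trust, Basic, NTLM, ...: keep WebKit's default handling.
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }

    // challenge.protectionSpace.distinguishedNames carries the DER issuer names the
    // server accepts; this example does not filter by issuer, so every identity is a candidate.
    NSArray *identities = [self identitiesInAccessGroup];
    if (identities.count == 0) {
        // No identity: let the server fall back to its next authentication method.
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    if (identities.count == 1) {
        [self answerChallengeWithIdentity:(__bridge SecIdentityRef)identities[0]
                        completionHandler:completionHandler];
        return;
    }

    // Several candidates: do what Safari does and let the user pick one.
    UIAlertController *chooser =
        [UIAlertController alertControllerWithTitle:@"Choose a certificate"
                                            message:challenge.protectionSpace.host
                                     preferredStyle:UIAlertControllerStyleActionSheet];
    for (id item in identities) {   // `item` (an ObjC-retained ref) is captured by the block
        [chooser addAction:[UIAlertAction actionWithTitle:[self labelForIdentity:(__bridge SecIdentityRef)item]
                                                    style:UIAlertActionStyleDefault
                                                  handler:^(UIAlertAction *action) {
            [self answerChallengeWithIdentity:(__bridge SecIdentityRef)item
                            completionHandler:completionHandler];
        }]];
    }
    [chooser addAction:[UIAlertAction actionWithTitle:@"Cancel"
                                                style:UIAlertActionStyleCancel
                                              handler:^(UIAlertAction *action) {
        // User declined: continue without a certificate, as the Actual Results describe.
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
    }]];
    [self.presenter presentViewController:chooser animated:YES completion:nil];
}

@end
```

Set an instance of this class as the WKWebView's `navigationDelegate` and keep a strong reference to it elsewhere, since the web view holds its delegate weakly. The same branching has to be repeated in `URLSession:didReceiveChallenge:completionHandler:` for any NSURLSession the app uses directly, which is the duplication the report is asking Apple to remove.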

Version:
iOS 7.1.1

Notes:
Discussed with security team folks at WWDC, who suggested I submit this bug report. One of our motivations is to enable us to have third parties provide apps to us that we can re-sign and re-distribute via MDM, and have those apps perform cert-based authentication. These apps and others already use a UIWebView for authentication before continuing in a more native-style app. This is because current authentication methods depend on redirects, SAML form POSTs, etc. that are browser-friendly but not really friendly to a headless NSURLConnection. The goal is to have these apps sign on using certificate-based auth instead of prompting the user. This can be achieved if these embedded web views start to process keychain items more like Safari does.
