Purebred / SampleKeyProvider

Sample project providing a facsimile of Purebred Registration's document provider extension to enable testing key import operations
The Unlicense

Certificate Chain not passed with Certificate #1

Open gregtse2 opened 5 years ago

gregtse2 commented 5 years ago

Good Day! So we've implemented Purebred for iOS, and your samples all worked wonderfully - we actually used Xamarin, so it took a bit of modification - but it seems when we create a certificate from the byte data, while there is a private key and public key, there is not a root or intermediate certificate. So when we go to authenticate against an API, it fails as the certificate does not validate. Is it possible to get the Root and Intermediate Certificates from Purebred?

Thanks!

carl-wallace commented 5 years ago

Certainly not the root. That must be supplied via a trusted means (typically an MDM). The app will make a best effort to include the intermediate in the PKCS12 by chasing the AIA in the certificate, but if that fails, the PKCS12 will not include it.

The roots and intermediates for the test environment and production are currently hosted at e42.us/pl.


gregtse2 commented 5 years ago

Thanks for the link! That's very helpful for our testing :)

To ask perhaps a dumb question, as we have Purebred installed in a production setting, the root and intermediary certificates are installed on the device profile, but since all apps are sandboxed, when we use Purebred to import any certificate, it lacks the root and intermediary necessary for the certification chain for mutual auth. How can our app, or any iOS app, fetch the needed root and intermediary since iOS doesn't provide such a function?

Thanks so much for your super fast reply and help!

Ref: https://stackoverflow.com/questions/42432473/programmatically-read-root-ca-certificates-in-ios


carl-wallace commented 5 years ago

The intermediates can be obtained by chasing the URL in the AIA extension. Trust anchor distribution is fairly ad hoc across most platforms, with things like Group Policy, MDMs, browsers, InstallRoot, etc. used to distribute them. Within the DoD context, InstallRoot is probably the best bet for obtaining trust anchors and intermediate CA certificates in one shot. You can find that utility here: https://iase.disa.mil/pki-pke/pages/tools.aspx.

Generally, we aim for the Purebred app to stay out of handling of anything except SCEP payloads and P12s with recovered keys. The split is more pronounced on other platforms. I will take a note to consider adding a UTI for trust anchors and a UTI for intermediate CAs to a future release (recognizing that this doesn't do anything for you near term) to address the gap you have identified.


Rmpanga commented 5 years ago

Hello,

We are seeing a similar issue on the Sample Key Provider app. We have a p12 file that contains intermediary certificates. The root CA is on the server. We do not use SampleKeyProvider (we use iCloud); our app receives all the intermediary certificates and we can authenticate with our server.

However if we try using SampleKeyProvider we do not receive the intermediary certificates that were associated with the p12 file.

My question is: are intermediary certificates supported by Purebred?

carl-wallace commented 5 years ago

Purebred makes a best effort to include P12s it prepares for key sharing by using URIs included in an AIA extension in the user’s certificate. Generally, Purebred is installed by an MDM and the MDM handles distributing intermediate CA certificates to the device.


Rmpanga commented 5 years ago

Okay, we received some test certificates from our federal partners. In the user certificate I confirmed that there is an AIA extension which contains a URI that points to another certificate. I downloaded this certificate manually and it also has another AIA extension that points to another valid certificate.

Is SampleKeyProvider supposed to download these certificates in the URI? Lastly, in this situation will Purebred provide our app all the certificates if the URI location is valid?

Thanks

carl-wallace commented 5 years ago

Sample key provider does not chase AIAs. Purebred will if it can (some organizations aggressively block such things). It's as likely as not that the AIA in the certificate you get back is for a trust anchor. You should not download trust anchors from an AIA but should get them via a trustworthy source out-of-band. In this context, the typical means of getting a trust anchor is from the MDM.

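The chain-completion behaviour described across this thread (following the caIssuers URLs in the AIA extension to collect intermediates, stopping short of anything self-signed, and taking the trust anchor only from an out-of-band source such as the MDM) as an added Go example. This is not code from SampleKeyProvider or Purebred; it builds a throwaway root, intermediate and leaf in memory, and the AIA URLs and the `fetch` map are hypothetical stand-ins for real HTTP endpoints.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TestPKI is a constructed three-tier hierarchy: root -> intermediate -> leaf.
type TestPKI struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// Hypothetical caIssuers URLs placed in the AIA extensions (not real endpoints).
const (
	IntermediateURL = "http://pki.example.test/intermediate.cer"
	RootURL         = "http://pki.example.test/root.cer"
)

func mustCert(tmpl, parent *x509.Certificate, pub, signer any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildTestPKI generates fresh keys and certificates. The intermediate's AIA points at
// the root and the leaf's AIA at the intermediate, as in the certificates discussed above.
func BuildTestPKI() TestPKI {
	now := time.Now()
	newKey := func() *ecdsa.PrivateKey {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		return k
	}
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	intTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Test Intermediate CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		IssuingCertificateURL: []string{RootURL},
	}
	inter := mustCert(intTmpl, root, &intKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "user@example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		IssuingCertificateURL: []string{IntermediateURL},
		OCSPServer:            []string{"http://ocsp.example.test"}, // in the AIA too, but not caIssuers
	}
	leaf := mustCert(leafTmpl, inter, &leafKey.PublicKey, intKey)
	return TestPKI{Root: root, Intermediate: inter, Leaf: leaf}
}

// CAIssuersURLs returns the caIssuers URIs from the AIA extension. Go keeps OCSP responder
// URIs in a separate field, so these are exactly the URLs a "chase the AIA" step follows.
func CAIssuersURLs(c *x509.Certificate) []string { return c.IssuingCertificateURL }

// IsSelfSigned reports whether c verifies under its own key: a trust-anchor candidate,
// which must never be accepted from an AIA fetch.
func IsSelfSigned(c *x509.Certificate) bool { return c.CheckSignatureFrom(c) == nil }

// CompleteChain models the best-effort intermediate collection: walk caIssuers URLs upward
// from the leaf, keep only certificates that actually issued the current one, and stop at
// anything self-signed. fetch stands in for HTTP retrieval and returns nil when blocked.
func CompleteChain(leaf *x509.Certificate, fetch func(url string) *x509.Certificate) []*x509.Certificate {
	var intermediates []*x509.Certificate
	cur := leaf
	for depth := 0; depth < 8; depth++ { // bound the walk in case of AIA loops
		var issuer *x509.Certificate
		for _, u := range CAIssuersURLs(cur) {
			if c := fetch(u); c != nil && cur.CheckSignatureFrom(c) == nil {
				issuer = c
				break
			}
		}
		if issuer == nil || IsSelfSigned(issuer) {
			break // roots come from the MDM (or similar), not from the network
		}
		intermediates = append(intermediates, issuer)
		cur = issuer
	}
	return intermediates
}

// VerifyClientCert builds the path from leaf through intermediates to one of the anchors.
// With no intermediates it fails the same way the API authentication in the thread did.
func VerifyClientCert(leaf *x509.Certificate, intermediates []*x509.Certificate, anchors ...*x509.Certificate) error {
	roots, ints := x509.NewCertPool(), x509.NewCertPool()
	for _, a := range anchors {
		roots.AddCert(a)
	}
	for _, i := range intermediates {
		ints.AddCert(i)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: ints,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	pki := BuildTestPKI()
	store := map[string]*x509.Certificate{IntermediateURL: pki.Intermediate, RootURL: pki.Root}
	fetch := func(u string) *x509.Certificate { return store[u] }
	fmt.Println("leaf AIA caIssuers:", CAIssuersURLs(pki.Leaf))
	fmt.Println("leaf only, anchor from MDM:", VerifyClientCert(pki.Leaf, nil, pki.Root))
	ints := CompleteChain(pki.Leaf, fetch)
	fmt.Println("intermediates collected:", len(ints))
	fmt.Println("leaf + intermediates, anchor from MDM:", VerifyClientCert(pki.Leaf, ints, pki.Root))
	fmt.Println("leaf + intermediates, no anchor:", VerifyClientCert(pki.Leaf, ints))
}
```

Running it prints the leaf's single caIssuers URL, a verification error for the leaf on its own, one collected intermediate, success once that intermediate is present alongside the MDM-supplied root, and a failure again when no anchor is supplied: the root fetched via the intermediate's AIA is deliberately discarded by `CompleteChain`, which is the point Carl makes about not downloading trust anchors from an AIA.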

Rmpanga commented 5 years ago

Okay. Thank you for your help