aws-amplify / aws-sdk-ios

AWS SDK for iOS. For more information, see our web site:
https://aws-amplify.github.io/docs

Not support ECDSA cipher suite for aws-sdk-ios #905

Open Cyan-pactera opened 6 years ago

Cyan-pactera commented 6 years ago

In principle, ECDSA cipher suites are supported in AWS IoT (see "Elliptic Curve Cryptography and Forward Secrecy Support in AWS IoT" and "Security and Identity for AWS IoT"):

TLS Cipher Suite Support

AWS IoT supports the following cipher suites:

ECDHE-ECDSA-AES128-GCM-SHA256 (recommended)
ECDHE-RSA-AES128-GCM-SHA256 (recommended)
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA

But in aws-sdk-ios, all certificates are saved as RSA type. It only supports RSA:

```objectivec
[keyPairAttr setObject:(id)kSecAttrKeyTypeRSA forKey:(id)kSecAttrKeyType];
```

This operation executes in "AWSIoTKeychain.m".

While importing a p12 that contains an ECDSA key via the importIdentityFromPKCS12Data:passPhrase:certificateId: method, it returns YES, but validity verification will always fail when we try to connect to the server. By the way, verification is a private method.
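The failure mode described in this report (an EC identity imported successfully but stored under an RSA keychain attribute, surfacing only as a TLS failure) can be caught before the SDK call. The following is an added example, not code from aws-sdk-ios: it imports the PKCS#12 blob with Security.framework, reads the actual private-key type with SecKeyCopyAttributes, and compares it with the type the keychain entry will be tagged with. The helper names (AWSDemoKeyTypeOfIdentity, AWSDemoPKCS12HasKeyType, the AWSDemoKeyTypeCheck error domain) are assumptions for this example; the "42" (RSA) and "73" (EC prime-random) values are the string forms of the Security framework's kSecAttrKeyTypeRSA and kSecAttrKeyTypeECSECPrimeRandom constants.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical helper, not part of aws-sdk-ios: returns the kSecAttrKeyType of an
// identity's private key as a string ("42" for kSecAttrKeyTypeRSA, "73" for
// kSecAttrKeyTypeECSECPrimeRandom), or nil if it cannot be read.
static NSString *AWSDemoKeyTypeOfIdentity(SecIdentityRef identity) {
    SecKeyRef privateKey = NULL;
    if (SecIdentityCopyPrivateKey(identity, &privateKey) != errSecSuccess || privateKey == NULL) {
        return nil;
    }
    NSDictionary *attrs = CFBridgingRelease(SecKeyCopyAttributes(privateKey));
    CFRelease(privateKey);
    // The attribute may surface as NSString or NSNumber depending on OS version,
    // so normalise through -description before comparing.
    return [attrs[(__bridge id)kSecAttrKeyType] description];
}

// Hypothetical helper: imports p12Data with passphrase and checks that the private
// key type matches expectedType (for example kSecAttrKeyTypeRSA, the type the SDK's
// keychain entry is tagged with). Returns YES on match; on import failure or type
// mismatch it fills *error so the caller can report the real cause up front instead
// of a late, opaque TLS handshake failure.
static BOOL AWSDemoPKCS12HasKeyType(NSData *p12Data,
                                    NSString *passphrase,
                                    CFStringRef expectedType,
                                    NSError **error) {
    NSDictionary *options = @{ (__bridge id)kSecImportExportPassphrase: passphrase };
    CFArrayRef items = NULL;
    OSStatus status = SecPKCS12Import((__bridge CFDataRef)p12Data,
                                      (__bridge CFDictionaryRef)options,
                                      &items);
    if (status != errSecSuccess || items == NULL || CFArrayGetCount(items) == 0) {
        if (items) CFRelease(items);
        if (error) {
            *error = [NSError errorWithDomain:NSOSStatusErrorDomain
                                         code:status
                                     userInfo:@{NSLocalizedDescriptionKey: @"PKCS#12 import failed"}];
        }
        return NO;
    }

    // Read the identity's key type before releasing the import result.
    NSDictionary *item = (__bridge NSDictionary *)CFArrayGetValueAtIndex(items, 0);
    SecIdentityRef identity = (__bridge SecIdentityRef)item[(__bridge id)kSecImportItemIdentity];
    NSString *actualType = identity ? AWSDemoKeyTypeOfIdentity(identity) : nil;
    CFRelease(items);

    NSString *wanted = [(__bridge NSString *)expectedType description];
    if (actualType == nil || ![actualType isEqualToString:wanted]) {
        if (error) {
            NSString *msg = [NSString stringWithFormat:
                @"PKCS#12 private key type %@ does not match expected %@ "
                 "(RSA is 42, EC is 73); storing it under an RSA keychain attribute "
                 "will fail at the TLS handshake",
                actualType ?: @"unknown", wanted];
            *error = [NSError errorWithDomain:@"AWSDemoKeyTypeCheck"
                                         code:-1
                                     userInfo:@{NSLocalizedDescriptionKey: msg}];
        }
        return NO;
    }
    return YES;
}

// Usage sketch: run the check with kSecAttrKeyTypeRSA before handing the data to
// importIdentityFromPKCS12Data:passPhrase:certificateId:. A NO with "73" as the
// actual type means the identity is EC and cannot be used through the RSA-only path.
static BOOL AWSDemoCanUseWithRSAKeychainEntry(NSData *p12Data, NSString *passphrase) {
    NSError *error = nil;
    BOOL ok = AWSDemoPKCS12HasKeyType(p12Data, passphrase, kSecAttrKeyTypeRSA, &error);
    if (!ok) {
        NSLog(@"identity rejected before keychain import: %@", error.localizedDescription);
    }
    return ok;
}
```

The check deliberately inspects the key inside the identity rather than trusting the import status, because SecPKCS12Import succeeds for EC keys just as it does for RSA; the mismatch only appears once the stored attribute and the real key disagree.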

mutablealligator commented 6 years ago

Thank you @Cyan-pactera for reporting to us. Sorry for the inconvenience caused. As you pointed out, the SDK only supports RSA for key exchange though the IoT service supports ECDSA. We will take it as a feature request to support the different cipher suites that AWS IoT supports in the TLS connection.

Manasi-Bhandare-Bose commented 6 years ago

Any timeline on this?

scb01 commented 6 years ago

@Manasi-Bhandare-Bose

I don't have a specific timeline that I can share at this point. This is in our backlog and waiting for prioritization. I will post back on this thread or through a general forum announcement when I have an update.

alperenguclu commented 5 years ago

@cbommas @kvasukib Is there any update about this issue?