
TLS authentication using smart card on iOS

I need to implement TLS authentication using a smart card with an installed certificate and its associated public-private key pair on it. I managed to get the TLS client authentication working by using a .p12 file imported into the application's bundle (client authentication based on this: iOS app SSL .p12 Authentication - bad certificate error (-9825)), but my problem is that the private key can never leave a smart card and therefore I can't do the client authentication using the API. There are smart card operations available that can be used for signing and decrypting with a private key on the card to prove the app has got access to the private key.


The question I need to know the answer to is whether there is a way of establishing a TLS connection on iOS using either Objective-C, C or C++ where a reference to the private key itself is not needed, but the connection can be established by signing a piece of given data with the private key and returning the signed piece of data when needed? Can you please provide me with some ideas or examples of how this could be done. Thank you.

If you are using Apple's APIs, I do not think you can perform client-authenticated TLS without handing the private key to the APIs.

Alternatively, you can use OpenSSL to handle the TLS connection and call a PKCS#11 engine to talk to the smart card for signing. I am also looking for implementations, but this sounds like a promising approach.
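The protocol fact behind the answer above is what makes the engine approach work: in a TLS client handshake the client proves possession of its key only by signing transcript data (the CertificateVerify message), so the TLS stack needs nothing more than a sign(bytes) callback that the card implements. The following is an added example, not code from the original post, from OpenSSL or from any PKCS#11 engine. It models the TLS 1.2 rsa_pkcs1_sha256 case (RFC 5246, section 7.4.8): the "client" code hands the card the concatenated handshake messages and forwards whatever signature comes back, and the "server" verifies it with the public key from the client certificate. The SmartCardStub class, the in-file RSA key generation and PKCS#1 v1.5 padding, and the handshake message bytes are all constructed for this file so that it runs offline with only the standard library; on a real device the stub's sign() is replaced by the card operation (for PKCS#11, C_Sign with CKM_SHA256_RSA_PKCS behaves the same way).

```python
"""Added example: TLS client authentication with a signing oracle only.

The TLS code below never sees a private key; it only calls signer.sign().
SmartCardStub, the toy RSA keygen and the transcript bytes are constructed
for this demo and are not part of the original post.
"""
import hashlib
import secrets
from math import gcd


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin, adequate for a demo key, not a substitute for a real keygen."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_rsa(bits=1024, e=65537):
    """Return (n, e, d). Demo-sized; a card would carry 2048 bits or more."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15(digest, em_len):
    """EMSA-PKCS1-v1_5 encoding of a SHA-256 digest into em_len bytes."""
    t = _SHA256_DIGESTINFO + digest
    if em_len < len(t) + 11:
        raise ValueError("modulus too short for PKCS#1 v1.5")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


class SmartCardStub:
    """Stand-in for the card: the private exponent lives only here, and the
    only operation exposed is sign() (compare PKCS#11 C_Sign)."""

    def __init__(self, n, e, d):
        self._n, self._d = n, d
        self.public_key = (n, e)      # what ends up in the client certificate
        self.sign_calls = 0

    def sign(self, tbs):
        self.sign_calls += 1
        k = (self._n.bit_length() + 7) // 8
        em = emsa_pkcs1_v15(hashlib.sha256(tbs).digest(), k)
        return pow(int.from_bytes(em, "big"), self._d, self._n).to_bytes(k, "big")


def verify_pkcs1_v15(public_key, tbs, signature):
    """Server side: RSASSA-PKCS1-v1_5 verification with the certificate's key."""
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return secrets.compare_digest(em, emsa_pkcs1_v15(hashlib.sha256(tbs).digest(), k))


def client_certificate_verify(signer, handshake_messages):
    """TLS 1.2 client, rsa_pkcs1_sha256: the transcript goes to the card, the
    signature comes back; no key reference is needed on this side."""
    return signer.sign(b"".join(handshake_messages))


def server_check_certificate_verify(client_public_key, handshake_messages, signature):
    return verify_pkcs1_v15(client_public_key, b"".join(handshake_messages), signature)


def demo():
    card = SmartCardStub(*generate_rsa())     # card provisioned with its key pair
    transcript = [b"ClientHello...", b"ServerHello...", b"Certificate...",
                  b"CertificateRequest...", b"ClientKeyExchange..."]  # constructed
    sig = client_certificate_verify(card, transcript)
    accepted = server_check_certificate_verify(card.public_key, transcript, sig)
    # The same signature over a different transcript must be rejected.
    replayed = server_check_certificate_verify(card.public_key, transcript[:-1], sig)
    return accepted, replayed, card.sign_calls


if __name__ == "__main__":
    print(demo())
```

One caveat to check against the card before committing to this route: TLS 1.3 does not permit RSASSA-PKCS1-v1_5 in signed handshake messages (RFC 8446, section 4.2.3), only RSA-PSS, so a card that exposes just the PKCS#1 v1.5 signing mechanism can serve TLS 1.2 client authentication as shown here but will need a PSS or raw-RSA mechanism for TLS 1.3.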
