Using Certificates from Afaria for Authentication

One of the features of Afaria is the ability to provide a device with a signed certificate that can be used as an authentication credential for Sybase Unwired Platform. This note explains how to take a certificate provided by Afaria and convert it into a form suitable for use with Sybase Unwired Platform.

Prerequisites:

In Sybase Unwired Platform, a certificate can be used for authentication by creating a login certificate object (the SUPLoginCertificate class) and setting it as the certificate property of the client's synchronization profile. The login certificate has two properties that are used in authentication: the subjectCN (the common name of the certificate) and the signedCertificate (the certificate data itself).

After calling the Afaria APIs to get initial settings and configuration data, an application using Afaria may obtain a signed certificate using one of these APIs:

+ (NSInteger)retrieveCertificateWithPrivateKey:(SecKeyRef)privateKey andPublicKey:(SecKeyRef)publicKey andCommonName:(NSString *)commonName andChallenge:(NSString *)challengeCode forUrlScheme:(NSString *)urlScheme inCertificate:(SecCertificateRef *)certificate;


+ (NSInteger)retrieveCertificateWithUrl:(NSURL *)url andPrivateKey:(SecKeyRef)privateKey andPublicKey:(SecKeyRef)publicKey andCommonName:(NSString *)commonName andChallenge:(NSString *)challengeCode inCertificate:(SecCertificateRef *)certificate;

After this, the application will have a SecCertificateRef with the certificate, and a SecKeyRef with the private key. The certificate data in the SecCertificateRef cannot be used as is in the signedCertificate property of an SUPLoginCertificate. The signedCertificate property value is expected to contain the certificate and a digest of the certificate in ASN.1 format. To create the signedCertificate property value:

This sample code shows how to get the Afaria certificate, create an SUPLoginCertificate object, and attach it to a Sybase Unwired Platform synchronization profile.

// At this point, an Afaria user should have a signed certificate and a private key available after importing
// their certificate using either of the Afaria APIs:
/*
+ (NSInteger)retrieveCertificateWithPrivateKey:(SecKeyRef)privateKey andPublicKey:(SecKeyRef)publicKey andCommonName:(NSString *)commonName andChallenge:(NSString *)challengeCode forUrlScheme:(NSString *)urlScheme inCertificate:(SecCertificateRef *)certificate;

+ (NSInteger)retrieveCertificateWithUrl:(NSURL *)url andPrivateKey:(SecKeyRef)privateKey andPublicKey:(SecKeyRef)publicKey andCommonName:(NSString *)commonName andChallenge:(NSString *)challengeCode inCertificate:(SecCertificateRef *)certificate;

SecCertificateRef certificate;
SecKeyRef privatekey;
*/

SUPLoginCertificate *loginCertificate = [SUPLoginCertificate getInstance];

// SecCertificateCopySubjectSummary returns a +1 retained CFStringRef (Copy rule), so it
// must be released after the property has taken it; casting it straight into the
// property, as the original sample did, leaks the string under manual reference counting.
CFStringRef subjectSummary = SecCertificateCopySubjectSummary(certificate);
loginCertificate.subjectCN = (NSString *)subjectSummary;
CFRelease(subjectSummary);

// Build the signedCertificate value (certificate plus its digest, ASN.1 encoded)
loginCertificate.signedCertificate = [CertBlobUtility makeCertBlob:certificate andPrivateKey:privatekey];

NSLog(@"Certificate created. Subject = %@", loginCertificate.subjectCN);
NSLog(@"MD5 digest = %@", [CertBlobUtility md5sum:loginCertificate.signedCertificate]);
NSLog(@"SHA1 digest = %@", [CertBlobUtility sha1:loginCertificate.signedCertificate]);

// Attach certificate to sync profile
SUPConnectionProfile *syncProfile = [SAPSSOCertTestSAPSSOCertTestDB getSynchronizationProfile];
syncProfile.certificate = loginCertificate;
[loginCertificate release];
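The sample above logs digests of the finished blob but never checks the certificate it received from Afaria before attaching it to the profile. The following is an added example, not code from the original note or from the Afaria or Sybase SDKs: it computes the SHA-1 fingerprint of the certificate's DER encoding with Security.framework and CommonCrypto and compares it, together with the subject summary, against a value the administrator is assumed to have provisioned out of band (the expected fingerprint and the helper names are assumptions of this example).

```objective-c
#import <Security/Security.h>
#import <CommonCrypto/CommonDigest.h>

// Hex SHA-1 fingerprint ("AB:CD:...") of the certificate's DER encoding.
// Returns nil if the certificate data cannot be read. (Added example.)
static NSString *AfariaCertFingerprintSHA1(SecCertificateRef certificate)
{
    if (certificate == NULL) {
        return nil;
    }
    CFDataRef der = SecCertificateCopyData(certificate);   // +1 retained, released below
    if (der == NULL) {
        return nil;
    }
    unsigned char digest[CC_SHA1_DIGEST_LENGTH];
    CC_SHA1(CFDataGetBytePtr(der), (CC_LONG)CFDataGetLength(der), digest);
    CFRelease(der);

    NSMutableString *hex = [NSMutableString stringWithCapacity:CC_SHA1_DIGEST_LENGTH * 3];
    for (int i = 0; i < CC_SHA1_DIGEST_LENGTH; i++) {
        [hex appendFormat:@"%02X%@", digest[i],
                          (i < CC_SHA1_DIGEST_LENGTH - 1) ? @":" : @""];
    }
    return hex;
}

// YES only if the certificate has a non-empty subject summary (the value the
// sample uses for subjectCN) and its fingerprint matches expectedSHA1, which is
// assumed to be provisioned out of band (for example via Afaria configuration data).
static BOOL AfariaCertIsExpected(SecCertificateRef certificate, NSString *expectedSHA1)
{
    if (certificate == NULL || expectedSHA1 == nil) {
        return NO;
    }
    CFStringRef summary = SecCertificateCopySubjectSummary(certificate);   // +1 retained
    BOOL hasCN = (summary != NULL && CFStringGetLength(summary) > 0);
    if (summary != NULL) {
        CFRelease(summary);
    }
    NSString *actual = AfariaCertFingerprintSHA1(certificate);
    return hasCN && actual != nil &&
           [actual caseInsensitiveCompare:expectedSHA1] == NSOrderedSame;
}
```

Call AfariaCertIsExpected before building the SUPLoginCertificate and refuse to attach the profile when it returns NO, logging the actual fingerprint so a mismatch can be investigated.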