
Allow using installed client certificate

Open zindable opened this issue 10 months ago • 9 comments

In my configuration, I distinguish between external traffic originating from the internet and internal traffic within the local network. While internal traffic enjoys direct access to my services, external requests undergo additional authentication via mutual TLS (mTLS), terminated on my proxy.

I stumbled upon a demo showcasing how mTLS can be implemented in Swift. However, as I'm not proficient in Swift development, I'm uncertain about its feasibility.

Would it be possible for the app to show a list of installed profiles/certificates and utilize them in cases where the server mandates client authentication at the TLS layer?

zindable, Apr 01 '24 12:04

I've received a few requests for this. I'm not an expert at all on the topic, so I'll have to research this first. It does seem useful though, so I'll look into it.

The app uses URLSession for everything so as per your link it should be possible to implement.

paulgessinger, Apr 01 '24 13:04

Hi,

Would it be possible for the app to show a list of installed profiles/certificates and utilize them in cases where the server mandates client authentication at the TLS layer?

@zindable As Apple limits access to the OS Keychain, that is not possible, but each app (or keychain group) can import them into its own keychain.

I'm currently trying to implement this feature here: Fork (WiP)

Nils-witt, Jun 25 '24 08:06

@Nils-witt awesome! Looking forward to a PR on this!

paulgessinger, Jun 26 '24 15:06

@zindable I pushed @Nils-witt's changes to TestFlight now. Could you give this a try?

paulgessinger, Jul 14 '24 08:07

I tried to add a certificate, but got certificateLoadError. I used the same p12 file with https://github.com/immich-app/immich and it worked. The log did not contain anything certificate related :/

Finkregh, Aug 23 '24 14:08

@Finkregh I've found in my testing that it depends on details of the certificate.

I haven't tried this in Immich, but this app is using the iOS API for this pretty much directly, so if it doesn't work it's highly likely it's because of Apple's framework. If you created the .p12 with openssl3, I believe you need to pass -legacy to make it work.

I found this out through trial and error trying to import a client cert first straight into macOS keychain and then into the app (the crypto framework is the same).

Can you give that a shot?

paulgessinger, Aug 24 '24 07:08
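For readers following the URLSession and `-legacy` hints above, here is an added example (not code from swift-paperless or from the linked fork) of the two pieces involved: importing a PKCS#12 bundle into the app's own keychain scope with `SecPKCS12Import`, and answering the server's TLS-layer client-certificate challenge from a `URLSessionDelegate`. The file name, passphrase and server URL are placeholder assumptions.

```swift
import Foundation
import Security

/// Failures when turning a .p12 blob into a SecIdentity the session can present.
enum ClientCertError: Error { case importFailed(OSStatus), noIdentity }

/// Imports the PKCS#12 bundle into this app's keychain scope and returns its identity.
/// A .p12 exported by OpenSSL 3 defaults to AES/PBKDF2, which this import rejects with a
/// non-zero OSStatus; re-export it with `openssl pkcs12 -export -legacy ...` to work around that.
func loadIdentity(p12 data: Data, passphrase: String) throws -> SecIdentity {
    let options: [String: Any] = [kSecImportExportPassphrase as String: passphrase]
    var items: CFArray?
    let status = SecPKCS12Import(data as CFData, options as CFDictionary, &items)
    guard status == errSecSuccess else { throw ClientCertError.importFailed(status) }
    guard let first = (items as? [[String: Any]])?.first,
          let identityRef = first[kSecImportItemIdentity as String] else {
        throw ClientCertError.noIdentity
    }
    return identityRef as! SecIdentity  // CF bridging cast; the key check above makes it safe
}

/// Session delegate that presents the client identity only when the server asks for it.
final class MTLSDelegate: NSObject, URLSessionDelegate {
    private let identity: SecIdentity
    init(identity: SecIdentity) { self.identity = identity }

    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Server-trust evaluation is left to the system default; only the client-cert challenge is handled.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodClientCertificate else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        let credential = URLCredential(identity: identity, certificates: nil, persistence: .forSession)
        completionHandler(.useCredential, credential)
    }
}

// Usage with placeholder values (path, passphrase and URL are assumptions for this example).
let done = DispatchSemaphore(value: 0)
do {
    let p12Data = try Data(contentsOf: URL(fileURLWithPath: "client.p12"))
    let identity = try loadIdentity(p12: p12Data, passphrase: "changeit")
    let session = URLSession(configuration: .default, delegate: MTLSDelegate(identity: identity), delegateQueue: nil)
    session.dataTask(with: URL(string: "https://paperless.example/api/")!) { _, response, error in
        print(response.map { "\($0)" } ?? error?.localizedDescription ?? "no response")
        done.signal()
    }.resume()
    done.wait()
} catch {
    print("client certificate setup failed: \(error)")
}
```

If the import step throws `importFailed`, the OSStatus it carries is the value to look up before suspecting the TLS handshake itself; a successful import followed by a 400-class response from the proxy points at the handshake or the proxy's client-CA configuration instead.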

It works, nice!

In the UI it's not clear how I can remove servers, btw :)

Finkregh, Aug 25 '24 08:08

@Finkregh I added a logout button right in the settings screen now.

paulgessinger, Sep 11 '24 14:09

A first version will be in v1.5.0 but I'll follow this up with a UI overhaul to make this a bit more streamlined, paired with some documentation on how to set this up properly in an install.

paulgessinger, Sep 12 '24 10:09

I'm having issues with this as well. I've seen from the logs that the certificate has been loaded properly, but I'm unable to get the login working anyway.

I have tried to debug everything; the cert is valid and loaded correctly, yet the logs don't help me understand whether the certificate has been sent or not.

Any guesses?

LucaTheHacker, Oct 15 '24 17:10