Need to pass the entire certificate chain in the SecTrustRef structure for SecTrustEvaluate to return success.

Originator: uday.kiran.citrix
Number: rdar://30867168    Date Originated: 06-Mar-2017 06:04 PM
Status: Open    Resolved:
Product: iOS    Product Version:
Classification: Security    Reproducible: Always

Area:
Security Framework

Summary:
We are using SecTrustEvaluate to check the validity of a certificate. We want to do this as we want to check if the certificate can be trusted. We are not planning to do any CRL checks etc, just the trust.

The issue we have is that we need to pass the entire certificate chain and not just the leaf certificate if we want to get a return value of kSecTrustResultUnspecified or kSecTrustResultProceed. 
This issue is 100% reproducible for any of the certificates created from non public certificate authority. 
If we don't pass the entire cert chain in the SecTrustRef structure then we get a kSecTrustResultRecoverableTrustFailure error from the SecTrustEvaluate call.

Steps to Reproduce:
We are using SecTrustEvaluate to check the validity of a certificate. We want to do this as we want to check if the certificate can be trusted. We are not planning to do any CRL checks etc, just the trust.
Precondition: the leaf certificate should be issued by one intermediate CA, which is itself issued by a CA.
Steps:
1. First install the intermediate CA public certificate and the root CA public certificate via MDM push.
2. Then get the leaf certificate issued from the intermediate CA and populate a SecTrustRef object using that.
3. Call SecTrustEvaluate with the SecTrustRef object obtained in the step above.




Expected Results:
The SecTrustEvaluate call returns either kSecTrustResultUnspecified or kSecTrustResultProceed, and the SecTrustRef contains the chain built as leaf cert -> intermediate CA -> root CA.


Actual Results:
The SecTrustEvaluate call returns kSecTrustResultRecoverableTrustFailure and the SecTrustRef doesn't contain the certificate chain.



Version:
9.3.5 and above

Notes:
Note: the actual result is the same as the expected result if I build the SecTrustRef object with the leaf certificate and the certificate chain.
From the Apple documentation for the SecTrustEvaluate method, about the input SecTrustRef structure: "A trust management object includes the certificate to be verified plus the policy or policies to be used in evaluating trust. It can optionally also include other certificates to be used in verifying the first certificate."
It never mentions that it is mandatory to pass the intermediate and root certificates for the trust to be established.
This issue is 100% reproducible for any of the certificates created from non public certificate authority. 

Configuration:
iPhone or iPad
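The two evaluations the report contrasts (leaf only versus leaf plus chain), as an added Swift example; this is not code from the radar or from Apple, and the DER file paths, the private-CA hierarchy they stand for, and the `evaluate`/`loadCert` helper names are assumptions made for illustration:

```swift
import Foundation
import Security

/// Outcome of one evaluation: the raw SecTrustResultType plus the chain the
/// evaluator actually built (leaf first), so the caller can see whether the
/// intermediate and root were located.
struct TrustOutcome {
    let result: SecTrustResultType
    let chain: [SecCertificate]
    var isTrusted: Bool { result == .unspecified || result == .proceed }
}

/// Builds a SecTrustRef from `leaf` plus any `extraCerts` (intermediates,
/// optionally the root) and evaluates it against the basic X.509 policy.
/// `anchors`, when given, replaces the device trust store for this
/// evaluation; pass nil to rely on the system / MDM-installed roots.
func evaluate(leaf: SecCertificate,
              extraCerts: [SecCertificate] = [],
              anchors: [SecCertificate]? = nil) -> TrustOutcome? {
    let policy = SecPolicyCreateBasicX509()
    // The leaf must be element 0; the remaining certificates are the
    // candidates the path builder may use to reach an anchor.
    let certs = ([leaf] + extraCerts) as CFArray
    var trust: SecTrust?
    guard SecTrustCreateWithCertificates(certs, policy, &trust) == errSecSuccess,
          let t = trust else {
        return nil
    }
    if let anchors = anchors {
        SecTrustSetAnchorCertificates(t, anchors as CFArray)
        SecTrustSetAnchorCertificatesOnly(t, true) // no fallback to system roots
    }
    var result = SecTrustResultType.invalid
    guard SecTrustEvaluate(t, &result) == errSecSuccess else { return nil }
    // The chain the evaluator built: a count of 1 means the path never got
    // past the leaf, which is what the report describes for leaf-only input.
    let chain = (0..<SecTrustGetCertificateCount(t)).compactMap {
        SecTrustGetCertificateAtIndex(t, $0)
    }
    return TrustOutcome(result: result, chain: chain)
}

/// Loads a DER-encoded certificate from disk (hypothetical helper).
func loadCert(derPath: String) -> SecCertificate? {
    guard let data = FileManager.default.contents(atPath: derPath) else { return nil }
    return SecCertificateCreateWithData(nil, data as CFData)
}

// Assumed inputs: a private-CA hierarchy exported as three DER files.
if let leaf = loadCert(derPath: "leaf.der"),
   let intermediate = loadCert(derPath: "intermediate.der"),
   let root = loadCert(derPath: "root.der") {

    // Leaf only. If the leaf carries no reachable AIA URL and the
    // intermediate is not otherwise available to the path builder, the
    // chain stops at the leaf and the result is .recoverableTrustFailure.
    if let leafOnly = evaluate(leaf: leaf) {
        print("leaf only: result=\(leafOnly.result.rawValue) chain=\(leafOnly.chain.count)")
    }

    // Leaf + intermediate, with the root pinned as the only anchor. On a
    // device where the root was installed and trusted via MDM, `anchors: nil`
    // would let the system trust store supply it instead.
    if let withChain = evaluate(leaf: leaf, extraCerts: [intermediate], anchors: [root]) {
        print("with chain: result=\(withChain.result.rawValue) chain=\(withChain.chain.count)")
        assert(withChain.isTrusted && withChain.chain.count == 3)
    }
}
```

Two practitioner notes on this pattern. First, checking `SecTrustGetCertificateCount` after evaluation is the quickest way to tell "the intermediate was never found" apart from "the chain was built but a policy check failed": both surface as `kSecTrustResultRecoverableTrustFailure`, but only the former leaves a chain of length 1. Second, `SecTrustEvaluate` was deprecated in iOS 12 in favour of `SecTrustEvaluateWithError`, which returns a `CFError` describing why the path failed; on current systems that error is the place to look before concluding the intermediate is missing.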
