Regression: SecTrustEvaluate no longer lets callers disable AIA fetching

Number:rdar://9974588 Date Originated:18-Aug-2011 01:20 AM
Status:Open Resolved:
Product:Mac OS X Product Version:10.6.8
Classification:Other Bug Reproducible:Always
18-Aug-2011 01:20 AM Ryan Sleevi:
In all prior versions of OS X prior to 10.6.8/10.7.0, the default behaviour of SecTrustEvaluate() was that it would NOT attempt to retrieve issuer certificates from the network, using the caIssuers field of the authorityInfoAccess extension. This was true regardless of the trust policy supplied to SecTrustEvaluate.

However, in 10.6.8/10.7.0, this has changed, in that if an SSL policy is located, SecTrustEvaluate() forces network fetches to be enabled. This regression means there is no API-supported way to disable revocation checking.

Steps to Reproduce:
1) Create a policy with CSSMOID_APPLE_TP_SSL/SecPolicyCreateSSL.
2) Pass the new SecPolicyRef into SecTrustCreateWithCertificates, specifying a certificate with an AIA extension. For example, the certificate for
3) Call SecTrustSetParameters, making sure to explicitly NOT specify CSSM_TP_ACTION_FETCH_CERT_FROM_NET in the CSSM_APPLE_TP_ACTION_DATA.ActionFlags
4) Call SecTrustEvaluate()

Expected Results:
There should be no attempt to retrieve, which is the caIssuer found in the authorityInfoAccess. Because the "Google Internet Authority" intermediate certificate is not included in the Keychain/system roots, the certificate should fail to validate.

Actual Results:
The certificate validates fine, as the intermediate is fetched via AIA, and it chains to a trusted root, the "Equifax Secure Certificate Authority".

This regressed in 10.6.8/10.7.0. Within the source, this is lines 229-232 of , which were added between 10.6.7 and 10.6.8.

The source specifically refers to rdar://7422356

As an application developer, there are times when I actively and explicitly want to disable AIA chasing, as either a privacy risk or as a matter of performance. This has been possible since OS X 10.2, and regressed without much explanation or an alternative (such as CSSM_TP_ACTION_DISABLE_FETCH_FROM_NET, if FETCH_FROM_NET was to become the new default).


Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!