No API to detect private trust anchors when implementing SSL pinning

Originator: nabla.c0d3
Number: rdar://22206007
Date Originated: 09-Aug-2015 11:38 PM
Status: Open Resolved:
Product: Product Version:
Classification: Reproducible:
 
Summary:
When implementing SSL pinning, it is useful to not enforce pinning when a private trust anchor, which was manually added to the OS' trust store, is detected in the server's certificate chain. 
This is needed for allowing SSL connections through corporate proxies or firewalls and it is how Chrome operates in that scenario; stopping attackers with the ability to modify the OS (by adding certificates to the OS trust store, hooking SSL APIs, etc.) is not part of SSL pinning's threat model.

Steps to Reproduce:
Try to detect whether the certificate chain returned by a server was signed by a private trust anchor (which was manually added to the iOS trust store) or by a system trust anchor (shipped with iOS).

Expected Results:
It would be nice to have an API to differentiate OS trust anchors from private trust anchors.

On OS X, the list of private trust anchors can be retrieved using `SecTrustSettingsCopyCertificates()` with the
`kSecTrustSettingsDomainUser` and `kSecTrustSettingsDomainAdmin` domain settings.

This logic is implemented in a tool I worked on: https://github.com/datatheorem/TrustKit/blob/master/TrustKit/Pinning/ssl_pin_verifier.m#L146


Actual Results:
No way to differentiate private trust anchors from system trust anchors.

Version:
iOS 8

Notes:


Configuration:
N/A

Attachments:
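
The OS X check described under Expected Results, sketched as an added example; it is not part of the original report and is not TrustKit's code. The names `PinDecision`, `certIsInDomain` and `pinDecisionForTrust` are hypothetical, and the anchor is assumed to be the last certificate of the evaluated chain.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

typedef NS_ENUM(NSInteger, PinDecision) {   // hypothetical names, for illustration
    PinDecisionReject,        // chain does not validate at all
    PinDecisionSkipPinning,   // valid chain ending in a user/admin-added anchor
    PinDecisionEnforcePins    // valid chain ending in an OS-shipped anchor
};

// YES if `cert` has trust settings in `domain` (user or admin trust store).
static BOOL certIsInDomain(SecCertificateRef cert, SecTrustSettingsDomain domain)
{
    CFArrayRef certs = NULL;
    // errSecNoTrustSettings is returned when the domain has no entries.
    if (SecTrustSettingsCopyCertificates(domain, &certs) != errSecSuccess || certs == NULL) {
        return NO;
    }
    BOOL found = NO;
    for (CFIndex i = 0; i < CFArrayGetCount(certs) && !found; i++) {
        found = CFEqual(CFArrayGetValueAtIndex(certs, i), cert);
    }
    CFRelease(certs);
    return found;
}

// OS X only: these trust-settings calls are not available on iOS.
PinDecision pinDecisionForTrust(SecTrustRef trust)
{
    CFErrorRef error = NULL;
    if (!SecTrustEvaluateWithError(trust, &error)) {   // macOS 10.14+
        if (error) CFRelease(error);
        return PinDecisionReject;
    }
    CFIndex count = SecTrustGetCertificateCount(trust);
    if (count == 0) return PinDecisionReject;
    // Last certificate of the evaluated chain is the trust anchor.
    // (Deprecated in macOS 12 in favour of SecTrustCopyCertificateChain.)
    SecCertificateRef anchor = SecTrustGetCertificateAtIndex(trust, count - 1);
    BOOL isPrivate = certIsInDomain(anchor, kSecTrustSettingsDomainUser) ||
                     certIsInDomain(anchor, kSecTrustSettingsDomainAdmin);
    return isPrivate ? PinDecisionSkipPinning : PinDecisionEnforcePins;
}
```

A certificate appears in these domains whenever it has user or admin trust settings, so a system root whose settings were edited locally is also reported as private by this check.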
