Does SecTrustEvaluateWithError validate External Reference Identifiers?

I am trying to validate external reference identifiers with the SecTrustEvaluateWithError method by setting the reference IDs on SecPolicyCreateSSL() & SecPolicyCreateWithProperties().

But there are two concerns:

  1. It validates correct reference IDs but gives an error for a combination of wrong and correct reference IDs.
  2. The 398-day validity check is applied mandatorily before the reference ID check.

Is there any other way to validate external reference IDs which gives the flexibility:

  1. To pass multiple combinations of reference ID strings (wrong, correct, IP, DNS).
  2. To validate a reference ID without the 398-day validity check.

Please suggest. Any help here is highly appreciated.

Answered by DTS Engineer in 828861022

I’m not sure I understand what you mean by “reference IDs” here. Can you elaborate on what you’re actually trying to verify?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

By reference ID I mean validating the server identity. For example, if the SAN DNS name is "example.com" or the IP is "aaa.bbb.ccc.ddd", then we can pass the external string "example.com" or "aaa.bbb.ccc.ddd" to the policy.

This validation is needed for the server identity check. Let me know if any other clarification is needed.

Also, can you confirm what validation the SecPolicyCreateX509() policy actually performs (chain validation, expiration, signature, EC parameters, revocation)?

I cannot find any specific documentation for this.

Can you confirm what validation the SecPolicyCreateX509 policy actually performs?

I don’t think that’s formally documented, but of the things you listed:

  • Chain validation — Yes.

  • Expiration — Yes. By default the trust object uses the current time, but you can override that with SecTrustSetVerifyDate.

  • Signature — Yes.

  • “ec parameter” — I don’t know what that means. In the context of PKI EC usually refers to elliptic curve, but I’m not sure what sort of validation that would need beyond the signature check covered by the previous point.

  • Revocation — Maybe. The default policy is an implementation detail. If you want to force specific revocation checks, add in the revocation policy (SecPolicyCreateRevocation).


By reference ID I mean validating the server identity.

Thanks for clarifying.

With that understanding, let’s return to your original questions.

To pass multiple combinations of reference ID strings (wrong, correct, IP, DNS)

I don’t understand what you’re asking here. Server name checking is done by the TLS policy (SecPolicyCreateSSL). You pass in a DNS name, or the string representation of an IP address, and it checks to see if that’s listed in the Subject Alternative Name extension. What else are you looking for?

To validate reference ID without days validity of 398.

I discuss those limits in this post.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
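As an added example (not code from this thread, from the original poster, or from Apple), the following Swift puts together the pieces Quinn names: one SecPolicyCreateSSL policy per candidate reference identifier, each evaluated in its own trust object so that a wrong candidate cannot drag down the verdict for a correct one; SecTrustSetVerifyDate to move the time used for the expiry check; and SecPolicyCreateRevocation to force OCSP/CRL checking rather than relying on the default policy. The struct and function names, the leaf-first ordering of the chain, and the file paths in the usage are assumptions made for the example; the Security framework calls are the real ones.

```swift
import Foundation
import Security

/// Verdict for one candidate reference identifier (name chosen for this example).
struct ReferenceIdentifierResult {
    let identifier: String
    let trusted: Bool
    let error: String?
}

/// Evaluates a server certificate chain against each candidate reference identifier
/// (a DNS name or the textual form of an IP address) in a separate SecTrust object,
/// so every identifier gets its own independent pass/fail.
///
/// - chainDER: DER-encoded certificates, leaf first, then intermediates (assumed order).
/// - anchorsDER: optional custom roots; nil means the system trust store is used.
/// - verifyDate: time used for the notBefore/notAfter check; nil means "now".
/// - requireRevocation: append SecPolicyCreateRevocation so OCSP/CRL checking is forced.
func evaluateReferenceIdentifiers(chainDER: [Data],
                                  identifiers: [String],
                                  anchorsDER: [Data]? = nil,
                                  verifyDate: Date? = nil,
                                  requireRevocation: Bool = false) -> [ReferenceIdentifierResult] {
    let chain = chainDER.compactMap { SecCertificateCreateWithData(nil, $0 as CFData) }
    guard !chain.isEmpty, chain.count == chainDER.count else {
        return identifiers.map {
            ReferenceIdentifierResult(identifier: $0, trusted: false,
                                      error: "chain contains data that is not a DER certificate")
        }
    }
    let anchors = anchorsDER?.compactMap { SecCertificateCreateWithData(nil, $0 as CFData) }

    return identifiers.map { identifier -> ReferenceIdentifierResult in
        // The hostname passed to SecPolicyCreateSSL is what the SAN check compares against.
        var policies: [SecPolicy] = [SecPolicyCreateSSL(true, identifier as CFString)]
        if requireRevocation {
            let flags: CFOptionFlags = kSecRevocationOCSPMethod
                | kSecRevocationCRLMethod
                | kSecRevocationRequirePositiveResponse
            if let revocation = SecPolicyCreateRevocation(flags) {
                policies.append(revocation)
            }
        }

        var trust: SecTrust?
        var status = SecTrustCreateWithCertificates(chain as CFArray, policies as CFArray, &trust)
        guard status == errSecSuccess, let trust = trust else {
            return ReferenceIdentifierResult(identifier: identifier, trusted: false,
                                             error: "SecTrustCreateWithCertificates failed: \(status)")
        }
        if let anchors = anchors {
            status = SecTrustSetAnchorCertificates(trust, anchors as CFArray)
            guard status == errSecSuccess else {
                return ReferenceIdentifierResult(identifier: identifier, trusted: false,
                                                 error: "SecTrustSetAnchorCertificates failed: \(status)")
            }
        }
        if let verifyDate = verifyDate {
            // Only changes the "now" used for the expiry check; it does not alter the
            // certificate's own validity period or the policy's lifetime limits.
            SecTrustSetVerifyDate(trust, verifyDate as CFDate)
        }

        var cfError: CFError?
        let trusted = SecTrustEvaluateWithError(trust, &cfError)
        return ReferenceIdentifierResult(identifier: identifier, trusted: trusted,
                                         error: (cfError as Error?)?.localizedDescription)
    }
}

// Usage with hypothetical DER files on disk (paths are placeholders for this example).
func demo() throws {
    let leaf = try Data(contentsOf: URL(fileURLWithPath: "/tmp/server-leaf.der"))
    let intermediate = try Data(contentsOf: URL(fileURLWithPath: "/tmp/intermediate.der"))
    let results = evaluateReferenceIdentifiers(
        chainDER: [leaf, intermediate],
        identifiers: ["example.com", "203.0.113.10", "wrong.example"],
        requireRevocation: true)
    for r in results {
        print("\(r.identifier): \(r.trusted ? "trusted" : "NOT trusted")", r.error ?? "")
    }
}
```

Because each identifier is evaluated on its own, a list mixing correct and wrong names yields one verdict per name instead of a single failure for the whole set. The verify date is the knob Quinn mentions for expiry checking; it is not a way around the lifetime limits discussed in the post he links, since those are based on the certificate's own validity period rather than on the evaluation time.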
