
Certificate Trust Failing in Latest OS Releases

Trying to apply 'always trust' to a certificate added to the keychain using both SecItemAdd() and SecPKCS12Import(), with SecTrustSettingsSetTrustSettings().
I created a launch daemon for this purpose.

The authorization database is modified so that any process running as root can apply trust to a certificate.

import Security

let option = SecTrustSettingsResult.trustRoot.rawValue
// SecTrustSettingsResult.trustAsRoot.rawValue for non-root certificates
// `option` is already the raw UInt32 value, so it is wrapped directly in NSNumber
let settings = [kSecTrustSettingsResult: NSNumber(value: option)] as CFDictionary
let status = SecTrustSettingsSetTrustSettings(secCertificate, SecTrustSettingsDomain.admin, settings)

The above code is used to trust certificates, and it was working on OS versions up to 14.7.4.

In 14.7.5, SecTrustSettingsSetTrustSettings() returns errAuthorizationInteractionNotAllowed.
In 15.5, modifying the authorization database with AuthorizationRightSet() itself returns errAuthorizationDenied. I tried manually editing the authorization database via Terminal and the same error occurred.

Did Apple update anything in the Security framework?
Is there any other way to trust certificates?
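A check that goes with the failure described above, added here as an example and not code posted in the thread: rather than assuming the daemon's SecTrustSettingsSetTrustSettings() call took effect, read back which trust-settings domains carry an entry for the certificate and ask the trust engine whether it is actually accepted as an anchor. The certificate path is a placeholder argument; the functions and names are this example's own.

```swift
import Foundation
import Security

// Load a DER-encoded certificate from disk (placeholder path, supplied on the command line).
func loadCertificate(atPath path: String) -> SecCertificate? {
    guard let der = FileManager.default.contents(atPath: path) else { return nil }
    return SecCertificateCreateWithData(nil, der as CFData)
}

// Report which trust-settings domains hold an explicit entry for the certificate.
// SecTrustSettingsCopyTrustSettings returns errSecItemNotFound for a domain without one.
func trustSettingsDomains(for cert: SecCertificate) -> [String] {
    let domains: [(SecTrustSettingsDomain, String)] = [
        (.user, "user"), (.admin, "admin"), (.system, "system")
    ]
    var found: [String] = []
    for (domain, name) in domains {
        var settings: CFArray?
        if SecTrustSettingsCopyTrustSettings(cert, domain, &settings) == errSecSuccess {
            found.append(name)
        }
    }
    return found
}

// The question that matters: does trust evaluation accept this certificate
// under the basic X.509 policy? For a self-signed root this is true only if
// the root is an accepted anchor on this machine.
func isTrustedAnchor(_ cert: SecCertificate) -> (trusted: Bool, error: String?) {
    var trust: SecTrust?
    let policy = SecPolicyCreateBasicX509()
    guard SecTrustCreateWithCertificates(cert, policy, &trust) == errSecSuccess,
          let trust = trust else {
        return (false, "could not create SecTrust")
    }
    var cfError: CFError?
    let ok = SecTrustEvaluateWithError(trust, &cfError)
    return (ok, cfError.map { CFErrorCopyDescription($0) as String })
}

// Usage: swift check-trust.swift /path/to/root.cer  (placeholder path)
let path = CommandLine.arguments.dropFirst().first ?? "/tmp/example-root.cer"
if let cert = loadCertificate(atPath: path) {
    print("explicit trust settings in domains:", trustSettingsDomains(for: cert))
    let result = isTrustedAnchor(cert)
    print("trusted as anchor:", result.trusted, result.error ?? "")
} else {
    print("could not read certificate at \(path)")
}
```

Running this before and after the daemon's call shows directly whether the admin domain gained an entry, and whether evaluation outcome changed, so a non-zero OSStatus from SecTrustSettingsSetTrustSettings() is not the only signal you rely on.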

Answered by DTS Engineer in 842762022

See this thread.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

As per the mentioned thread, is it possible to trust certificates and identities that come along with p12 certificates through MDM?

is it possible to trust certificates and identities that come along with p12 certificates through MDM?

I’m not sure what you’re asking here. A digital identity consists of a private key and a certificate containing the matching public key. In general your device doesn’t need to trust that certificate. Rather, you use the private key to create a signature [1] and pass that data and the certificate to some remote entity. That entity does its own trust evaluation on the certificate. So, you care about whether it’s trusted on the remote entity, not whether it’s trusted locally.

In terms of MDM, there are three certificate-related payloads:

  • com.apple.security.root

  • com.apple.security.pkcs12

  • com.apple.security.pkcs1

The first inserts the root into the system trust store, so that the system trusts any certificates issued by that root. The other two install credentials into the keychain. In the PKCS#12 case it generally doesn’t matter whether the certificate is trusted, as I explained above. And the PKCS#1 case is generally used to provide the system with intermediate certificates.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Or encrypt some data.
