Hi,
I am developing an app that requires manually checking if a certificate has been revoked via a CRL (certificate revocation list).
However, I'm running into an issue where my revocation check fails due to my root certificate "not meeting pinning requirements". After some searching I found this article: https://support.apple.com/en-us/HT210176
That article indicates that iOS requires certificates to have certain key sizes, etc. which my root certificate seemingly does not.
Is there any way to get around that when you are performing a trust evaluation manually? (i.e. via SecTrustEvaluateWithError). Note that the certificates I am working with are NOT used for TLS connections, which is why I was hoping there was a workaround for this.
For reference, I am using code similar to the following:
// Create policies
let basicPolicy = SecPolicyCreateBasicX509()
let crlPolicy = SecPolicyCreateRevocation(kSecRevocationOCSPMethod | kSecRevocationCRLMethod | kSecRevocationRequirePositiveResponse)
// Create trust
var trust: SecTrust?
SecTrustCreateWithCertificates(cert, [basicPolicy, crlPolicy] as CFArray, &trust)
SecTrustSetAnchorCertificates(trust, [rootCert] as CFArray)
SecTrustSetNetworkFetchAllowed(trust, true)
// Evaluate trust
var error: CFError?
guard SecTrustEvaluateWithError(trust, &error) else {
// Handle error
}
In the above code cert is the certificate I'm checking and rootCert is the root certificate that contains the CRL distribution points.
The error I am getting is:
Error Domain=NSOSStatusErrorDomain Code=-67635 ""<redacted>","<redacted>" certificates do not meet pinning requirements"
Thanks!
