Getting specific error when validating certificate, SecTrustEvaluateWithError

Hi, I'm trying to validate a certificate that I know has two problems:

  • Too long expiration date
  • Hostname mismatch

I'm ok with those problems, so when they occur I want to accept this certificate as valid.

When using:

var error: CFError?
let success = SecTrustEvaluateWithError(trust, &error)
let dictionary = SecTrustCopyResult(trust)

this dictionary contains validation failure reasons under key "TrustResultDetails"

- key : SSLHostname
- value : 0

- key : ValidityPeriodMaximums
- value : 0

but none of those keys are documented, and are not really suitable for production code?

My question is how to know the validation failure reasons, or how to change the validation method to pass validation when those problems occur?

Thanks :)

Accepted Reply

It is coming from IoT device

Ah, I thought that might be the case.

Given that, I’m going to start you out with my TLS For Accessory Developers post. If that doesn’t resolve your issue, post back with a summary of where you got to.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Replies

Is this certificate coming from a server on the wider Internet? Or from a local service, like an accessory?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

It is coming from IoT device

  • wrong hostname because we are connecting via IP address; this is not really a problem because we have a SAN name
  • long expiration date is our real problem here; we do not want to generate new certificates every 825 days


Thank you :) It works. I didn't know SecPolicyCreateBasicX509 is like "just check the minimum"
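The approach this thread converges on, written out as an added Swift example (not the poster's code and not taken from Quinn's post): pin the accessory's own certificate as the sole anchor and evaluate the server trust with SecPolicyCreateBasicX509 instead of the default TLS policy, so the TLS-policy hostname and validity-period-maximum checks no longer apply while chain and signature checks still do. `accessoryCertDER` is an assumed name for the pinned DER certificate bytes shipped with the app.

```swift
import Foundation
import Security

// Evaluate a server trust object against a single pinned accessory certificate,
// using the basic X.509 policy rather than the TLS server policy.
// Decisions are based only on the Bool result and CFError, never on the
// undocumented TrustResultDetails dictionary.
func evaluateAccessoryTrust(_ trust: SecTrust, pinnedCertDER: Data) -> Bool {
    guard let pinned = SecCertificateCreateWithData(nil, pinnedCertDER as CFData) else {
        return false   // bundled certificate is not valid DER; fail closed
    }
    // Replace the TLS/SSL policy attached by URLSession with the basic X.509 policy.
    let policy = SecPolicyCreateBasicX509()
    guard SecTrustSetPolicies(trust, policy) == errSecSuccess else { return false }
    // Trust only the pinned certificate as an anchor, not the system root store.
    guard SecTrustSetAnchorCertificates(trust, [pinned] as CFArray) == errSecSuccess,
          SecTrustSetAnchorCertificatesOnly(trust, true) == errSecSuccess else {
        return false
    }
    var error: CFError?
    let trusted = SecTrustEvaluateWithError(trust, &error)
    if !trusted {
        // Log the documented error for diagnostics; do not try to "repair" the result.
        print("Accessory trust evaluation failed: \(String(describing: error))")
    }
    return trusted
}

// URLSessionDelegate hook: apply the custom evaluation only to server-trust
// challenges and fall back to default handling for everything else.
final class AccessorySessionDelegate: NSObject, URLSessionDelegate {
    let accessoryCertDER: Data   // assumed: DER bytes of the pinned accessory certificate

    init(accessoryCertDER: Data) { self.accessoryCertDER = accessoryCertDER }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        if evaluateAccessoryTrust(trust, pinnedCertDER: accessoryCertDER) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)   // fail closed
        }
    }
}
```

Because the anchor set is restricted to the pinned certificate, any other certificate, including one signed by a public CA, is rejected for this session.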