Is there a way to get the built-in list of anchor certificates from the OS?

I am looking for a way to get the immutable list of anchor certificates from the OS. The aim would be to pass this list to SecTrustSetAnchorCertificates() in order to fail validation in case of man-in-the-middle attacks via a trusted certificate added to the keychain. This would hit a middle ground between doing nothing and doing full certificate pinning. Is there a way to achieve this?

What platform?

And just curious, who are you trying to protect against: a bad actor who quietly compromises a victim’s device to install their own root cert? Or a tech-savvy device owner who wants to use something like mitmproxy to inspect your app’s traffic? If the latter, then why?

iOS and macOS. Trying to block real attacks/snooping, not the device owner inspecting traffic.

If nobody has an answer about an API for this, you can at least get the certs during development from here: Available trusted root certificates for Apple operating systems. Then you could bake their fingerprints into your app. Unfortunately those pages don’t provide an easily digestible format such as CSV.

I am looking for a way to get the immutable list of anchor certificates from the OS.

There is no API to enumerate the built-in iOS trust store.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Would there be a way to tell whether an instance of SecCertificateRef is trusted as part of the immutable store vs. the system/user keychain?

Would there be a way to tell whether an instance of SecCertificateRef is trusted as part of the immutable store vs. the system/user keychain?

No.

You should feel free to file an enhancement request describing your requirements. Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

And maybe include the suggestion that the data behind Available trusted root certificates for Apple operating systems be made available in machine-readable form, if my suggestion about that proves useful.

@eskimo here it is: FB12059413

Is there a way to get the built-in list of anchor certificates from the OS?
 
 
Q