Keychain query does not match against certificate's Subject Alternative Name (2.5.29.17)

We have a valid, unexpired, trusted wildcard certificate in the keychain with both Subject Alternative Names (2.5.29.17): DNS Name *.example.com, DNS Name example.com.

Our query does not match against example.com; it matches only against *.example.com.

import Security
import XCTest

let exactHostname = "example.com"
let keychainQuery: [CFString: Any] = [
  kSecClass: kSecClassCertificate,
  // kSecAttrLabel: exactHostname,   // keychain label name; should not be used to query by hostname
  // kSecAttrSubject: exactHostname, // also does not work
  kSecMatchSubjectWholeString: exactHostname,
  kSecMatchValidOnDate: kCFNull!,    // date; kCFNull means "valid at the current date"
  kSecReturnRef: true]

var item: CFTypeRef?
var identity: SecIdentity?

let status = SecItemCopyMatching(keychainQuery as CFDictionary, &item)
XCTAssert(status == errSecSuccess, "Failed to get certificate: \(status)")

How do we query against a Subject Alternative Name DNS name?

Accepted Reply

Should've used kSecAttrServer. Sorry, I was wrong with my conclusion. @Eskimo, @meaton, please help.

Replies

How do we query against a Subject Alternative Name DNS name?

There isn’t a key for that. You’ll have to get all the certificates and do your own matching.

And, annoyingly, there isn’t an API to get the contents of the Subject Alternative Name from a certificate. If you really need to do this, you’d have to parse the certificate’s data yourself.

Can you explain more about how you got yourself into this situation? What you’re looking to do is kinda strange, so I’d like to get some of the backstory to see if there isn’t an easier approach.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
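Following Quinn's advice, here is an added example (not from this thread and not Apple sample code) of doing the matching in your own code: it fetches every certificate item with kSecMatchLimitAll, walks the DER from SecCertificateCopyData down to the extensions block, pulls the dNSName entries out of extension 2.5.29.17 and matches them with the usual one-label wildcard rule. The DER, sanDNSNames, hostMatches and findCertificate names are my own; the walker assumes well-formed DER and ignores the other GeneralName forms (IP addresses, email, URIs).

```swift
import Foundation
import Security
// Minimal DER TLV reader (own helper; assumes well-formed DER with definite lengths up to 4 bytes).
struct DER {
    let bytes: [UInt8]
    func tlv(at i: Int) -> (tag: UInt8, body: Range<Int>, next: Int)? {
        guard i + 1 < bytes.count else { return nil }
        var len = Int(bytes[i + 1]), p = i + 2
        if len & 0x80 != 0 {                       // long-form length: next n bytes hold it
            let n = len & 0x7F; guard n <= 4, p + n <= bytes.count else { return nil }
            len = bytes[p..<p + n].reduce(0) { $0 << 8 | Int($1) }; p += n
        }
        guard p + len <= bytes.count else { return nil }
        return (bytes[i], p..<p + len, p + len)
    }
    func children(of r: Range<Int>) -> [(tag: UInt8, body: Range<Int>)] {
        var out: [(tag: UInt8, body: Range<Int>)] = [], p = r.lowerBound
        while p < r.upperBound, let t = tlv(at: p) { out.append((t.tag, t.body)); p = t.next }
        return out
    }
}
// dNSName entries of the Subject Alternative Name extension in a DER-encoded certificate.
func sanDNSNames(_ der: [UInt8]) -> [String] {
    let d = DER(bytes: der)
    guard let cert = d.tlv(at: 0), let tbs = d.tlv(at: cert.body.lowerBound),
          let exts = d.children(of: tbs.body).first(where: { $0.tag == 0xA3 }),   // [3] EXPLICIT Extensions
          let seq = d.tlv(at: exts.body.lowerBound) else { return [] }
    for ext in d.children(of: seq.body) {      // Extension ::= SEQUENCE { extnID, [critical], extnValue }
        let parts = d.children(of: ext.body)
        guard let oid = parts.first, der[oid.body].elementsEqual([0x55, 0x1D, 0x11]),   // 2.5.29.17
              let value = parts.last, value.tag == 0x04,
              let names = d.tlv(at: value.body.lowerBound) else { continue }
        return d.children(of: names.body).filter { $0.tag == 0x82 }   // [2] dNSName (IA5String)
            .compactMap { String(bytes: der[$0.body], encoding: .ascii) }
    }
    return []
}
// Case-insensitive match; a wildcard is honoured only as the whole leftmost label and covers one label.
func hostMatches(_ host: String, pattern: String) -> Bool {
    let h = host.lowercased().split(separator: "."), p = pattern.lowercased().split(separator: ".")
    guard p.first == "*" else { return h == p }
    return h.count == p.count && h.dropFirst().elementsEqual(p.dropFirst())
}
// Fetch every certificate item in the keychain and return the first whose SAN covers `host`.
func findCertificate(for host: String) -> SecCertificate? {
    let query: [CFString: Any] = [kSecClass: kSecClassCertificate, kSecMatchLimit: kSecMatchLimitAll, kSecReturnRef: true]
    var result: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
          let certs = result as? [SecCertificate] else { return nil }
    return certs.first { cert in sanDNSNames([UInt8](SecCertificateCopyData(cert) as Data)).contains { hostMatches(host, pattern: $0) } }
}
```

This only selects a certificate by name; expiry and trust are not checked here and still have to be evaluated through SecTrust before the certificate is used.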