kSecTrustResultProceed misbehave

Privacy & Security General
frank217 OP
Created Feb ’24
Replies 2
Boosts 0
Views 328
Participants 2

"kSecTrustResultProceed indicates that the user has explicitly trusted a certificate." Problem: kSecTrustResultProceed returned from 'SecTrustEvaluate' for some users(733/million), while their cert chain contains non explicitly trusted certs:

cert chain:

  • ***.***.com
  • Go Daddy Secure Certificate Authority - G2
  • Go Daddy Root Certificate Authority - G2

(Go Daddy is trusted on iOS, not explicitly trusted)

I cannot reproduce this on my phone, but it does exist, for some users, including iOS 17. Any thoughts?


    SecTrustResultType res = kSecTrustResultInvalid;
    SecTrustEvaluate(secTrust, &res);
    if (res == kSecTrustResultUnspecified) {
        return YES;
    }
    if (res == kSecTrustResultProceed) {
        // some check... found this question
        return YES;
    }
    if (res != kSecTrustResultRecoverableTrustFailure) {
        return NO;
    }
    // some recover...
    
    return recovered;
Replies  2
Boosts  0
Views  328
Participants  2
frank217 OP
Feb ’24

One possible reason: device installed the Go Daddy certificate manually, but why do users do that?

0
DTS Engineer OP
Apple
Feb ’24

One possible reason: device installed the Go Daddy certificate manually

That’s certainly a theory worth exploring.

You could test this theory in your office to see whether it produces the results you’re seeing. QA1948 HTTPS and Test Servers explains how to install and trust a custom CA’s root certificate, and I think those steps will work for an actual CA as well.

but why do users do that?

You’d have to ask one of the affected users.

I can think of various theories:

  • Their device might be jailbroken subject to unauthorised modifications, at which point all best are off.

  • They might be in a managed environment, and the device manager has decided to push a configuration profile with that CA [1].

  • They might have hit a problem and decided to follow some advice they found on the Internet.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Possibly because it’s needed on some other device and they have enterprise-wide policy about such things.

0
kSecTrustResultProceed misbehave
First post date Last post date
 
 
Q