In our macOS daemon process, we are trying to validate a leaf certificate by anchoring the intermediate CA cert and evaluating it using SecTrustEvaluateWithError. The leaf certificate contains a couple of non-critical MS extensions (1.3.6.1.4.1.311.21.10 and 1.3.6.1.4.1.311.21.7). The macOS API fails to parse these extensions and does not evaluate the cert chain. Below is the error returned:
{
NSLocalizedDescription = "\U201abc\U201d certificate is not standards compliant";
NSUnderlyingError = "Error Domain=NSOSStatusErrorDomain Code=-67618 \"Certificate 0 \U201abc\U201d has errors: Unable to parse known extension;\" UserInfo={NSLocalizedDescription=Certificate 0 \U201abc\U201d has errors: Unable to parse known extension;}";
}
As per RFC2459, a non-critical extension can be ignored by the system:
A certificate using system MUST reject the certificate if it encounters a critical extension it does not recognize; however, a non-critical extension may be ignored if it is not recognized.
So, why does macOS not ignore these non-critical extensions and instead return a failure? OS version is 14.4.1.
[For those reading along at home, dispacthMain isn’t able to share the certs publicly, and so they sent me a copy via an alternative channel.]
I’m not 100% sure of this conclusion, but I think the actual issue is this:
type: default
time: 2024-07-17 15:40:18.701654 +0100
process: trustd
subsystem: com.apple.securityd
category: SecWarning
message: Invalid SubjectAltName Extension
Consider this dump of the leaf:
% dumpasn1 -p -a /Users/quinn/Test/leaf.cer
SEQUENCE {
  SEQUENCE {
    [0] {…}
    INTEGER …
    SEQUENCE {…}
    SEQUENCE {…}
    SEQUENCE {
      UTCTime 01/04/2024 16:54:46 GMT
      UTCTime 01/04/2025 16:54:46 GMT
      }
    SEQUENCE {…}
    SEQUENCE {…}
    [3] {
      SEQUENCE {
        SEQUENCE {
          OBJECT IDENTIFIER subjectAltName (2 5 29 17)
          OCTET STRING, encapsulates {
            SEQUENCE {}
            }
          }
        SEQUENCE {…}
        SEQUENCE {…}
        SEQUENCE {…}
        SEQUENCE {…}
        SEQUENCE {…}
        SEQUENCE {…}
        SEQUENCE {…}
        SEQUENCE {…}
        SEQUENCE {…}
        }
      }
    }
  SEQUENCE {…}
  BIT STRING
    …
  }
Note how the subjectAltName extension is empty. RFC 5280 is pretty darned clear on that point:
If the subjectAltName extension is present, the sequence MUST contain at least one entry.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
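The check trustd is applying here can be reproduced outside the Security framework. The following is an added example, not code from the thread or from Apple: a minimal pure-Python DER walker that locates the subjectAltName extension (OID 2.5.29.17) in any DER blob and counts the GeneralName entries inside its OCTET STRING, so an empty SEQUENCE like the one in the dump above is flagged before the certificate ever reaches SecTrustEvaluateWithError. The two sample Extensions blobs at the bottom are constructed for the example; the helper names (`read_tlv`, `san_extension_entries`, `is_san_standards_compliant`) are this example's own, not Security framework APIs.

```python
"""Detect the empty subjectAltName that trustd logs as "Invalid SubjectAltName Extension".

Added example (not from the forum thread). Handles DER definite lengths and
single-byte tags only, which is all an X.509 certificate needs.
"""

# Content octets of the DER-encoded OID 2.5.29.17 (id-ce-subjectAltName).
SAN_OID = bytes([0x55, 0x1D, 0x11])


def read_tlv(buf, pos):
    """Parse one DER TLV starting at buf[pos]; return (tag, content, next_pos)."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(content):
    """Yield (tag, content) for each TLV inside a constructed node's content."""
    pos = 0
    while pos < len(content):
        tag, inner, pos = read_tlv(content, pos)
        yield tag, inner


def san_extension_entries(der):
    """Return the number of GeneralName entries in subjectAltName, or None if the extension is absent.

    Walks every constructed node looking for Extension ::= SEQUENCE { OID, [critical BOOLEAN], OCTET STRING }
    whose OID is subjectAltName, then decodes the OCTET STRING as GeneralNames ::= SEQUENCE OF GeneralName.
    """
    def walk(tag, content):
        if not tag & 0x20:  # primitive node: nothing to descend into
            return None
        kids = list(children(content))
        if tag == 0x30 and kids and kids[0] == (0x06, SAN_OID):
            extn_value = next(c for t, c in kids if t == 0x04)
            inner_tag, names, _ = read_tlv(extn_value, 0)
            if inner_tag != 0x30:
                raise ValueError("subjectAltName extnValue is not a SEQUENCE")
            return len(list(children(names)))
        for t, c in kids:
            found = walk(t, c)
            if found is not None:
                return found
        return None

    tag, content, _ = read_tlv(der, 0)
    return walk(tag, content)


def is_san_standards_compliant(der):
    """RFC 5280 4.2.1.6: if subjectAltName is present, it MUST contain at least one entry."""
    count = san_extension_entries(der)
    return count is None or count > 0


# --- constructed sample data (not taken from the certificates in the thread) ---

def tlv(tag, content):
    """Encode one DER TLV with a definite length."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    length_bytes = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def extensions_with_san(general_names):
    """Build an Extensions SEQUENCE holding one subjectAltName with the given encoded GeneralNames."""
    san_ext = tlv(0x30, tlv(0x06, SAN_OID) + tlv(0x04, tlv(0x30, b"".join(general_names))))
    return tlv(0x30, san_ext)


EMPTY_SAN = extensions_with_san([])  # the shape the dump above shows: SEQUENCE {}
DNS_SAN = extensions_with_san([tlv(0x82, b"example.com")])  # [2] dNSName, a valid entry

if __name__ == "__main__":
    for label, blob in (("empty SAN", EMPTY_SAN), ("dNSName SAN", DNS_SAN)):
        print(f"{label}: entries={san_extension_entries(blob)} compliant={is_san_standards_compliant(blob)}")
```

Run against a real certificate by passing its DER bytes (e.g. the output of `openssl x509 -outform DER`) to `is_san_standards_compliant`; because the walker descends every constructed node it does not care where in the certificate the Extensions sequence sits, so it works on the full certificate as well as on the constructed fragments above.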