Security.framework: Where is SecTrustSettingsSetTrustSettings method?

Hi all,


I added a certificate to the iOS keychain, and now I want to trust this certificate to make my HTTPS request work. I found that I need to use the SecTrustSettingsSetTrustSettings method to make the certificate trusted.


I read the API reference here: https://developer.apple.com/reference/security/1667150-certificate_key_and_trust_servic?language=objc

and see that this method exists, but I do not know why it is not found in my Security.framework.


I'm using iPhoneOS10.1.sdk, Objective C language.


Also my Security.framework lacks all methods of Managing Trust Settings...


So what must I do to be able to use these methods to trust my certificate? How can my Security.framework have all the methods listed in the API reference?


Please help me!!


Thank you very much,

Hiep

Accepted Reply

I'm using a certificate to create an HTTPS request, using the cross-platform CURL library and a client self-signed certificate. As I researched, I think somehow this certificate must be trusted to make my HTTPS work. Is it right?

That depends on how the library you’re using is structured. Most networking libraries do default (RFC 2818) server trust evaluation and then provide some way to customise that trust evaluation. For example, for NSURLSession you can customise the default server trust evaluation via authentication challenge delegate callbacks, as discussed in Technote 2232 HTTPS Server Trust Evaluation.

You should look at the documentation for the library you’re using.

Notwithstanding the above, I generally recommend that you avoid using self-signed certificates. In most cases there are better ways. See the discussion of points A, B and C in this post.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
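The NSURLSession customisation mentioned in the reply above, sketched as an added example that is not part of the original thread and is not Apple's or the poster's code. It evaluates the server's chain against one bundled root instead of the system trust store, while the hostname check already attached to the server trust object stays in force. The class name, the bundled file `MyRootCA.cer` (DER encoded) and the host `internal.example.com` are assumptions.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical delegate class; "MyRootCA.cer" and the host name are assumptions.
@interface CustomRootDelegate : NSObject <NSURLSessionDelegate>
@end

@implementation CustomRootDelegate

- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition,
                             NSURLCredential * _Nullable))completionHandler {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    // Customise server trust only for our own host; everything else
    // keeps the default evaluation against the system trust store.
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust] ||
        ![space.host isEqualToString:@"internal.example.com"]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    SecTrustRef trust = space.serverTrust;
    NSURL *url = [[NSBundle mainBundle] URLForResource:@"MyRootCA" withExtension:@"cer"];
    NSData *der = url ? [NSData dataWithContentsOfURL:url] : nil;
    SecCertificateRef root =
        der ? SecCertificateCreateWithData(NULL, (__bridge CFDataRef)der) : NULL;
    if (trust == NULL || root == NULL) {
        // Fail closed: a missing or unparsable root must not mean "accept anything".
        if (root) CFRelease(root);
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
        return;
    }
    NSArray *anchors = @[ (__bridge id)root ];   // the array retains the certificate
    CFRelease(root);
    // Use our root as the only anchor; the second call states that explicitly.
    OSStatus status = SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors);
    if (status == errSecSuccess) status = SecTrustSetAnchorCertificatesOnly(trust, true);
    // SecTrustEvaluateWithError needs iOS 12 or later; older SDKs use SecTrustEvaluate.
    CFErrorRef error = NULL;
    BOOL trusted = (status == errSecSuccess) && SecTrustEvaluateWithError(trust, &error);
    if (error) CFRelease(error);
    if (trusted) {
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:trust]);
    } else {
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}
@end
```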

Replies

I added a certificate to the iOS keychain, and now I want to trust this certificate to make my HTTPS request work. I found that I need to use the SecTrustSettingsSetTrustSettings method to make the certificate trusted.

You are, alas, in the weeds here. The Security framework is implemented differently on iOS and macOS, and the documentation you’ve referenced is referring to the macOS implementation. On iOS there is a keychain and a separate trust store, and there’s no API to modify, or even directly access, the trust store.

How you proceed here really depends on why you need to trust a custom root certificate. Is this for networking code (HTTPS, or the lower-level TLS)? Or are you doing something more complex with the Security framework itself?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks Eskimo. OMG, I thought that was iOS's documentation.


To answer your question:


1. How you proceed here really depends on why you need to trust a custom root certificate. Is this for networking code (HTTPS, or the lower-level TLS)?


=> Yes! I'm using a certificate to create an HTTPS request, using the cross-platform CURL library and a client self-signed certificate. As I researched, I think somehow this certificate must be trusted to make my HTTPS work. Is it right? Or can you please give me your advice?


Thanks again for your help.

Hiep

Thank you very much Eskimo. I solved my problem.