Can I validate an HTTPS server using Code Signing Requirement Language?

I'm wondering if there's any way I could basically take a SecTrust object and evaluate it in terms of a SecRequirement instance?


I understand that the Code Signing Requirement Language goes a bit beyond just X.509 certificate stuff, and is primarily intended for, well, code signing. That said, its certificate related features seem completely applicable in other contexts.


I'm in a situation where I'm checking certificates in a TLS context, rather than any code object. E.g. given a URLAuthenticationChallenge I'd like to assert that its `.protectionSpace.serverTrust` meets a requirements string such as "anchor = H\"b72bb0424ed86ff665b4776c006ac57014d3b6a5\"".


The requirements language is easy to read and to tweak in the future, especially compared to using the SecCert APIs directly. Poking into the code for e.g. SecStaticCode::validateRequirement makes me pessimistic, but I wanted to double-check: does Apple provide any API I could use to evaluate a SecTrust object in terms of a SecRequirement?

Accepted Reply

does Apple provide any API I could use to evaluate a SecTrust object in terms of a SecRequirement?

No. There’s no way to evaluate requirements outside of a code signing context.

The requirements language is easy to read and to tweak in the future, especially compared to using the SecCert APIs directly.

That’s a nice idea. You could certainly file an enhancement request for this facility, although be aware it would require Apple to also make a bunch of code signing stuff public API on iOS (it’s currently on iOS, but private).

If you do file an ER, please post your bug number, just for the record.

In your shoes I’d probably create a tiny DSL to express my requirements and build an engine that interprets that DSL against a specific trust object. For example:

struct Requirements {
    var steps: [Step]

    enum Step {
        case anchor(hash: Data)
        … and so on …
    }
}

Building something as complex as the requirements language would be tricky, but you could start simple and expand the DSL as you need more flexibility.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
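A small, working instance of the DSL-plus-interpreter idea from the reply above, added here as an example and not code from the thread or from Apple. It accepts only the one form used in the question (anchor = H"<sha1>") and evaluates it against a SecTrust; the type and method names are this example's own, the hash value is the one quoted in the question and is only a placeholder, and SecTrustCopyCertificateChain assumes macOS 12 / iOS 15 or later.

```swift
import Foundation
import Security
import CryptoKit

/// Minimal requirement DSL: currently one step kind, `anchor = H"<sha1>"`.
struct Requirement {
    enum Step { case anchor(sha1: Data) }
    var steps: [Step]

    /// Parse the requirement text; returns nil for any form we do not support.
    init?(_ text: String) {
        let re = try! NSRegularExpression(pattern: #"^\s*anchor\s*=\s*H"([0-9a-fA-F]{40})"\s*$"#)
        let ns = text as NSString
        guard let m = re.firstMatch(in: text, range: NSRange(location: 0, length: ns.length)) else { return nil }
        let hex = ns.substring(with: m.range(at: 1))
        var bytes: [UInt8] = []
        var i = hex.startIndex
        while i < hex.endIndex {
            let next = hex.index(i, offsetBy: 2)
            bytes.append(UInt8(hex[i..<next], radix: 16)!)   // regex already guaranteed hex
            i = next
        }
        steps = [.anchor(sha1: Data(bytes))]
    }

    /// Interpret the steps against a server trust. The standard TLS/X.509 evaluation
    /// runs first: only a successfully evaluated chain ends in a verified anchor, so
    /// a pin check on an unevaluated chain would be meaningless.
    func isSatisfied(by trust: SecTrust) -> Bool {
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error),
              let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let anchor = chain.last else { return false }
        // CSRL's H"…" form is the SHA-1 of the certificate's DER encoding.
        let der = SecCertificateCopyData(anchor) as Data
        let digest = Data(Insecure.SHA1.hash(data: der))
        return steps.allSatisfy { step in
            switch step {
            case .anchor(let want): return want == digest
            }
        }
    }
}

// Usage inside a URLSession challenge handler (hash is the question's placeholder value):
// guard let trust = challenge.protectionSpace.serverTrust,
//       let req = Requirement(#"anchor = H"b72bb0424ed86ff665b4776c006ac57014d3b6a5""#),
//       req.isSatisfied(by: trust) else { return (.cancelAuthenticationChallenge, nil) }
// return (.useCredential, URLCredential(trust: trust))
```

Because the requirement text is parsed at run time, the pinned anchor can be changed without touching the evaluation code, which was the readability and maintainability benefit the question was after.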
