SecTrustEvaluate() failing with kSecTrustResultRecoverableTrustFailure

  • Subject: SecTrustEvaluate() failing with kSecTrustResultRecoverableTrustFailure
  • From: Rick Mann <email@hidden>
  • Date: Wed, 15 May 2013 21:13:38 -0700

I'm trying to validate our self-signed certificate in NSURLConnectionDelegate's -connection:willSendRequestForAuthenticationChallenge: using itself as the root cert. I'm not 100% sure I'm doing it right, but looking at the ridiculously, excessively complicated example code, I've come up with this:

mRootCert holds a certificate I created with:

	// inRootCert is the DER-encoded certificate as NSData. __bridge hands it to the CF call
	// without transferring ownership (CFBridgingRetain here would leak it). The returned
	// SecCertificateRef is a +1 reference this object owns; CFRelease it in dealloc.
	mRootCert = SecCertificateCreateWithData(kCFAllocatorDefault, (__bridge CFDataRef) inRootCert);

- (void)
connection: (NSURLConnection*) inConnection
    willSendRequestForAuthenticationChallenge: (NSURLAuthenticationChallenge*) inChallenge
{
    NSLog(@"Connection challenged");
    NSURLProtectionSpace* protectionSpace = inChallenge.protectionSpace;
    SecTrustRef trust = protectionSpace.serverTrust;

    // __bridge keeps ownership of mRootCert with this object. CFBridgingRelease would hand
    // the reference to ARC, so the ivar would dangle once `certs` is deallocated.
    NSArray* certs = @[ (__bridge id) mRootCert ];
    // Likewise __bridge here: CFBridgingRetain(certs) would leak the array on every challenge.
    OSStatus err = SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef) certs);
    if (err == noErr)
    {
        SecTrustResultType trustResult;
        err = SecTrustEvaluate(trust, &trustResult);
        bool trusted = err == noErr;
        trusted = trusted && (trustResult == kSecTrustResultProceed || trustResult == kSecTrustResultUnspecified);
        if (trusted)
        {
            NSURLCredential* credential = [NSURLCredential credentialForTrust: trust];
            [inChallenge.sender useCredential: credential forAuthenticationChallenge: inChallenge];
            return;
        }
    }

    //  An error occurred, or we don't trust the cert, so disallow it…

    [inChallenge.sender cancelAuthenticationChallenge: inChallenge];
}

Unfortunately, the result of evaluating the trust is: kSecTrustResultRecoverableTrustFailure, which the headers describe as:

> kSecTrustResultRecoverableTrustFailure Indicates a trust
>     framework failure; retry after fixing inputs. This value may be returned
>     by the SecTrustEvaluate function but not stored as part of the user
>     trust settings.

Which really doesn't tell me anything.

A couple of notes:

	- The cert is self-signed, and is its own root.
	- The hostname/address of the server to which I'm connecting is never fixed, and I'm not trying to validate against that. I only want to validate that the server's cert is the cert I expect.

Anyone have any idea?

Thanks!

--
Rick
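An added helper for the same task (not the poster's code and not Apple's sample code), written to do the check the post actually asks for: accept the connection only if the leaf certificate the server presents is exactly the expected self-signed certificate. The serverTrust object that NSURLConnection hands the delegate carries an SSL policy bound to the request's hostname; since the post says the host varies, this replaces it with a hostname-less SSL policy and pins the leaf's DER bytes instead. `expectedCertData` is an assumed placeholder name for an NSData holding the certificate's DER bytes.

```objc
// Added example, not from the original post. Assumes `expectedCertData` (placeholder
// name) is an NSData holding the DER bytes of the self-signed server certificate.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Returns YES only if `trust` evaluates successfully against our own cert as the sole
// anchor AND the leaf the server presented is byte-for-byte the expected certificate.
static BOOL TrustMatchesPinnedCert(SecTrustRef trust, NSData* expectedCertData)
{
    SecCertificateRef expected = SecCertificateCreateWithData(NULL, (__bridge CFDataRef) expectedCertData);
    if (expected == NULL) return NO;   // expectedCertData is not valid DER

    BOOL ok = NO;
    // Use our cert as the only root; do not fall back to the system anchors.
    NSArray* anchors = @[ (__bridge id) expected ];
    if (SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef) anchors) == errSecSuccess
        && SecTrustSetAnchorCertificatesOnly(trust, true) == errSecSuccess)
    {
        // The policy already on serverTrust checks the request's hostname. The post says
        // the host is never fixed, so evaluate with an SSL policy that has no hostname.
        SecPolicyRef policy = SecPolicyCreateSSL(true, NULL);
        if (policy != NULL && SecTrustSetPolicies(trust, policy) == errSecSuccess)
        {
            SecTrustResultType result = kSecTrustResultInvalid;
            if (SecTrustEvaluate(trust, &result) == errSecSuccess
                && (result == kSecTrustResultProceed || result == kSecTrustResultUnspecified)
                && SecTrustGetCertificateCount(trust) > 0)
            {
                // Pin: the leaf (index 0) must be exactly the certificate we expect.
                SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
                NSData* leafData = CFBridgingRelease(SecCertificateCopyData(leaf));
                ok = [leafData isEqualToData: expectedCertData];
            }
        }
        if (policy != NULL) CFRelease(policy);
    }
    CFRelease(expected);
    return ok;
}
```

In the delegate method from the post, replace the anchor/evaluate block with `TrustMatchesPinnedCert(trust, expectedCertData)`, calling useCredential: on YES and cancelAuthenticationChallenge: otherwise.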




_______________________________________________

Cocoa-dev mailing list (email@hidden)



  • Follow-Ups:
    • Re: SecTrustEvaluate() failing with kSecTrustResultRecoverableTrustFailure
      • From: Jens Alfke <email@hidden>