SecTrustEvaluate doesn't check revocation status with SecPolicyCreateRevocation policy
| Originator: | hannes.oud.dev | | |
| Number: | rdar://18052070 | Date Originated: | 18-Aug-2014 09:17 PM |
| Status: | CLOSED | Resolved: | FIXED in iOS 9? |
| Product: | iOS SDK | Product Version: | 7.1.2 |
| Classification: | Security | Reproducible: | Always |
Summary:
There is no way to reliably check the revocation status of SSL certificates with the Security Framework. On iOS all flags except kSecRevocationOCSPMethod, kSecRevocationCRLMethod, and ..AnyMethod are ignored.

This might be a duplicate of rdar://12925208

Steps to Reproduce:
As I encountered it at first:
1. Let an app connect to an https site with a valid certificate issued by VeriSign via NSURLConnection
2. Let the leaf certificate be revoked

I attached a demo project, including screenshots of the tests that failed for several days after revocation on a device.

Expected Results:
Security Framework on iOS should not verify the certificate.

Actual Results:
The app now might not notice the revocation for several days. A specific trust evaluation with SecPolicyCreateRevocation and kSecRevocationRequirePositiveResponse fails to detect the revocation when passed the certificate chain.

Version:
iOS 7.1.2

Notes:
The behaviour is a little different when not passing the certificate chain, but only the leaf cert, into the trust evaluation, as my tests have documented.

Configuration:
iPhone5, iOS Simulator, Any Platform

Attachments:
'SecurityExperiments.zip' was successfully uploaded.
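The evaluation the report describes, written as an added example (not code from the attached SecurityExperiments project): a hypothetical NSURLConnection delegate re-evaluates the server trust with an SSL policy plus a revocation policy, then reads SecTrustCopyResult to confirm that revocation was actually consulted, failing closed when it was not. Assumes ARC and the iOS 7+ Security framework; the class name and function name are invented for illustration.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical NSURLConnection delegate: re-evaluates the server trust with an
// explicit revocation policy and fails closed if OCSP/CRL was not consulted.
@interface RevocationCheckingDelegate : NSObject <NSURLConnectionDelegate>
@end
@implementation RevocationCheckingDelegate
// YES only if the chain is trusted for `host` AND revocation was checked.
static BOOL EvaluateWithRevocationCheck(SecTrustRef trust, NSString *host) {
    SecPolicyRef ssl = SecPolicyCreateSSL(true, (__bridge CFStringRef)host);
    // Demand a positive OCSP/CRL answer; the report says this flag is ignored
    // on iOS 7.1.2, so the outcome is verified below rather than assumed.
    SecPolicyRef rev = SecPolicyCreateRevocation(kSecRevocationUseAnyAvailableMethod |
                                                 kSecRevocationRequirePositiveResponse);
    NSArray *policies = @[ (__bridge id)ssl, (__bridge id)rev ];
    SecTrustSetPolicies(trust, (__bridge CFArrayRef)policies);
    SecTrustResultType result = kSecTrustResultInvalid;
    OSStatus status = SecTrustEvaluate(trust, &result);
    BOOL trusted = status == errSecSuccess &&
        (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
    // SecTrustCopyResult (iOS 7+) reports whether revocation was really consulted;
    // a missing or false kSecTrustRevocationChecked means the check did not run.
    BOOL revocationChecked = NO;
    CFDictionaryRef info = SecTrustCopyResult(trust);
    if (info) {
        NSDictionary *d = (__bridge NSDictionary *)info;
        revocationChecked = [d[(__bridge id)kSecTrustRevocationChecked] boolValue];
        NSLog(@"revocation checked=%d, valid until=%@", revocationChecked,
              d[(__bridge id)kSecTrustRevocationValidUntilDate]);
        CFRelease(info);
    }
    CFRelease(ssl);
    CFRelease(rev);
    return trusted && revocationChecked;
}

- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if ([space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust] &&
        EvaluateWithRevocationCheck(space.serverTrust, space.host)) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:space.serverTrust]
             forAuthenticationChallenge:challenge];
    } else {
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}
@end
```

The NSLog line is what makes the reported behaviour visible: on an affected build the chain evaluates as trusted while kSecTrustRevocationChecked stays false or absent, so the connection is cancelled instead of silently proceeding.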