SecCertificateCreateWithData returns Null in iOS10, when it returned a valid SecCertificateRef in iOS9 and below.

Originator: adealmeida.ehealth
Number: rdar://28618141
Date Originated: 2016-10-04
Status: Open
Resolved: 2016-10-27
Product: iOS SDK
Product Version: iOS SDK 10.0
Classification: Critical
Reproducible: 100%

We use the method "SecCertificateCreateWithData" from the Security Framework to create a certificate object from a DER representation of the certificate when signing it.

This method used to return a valid SecCertificateRef in iOS9 but now returns Null. I checked to see if the DER representation of the certificate passed into "SecCertificateCreateWithData" is a valid DER using OpenSSL as described below:

http://stackoverflow.com/questions/13975520/how-can-i-validate-that-a-certificate-really-is-in-der-format

The certificate data passed in seems to be valid. So, something changed in the Security Framework in iOS10. Either "SecCertificateCreateWithData" is broken in iOS10 or the method has become more strict. I am not sure which one it is. 

The DER representation of the certificate doesn't use a trusted certificate authority (it is self-signed). The keys used to sign the certificate use RSA encryption. I am not sure if any of those things are causing the issue.

Here is the output from running "openssl" to validate the DER (with some parts removed):

~/Desktop:$ openssl x509 -text -inform DER -in MyDER25.txt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            <REMOVED>
        Signature Algorithm: rsaEncryption
        Issuer: CN=ClientApp-<REMOVED>
        Validity
            Not Before: Oct  3 22:59:57 2016 GMT
            Not After : Oct  3 22:59:53 2056 GMT
        Subject: CN=ClientApp-<REMOVED>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                <REMOVED>
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
               <REMOVED>
-----BEGIN CERTIFICATE-----
<REMOVED>
-----END CERTIFICATE-----

Steps to Reproduce:
Make the following call, passing in an "NSData *data" object representing a valid DER:

// allocator NULL = default allocator; data holds the DER-encoded certificate (NSData bridged to CFDataRef)
SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)data);

Expected Results:
A valid SecCertificateRef should be returned by SecCertificateCreateWithData (as is done on iOS9) when the DER representation is passed in. 

Actual Results:
A null pointer is returned instead in iOS10 when SecCertificateCreateWithData is called.

Version:
iOS10.0.1 (14A403)

Configuration:
iPhone 6s, 16 GB, using Wi-Fi.

Comments

Apple responded with this comment:

Apple Developer Relations, October 27 2016, 5:18 PM:

Thanks for your update.

If you see this issue again on a new release, please file a new bug report with fresh diagnostics.

If you have further questions, please update your report again at:

http://bugreport.apple.com

By adealmeida.ehealth at June 5, 2017, 10:25 p.m.

I verified that what they said is correct.

This issue has been verified as resolved and can be closed. When I set the signature algorithms to be the same, everything works as expected. Thanks.

By adealmeida.ehealth at June 5, 2017, 10:25 p.m.

Apple responded with this comment:

Apple Developer Relations, October 13 2016, 1:22 PM:

This issue behaves as intended based on the following:

Based on the openssl text provided by the originator, the certificate has mismatched signature algorithms in the TBS portion of the cert: “Signature Algorithm: rsaEncryption” and in the signature algorithm field outside the TBS: “Signature Algorithm: sha1WithRSAEncryption”

We now enforce that those algorithms match per RFC 5280 Section 4.1.1.2: “This field MUST contain the same algorithm identifier as the signature field in the sequence tbsCertificate (Section 4.1.2.3).”

Please update your bug report to let us know if this is still an issue for you.

By adealmeida.ehealth at June 5, 2017, 10:24 p.m.
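The rule Apple cites can be checked before a certificate is ever handed to the Security framework. What follows is an added example, not code from the report, from Apple or from OpenSSL: a dependency-free Python DER walker that pulls both AlgorithmIdentifiers out of a DER certificate (tbsCertificate.signature and the outer Certificate.signatureAlgorithm) and compares them as RFC 5280 section 4.1.1.2 requires. Because the report's certificate is redacted, the script builds its own constructed, unsigned certificate skeletons, one with the same rsaEncryption/sha1WithRSAEncryption mismatch the openssl output shows and one that is consistent; a real DER file (for example the output of `openssl x509 -inform DER -outform DER`) can be passed to `check_rfc5280_4_1_1_2` instead. The OID values are the standard PKCS#1 identifiers; the function names and the skeleton layout are assumptions of this example.

```python
"""Added example, not Apple's or OpenSSL's code: checks RFC 5280 section 4.1.1.2, that
Certificate.signatureAlgorithm equals tbsCertificate.signature, with a dependency-free
DER walker.  A tiny DER encoder builds the constructed sample certificates."""

# Standard PKCS#1 algorithm OIDs; the first two are the pair shown in the report's openssl output.
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"    # what the report's TBS 'signature' field carried
SHA1_WITH_RSA = "1.2.840.113549.1.1.5"     # what the report's outer signatureAlgorithm carried
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"

# ---- minimal DER encoder, used only to construct the sample certificates ----
def tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")           # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_seq(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))

def der_int(n: int) -> bytes:                # minimal two's-complement INTEGER encoding
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:                     # base-128, continuation bit on all but the last byte
        chunk, arc = bytearray([arc & 0x7F]), arc >> 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return tlv(0x06, bytes(body))

def alg_id(oid: str) -> bytes:               # AlgorithmIdentifier with NULL parameters
    return der_seq(der_oid(oid), tlv(0x05, b""))

def build_skeleton_cert(tbs_sig_oid: str, outer_sig_oid: str) -> bytes:
    """Constructed, unsigned certificate-shaped DER; only the fields the check reads are meaningful."""
    validity = der_seq(tlv(0x17, b"251003225957Z"), tlv(0x17, b"351003225953Z"))
    spki = der_seq(alg_id(RSA_ENCRYPTION), tlv(0x03, b"\x00"))             # placeholder key
    tbs = der_seq(tlv(0xA0, der_int(2)), der_int(1), alg_id(tbs_sig_oid),  # [0] v3, serial, signature
                  der_seq(), validity, der_seq(), spki)                     # empty issuer/subject
    return der_seq(tbs, alg_id(outer_sig_oid), tlv(0x03, b"\x00"))         # placeholder signature

# ---- DER decoder: just enough to reach the two AlgorithmIdentifiers ----
def _read_tlv(buf: bytes, pos: int):
    """(tag, value, end) for the TLV at buf[pos]; indefinite or oversized lengths are rejected."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def _children(body: bytes):                  # (tag, value, raw_tlv) for each direct child element
    pos = 0
    while pos < len(body):
        tag, value, end = _read_tlv(body, pos)
        yield tag, value, body[pos:end]
        pos = end

def _decode_oid(body: bytes) -> str:
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def _parse_alg_id(seq_body: bytes):          # -> (dotted OID, raw parameters or b'' when absent)
    items = list(_children(seq_body))
    if not items or items[0][0] != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OBJECT IDENTIFIER")
    return _decode_oid(items[0][1]), (items[1][2] if len(items) > 1 else b"")

def signature_algorithms(cert_der: bytes):
    """Return (tbsCertificate.signature, Certificate.signatureAlgorithm) as (oid, params) pairs."""
    tag, cert_body, end = _read_tlv(cert_der, 0)
    if tag != 0x30 or end != len(cert_der):
        raise ValueError("input is not a single DER SEQUENCE")
    parts = list(_children(cert_body))
    if len(parts) != 3 or parts[0][0] != 0x30 or parts[1][0] != 0x30:
        raise ValueError("expected Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }")
    tbs = list(_children(parts[0][1]))
    idx = 1 if tbs[0][0] == 0xA0 else 0      # skip the optional [0] EXPLICIT version
    if tbs[idx][0] != 0x02 or tbs[idx + 1][0] != 0x30:
        raise ValueError("expected serialNumber INTEGER followed by the signature AlgorithmIdentifier")
    return _parse_alg_id(tbs[idx + 1][1]), _parse_alg_id(parts[1][1])

def check_rfc5280_4_1_1_2(cert_der: bytes) -> bool:
    """True only when OID and parameters of both AlgorithmIdentifiers match."""
    inner, outer = signature_algorithms(cert_der)
    return inner == outer

if __name__ == "__main__":
    for name, cert in (("mismatched, as in the report", build_skeleton_cert(RSA_ENCRYPTION, SHA1_WITH_RSA)),
                       ("consistent", build_skeleton_cert(SHA256_WITH_RSA, SHA256_WITH_RSA))):
        inner, outer = signature_algorithms(cert)
        verdict = "accept" if check_rfc5280_4_1_1_2(cert) else "reject (RFC 5280 4.1.1.2)"
        print(f"{name}: tbs.signature={inner[0]} signatureAlgorithm={outer[0]} -> {verdict}")
```

The comparison covers the parameters as well as the OID, which is the strict reading of the RFC's "same algorithm identifier". The report's TBS field carries rsaEncryption, a key-type OID rather than a signature-algorithm OID, so this check flags it immediately; running it in the pipeline that issues self-signed certificates catches the defect before a stricter validator such as iOS 10's rejects the certificate at load time.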
