Regression: SecTrustEvaluate no longer lets callers disable AIA fetching

Originator: ryan.sleevi
Number: rdar://9974588    Date Originated: 18-Aug-2011 01:20 AM
Status: Open    Resolved:
Product: Mac OS X    Product Version: 10.6.8
Classification: Other Bug    Reproducible: Always

18-Aug-2011 01:20 AM Ryan Sleevi:
Summary:
In all versions of OS X prior to 10.6.8/10.7.0, the default behaviour of SecTrustEvaluate() was that it would NOT attempt to retrieve issuer certificates from the network using the caIssuers field of the authorityInfoAccess extension. This was true regardless of the trust policy supplied to SecTrustEvaluate.

However, in 10.6.8/10.7.0 this has changed: if an SSL policy is found among the supplied policies, SecTrustEvaluate() forces network fetches to be enabled. This regression means there is no API-supported way to disable revocation checking.

Steps to Reproduce:
1) Create a policy with CSSMOID_APPLE_TP_SSL/SecPolicyCreateSSL.
2) Pass the new SecPolicyRef into SecTrustCreateWithCertificates, specifying a certificate with an AIA extension, for example the certificate for https://encrypted.google.com.
3) Call SecTrustSetParameters, making sure to explicitly NOT specify CSSM_TP_ACTION_FETCH_CERT_FROM_NET in CSSM_APPLE_TP_ACTION_DATA.ActionFlags.
4) Call SecTrustEvaluate().
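As an added example (not part of the original report), a small Objective-C program that walks the four steps above and reports whether the trust chain grew beyond the single leaf that was supplied. It assumes a DER-encoded copy of the leaf certificate at a path given on the command line, the host name as the second argument, and that the intermediate is absent from every keychain, so that a longer chain can only have come from a network fetch.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
// Reproduces the four steps with only the leaf supplied. Returns 1 if the chain the TP built
// is longer than one certificate (an issuer was fetched), 0 if not, -1 on an API error.
static int aiaFetchObserved(NSString *derPath, NSString *hostname)
{
    NSData *der = [NSData dataWithContentsOfFile:derPath];
    if (der == nil) { fprintf(stderr, "cannot read %s\n", [derPath UTF8String]); return -1; }
    SecCertificateRef leaf = SecCertificateCreateWithData(NULL, (CFDataRef)der);
    if (leaf == NULL) { fprintf(stderr, "not a DER certificate\n"); return -1; }
    // Step 1: SSL server policy (CSSMOID_APPLE_TP_SSL) for the host name.
    SecPolicyRef policy = SecPolicyCreateSSL(true, (CFStringRef)hostname);
    // Step 2: trust object containing only the leaf.
    SecTrustRef trust = NULL;
    OSStatus status = SecTrustCreateWithCertificates(leaf, policy, &trust);
    if (status != errSecSuccess) { fprintf(stderr, "SecTrustCreateWithCertificates: %d\n", (int)status); return -1; }
    // Step 3: action data with CSSM_TP_ACTION_FETCH_CERT_FROM_NET deliberately omitted.
    CSSM_APPLE_TP_ACTION_DATA actionData;
    memset(&actionData, 0, sizeof(actionData));
    actionData.Version = CSSM_APPLE_TP_ACTION_VERSION;
    actionData.ActionFlags = 0;   /* no FETCH_CERT_FROM_NET, no revocation flags */
    CFDataRef actionBytes = CFDataCreate(NULL, (const UInt8 *)&actionData, sizeof(actionData));
    status = SecTrustSetParameters(trust, CSSM_TP_ACTION_DEFAULT, actionBytes);
    CFRelease(actionBytes);
    if (status != errSecSuccess) { fprintf(stderr, "SecTrustSetParameters: %d\n", (int)status); return -1; }
    // Step 4: evaluate, then read back the chain the TP actually built. SecTrustGetResult is
    // used because it exists on both 10.6 and 10.7 (SecTrustGetCertificateCount is 10.7+).
    SecTrustResultType result = kSecTrustResultInvalid;
    status = SecTrustEvaluate(trust, &result);
    if (status != errSecSuccess) { fprintf(stderr, "SecTrustEvaluate: %d\n", (int)status); return -1; }
    CFArrayRef chain = NULL;
    CSSM_TP_APPLE_EVIDENCE_INFO *evidence = NULL;   /* owned by trust; do not free */
    status = SecTrustGetResult(trust, &result, &chain, &evidence);
    CFIndex chainLen = (status == errSecSuccess && chain != NULL) ? CFArrayGetCount(chain) : 0;
    printf("trust result %u, chain length %ld\n", (unsigned)result, (long)chainLen);
    // Expected per the report: result 5 (kSecTrustResultRecoverableTrustFailure), length 1.
    // Observed on 10.6.8/10.7.0 per the report: result 4 (kSecTrustResultUnspecified), chain reaches the root.
    if (chain != NULL) CFRelease(chain);
    CFRelease(trust); CFRelease(policy); CFRelease(leaf);
    return chainLen > 1 ? 1 : 0;
}
int main(int argc, const char *argv[])
{
    if (argc != 3) { fprintf(stderr, "usage: %s leaf.der hostname\n", argv[0]); return 2; }
    NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
    int observed = aiaFetchObserved([NSString stringWithUTF8String:argv[1]], [NSString stringWithUTF8String:argv[2]]);
    [pool drain];
    return observed;   /* exit 1 = an issuer was fetched although the flag was absent */
}
```

Build with `clang -framework Foundation -framework Security` (the 10.6-era calls are deprecated on later releases, so expect deprecation warnings) and compare the exit status before and after 10.6.8.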

Expected Results:
There should be no attempt to retrieve http://www.gstatic.com/GoogleInternetAuthority/GoogleInternetAuthority.crt, which is the caIssuer found in the authorityInfoAccess. Because the "Google Internet Authority" intermediate certificate is not included in the Keychain/system roots, the certificate should fail to validate.

Actual Results:
The certificate validates, because the intermediate is fetched via AIA and the chain reaches a trusted root, the "Equifax Secure Certificate Authority".

Regression:
This regressed in 10.6.8/10.7.0. Within the source, this is lines 229-232 of http://www.opensource.apple.com/source/libsecurity_keychain/libsecurity_keychain-55017/lib/Trust.cpp, which were added between 10.6.7 and 10.6.8.

The source specifically refers to rdar://7422356.

Notes:
As an application developer, there are times when I actively and explicitly want to disable AIA chasing, either as a privacy risk or as a matter of performance. This has been possible since OS X 10.2, and it regressed without much explanation or an alternative (such as CSSM_TP_ACTION_DISABLE_FETCH_FROM_NET, if FETCH_FROM_NET was to become the new default).
