Closed aj-dt closed 1 year ago
Thx for adding the support back! Much needed here :)
@nabla-c0d3 removed the bool return value from `evaluateCertificateChainTrust()` following your suggestion. It turned out to be redundant with the error parameter, so now there is less opportunity to confuse that return value as a signal that the cert is trusted, and one must examine the trust result to know the details.
Restore runtime support for iOS 12, tvOS 12, watchOS 4 and macOS 10.13.

Adds OS-sensitive versions for copying keys (`copyKey()`) and evaluating server trust (`evaluateCertificateChainTrust()`). `copyKey()` calls `SecTrustCopyKey()` on iOS 14+ and `SecTrustCopyPublicKey()` on earlier OSs. `evaluateCertificateChainTrust()` calls `SecTrustEvaluateWithError()` on iOS 12+ and `SecTrustEvaluate()` on earlier OSs. Note that macOS, tvOS, watchOS have slightly different version thresholds.

One subtlety in the implementation lies in `evaluateCertificateChainTrust()`, which effectively "returns" three values: the bool return value and the referenced parameters TrustResult and the NSError. Since `SecTrustEvaluateWithError()` and `SecTrustEvaluate()` return slightly different sets of these three values for the various possible scenarios, interpretation of these results is delicate and requires if conditions evaluating combinations of these values. I consider this complexity acceptable given that consumers of TrustKit are shielded from it. For validation of the current code we rely on the unit tests (which all pass).

Note that with these changes support for running on iOS 12 and iOS 13 is restored, however building with old versions of Xcode may fail. In particular, the use of `@available(iOS 14.0)` likely introduces a requirement to build with Xcode >= 12 (the earliest Xcode to ship with iOS 14, see here).
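As an added illustration of the OS-version dispatch and the three-value subtlety described in this PR (example code, not TrustKit's own implementation): the `Example*` helper names are hypothetical, and the per-OS thresholds in the `@available` checks are assumed from Apple's availability annotations for these APIs rather than taken from the PR.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical helper (not TrustKit's): the verdict is delivered only through
// *trustResult and *error, never a bool that could be misread as "trusted".
static void ExampleEvaluateCertificateChainTrust(SecTrustRef trust,
                                                 SecTrustResultType *trustResult,
                                                 NSError **error)
{
    *trustResult = kSecTrustResultInvalid;
    if (@available(iOS 12.0, macOS 10.14, tvOS 12.0, watchOS 5.0, *)) {
        // Modern API: a bool plus a CFError, but no SecTrustResultType, so the
        // detailed result is fetched separately with SecTrustGetTrustResult().
        CFErrorRef cfError = NULL;
        bool trusted = SecTrustEvaluateWithError(trust, &cfError);
        if (SecTrustGetTrustResult(trust, trustResult) != errSecSuccess) {
            *trustResult = kSecTrustResultInvalid;
        }
        if (!trusted && error) {
            *error = cfError ? CFBridgingRelease(cfError)
                             : [NSError errorWithDomain:NSOSStatusErrorDomain code:errSecNotTrusted userInfo:nil];
        } else if (cfError) {
            CFRelease(cfError);
        }
    } else {
        // Legacy API: the OSStatus only says whether evaluation ran; the verdict is
        // in *trustResult. errSecSuccess + kSecTrustResultRecoverableTrustFailure
        // still means "not trusted".
        OSStatus status = SecTrustEvaluate(trust, trustResult);
        if (status != errSecSuccess) {
            *trustResult = kSecTrustResultInvalid;
            if (error) *error = [NSError errorWithDomain:NSOSStatusErrorDomain code:status userInfo:nil];
        }
    }
}

// One place decides what "trusted" means; callers inspect the result, not a bool.
static BOOL ExampleIsChainTrusted(SecTrustResultType trustResult)
{
    return trustResult == kSecTrustResultProceed || trustResult == kSecTrustResultUnspecified;
}

// Same dispatch pattern for extracting the key; note the per-OS thresholds differ.
static SecKeyRef ExampleCopyKey(SecTrustRef trust)
{
    if (@available(iOS 14.0, macOS 11.0, tvOS 14.0, watchOS 7.0, *)) {
        return SecTrustCopyKey(trust);
    }
    return SecTrustCopyPublicKey(trust); // deprecated, but the only option on older OSs
}
```

Callers pass a `SecTrustRef` built from the server's chain and then consult `ExampleIsChainTrusted()` on the returned result, which is the point of dropping the bool: a single verdict derived from the `SecTrustResultType` rather than from whichever value the underlying API happened to return.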