lionheart / openradar-mirror

A mirror of radars pulled from http://openradar.me/.

25640562: Security.framework: Provide API to determine the Apple-supplied set of default trust anchors #15110

Open openradar-mirror opened 8 years ago

openradar-mirror commented 8 years ago

Description

Summary: On OS X, one can determine if a given Root Certificate is part of the Apple-supplied set by invoking SecTrustSettingsCopyCertificates with kSecTrustSettingsDomainSystem. This can be distinguished from other forms of trust anchors (such as administratively configured or user-configured).

On iOS, no such API exists. As such, after certificate validation succeeds from SecTrustEvaluate, one cannot determine if the overall result was due to an MDM-supplied trust anchor or a trust anchor provided by Apple.

iOS users can set their own custom anchors (SecTrustSetAnchorCertificates[Only]) and then retrieve them (SecTrustCopyCustomAnchorCertificates), but that provides no means to see the Apple-supplied set (nor the set in securityd).

This is useful for applications which want to impose policies on publicly trusted CAs (where here, the definition is "in the default OS set from Apple"), without negatively impacting enterprise users. HPKP pinning is one example. Enforcing the Baseline Requirements via application policy is another.

Steps to Reproduce:

  1. Attempt to obtain the list of Apple-provided roots (that is, the contents of the "Trust Store" listed in Settings -> General -> About) via programmatic means

Expected Results: The set of certificates is returned as a CFArrayRef

Actual Results: No such API exists.

Version: iOS 9.3.1 (13E238)

Notes:

Configuration: iPhone 6s

Product Version: 9.3.1 (13E238)
Created: 2016-04-09T08:13:34.268100
Originated: 2016-04-09T00:00:00
Open Radar Link: http://www.openradar.me/25640562
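As an added example (Swift, not code from the radar or from the openradar-mirror project), the macOS-only check the report describes and the pinning policy it motivates: classify the anchor a successful evaluation ended at as an Apple-shipped root or some other (admin, user or app-supplied) anchor, and apply pins only in the former case. It assumes macOS 12 or later for SecTrustCopyCertificateChain; the pin verification itself is an assumed caller-supplied closure, and no iOS equivalent of the system-domain lookup exists, which is exactly the gap the radar reports.

```swift
import Foundation
import Security

/// Added example, not from the radar or openradar-mirror. Assumes macOS 12+ for
/// SecTrustCopyCertificateChain; iOS has no system-domain lookup, which is the gap reported.
enum AnchorOrigin { case appleSystemRoot, otherAnchor, notTrusted }

/// Apple-supplied default roots, read from the system trust-settings domain. Admin- and
/// user-installed anchors live in the .admin and .user domains and are therefore excluded.
func appleSuppliedRootDER() -> Set<Data> {
    var certs: CFArray?
    guard SecTrustSettingsCopyCertificates(.system, &certs) == errSecSuccess,
          let roots = certs as? [SecCertificate] else { return [] }
    return Set(roots.map { SecCertificateCopyData($0) as Data })  // compare by DER bytes
}

/// Evaluate `trust` and classify the anchor the evaluation ended at.
func anchorOrigin(of trust: SecTrust) -> AnchorOrigin {
    var error: CFError?
    guard SecTrustEvaluateWithError(trust, &error) else { return .notTrusted }
    // After a successful evaluation, the last element of the built chain is the anchor.
    guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
          let anchor = chain.last else { return .notTrusted }
    let anchorDER = SecCertificateCopyData(anchor) as Data
    return appleSuppliedRootDER().contains(anchorDER) ? .appleSystemRoot : .otherAnchor
}

/// The policy the radar motivates: enforce pins only for chains ending in a public
/// (Apple-shipped) root, so enterprise anchors pushed by MDM keep working. `pinsMatch`
/// is an assumed caller-supplied check of the chain against the app's pin set.
final class PublicCAPinningDelegate: NSObject, URLSessionDelegate {
    private let pinsMatch: (SecTrust) -> Bool
    init(pinsMatch: @escaping (SecTrust) -> Bool) { self.pinsMatch = pinsMatch }
    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            return completionHandler(.performDefaultHandling, nil)
        }
        switch anchorOrigin(of: trust) {
        case .notTrusted:
            completionHandler(.cancelAuthenticationChallenge, nil)
        case .otherAnchor:       // MDM/admin/user anchor: accept the OS verdict, no pins
            completionHandler(.useCredential, URLCredential(trust: trust))
        case .appleSystemRoot:   // public CA: the pin set applies
            if pinsMatch(trust) { completionHandler(.useCredential, URLCredential(trust: trust)) }
            else { completionHandler(.cancelAuthenticationChallenge, nil) }
        }
    }
}
```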

lietusme commented 6 years ago

Is there any update on supporting this? Using CURL/OpenSSL also poses a similar challenge - no way to feed iOS trusted root certificates to OpenSSL. Such an API is provided by .NET or Android, so there should not be a security issue in providing the public set of certificates programmatically.