In our macOS daemon process, we are trying to validate a leaf certificate by anchoring intermediate CA cert and evaluating it using SecTrustEvaluateWithError. The leaf certificate contains couple of non-critical MS extensions (1.3.6.1.4.1.311.21.10 and 1.3.6.1.4.1.311.21.7). The macOS API fails to parse these extensions and does not evaluate the cert chain. Below is the error returned: { NSLocalizedDescription = "\U201abc\U201d certificate is not standards compliant"; NSUnderlyingError = "Error Domain=NSOSStatusErrorDomain Code=-67618 \"Certificate 0 \U201abc\U201d has errors: Unable to parse known extension;\" UserInfo={NSLocalizedDescription=Certificate 0 \U201abc\U201d has errors: Unable to parse known extension;}"; } As per RFC2459, a non-critical extension can be ignored by the system: A certificate using system MUST reject the certificate if it encounters a critical extension it does not recognize; however, a non-critical extension may be ignored if it is not recognized. So, why does macOS not ignore these non-critical extension and returns a failure? OS version is 14.4.1.

I have a project using SecKey. Everything was working fine. But my newest build in TestFlight has crashed iOS 17.4 above. Could you help me to fix this problem? Here is my bug.

HI! I am developing an application that should utilize ScriptingBridge.framework to interact with another process. Firstly, I created a separate test application for which I have added Apple Events entitlements via "Signing & Capabilities" section in Xcode and updated its Info.plist to have "Privacy - AppleEvents Sending Usage Description". While the test app works fine (I see an automation request popup and the process executes as expected) the main application where I want to integrate this functionality gets closed immediately after reaching the code interacting with Scripting Bridge. On its launch, I see the following error message from tccd in Console: Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={TCCDProcess: identifier=<app bundleID>, ..., binary_path=<path to the app's binary>} I had no such issues with the test app. Moreover, I should mention that the bundle I want to have with such functionality is stored in another bundle, both main and inner bundles aren't sandboxed, and the target app has Application is agent (UIElement) key set in Info.plist. Can you suggest any ideas as to why processes behave so differently despite having pretty much the same build configurations?

this is an email I have sent to Apple with no luck: Dear Apple Developer Support Team, I am writing to seek urgent assistance with a persistent issue I have been encountering with Xcode. For several months now, every time I connect my iPhone to Xcode for development purposes, it automatically overwrites the user data of my apps with an old, seemingly random container. This issue is severely impacting my ability to continue development, as I cannot test new changes effectively. This occurs since a few months in every iOS and Xcode/macOS Version. I tried it with different Apps and Devices. Sometimes the entire Container (Documents) gets read only access so no new data can be created or changed by the user. I frequently used the replace container feature on Xcode so maybe this has something to do with it. This problem persists despite numerous attempts to resolve it on my end. I am at a critical point in my development timeline, and it is crucial for me to resolve this as soon as possible. Could you please advise on the next steps I should take to address this issue? If there are any logs or further information you require, I am more than willing to provide them. Thank you for your attention to this matter. I look forward to your prompt response and hope for a resolution soon. Best regards, Victor Lobe

Could you help me to understand this crash: Thread 22 Crashed: 0 libsystem_kernel.dylib 0x00000001e9ee2974 __pthread_kill + 8 (:-1) 1 libsystem_pthread.dylib 0x00000001fd9650ec pthread_kill + 268 (pthread.c:1717) 2 libsystem_c.dylib 0x00000001a9933c14 __abort + 136 (abort.c:159) 3 libsystem_c.dylib 0x00000001a9933b8c abort + 192 (abort.c:126) 4 libsystem_malloc.dylib 0x00000001b1b5ec68 malloc_vreport + 896 (malloc_printf.c:251) 5 libsystem_malloc.dylib 0x00000001b1b5ef10 malloc_zone_error + 104 (malloc_printf.c:319) 6 libsystem_malloc.dylib 0x00000001b1b54a44 nanov2_guard_corruption_detected + 44 (nanov2_malloc.c:2425) 7 libsystem_malloc.dylib 0x00000001b1b3b6f0 nanov2_allocate_from_block + 352 (nanov2_malloc.c:2543) 8 libsystem_malloc.dylib 0x00000001b1b3b418 nanov2_find_block_and_allocate + 1172 (nanov2_malloc.c:2797) 9 libsystem_malloc.dylib 0x00000001b1b3aeec nanov2_allocate_outlined + 252 (nanov2_malloc.c:2955) 10 CoreFoundation 0x00000001a1980ab8 _CFRuntimeCreateInstance + 448 (CFRuntime.c:791) 11 CoreFoundation 0x00000001a19e0b5c __CFDataInit + 172 (CFData.c:444) 12 Security 0x00000001aa14607c createNormalizedX501Name + 56 (SecCertificate.c:1277) 13 Security 0x00000001aa1458ec SecCertificateParse + 820 (SecCertificate.c:1658) 14 Security 0x00000001aa145594 SecCertificateCreateWithBytes + 124 (SecCertificate.c:1807) 15 libboringssl.dylib 0x00000001d2c9287c boringssl_helper_copy_certificates_from_CRYPTO_BUFFERs + 196 (boringssl_helper.m:148) 16 libboringssl.dylib 0x00000001d2c913ac boringssl_session_set_peer_verification_state_from_session + 160 (boringssl_session.m:446) 17 libboringssl.dylib 0x00000001d2ca09a4 boringssl_context_certificate_verify_callback + 528 (boringssl_context.m:1861) 18 libboringssl.dylib 0x00000001d2ca0618 bssl::ssl_verify_peer_cert(bssl::SSL_HANDSHAKE*) + 372 (handshake.cc:395) 19 libboringssl.dylib 0x00000001d2c8da68 bssl::ssl_client_handshake(bssl::SSL_HANDSHAKE*) + 3112 (handshake_client.cc:1956) 20 libboringssl.dylib 0x00000001d2c7f22c bssl::ssl_run_handshake(bssl::SSL_HANDSHAKE*, bool*) + 376 (handshake.cc:764) 21 libboringssl.dylib 0x00000001d2c8cd90 SSL_do_handshake + 80 (ssl_lib.cc:874) 22 libboringssl.dylib 0x00000001d2c8caec boringssl_session_handshake_continue + 108 (boringssl_session.m:262) 23 libboringssl.dylib 0x00000001d2c743e0 nw_protocol_boringssl_handshake_negotiate + 120 (protocol_boringssl.m:803) 24 libboringssl.dylib 0x00000001d2c715d4 nw_boringssl_read + 3144 (protocol_boringssl.m:700) 25 libboringssl.dylib 0x00000001d2c708e0 nw_protocol_boringssl_input_available + 348 (protocol_boringssl.m:1435) 26 libusrtcp.dylib 0x00000002155f6554 nw_protocol_tcp_wake_read + 396 (protocol_tcp.c:324) 27 libusrtcp.dylib 0x00000002155f504c nw_protocol_tcp_input_flush + 108 (protocol_tcp.c:2034) 28 Network 0x00000001a1ecc2b8 nw_channel_update_input_source(nw_channel*, nw_protocol*, bool) + 7872 (channel.cpp:1483) 29 Network 0x00000001a2824180 invocation function for block in nw_channel_create(nw_context*, unsigned char*, unsigned int, void*, unsigned int, bool, bool, bool*) + 72 (channel.cpp:2545) 30 libdispatch.dylib 0x00000001a987add4 _dispatch_client_callout + 20 (object.m:576) 31 libdispatch.dylib 0x00000001a987e2d8 _dispatch_continuation_pop + 600 (queue.c:321) 32 libdispatch.dylib 0x00000001a98921c8 _dispatch_source_latch_and_call + 420 (source.c:596) 33 libdispatch.dylib 0x00000001a9890d8c _dispatch_source_invoke + 832 (source.c:961) 34 libdispatch.dylib 0x00000001a9884284 _dispatch_workloop_invoke + 1756 (queue.c:4570) 35 libdispatch.dylib 0x00000001a988dcb4 _dispatch_root_queue_drain_deferred_wlh + 288 (queue.c:6998) 36 libdispatch.dylib 0x00000001a988d528 _dispatch_workloop_worker_thread + 404 (queue.c:6592) 37 libsystem_pthread.dylib 0x00000001fd960f20 _pthread_wqthread + 288 (pthread.c:2665) 38 libsystem_pthread.dylib 0x00000001fd960fc0 start_wqthread + 8 (:-1)

Our product includes a sudo plugin so we can apply user-defined policies to manage privileged access to command line programs. We’ve been getting reports where the plugin sometimes doesn't get invoked and the sudo command falls back to its default behavior. This seems to only be happening intermittently, but when the issue does occur, this message appears in the Console: Library Validation failed: Rejecting '/usr/local/libexec/sudo/<our_plugin>.so' (Team ID: <OURTEAMID>, platform: no) for process 'sudo(<pid>)’ (Team ID: N/A, platform: yes), reason: mapping process is a platform binary, but mapped file is not I recall a previous discussion of this message (that I can’t locate now), which explained that although the host process has library validation disabled, the code flow raises an error anyway, so that the host process can detect it and bypass the validation to load the plugin. It looks like that's what sudo is doing: it has the private entitlement com.apple.private.security.clear-library-validation and makes the appropriate system call when the plugin initially fails to load [1] — but apparently this isn't working reliably for our sudo plugin. We’ve observed that restarting the Mac generally resolves the issue, at least for a while. This resembles the “classic symptom of a code signing oddity” where the signature is cached and the Mach-O image is rewritten rather than replaced (as documented in Updating Mac Software). But our software uses an Installer package for updates as well as initial installation, and the Installer is documented as not having this issue, so I believe the problem lies somewhere else. I’m running out of ideas; are there any other avenues I should investigate? Thanks for any help. [1] This is described in an article called "About com.apple.private.security.clear-library-validation"; I can't link to it directly from the developer forums, but it can easily be found by searching for the title.

Hi, Is this possible? I would like to: Store a biometrically secured key in the Secure Enclave. Do multiple cryptographic operations using that key in a short period of time (say 5 seconds), not all at once. Only do one FaceID for that set. For the time I've only gotten either multiple flashing FaceId requests or the operations failing. Is it possible to set a time limit in which the first FaceID authentication is accepted? Should I do something else? Thanks!

Hello, It is possible to encrypt a mac's hard-drive with Filevault. All home user folders are encrypted with the same encryption key. (This is the same encryption key for the whole hard-drive). This encryption key is encrypted with user password. But i don't understand how it works when there are multiple user accounts. Maybe there is a table: The same encryption key is stored several times (one per user account) ? Is there a way for a user to read the filevault encryption key ? Thanks

when using Xcode15, we found that using Xcode 15 to access keychain may fail. Although using Xcode earlier than 15 may have same question, but the probability is higher on Xcode15. Anyone has the same question and how to fix it?

SecItemCopyMatching crash occurs while iOS creating RSA. Test device is iPhone6s plus. How can I solve this? The crash log is as follows: 0 libobjc.A.dylib 0x0000000198964cf4 objc_msgSend + 20 (:-1) 1 Security 0x0000000189989968 SecTokenItemCreateFromAttributes + 80 (SecItem.m:996) 2 Security 0x00000001898f6db0 SecItemResultCopyPrepared + 2876 (SecItem.m:1195) 3 Security 0x00000001898ea5fc SecItemResultProcess + 376 (SecItem.m:1252) 4 Security 0x00000001898e0168 __SecItemCopyMatching_block_invoke_2 + 324 (SecItem.m:1893) 5 Security 0x00000001898e0a70 __SecItemAuthDoQuery_block_invoke + 524 (SecItem.m:1591) 6 Security 0x00000001898df2c0 SecItemAuthDoQuery + 1204 (SecItem.m:1557) 7 Security 0x00000001898e0614 __SecItemCopyMatching_block_invoke + 104 (SecItem.m:1883) 8 Security 0x00000001898e665c SecOSStatusWith + 48 (SecItem.m:331) 9 Security 0x00000001898e0374 SecItemCopyMatching + 364 (SecItem.m:1882)

Hello, I am trying to enumerate all ways on macOS for launching an application when a user opens a session. Please note i am not looking for a way which requires root or sudo privileges. I have found this: ~/Library/LaunchAgents/ Login Items (in macOS System Settings) But are there others ? Thanks

In our implementation of Platform SSO, we would like to show custom UI in both the beginDeviceRegistration call as well as the beginUserRegistration call. It works fine in the beginDeviceRegistration call when we use presentRegistrationViewController. When we try to apply the same logic in beginUserRegistration, the ViewController's view.window object is nil and thus using it to house our custom UI doesn't work. I'm not sure if this is an implementation flaw on our part or if presentRegistrationViewController is only intended to be used in beginDeviceRegistration. The call is only mentioned in the context of registering devices, which makes us wonder if it is limited to that. Any help would be appreciated!

I created a custom PAM module following this and It works fine with etc/pam.d/sudo but doesn't work with etc/pam.d/authorization and etc/pam.d/login. sudo # sudo: auth account password session auth include sudo_local auth sufficient /usr/local/Cellar/cpam/1.0.0/lib/security/cpam.so auth sufficient pam_smartcard.so auth required pam_opendirectory.so account required pam_permit.so password required pam_deny.so session required pam_permit.so authorization # authorization: auth account auth sufficient /usr/local/Cellar/cpam/1.0.0/lib/security/cpam.so auth optional pam_krb5.so use_first_pass use_kcminit no_auth_ccache auth optional pam_ntlm.so use_first_pass auth sufficient pam_smartcard.so use_first_pass account required pam_opendirectory.so Is it even allowed to add a custom PAM to \etc\pam.d\login or etc\pam.d\authorization ? Is it possible to create a mechanism with custom logic and replace it with<string>builtin:authenticate,privileged</string> in system.login.console authorization right ? Note: I have also tried moving the .so file to /usr/lib/pam but it failed even after disabling SIP.

Hello, It is possible to restrict Documents folder access with TCC. But when an applications shows a standard "file open" dialog, it is possible to access this directory to open a file. macOS allows file access in this case because it is an intentional action from user. So i suppose there is a kind of whitelist for all files path opened through "file open" dialog. I would like to know how i can access this whitelist and how i can remove entries. Thanks

I am trying to pass smart card PIN from a custom auth plugin with tag kAuthorizationEnvironmentPassword. I added pam_smartcard.so to login stack (\etc\pam.d\login) but the changes do not take place. # login: auth account password session auth sufficient pam_smartcard.so auth optional pam_krb5.so use_kcminit auth optional pam_ntlm.so try_first_pass auth optional pam_mount.so try_first_pass auth required pam_opendirectory.so try_first_pass account required pam_nologin.so account required pam_opendirectory.so password required pam_opendirectory.so session required pam_launchd.so session required pam_uwtmp.so session optional pam_mount.so What could possible be going wrong in this ? Also is there an API to trigger authorization_ctk from a custom auth plugin to work with smart card ?

I have a customer who wants to protect the REST API of their app with a private certificate. They would then distribute the client certificate to the authorized users. Their app would not work unless the client certificate is already installed on the user's phone before they run the app. I have never done this before. Is it possible to install a client certificate on an iPhone without running an app, for example if it were sent in an email message? And if it is possible, is App Review going to let such an app into the app store? Thanks, Frank

Hello Geeks, After testing our iOS app using MobSF, the report highlighted that the binary has Runpath Search Path (@rpath) set. In certain cases an attacker can abuse this feature to run arbitrary executable for code execution and privilege escalation.

 The Runpath Search Path directs the dynamic linker to search for dynamic libraries (dylibs) in a specified order of paths, similar to how Unix searches for binaries in $PATH. However, this setup introduces a vulnerability wherein an attacker could place a malicious dylib in one of the initial paths, thereby hijacking the legitimate library sought by the linker.

 Despite attempting to manually strip the binary following instructions from https://inesmartins.github.io/mobsf-ipa-binary-analysis-step-by-step/index.html, the same warnings persist in the report. We urgently seek assistance in resolving this issue and eagerly await your response.

This page indicates https://support.apple.com/en-in/guide/deployment/dep0a2cb7686/web that some usage of fdesetup command line tool is deprecated such as turning on FV using username/password. However, I don't see any proper information about which options from the fdesetup tool are deprecated and which are still valid? Any pointers for that? Thanks, N

I'm noticing a trend in 'foreign' home security products that they want to combination of QR code scanning, and home router connections for 'Easy Setups'. The iOS apps that have to be used with these products require the user to enter their home WiFi password directly into the app. Such apps also commonly request location data. If unencrypted router passwords, and the Location data of the router are being captured and sent back to the manufacturer, this would be very very bad. Of the few things I've put on the App Store, Apple went through my code with a fine tooth comb looking for things that went against their protocols and had to do multiple revisions to bring them in line. Although frustrating at the time, I was pleased to know this kind of screening happened. I've heard Apple won't allow apps to do key logging/capture. Fantastic. Is the the handling of our home network credentials also heavily scrutinised before thing are allowed on the Apple Store?

Hi, I'm trying to achieve the following OpenSSL workflow in Swift. I have this intermediate certificate from Let's encrypt and I want to extract the public key from it and then hash it with SHA-256 and finally encide it in base64. The OpenSSL commands that achieve this look like this: openssl x509 -in isrgrootx1.pem -pubkey -noout > publickey.pem openssl rsa -pubin -in publickey.pem -outform der | openssl dgst -sha256 -binary | openssl enc -base64 I've tried Security, CommonCrypto, CryptoKit frameworks with no success. I was able to get the public key out of the certificate but its PEM representation seems to slightly differ from what I get with OpenSSL. At the beginning of the public jet, the OpenSSL version has a string that is not present on what I get with Swift but the rest is the same. This is the Swift code to use: import Foundation import Security import CommonCrypto // Step 1: Extract public key from the certificate func extractPublicKey(from certificate: SecCertificate) -> SecKey? { // Extract public key from the certificate var publicKey: SecKey? if let publicKeyRef = SecCertificateCopyKey(certificate) { publicKey = publicKeyRef } return publicKey } // Step 2: Calculate SHA-256 hash of the public key func calculateSHA256(of data: Data) -> Data { var hash = [UInt8](repeating: 0, count: Int(CC_SHA256_DIGEST_LENGTH)) data.withUnsafeBytes { _ = CC_SHA256($0.baseAddress, CC_LONG(data.count), &hash) } return Data(hash) } // Step 3: Encode data as base64 func base64EncodedString(from data: Data) -> String { return data.base64EncodedString() } // Step 4: Main function to perform all steps func processCertificate(certificate: SecCertificate) { // Step 1: Extract public key guard let publicKey = extractPublicKey(from: certificate) else { return } // Step 2: Export public key as data guard let publicKeyData = SecKeyCopyExternalRepresentation(publicKey, nil) as Data? else { print("Failed to export public key data") return } // Step 3: Calculate SHA-256 hash of the public key let sha256Hash = calculateSHA256(of: publicKeyData) // Step 4: Encode SHA-256 hash as base64 let base64EncodedHash = base64EncodedString(from: sha256Hash) print("SHA-256 hash of public key (base64 encoded): \(base64EncodedHash)") } This is the Public Key I get with OpenSSL: -----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAregkc/QUN/ObnitXKByHvty33ziQjG485legePd1wqL+9Wpu9gBPKNveaIZsRJO2sWP9FBJrvx/S6jGbIX7RMzy6SPXded+zuP8S8SGaS8GKhnFpSmZmbI9+PHC/rSkiBvPkwOaAruJLj7eZfpQDn9NHl3yZSCNT6DiuTwpvgy7RSVeMgHS22i/QOI17A3AhG3XyMDz6j67d2mOr6xZPwo4RS37PC+j/tXcu9LJ7SuBMEiUMcI0DKaDhUyTsE9nuGb8Qs0qMP4mjYVHerIcHlPRjcewu4m9bmIHhiVw0eWx27zuQYnnm26SaLybF0BDhDt7ZEI4W+7f3qPfH5QIHmI82CJXn4jeWDTZ1nvsOcrEdm7wD+UkF2IHdBbQq1kHprAF2lQoP2N/VvRIfNS8oF2zSmMGoCWR3bkc3us6sWV5onX9y1onFBkEpPlk+3Sb1JMkRp1qjTEAfRqGZtac6UW6GO559cqcSBXhZ7T5ReBULA4+N0C8Fsj57ShxLcwUS/Mbq4FATfEOTdLPKdOeOHwEI0DDUW3E2tAe6wTAwXEi3gjuYpn1giqKjKYLMur2DBBuigwNBodYF8RvCtvCofIY7RqhIKojcdpp2vx9qpT0Zj+s482TeyCsNCij/99viFULUItAnXeF5/hjncIitTubZizrG3SdRbv+8ZPUzQ08CAwEAAQ== -----END PUBLIC KEY----- and this is what I get with Swift: -----BEGIN PUBLIC KEY----- MIICCgKCAgEAregkc/QUN/ObnitXKByHvty33ziQjG485legePd1wqL+9Wpu9gBPKNveaIZsRJO2sWP9FBJrvx/S6jGbIX7RMzy6SPXded+zuP8S8SGaS8GKhnFpSmZmbI9+PHC/rSkiBvPkwOaAruJLj7eZfpQDn9NHl3yZSCNT6DiuTwpvgy7RSVeMgHS22i/QOI17A3AhG3XyMDz6j67d2mOr6xZPwo4RS37PC+j/tXcu9LJ7SuBMEiUMcI0DKaDhUyTsE9nuGb8Qs0qMP4mjYVHerIcHlPRjcewu4m9bmIHhiVw0eWx27zuQYnnm26SaLybF0BDhDt7ZEI4W+7f3qPfH5QIHmI82CJXn4jeWDTZ1nvsOcrEdm7wD+UkF2IHdBbQq1kHprAF2lQoP2N/VvRIfNS8oF2zSmMGoCWR3bkc3us6sWV5onX9y1onFBkEpPlk+3Sb1JMkRp1qjTEAfRqGZtac6UW6GO559cqcSBXhZ7T5ReBULA4+N0C8Fsj57ShxLcwUS/Mbq4FATfEOTdLPKdOeOHwEI0DDUW3E2tAe6wTAwXEi3gjuYpn1giqKjKYLMur2DBBuigwNBodYF8RvCtvCofIY7RqhIKojcdpp2vx9qpT0Zj+s482TeyCsNCij/99viFULUItAnXeF5/hjncIitTubZizrG3SdRbv+8ZPUzQ08CAwEAAQ== -----END PUBLIC KEY----- Interestingly, if I use the Swift version of the Public Key I get and then run the second command I still get the correct final result. Unfortunately in Swift I don't get the correct final result. I suspect it must be something about headers since I was able to get the correct output on OpenSSL with the public key I got using the Swift. Any ideas?