With iOS 13.6 beta 3 and iOS 14.0 beta 2 we have observed a change in behavior for SecTrustEvaluate(_:_:)/SecTrustEvaluateWithError(_:_:) when evaluating trust chains with custom CAs. Previously when evaluating certificates issued from our own CA, we would expect a result of kSecTrustResultUnspecified as the CA wasn't explicitly trusted by the user. We now see that kSecTrustRecoverableTrustFailure is returned and if we inspect the error from SecTrustEvaluateWithError(_:_:) we see can see that the error is errSecNoBasicConstraintsCA.
Upon closer investigation of our CA cert we see that the "Basic Constraints" extension has been set twice:
This is clearly an issue with our certificate, however it has been working for the past 2+ years. As the CA cert is bundled with our apps, this will require all apps to be updated and re-released. Critically, because the trust evaluation has changed apps treat it as a security error and immediately exit.
Is this behavior change intended and permanent?
Upon closer investigation of our CA cert we see that the "Basic Constraints" extension has been set twice:
Code Block X509v3 Basic Constraints: critical CA:TRUE X509v3 Basic Constraints: CA:FALSE
This is clearly an issue with our certificate, however it has been working for the past 2+ years. As the CA cert is bundled with our apps, this will require all apps to be updated and re-released. Critically, because the trust evaluation has changed apps treat it as a security error and immediately exit.
Is this behavior change intended and permanent?