iOS 14: SecTrustEvaluateWithError Validate Non-Standard Critical Extensions

Hello!

I have X.509 certificates for code signing in my application that have non-standard X.509 critical extensions.

On Android, the trust evaluation APIs allow for a callback with unrecognised crit exts so that the app code can validate them.

Is there something similar on iOS? Right now all calls to SecTrustEvaluateWithError fail with: “Microsoft Corporation” has errors: Found unknown critical extensions

Accepted Answer

Is there something similar on iOS?

No.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Any alternatives, then?

Ah, um, don’t mark extensions as critical if they’re not. The relevant standards are super clear about this. Perhaps you should have a chat with the folks who are issuing these certificates?

You could also file an enhancement request requesting that the trust object (SecTrust) provide a way to customise the handling of specific extensions but that is, at best, a medium-term solution to this problem.

If you do file a bug, please post the number here, just for the record.

Beyond that, things get distinctly un-fun. You could write your own trust evaluation engine but that’s not something I’d want to tackle.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
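Before taking this up with the issuer, it helps to know exactly which critical extensions in the certificate fall outside the standard PKIX set that a path validator is expected to recognise (RFC 5280, section 4.2). The script below is an added example, not Apple's code or anything posted in this thread: a dependency-free DER walker over an X.509 Extensions sequence that lists the critical extensions whose OID is not a standard one. The sample Extensions blob is constructed inline; the enterprise arc 1.3.6.1.4.1.99999 is an assumed placeholder, not any real issuer's OID.

```python
"""List critical X.509 extensions that are not standard PKIX extensions.

Added example: a minimal DER walker for the RFC 5280 Extensions SEQUENCE,
plus a small encoder used only to build the constructed sample at the end.
"""

from typing import Iterator, List, Tuple

# Extension OIDs defined in RFC 5280 sections 4.2.1 and 4.2.2.  A critical
# extension outside this set is what "unknown critical extension" refers to.
KNOWN_EXTENSION_OIDS = {
    "2.5.29.9": "subjectDirectoryAttributes",
    "2.5.29.14": "subjectKeyIdentifier",
    "2.5.29.15": "keyUsage",
    "2.5.29.17": "subjectAltName",
    "2.5.29.18": "issuerAltName",
    "2.5.29.19": "basicConstraints",
    "2.5.29.30": "nameConstraints",
    "2.5.29.31": "cRLDistributionPoints",
    "2.5.29.32": "certificatePolicies",
    "2.5.29.33": "policyMappings",
    "2.5.29.35": "authorityKeyIdentifier",
    "2.5.29.36": "policyConstraints",
    "2.5.29.37": "extKeyUsage",
    "2.5.29.46": "freshestCRL",
    "2.5.29.54": "inhibitAnyPolicy",
    "1.3.6.1.5.5.7.1.1": "authorityInfoAccess",
    "1.3.6.1.5.5.7.1.11": "subjectInfoAccess",
}


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER TLV at data[pos]; return (tag, value, position after it)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def _iter_children(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, value) for each TLV packed back to back in a constructed value."""
    pos = 0
    while pos < len(data):
        tag, value, pos = _read_tlv(data, pos)
        yield tag, value


def _decode_oid(value: bytes) -> str:
    """Decode OID contents to dotted form (first two arcs assumed to fit one byte)."""
    arcs = [value[0] // 40, value[0] % 40]
    n = 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 byte of this arc
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def parse_extensions(extensions_der: bytes) -> List[Tuple[str, bool, bytes]]:
    """Parse an Extensions SEQUENCE into (oid, critical, extnValue) tuples."""
    tag, body, _ = _read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result = []
    for tag, ext in _iter_children(body):
        if tag != 0x30:
            raise ValueError("each Extension must be a SEQUENCE")
        fields = list(_iter_children(ext))
        oid = _decode_oid(fields[0][1])
        critical, idx = False, 1
        if fields[idx][0] == 0x01:  # BOOLEAN present (DER omits it when FALSE)
            critical = fields[idx][1] != b"\x00"
            idx += 1
        result.append((oid, critical, fields[idx][1]))  # OCTET STRING contents
    return result


def unknown_critical_extensions(extensions_der: bytes) -> List[str]:
    """OIDs of critical extensions a standards-conforming validator won't know."""
    return [oid for oid, critical, _ in parse_extensions(extensions_der)
            if critical and oid not in KNOWN_EXTENSION_OIDS]


# --- encoder helpers, used only to construct the sample below ---------------
def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunks.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunks))
    return out


def _extension(oid: str, critical: bool, value: bytes) -> bytes:
    body = _tlv(0x06, _encode_oid(oid))
    if critical:  # DER rule: a BOOLEAN equal to its DEFAULT (FALSE) is omitted
        body += _tlv(0x01, b"\xff")
    return _tlv(0x30, body + _tlv(0x04, value))


# Constructed sample mirroring the situation in the question: two standard
# critical extensions plus two private ones under an assumed placeholder
# enterprise arc (1.3.6.1.4.1.99999), one of which is wrongly marked critical.
SAMPLE_EXTENSIONS = _tlv(0x30, b"".join([
    _extension("2.5.29.19", True, b"\x30\x00"),               # basicConstraints, CA=FALSE
    _extension("2.5.29.15", True, b"\x03\x02\x07\x80"),       # keyUsage: digitalSignature
    _extension("1.3.6.1.4.1.99999.1", True, b"\x0c\x04code"),   # private, critical: rejected
    _extension("1.3.6.1.4.1.99999.2", False, b"\x0c\x04code"),  # private, non-critical: ignored
]))

if __name__ == "__main__":
    for oid, critical, value in parse_extensions(SAMPLE_EXTENSIONS):
        name = KNOWN_EXTENSION_OIDS.get(oid, "<non-standard>")
        print(f"{oid:24} {name:26} critical={critical} len={len(value)}")
    print("unknown critical:", unknown_critical_extensions(SAMPLE_EXTENSIONS))
```

To run this against a real certificate, feed it the DER of the `extensions [3]` field of the TBSCertificate (for example after locating its offset with `openssl asn1parse -in cert.pem -i`); the walker deliberately stops short of parsing a whole certificate. Any OID it reports is one to raise with the issuer, since a validator that follows RFC 5280 has no choice but to reject a certificate whose critical extension it does not understand.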

Does this mean I can't check for these particular KU values during evaluation … ?

The comment in <Security/SecPolicy.h> is pretty clear about our policy (hey hey) here:

Note: these constants are not available on iOS. Your code should
avoid direct reliance on these values for making policy decisions
and use higher level policies where possible.

I see this a lot on iOS, where the Security framework has seemingly-artificial limits that try to keep you on an approved path. If such limits are causing you grief, I encourage you to file an enhancement request describing your requirements (that is, what you need to achieve, why you can’t achieve it using our APIs, and the hoops you have to jump through because of that).

And, as before, please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
