Obtaining SCTs from TLS/OCSP with URLSession

Apple's Certificate Transparency policy says that Signed Certificate Timestamps (SCTs) are accepted from TLS extension or OCSP Stapling in addition to the SCTs embedded in the certificate. If we're implementing our own Certificate Transparency enforcement in code written using URLSession, is there a way to obtain SCTs that were presented via TLS extension or OCSP Stapling?

I'm able to get the SCTs from the certificate by calling SecCertificateCopyValues with "1.3.6.1.4.1.11129.2.4.2" inside the urlSession(_:didReceive:completionHandler:) delegate function. I see that there are functions for adding TLS/OCSP SCTs to the ServerTrust, but I don't see any functions for getting them out, and I don't know if URLSession would be including those SCTs in the ServerTrust automatically anyway.

Is there any way to get these other SCTs using URLSession? Or would I have to drop down to Network Framework to do that?

Thanks for any help.
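As an added illustration of the embedded-SCT path the question describes (example code, not from the original post or from Apple), here is a URLSessionDelegate that extracts the SCT extension from the leaf certificate using SecCertificateCopyValues with the OID the question names. It assumes a macOS target, because SecCertificateCopyValues and kSecPropertyKeyValue are not available in the iOS SDK, and it assumes macOS 12 or later for SecTrustCopyCertificateChain. The class and function names are invented for the example.

```swift
import Foundation
import Security

// OID of the embedded SCT list extension, as given in the question.
let sctExtensionOID = "1.3.6.1.4.1.11129.2.4.2"

/// Returns the value Security.framework reports for the embedded SCT extension
/// of `certificate`, or nil if the certificate has no such extension.
/// Assumption: macOS, since SecCertificateCopyValues is macOS-only.
func embeddedSCTExtensionValue(of certificate: SecCertificate) -> Any? {
    var error: Unmanaged<CFError>?
    let keys = [sctExtensionOID] as CFArray
    guard let values = SecCertificateCopyValues(certificate, keys, &error) as? [String: Any],
          let entry = values[sctExtensionOID] as? [String: Any] else {
        return nil
    }
    return entry[kSecPropertyKeyValue as String]
}

/// Delegate that runs the normal trust evaluation and then inspects the leaf
/// certificate for embedded SCTs. SCTs delivered via the TLS extension or OCSP
/// stapling are not visible through SecTrust, so they cannot be checked here;
/// a policy built on this delegate alone is therefore stricter than Apple's.
final class CTInspectingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Keep the system's chain building, revocation and CT checks; only add to them.
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Index 0 of the evaluated chain is the leaf. On macOS older than 12 use
        // SecTrustGetCertificateAtIndex(trust, 0) instead.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        if let scts = embeddedSCTExtensionValue(of: leaf) {
            // A production policy would parse the SCT list and apply its own
            // log-count and log-diversity rules here before accepting.
            print("Leaf carries embedded SCT extension: \(scts)")
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // No embedded SCTs. Any SCTs sent in the TLS handshake or a stapled
            // OCSP response are not exposed by URLSession, so this branch cannot
            // distinguish "no SCTs at all" from "SCTs delivered another way".
            print("No embedded SCTs in leaf; TLS/OCSP-delivered SCTs are not observable here")
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

/// Builds a session that routes server-trust challenges through the delegate.
func makeCTInspectingSession() -> URLSession {
    return URLSession(configuration: .default,
                      delegate: CTInspectingDelegate(),
                      delegateQueue: nil)
}
```

The delegate deliberately evaluates the trust with SecTrustEvaluateWithError before touching the certificate, so the SCT inspection only adds a check on top of the system's verdict rather than replacing it. The else branch is the practical consequence of the question: with URLSession alone, a certificate whose SCTs arrive only via the TLS extension or OCSP stapling looks identical to one with no SCTs.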

Is there any way to get these other SCTs using URLSession?

No. The place to expect this is in the SecTrust object and, as you’ve noted, it has setters but not getters.

If you’d like to see such support added in the future, I encourage you to file an enhancement request describing your requirements. Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
