Hello,
is it possible to evaluate a certificate chain using one of the Bernstein curves ED25519/ED448 with the Security framework?
Using X.509 version 3 and own private CA for testing.
Signature Algorithm: ED448; Public Key Algorithm: ED25519
The following setting/API is used: SecPolicyCreateBasicX509, SecTrustSetAnchorCertificatesOnly, SecTrustEvaluateWithError
There are some requirements only for RSA keys regarding the key size since iOS 13: https://support.apple.com/en-us/103769 "RSA key sizes smaller than 2048 bits are no longer trusted for TLS"
And here is some information about TLS: https://support.apple.com/en-gb/guide/security/sec100a75d12/web "minimum 2048-bit RSA key or 256-bit elliptic curve key"
Findings:
The OpenSSL (v3.1.4) certificate verification was successful.
The evaluation is working fine in the iOS Simulator (iOS 15) and Playground.
But on real devices (e.g. iPhone/iOS 17) it is failing with the following error: Error Domain=NSOSStatusErrorDomain Code=-67735 "“...” certificate is using a broken key size" UserInfo={NSLocalizedDescription=“...” certificate is using a broken key size, NSUnderlyingError=0x281115920 {Error Domain=NSOSStatusErrorDomain Code=-67735 "Certificate 0 “...” has errors: Certificate is using a broken key size, Unable to build chain to root (possible missing intermediate);" UserInfo={NSLocalizedDescription=Certificate 0 “...”}
Also, SecCertificateCopyKey is returning NULL. According to the documentation, it may not support the algorithm: https://developer.apple.com/documentation/security/2963103-seccertificatecopykey
Could you please elaborate on the error, point to some documentation, and explain why it behaves differently on a real device?
Thank you in advance!
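An added diagnostic wrapper around the APIs named in the post (example code written here, not code from the post or from Apple). It assumes the caller loads DER-encoded leaf, intermediate and CA certificates; it runs the same SecPolicyCreateBasicX509 / SecTrustSetAnchorCertificatesOnly / SecTrustEvaluateWithError sequence, but first checks for the SecCertificateCopyKey == nil condition the post observed, so an unsupported key algorithm is reported before the evaluation turns it into the generic -67735 "broken key size" error.

```swift
import Foundation
import Security

/// Outcome of evaluating a leaf against a private CA with the basic X.509 policy.
enum ChainCheck {
    case trusted
    case keyUnsupported(subject: String)        // SecCertificateCopyKey returned nil
    case untrusted(code: Int, message: String)  // OSStatus code and per-certificate detail
}

/// Evaluates leaf + intermediates against `anchorsDER` only (system roots are ignored).
/// All inputs are DER bytes supplied by the caller, e.g. loaded from files in the app bundle.
func evaluateChain(leafDER: Data, intermediatesDER: [Data], anchorsDER: [Data]) -> ChainCheck {
    func certs(_ ders: [Data]) -> [SecCertificate] {
        ders.compactMap { SecCertificateCreateWithData(nil, $0 as CFData) }
    }
    let chain = certs([leafDER] + intermediatesDER)
    let anchors = certs(anchorsDER)
    guard chain.count == intermediatesDER.count + 1, anchors.count == anchorsDER.count else {
        return .untrusted(code: Int(errSecDecode), message: "DER could not be parsed")
    }

    // Pre-check: if the framework cannot expose a SecKey for a certificate, its key
    // algorithm is not supported on this OS build and trust evaluation cannot succeed.
    for cert in chain + anchors where SecCertificateCopyKey(cert) == nil {
        let subject = SecCertificateCopySubjectSummary(cert) as String? ?? "<no subject>"
        return .keyUnsupported(subject: subject)
    }

    var trust: SecTrust?
    let policy = SecPolicyCreateBasicX509()
    guard SecTrustCreateWithCertificates(chain as CFArray, policy, &trust) == errSecSuccess,
          let trust = trust else {
        return .untrusted(code: Int(errSecInternalError), message: "SecTrustCreateWithCertificates failed")
    }
    SecTrustSetAnchorCertificates(trust, anchors as CFArray)
    SecTrustSetAnchorCertificatesOnly(trust, true)   // trust the private CA only

    var error: CFError?
    if SecTrustEvaluateWithError(trust, &error) { return .trusted }
    guard let nsError = error.map({ $0 as Error as NSError }) else {
        return .untrusted(code: Int(errSecNotTrusted), message: "evaluation failed without an error object")
    }
    // The per-certificate detail ("Certificate 0 ... has errors: ...") is in NSUnderlyingError.
    let underlying = (nsError.userInfo[NSUnderlyingErrorKey] as? NSError)?.localizedDescription
    return .untrusted(code: nsError.code, message: underlying ?? nsError.localizedDescription)
}
```

Running this on the simulator and on a device side by side separates "the key type is unknown to this Security framework build" (`keyUnsupported`) from genuine path-building or policy failures (`untrusted` with the underlying message).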