SecTrustEvaluateAsyncWithError() and Certificate Transparency

For testing purposes we have code that calls SecTrustEvaluateAsyncWithError() with a trust object containing a hardcoded leaf certificate and the corresponding intermediate certificate required to form a valid chain. Because the leaf certificate has since expired we pass a date in the past via SecTrustSetVerifyDate() at which the certificate was still valid, but trust evaluation fails:

Error Domain=NSOSStatusErrorDomain Code=-67825 "“<redacted>” certificate is not standards compliant" UserInfo={NSLocalizedDescription=“<redacted>” certificate is not standards compliant, NSUnderlyingError=0x600000c282a0 {Error Domain=NSOSStatusErrorDomain Code=-67825 "Certificate 0 “<redacted>” has errors: Certificate Transparency validation required for this use;" UserInfo={NSLocalizedDescription=Certificate 0 “<redacted>” has errors: Certificate Transparency validation required for this use;}}}

I know that App Transport Security enforces Certificate Transparency by default, but is there a way around that here?

For testing purposes

What are you trying to test here? What’s the actual goal of this test?

I’m asking because the best path forward here depends on your ultimate goal.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

We have a custom implementation of HTTP Public Key Pinning on top of App Transport Security. The code in question tests this implementation (i.e. that given a valid trust object performing pin validation either lets our custom trust evaluation fail or succeed).
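The test harness described in the opening post and in the reply above (a trust object built from a hardcoded leaf and intermediate, evaluated as of a past date, followed by a custom pin check) can be written as shown below. This is an added example, not code from the original thread or from the poster's project, and it does not address the Certificate Transparency failure the thread is about: if the platform rejects the chain for CT reasons, the completion handler simply reports that error. Assumptions: the names `evaluatePinnedTrust`, `publicKeyPin` and `PinTestError` are hypothetical; the DER bytes and the pinned hash are placeholders to be replaced with the test fixture's own data; the pin is computed over the raw key bytes returned by `SecKeyCopyExternalRepresentation()` rather than over a full SubjectPublicKeyInfo structure as RFC 7469 specifies, which keeps the example short but means its pins are not interchangeable with standard HPKP pins; `SecTrustCopyCertificateChain()` requires macOS 12 / iOS 15 or later.

```swift
import Foundation
import Security
import CryptoKit

/// Error cases for the harness (hypothetical names, not from the thread).
enum PinTestError: Error {
    case badCertificateData
    case trustEvaluationFailed(Error?)
    case noLeafCertificate
    case pinMismatch(found: String)
}

/// Base64(SHA-256) of the certificate's public key bytes.
/// Simplification: hashes the raw key returned by SecKeyCopyExternalRepresentation(),
/// not the DER SubjectPublicKeyInfo that RFC 7469 pins are computed over.
func publicKeyPin(for cert: SecCertificate) throws -> String {
    guard let key = SecCertificateCopyKey(cert),
          let keyData = SecKeyCopyExternalRepresentation(key, nil) as Data? else {
        throw PinTestError.badCertificateData
    }
    return Data(SHA256.hash(data: keyData)).base64EncodedString()
}

/// Builds a trust object from DER-encoded certificates (leaf first, then intermediates),
/// evaluates it as of `verifyDate` so an expired fixture can still be tested, and only
/// after the platform has accepted the chain applies the custom pin check to the leaf.
func evaluatePinnedTrust(certificateDERs: [Data],
                         host: String,
                         verifyDate: Date,
                         pinnedKeys: Set<String>,
                         queue: DispatchQueue = .global(),
                         completion: @escaping (Result<Void, Error>) -> Void) {
    let certs = certificateDERs.compactMap { SecCertificateCreateWithData(nil, $0 as CFData) }
    guard certs.count == certificateDERs.count else {
        completion(.failure(PinTestError.badCertificateData)); return
    }

    // TLS server policy for the expected host name.
    let policy = SecPolicyCreateSSL(true, host as CFString)
    var trust: SecTrust?
    guard SecTrustCreateWithCertificates(certs as CFArray, policy, &trust) == errSecSuccess,
          let trust = trust else {
        completion(.failure(PinTestError.badCertificateData)); return
    }

    // Evaluate as of a date when the fixture certificate was still valid, as the post does.
    SecTrustSetVerifyDate(trust, verifyDate as CFDate)

    SecTrustEvaluateAsyncWithError(trust, queue) { trust, trusted, error in
        // Platform trust evaluation failed (expiry, CT, untrusted root, ...): surface the error.
        guard trusted else {
            completion(.failure(PinTestError.trustEvaluationFailed(error))); return
        }
        // Pin validation runs only on a chain the platform already accepted.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else {
            completion(.failure(PinTestError.noLeafCertificate)); return
        }
        do {
            let pin = try publicKeyPin(for: leaf)
            if pinnedKeys.contains(pin) {
                completion(.success(()))
            } else {
                completion(.failure(PinTestError.pinMismatch(found: pin)))
            }
        } catch {
            completion(.failure(error))
        }
    }
}

// Example invocation with placeholder fixture data (constructed, replace with real DER bytes).
let leafDER = Data()          // placeholder: leaf certificate DER
let intermediateDER = Data()  // placeholder: intermediate certificate DER
let pastDate = ISO8601DateFormatter().date(from: "2020-01-01T00:00:00Z")!
evaluatePinnedTrust(certificateDERs: [leafDER, intermediateDER],
                    host: "example.com",
                    verifyDate: pastDate,
                    pinnedKeys: ["PLACEHOLDER_BASE64_SHA256_PIN="]) { result in
    switch result {
    case .success: print("chain trusted and leaf key matches a pin")
    case .failure(let err): print("pinned trust evaluation failed: \(err)")
    }
}
```

With empty placeholder DER data the call reports `badCertificateData` immediately; with a real expired fixture and a `verifyDate` inside its validity period, the result distinguishes three outcomes that such a test typically wants to cover: platform rejection (including the CT error from the opening post), a trusted chain whose leaf key is not pinned, and a trusted chain whose leaf key matches.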
