0

When my app connects with an account on the server for the first time, the server generates and returns a PKCS12 file with a private key and self-signed certificate from the server.

The purpose of this primary key is to a) decrypt data sent to it by the server, and b) sign requests so the server can verify the identity of the client.

Is there a point in SecTrustEvaluate in this case? I'm not using the certificate to verify the identity of the server in any way, only for the decryption/signing of data. Currently I have:

SecTrustResultType trustResult;
status = SecTrustEvaluate(myTrust, &trustResult);
NSAssert(status == errSecSuccess, @"SecTrustEvaluate failed.");

This is failing with kSecTrustResultRecoverableTrustFailure - almost certainly due to the self-signed certificate.

If it is required (or highly suggested), can someone point me towards what I would need to do to resolve this?

Colin M
  • 13,010
  • 3
  • 38
  • 58

1 Answers1

0

SecTrustEvaluate(trust, &result); is checking if the system can trust the connection.
Your certificate has to be in the chain to be trusted. Already the first time you are using a secure connection. So in your case, I think you have to deliver a general certificate that can validate if your server is trustable.

Depending on what kind of connection you are using, you have different options of checking this. I am using a TCP connection via GCDAyncSocket and for this there is already a post that could bring you on the right way. Objective-C: eveluate server certificate signed by our own PKI (root CA) on TLS TCP connection

If you are using a https connection, you will also find lots of questions and answers here on stack.

Community
  • 1
  • 1
geo
  • 1,781
  • 1
  • 18
  • 30
  • But is there any value in verifying the trust of the certificate. I'm using this certificate for authentication with my API. I sign outgoing requests to my remote API (which happens over https), and the API verifies the signature with my public key. – Colin M May 12 '15 at 10:54