Well, I have good news and bad news. I have a friend who is a security expert on Mac/iOS, and he is doing a lot of work in this area. He actually had to do something quite similar. The info I got from him is as follows. But the bad news is there is no command line way to do it - you will most likely have to spin a Mac app to do it, using the techniques below.

-- technique ---

The certificate inside that XML file ... is read into an NSData object; though usually there are 3 certificates; at least in Apple-generated profiles. Dunno if that's the case.

If there are 3 certificates it's usually enough to check that one of them (usually the last one) is called "Apple Root CA" and has the SHA1 value of hex "611E5B662C593A08FF58D14AE22452D198DF6C60" - I use the SHA1 function in openssl.h for that.

If there's only one certificate that's probably the leaf certificate. To check if that's OK, it's more complicated, since you usually need a complete "trust chain" for verification.

In any case, you have to link against Security.framework, call SecCertificateCreateWithData() with the NSData (suitably cast) to get a SecCertificateRef.

A relative shortcut then might be to call SecCertificateCopyValues() to get the "Authority Key Identifier ( 2.5.29.35 )" field (the dictionary key for that seems to be kSecOIDAuthorityKeyIdentifier) and check if this field's value is hex "E7342A2E22DE39606BB494CE7783612F31A07C35" which seems to be true for all Apple-issued certificates. The return from SecCertificateCopyValues() is a nested dictionary-of-dictionaries, so you have to drill down to find this.

The full and complete answer would be to pass the certificate ref to SecTrustSettingsCopyTrustSettings() with, successively, kSecTrustSettingsDomainUser, kSecTrustSettingsDomainAdmin, kSecTrustSettingsDomainSystem, checking if the certificate is either explicitly trusted or not. Unless the intermediate certificate is installed on the machine, that will probably fail if it's a leaf certificate.
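Added here as an example, not code from the answer above or from Apple's Security.framework: the two identification checks the answer describes (the SHA-1 fingerprint of "Apple Root CA" and the Authority Key Identifier of Apple-issued certificates), done in plain Python over the profile's XML plist so they can be scripted without a Mac app. It assumes the plist has already been unwrapped from the CMS envelope of the .mobileprovision file (on macOS, `security cms -D -i profile.mobileprovision` writes out the XML) and that the certificates sit in the profile's DeveloperCertificates array. The certificates in the sample are constructed stand-ins built by the tiny `der()` helper, not real certificates, and the minimal DER walker handles single-byte tags only, which is all X.509 needs.

```python
import hashlib
import plistlib

# Values quoted in the answer above: SHA-1 fingerprint of "Apple Root CA" and the
# Authority Key Identifier the answer reports on Apple-issued certificates.
APPLE_ROOT_CA_SHA1 = "611E5B662C593A08FF58D14AE22452D198DF6C60"
APPLE_ISSUED_AKI = "E7342A2E22DE39606BB494CE7783612F31A07C35"

# DER content octets of OID 2.5.29.35 (id-ce-authorityKeyIdentifier).
OID_AUTHORITY_KEY_ID = bytes.fromhex("551D23")


def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos (single-byte tags); return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def iter_tlvs(buf):
    """Yield (tag, value) for each sibling TLV inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value


def find_authority_key_identifier(cert_der):
    """Return the AKI keyIdentifier as upper-case hex, or None if absent or the DER is malformed."""
    def walk(buf):
        for tag, value in iter_tlvs(buf):
            if not (tag & 0x20):        # primitive type: nothing to descend into
                continue
            parts = list(iter_tlvs(value))
            if tag == 0x30 and parts and parts[0] == (0x06, OID_AUTHORITY_KEY_ID):
                # Extension ::= SEQUENCE { extnID, critical OPTIONAL, extnValue OCTET STRING }
                _, aki_seq, _ = read_tlv(parts[-1][1], 0)   # AuthorityKeyIdentifier SEQUENCE
                for t, v in iter_tlvs(aki_seq):
                    if t == 0x80:       # [0] IMPLICIT keyIdentifier
                        return v.hex().upper()
                return None
            found = walk(value)
            if found is not None:
                return found
        return None
    try:
        return walk(cert_der)
    except (IndexError, ValueError):
        return None


def sha1_fingerprint(cert_der):
    """SHA-1 over the whole DER certificate, the fingerprint form used in the answer's root check."""
    return hashlib.sha1(cert_der).hexdigest().upper()


def certificates_from_profile(plist_xml):
    """DER certificates from the DeveloperCertificates array of a CMS-unwrapped profile plist."""
    profile = plistlib.loads(plist_xml)
    return [bytes(c) for c in profile.get("DeveloperCertificates", [])]


def check_profile(plist_xml):
    """Summarise which embedded certificates look like Apple's root or Apple-issued leaves."""
    certs = certificates_from_profile(plist_xml)
    prints = [sha1_fingerprint(c) for c in certs]
    return {
        "count": len(certs),
        "fingerprints": prints,
        "has_apple_root_ca": APPLE_ROOT_CA_SHA1 in prints,
        "apple_issued_aki": [find_authority_key_identifier(c) == APPLE_ISSUED_AKI for c in certs],
    }


# --- constructed sample input (stand-ins, not real certificates) -----------------------

def der(tag, content):
    """Tiny DER encoder used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


# tbsCertificate -> [3] extensions -> one AKI extension carrying the Apple-issued AKI value.
AKI_EXTENSION = der(0x30, der(0x06, OID_AUTHORITY_KEY_ID)
                    + der(0x04, der(0x30, der(0x80, bytes.fromhex(APPLE_ISSUED_AKI)))))
FAKE_CERT_WITH_APPLE_AKI = der(0x30, der(0x30, der(0xA3, der(0x30, AKI_EXTENSION))))
# A stand-in with no extensions at all (just [0] version and a serial number).
FAKE_CERT_NO_AKI = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")))

SAMPLE_PROFILE_XML = plistlib.dumps(
    {"Name": "Constructed sample profile",
     "DeveloperCertificates": [FAKE_CERT_WITH_APPLE_AKI, FAKE_CERT_NO_AKI]},
    fmt=plistlib.FMT_XML)

if __name__ == "__main__":
    print(check_profile(SAMPLE_PROFILE_XML))
```

Both checks only identify what a certificate claims about itself: a matching fingerprint says the blob is byte-identical to the known root, and a matching AKI says the certificate names an Apple key as its issuer, but neither verifies a signature or builds a chain. That is what the SecTrust calls in the answer do, so treat this as triage for profiles collected off the device, not as the trust decision itself.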