It’s a lack of features in Apple’s code, and it’s very well-known among Apple
developers. Search Apple’s developer forums (both iOS MacOS) as well as
their public bug database (IIRC, you have to be a registered Apple developer to
search those). Apple’s not going to change it, though, as the code in
question* is ONLY intended to read profiles signed by Apple’s tools — it’s not
intended to be a generic PKCS#7 parser, even though the profiles are wrapped in
a file that closely resembles PKCS#7.
As Dr. Henson previously replied (below), the order of certificates is
insignificant for PKCS#7. Again, these profiles are not really PKCS#7, and
Apple is free to modify the format at any time.
TOM
* This is also why Apple tells everyone to use OpenSSL for processing the
PKCS#7 messages for in-app purchases, not only is the API not public, but it’s
not suitable for reading anything but a very limited subset of PKCS#7 for very
limited purposes. There’ve been rumblings on the Apple-CDSA list about that
changing for years now, and while I didn’t check the iOS 7.1 APIs, I suspect
that’s still not changed).
On Apr 22, 2014, at 1:50 AM, Satish Kamavaram via RT r...@openssl.org wrote:
Hi ,
Do you have any update on this?
Thanks
SatishKumaar
-Original Message-
From: Satish Kamavaram
Sent: Friday, April 18, 2014 12:29 PM
To: 'r...@openssl.org'
Cc: openssl-dev@openssl.org; Retheesh Ravi
Subject: RE: [openssl.org #3316] Wrong trust chain with new version of
openssl
We are not sure if it is a Apple iOS bug. Below is our observation.
- If we sign the profile using the 0.9.8 version, and download the profile
from an https location, the iOS profile installer shows the profile as
Verified
- If we sign the same profile using the 1.0.1 version and download the
profile from an https location, the iOS profile installer shows the profile
as Not verified
The only difference between these two versions of openSSL visibly is, the
order in which the certificate is listed in the profile. Is there a
difference in these two versions that causes the difference in this
certificate listing order? Is there a way we can make the order same to make
it work while still using the latest version 1.0.1 of openSSL?
Thanks
SatishKumaar
-Original Message-
From: Stephen Henson via RT [mailto:r...@openssl.org]
Sent: Wednesday, April 16, 2014 11:44 PM
To: Satish Kamavaram
Cc: openssl-dev@openssl.org
Subject: [openssl.org #3316] Wrong trust chain with new version of openssl
On Wed Apr 16 19:37:20 2014, satis...@mportal.com wrote:
Hi ,
When the iOS WiFi Profile is signed using new openSSL 1.0.1 version,
it specifies the certificate chain in reverse order causing the device
not to recognize the certificate chain and show Not Verified.
However, when we sign using version 0.9.8k, the chain is included in
the correct order and the device is showing the profile as a
Verified one , at the time of showing profile installation prompt.
Is there a possibility that we will get a fix in next version of
openssl ?
I'm not sure what you mean by correct order. The order of certificates in a
PKCS#7 structure should not be considered significant and there is additional
information (issuer name and serial number) which should enable a verifier to
locate the appropriate signing certificate.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
