SecPKCS12Import returns different results on iOS 11 than on iOS 10

Question

This function takes as an argument Base64 encoded PKCS#12 certificate string which is then decoded and passed to SecPKCS12Import function. After update to iOS 11 the SecPKCS12Import, yields different results. The securityError returns 0 on both OS versions.

let securityError: OSStatus = SecPKCS12Import(decodedData!, options, &items)

Returns list of 0 items. Whereas on iOS 10 I get 1 item in the array.

func certificateFromCertificate(certP12: String, psswd: String) -> SecCertificate {
    let decodedData = NSData(base64Encoded: certP12, options:NSData.Base64DecodingOptions(rawValue: 0))

    let keytmp : NSString = kSecImportExportPassphrase as NSString
    let options : NSDictionary = [keytmp : psswd]

    var certificateRef: SecCertificate? = nil

    var items : CFArray?

    let securityError: OSStatus = SecPKCS12Import(decodedData!, options, &items)

    let theArray: CFArray = items!
    if securityError == noErr && CFArrayGetCount(theArray) > 0 {
        let newArray = theArray as [AnyObject] as NSArray
        let dictionary = newArray.object(at: 0)
        let secIdentity = (dictionary as AnyObject)[kSecImportItemIdentity as String] as! SecIdentity
        let securityError = SecIdentityCopyCertificate(secIdentity , &certificateRef)
        if securityError != noErr {
            certificateRef = nil
        }
    }

    certificate = certificateRef

    return certificateRef!
}

The is a post on Apple Developer forum saying that SecPKCS12Import implemented automatic conversion from Base64. This would mean I should decode plain certificate prior passing it to the function. Can this be the issue?

I have submitted post to Apple Forum and also Technical Support incident.

Development environment:

Programming language: Swift 3

Debug device: Apple iPad mini Retina Wi-Fi 32GB ME280SL/A

Development device: iMAC mini Xcode version 9.0 9A235

Answer 1

Using Xcode Version 9.0.1 (9A1004) and Apple Swift version 4.0 (swiftlang-900.0.65.2 clang-900.0.37), I am able to get normal results from your function. Also works with Swift language set to 3.2.

In the post you referenced, @eskimo said (bolding mine):

Your options here are:

• File a compatibility bug against iOS 11 beta and hope that it gets fixed before GM
• Change your app to use SecPKCS12Import in the documented way, that is, undo the Base64 decoding

It appears that someone filed a bug, and the problem has been fixed (made to work as originally documented). There is no automatic decoding from Base64. You're right to provide the decoding.