jianminzhao approved these changes on Jul 8, 2025

jianminzhao added a commit that referenced this pull request on Jul 9, 2025:

CBL-7156 : Fix iOS cert chain deletion to handle self-signed roots and ensure safe removal (#2303)
CBL-7125: c4Log sometimes does not log anything (#2302)
9bf748f
c4PeerDiscovery.hh no longer uses nonpublic headers (#2301)
Included in EE: CBL-7147: MultipeerReplicator forces its own auth dictionary (#63)
Problem
In version 3.3.0, we enhanced the TLSIdentity API to support creating identities signed by an issuer. These identities include a certificate chain (leaf + root), all saved into the Keychain. However, when deleting the identity using the persistent label, only the leaf certificate was removed — the root or intermediate certs remained.
The root cause is that the deletion logic in Cert::deleteCert(const std::string &persistentID) relies on checking whether a certificate is an issuer for other certs. Basically, this check skips deleting certificates with multiple children. However, it doesn’t account for self-signed root certs, which are their own issuers, resulting in the root cert not being deleted.
Fixes
* Updated the deletion logic to correctly handle and delete self-signed root certificates.
* To prevent accidental deletion of unrelated certs, we now assign a shared label (kSharedCertLabel) to all non-leaf certificates saved via LiteCore. During deletion, we verify this label to ensure only certs saved by LiteCore are removed.
* In addition, remove the obsolete code in PublicKey+Apple.mm that supports macOS < 12.0 and iOS < 15.0 (in 3.3.0, we support macOS 12.0+ and iOS 15.0+).
Note to Reviewers
The main change is in the void Cert::deleteCert(const std::string &persistentID) and Cert::save(const std::string &persistentID, bool entireChain) functions. I have tested the fix with TLSIdentityTests in the CBL-iOS project.
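As an added example (not LiteCore's own code), the following C++ models the chain-deletion check discussed in the description above, with an in-memory store standing in for the Keychain; the `fixed` flag switches between the pre-fix issuer check, which counts a self-signed root as its own child, and the corrected check that ignores the self-reference and also requires the shared label. StoredCert, deleteCertChain and the label's string value are assumptions.

```cpp
// Added example, not LiteCore's code: in-memory model of the Keychain chain
// deletion described above. kSharedCertLabel's value is assumed.
#include <algorithm>
#include <cstddef>
#include <string>
#include <vector>
struct StoredCert {
    std::string subject, issuer;  // issuer == subject for a self-signed root
    std::string label;            // persistent ID for a leaf, kSharedCertLabel for chain certs
};
static const std::string kSharedCertLabel = "LiteCore-shared-cert";  // assumed value
// True if some *other* stored cert was issued by `c`. Before the fix a self-signed
// root matched itself here and so was never deleted.
static bool isIssuerForOthers(const std::vector<StoredCert>& store, const StoredCert& c, bool fixed) {
    for (const auto& o : store) {
        if (o.issuer != c.subject) continue;
        if (fixed && o.subject == c.subject) continue;  // ignore the root's self-reference
        return true;
    }
    return false;
}
// Delete the leaf saved under `persistentID`, then walk up its issuer chain.
// `fixed` selects the corrected behaviour. Returns the number of certs removed.
std::size_t deleteCertChain(std::vector<StoredCert>& store, const std::string& persistentID, bool fixed) {
    auto leaf = std::find_if(store.begin(), store.end(),
                             [&](const StoredCert& c) { return c.label == persistentID; });
    if (leaf == store.end()) return 0;
    bool atRoot = leaf->issuer == leaf->subject;
    std::string next = leaf->issuer;
    store.erase(leaf);
    std::size_t removed = 1;
    while (!atRoot) {
        auto parent = std::find_if(store.begin(), store.end(),
                                   [&](const StoredCert& c) { return c.subject == next; });
        if (parent == store.end()) break;                       // rest of chain not stored
        if (fixed && parent->label != kSharedCertLabel) break;  // not saved by LiteCore: keep
        if (isIssuerForOthers(store, *parent, fixed)) break;    // another cert still needs it
        atRoot = parent->issuer == parent->subject;
        next = parent->issuer;
        store.erase(parent);
        ++removed;
    }
    return removed;
}
// Constructed sample: one identity (leaf + self-signed root) saved by LiteCore.
std::vector<StoredCert> sampleStore() {
    return {{"CN=device-1", "CN=LiteCore Root", "device-1-id"},
            {"CN=LiteCore Root", "CN=LiteCore Root", kSharedCertLabel}};
}
```

Deleting device-1 with the corrected logic removes both certs; with the old check the root survives, and it is also kept whenever another stored cert still chains to it or it was not saved under the shared label.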