The docs say: “If not all the certificates needed to verify the leaf certificate are included in the trust management object, then SecTrustEvaluate searches for certificates in the keychain search list (see SecTrustSetKeychains) and in the system’s store of anchor certificates (see SecTrustSetAnchorCertificates).”
However, since SecTrustSetKeychains() is not available on iOS, it’s not clear whether this function will also look in the application’s keychain.
eskimo1 from the Apple Developer Forums answered this as follows:
Not by default. However, it's easy to make it do this by getting the certificates out of your keychain (or from wherever) and applying them to the SecTrust object using SecTrustSetAnchorCertificates.
SecTrustEvaluation /will/ find intermediate certificates in your keychain.
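The approach eskimo1 describes, as an added example that is not his code and not Apple's: certificates are read from the app keychain, handed to the SecTrust object as anchors, and only then evaluated. The keychain label "com.example.pinned-ca", the function name and the delegate class are assumptions.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Loads every certificate the app stored in its keychain under an assumed label,
// makes them the explicit anchors of the challenge's trust object, and evaluates it.
// Returns YES only when the server chain validates against those anchors.
static BOOL EvaluateServerTrustWithKeychainAnchors(SecTrustRef trust) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:      (__bridge id)kSecClassCertificate,
        (__bridge id)kSecAttrLabel:  @"com.example.pinned-ca",   // assumed label
        (__bridge id)kSecReturnRef:  @YES,
        (__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitAll,
    };
    CFTypeRef anchors = NULL;   // CFArrayRef of SecCertificateRef on success
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &anchors);
    if (status != errSecSuccess || anchors == NULL) {
        return NO;   // no stored anchors: fail closed instead of falling back
    }

    // SecTrustEvaluate does not search the app keychain for anchors on its own,
    // so supply them explicitly and restrict trust to exactly this set.
    status = SecTrustSetAnchorCertificates(trust, (CFArrayRef)anchors);
    CFRelease(anchors);
    if (status != errSecSuccess) return NO;
    if (SecTrustSetAnchorCertificatesOnly(trust, true) != errSecSuccess) return NO;

    SecTrustResultType result = kSecTrustResultInvalid;
    if (SecTrustEvaluate(trust, &result) != errSecSuccess) return NO;
    return result == kSecTrustResultUnspecified || result == kSecTrustResultProceed;
}

// Delegate hook named in the thread; accepts the credential only if the
// chain validated against the keychain anchors, otherwise cancels the challenge.
@interface PinnedConnectionDelegate : NSObject <NSURLConnectionDelegate>
@end

@implementation PinnedConnectionDelegate
- (void)connection:(NSURLConnection *)connection
        didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    SecTrustRef trust = space.serverTrust;
    if ([space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]
        && trust != NULL && EvaluateServerTrustWithKeychainAnchors(trust)) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
             forAuthenticationChallenge:challenge];
    } else {
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}
@end
```

Intermediate certificates still come from the keychain automatically, as eskimo1 notes; only the anchors have to be supplied.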
Seems like it's been a while since you posted so I'm not sure if you still need the answer. If your use case is "I'm getting hit with connection:didReceiveAuthenticationChallenge:, and I'd like to make sure that exact certificate is being evaluated", then you can either use iOS built-in trust methods or do a bit more work via the Foundation APIs (note that SecTrustEvaluate is not being called specifically here, but it could be added in quite easily):
From there, you can iterate the full array of certs, and compare it to something like a SHA1 of the challenge's server trust reference:
It's written in the doc now:
Source: SecTrustEvaluate documentation