iPhone TrustStore CA certificates

Posted on 2024-07-11 00:51:36 · 201 words · 6 views · 0 comments

Does any of you have a clue how to alter the contents of Security.framework/TrustStore.sqlite3? It seems as if the iPhone uses it to store trusted CA certificates. I really want my iPod touch to trust my custom certificate. Besides that, does any of you know an app (win32) to edit sqlite3 database files (except sqliteman, this one always crashes for me)?

Comments (6)

々眼睛长脚气 2024-07-18 00:51:36

If you have a webserver configured to serve up digital certificates with the correct mime-type then Safari on the iPhone will add them to the trust store.

mime-type for a CA certificate is "application/x-x509-ca-cert" (example here)

When Safari downloads this certificate it will ask the user if they want to trust it.

Once trusted it appears in the Settings | General | Profiles section as a Configuration Profile.

alt text http://o-regan.org/cacert.png

The certificate is also inserted into the TrustStore.sqlite3 db. Verified that by doing a backup and extracting the DB with iphone backup extractor.

I'm not sure if that now means that it is trusted for other purposes, say as an SSL root.

Hope this helps, I might investigate more if time permits.

美羊羊 2024-07-18 00:51:36

I can imagine that someone else will encounter this problem, therefore I'd like to answer how it works (Apple won't like to see that):

1st) The iPhoneOS trusts every CA certificate stored in /System/Library/Frameworks/Security.framework/TrustStore.sqlite3

2nd) Some fields in that database contain data which I did not understand, while others' meanings, like "SHA1", are quite obvious.

3rd) There are two different TrustStore.sqlite3s on your iPod/iPhone. The second one is located at /private/var/Keychains/TrustStore.sqlite3. The only difference between those is that Apple only trusts the contents of the one in Security.framework.

4th) The latter one is used to store user installed certificates (thanks, koregan), while the table layout is the same.

5th) Open your self-signed certificate using Mail or Safari and install it.

6th) Open /private/var/Keychains/TrustStore.sqlite3 using your favourite SQLite database manager and look for the row in tsettings whose "SHA1" BLOB contains the hash of your CA certificate.

7th) Extract the whole row and insert it into TrustStore.sqlite3's tsettings table.

8th) Make sure you copied the database back to the device, reboot it.

9th) By now it should totally trust those certificates which are signed by your custom CA.
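
Added example, not part of either answer above and not Apple's code: a read-only audit of a TrustStore.sqlite3 copy extracted from a backup, checking whether a given CA's fingerprint is in tsettings and listing entries that are not on an allowlist. It assumes the "SHA1" BLOB is the SHA-1 of the DER-encoded certificate; the function names, the one-column sample table and the placeholder certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import re
import sqlite3

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem):
    """Strip the PEM armour and decode the base64 body to DER bytes."""
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()))

def sha1_fingerprint(der):
    """Assumption: the "SHA1" BLOB is SHA-1 over the DER-encoded certificate."""
    return hashlib.sha1(der).digest()

def is_installed(conn, der):
    """True if tsettings has a row whose SHA1 BLOB matches this certificate."""
    row = conn.execute("SELECT 1 FROM tsettings WHERE SHA1 = ?",
                       (sha1_fingerprint(der),)).fetchone()
    return row is not None

def unexpected_roots(conn, expected):
    """Hex fingerprints present in tsettings but missing from the allowlist."""
    present = {bytes(r[0]) for r in conn.execute("SELECT SHA1 FROM tsettings")}
    return sorted(fp.hex() for fp in present - set(expected))

# Constructed sample data: placeholder byte strings stand in for DER certificates,
# and the table has only the one column the page names (the real one has more).
CORP_CA_DER = b"constructed-placeholder-corp-ca"
CUSTOM_CA_DER = b"constructed-placeholder-custom-ca"

def build_sample_store():
    # For a real extracted copy, open it read-only instead:
    # sqlite3.connect("file:TrustStore.sqlite3?mode=ro", uri=True)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tsettings (SHA1 BLOB PRIMARY KEY)")
    conn.executemany("INSERT INTO tsettings VALUES (?)",
                     [(sha1_fingerprint(d),) for d in (CORP_CA_DER, CUSTOM_CA_DER)])
    return conn

if __name__ == "__main__":
    store = build_sample_store()
    print("custom CA installed:", is_installed(store, CUSTOM_CA_DER))
    print("not on allowlist:", unexpected_roots(store, [sha1_fingerprint(CORP_CA_DER)]))
```

Running the allowlist check against each extracted copy makes an unexpected trusted root visible as a hex fingerprint that can be compared with the certificate shown under Settings.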

澉约 2024-07-18 00:51:36

You can use iPhone Configuration Utility to install certificates.

许仙没带伞 2024-07-18 00:51:36

For the second part of your question, I've used the SQLite extension for Firefox to create and edit sqlite db files.

addons.mozilla.org

通知家属抬走 2024-07-18 00:51:36

To install your own CA certificate in iOS 13 (Simulator or Phone/Pad)

  1. Place your CA certificate on a website, make sure it has a .crt extension (like MyCA.crt).
  2. Go to Safari in the Simulator
  3. Download the certificate, choose Yes to Install the 'Profile' when prompted
  4. Go to settings in the Simulator
    General > Profile > [Your Certificate] and click install
  5. Go to settings in the Simulator
    General > Info > Trusted Certificates
    Find your certificate and toggle the switch to On.

Your CA is now trusted. In older versions of the simulator you could just drag your certificate on the simulator but that no longer seems to work.

Remember that Apple limits the validation duration of your certificates so don't make them valid for 10 years but choose a shorter time.

If you fail at the first step then this is probably because your webserver doesn't recognise the .crt extension. Common web servers like Apache should work fine.

  • @Apple: I would expect a setting in the developer options in the simulator to just accept insecure certificates but honestly for the first time in many years the process to install your own CA is easier (AFAIK) on iOS than Android 10!

海螺姑娘 2024-07-18 00:51:36

Since iOS 11 the TrustStore is located at: /System/Library/Security/Certificates.bundle instead of the usual location: /System/Library/Frameworks/Security.framework
