SecTrustEvaluate() 是否在应用程序钥匙串中查找根证书?

发布于 2024-10-12 02:26:26 字数 218 浏览 9 评论 0原文

文档说:“如果验证叶证书所需的所有证书均未包含在信任管理对象中,则 SecTrustEvaluate 会在钥匙串搜索列表(请参阅 SecTrustSetKeychains)和系统锚证书存储中(请参阅 SecTrustSetAnchorCertificates)搜索证书”。

但是,由于 SecTrustSetKeychains() 在 iOS 上不可用,因此尚不清楚此函数是否也会在应用程序的钥匙串中查找。

The docs say: “If not all the certificates needed to verify the leaf certificate are included in the trust management object, then SecTrustEvaluate searches for certificates in the keychain search list (see SecTrustSetKeychains) and in the system’s store of anchor certificates (see SecTrustSetAnchorCertificates).”

However, since SecTrustSetKeychains() is not available on iOS, it’s not clear whether this function will also look in the application’s keychain.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

无所的.畏惧 2024-10-19 02:26:27

它现在写在文档中:

注意:虽然此函数会在用户的钥匙串(或 iOS 中的应用程序钥匙串)中搜索中间证书,但它不会在这些钥匙串中搜索锚(根)证书。要添加锚证书,您必须调用 SecTrustSetAnchorCertificates。

来源: SecTrustEvaluate 文档

It's written in the doc now:

Note: Although this function searches the user’s keychain (or the application keychain in iOS) for intermediate certificates, it does not search those keychains for anchor (root) certificates. To add an anchor certificate, you must call SecTrustSetAnchorCertificates.

Source: SecTrustEvaluate documentation

﹎☆浅夏丿初晴 2024-10-19 02:26:27

Apple Devforums 的 eskimo1 如此回答:

  1. SecTrustEvaluate() 是否在
    应用程序钥匙串?

默认情况下不是。然而,通过从钥匙串(或任何地方)获取证书并使用 SecTrustSetAnchorCertificates 将它们应用到 SecTrust 对象,可以很容易地做到这一点。

SecTrustEvaluation /将/在您的钥匙串中找到中间证书。

eskimo1 from Apple Devforums answered this so:

  1. Does SecTrustEvaluate() look for root certificates in the
    application keychain?

Not by default. However, it's easy to make it do this by getting the certificates out of your keychain (or from wherever) and applying them to the SecTrust object using SecTrustSetAnchorCertificates.

SecTrustEvaluation /will/ find intermediate certificates in your keychain.

瀞厅☆埖开 2024-10-19 02:26:26

自从您发布以来似乎已经有一段时间了,所以我不确定您是否仍然需要答案。如果您的用例是“我遇到了 connection:didReceiveAuthenticationChallenge:,并且我想确保正在评估准确证书,那么您可以使用 iOS 内置信任方法或通过 Foundation API 做更多工作:(请注意,此处并未专门调用 SecTrustEvaulate,但可以很容易地添加它)

#import <Security/Security.h>
#import <CommonCrypto/CommonDigest.h>

从那里,您可以迭代完整的证书数组,并将其与挑战服务器信任参考的 SHA1 之类的内容进行比较:

// way #1 - iOS built-in ================================================ //
SecTrustRef trust = challenge.protectionSpace.serverTrust;
CFIndex cnt = SecTrustGetCertificateCount(trust);

// way #2 - build it in yourself from a file ============================ //
OSErr err;
NSString *path = [[NSBundle mainBundle] pathForResource:@"my.cert" 
                                                 ofType:@"der"];
NSData *derData = [NSData dataWithContentsOfFile:path];

SecCertificateRef myCert = 
    SecCertificateCreateWithData(NULL, (CFDataRef)derData);

CFMutableArrayRef array = CFArrayCreateMutable(NULL, 1, NULL);
CFArrayInsertValueAtIndex(array, 0, myCert);

err = SecTrustSetAnchorCertificates(trust, array);
if (err != errSecSuccess) {
    // do something smarter here, obviously, logging would be a start
    abort();
}
CFArrayRef certs = NULL;
err = SecTrustCopyCustomAnchorCertificates(trust, &certs);
if (err != errSecSuccess) {
    // again, better choices needed
    abort();
}
CFIndex cnt = CFArrayGetCount(certs);

// loop and compare 'em
for (int i = 0; i < cnt; i++) {
    SecCertificateRef cert = SecTrustGetCertificateAtIndex(trust, i);

    CFDataRef cdata = SecCertificateCopyData(cert);
    NSData *data = [[NSData alloc] initWithData:(NSData *)cdata];

    unsigned char digest_result[CC_SHA1_DIGEST_LENGTH];

    CC_SHA1(data.bytes, data.length, digest_result);
    // compare each byte with your in-code SHA1 bytes
    if (allBytesMatch) {
        NSURLCredential *cred = [NSURLCredential credentialForTrust:trust];
        [challenge.sender useCredential:cred 
             forAuthenticationChallenge:challenge];
    }
}
// don't forget to release & CFRelease all the alloc'ed stuff from above

Seems like it's been a while since you posted so I'm not sure if you still need the answer. If your use case is "I'm getting hit with connection:didReceiveAuthenticationChallenge:, and I'd like to make sure that exact certificate is being evaluated, then you can either use iOS built-in trust methods or do a bit more work via the Foundation APIs: (note that SecTrustEvaulate is not being called specifically here, but it could be added in quite easily)

#import <Security/Security.h>
#import <CommonCrypto/CommonDigest.h>

From there, you can iterate the full array of certs, and compare it to something like a SHA1 of the challenge's server trust reference:

// way #1 - iOS built-in ================================================ //
SecTrustRef trust = challenge.protectionSpace.serverTrust;
CFIndex cnt = SecTrustGetCertificateCount(trust);

// way #2 - build it in yourself from a file ============================ //
OSErr err;
NSString *path = [[NSBundle mainBundle] pathForResource:@"my.cert" 
                                                 ofType:@"der"];
NSData *derData = [NSData dataWithContentsOfFile:path];

SecCertificateRef myCert = 
    SecCertificateCreateWithData(NULL, (CFDataRef)derData);

CFMutableArrayRef array = CFArrayCreateMutable(NULL, 1, NULL);
CFArrayInsertValueAtIndex(array, 0, myCert);

err = SecTrustSetAnchorCertificates(trust, array);
if (err != errSecSuccess) {
    // do something smarter here, obviously, logging would be a start
    abort();
}
CFArrayRef certs = NULL;
err = SecTrustCopyCustomAnchorCertificates(trust, &certs);
if (err != errSecSuccess) {
    // again, better choices needed
    abort();
}
CFIndex cnt = CFArrayGetCount(certs);

// loop and compare 'em
for (int i = 0; i < cnt; i++) {
    SecCertificateRef cert = SecTrustGetCertificateAtIndex(trust, i);

    CFDataRef cdata = SecCertificateCopyData(cert);
    NSData *data = [[NSData alloc] initWithData:(NSData *)cdata];

    unsigned char digest_result[CC_SHA1_DIGEST_LENGTH];

    CC_SHA1(data.bytes, data.length, digest_result);
    // compare each byte with your in-code SHA1 bytes
    if (allBytesMatch) {
        NSURLCredential *cred = [NSURLCredential credentialForTrust:trust];
        [challenge.sender useCredential:cred 
             forAuthenticationChallenge:challenge];
    }
}
// don't forget to release & CFRelease all the alloc'ed stuff from above
~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文