SecTrustEvaluate() 是否在应用程序钥匙串中查找根证书？

发布于 2024-10-12 02:26:26 字数 218 浏览 5 评论 0原文

文档说：“如果验证叶证书所需的所有证书均未包含在信任管理对象中，则 SecTrustEvaluate 会在钥匙串搜索列表（请参阅 SecTrustSetKeychains）和系统锚证书存储中（请参阅 SecTrustSetAnchorCertificates）搜索证书”。

但是，由于 SecTrustSetKeychains() 在 iOS 上不可用，因此尚不清楚此函数是否也会在应用程序的钥匙串中查找。

原文

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

无所的.畏惧 2024-10-19 02:26:27

它现在写在文档中：

注意：虽然此函数会在用户的钥匙串（或 iOS 中的应用程序钥匙串）中搜索中间证书，但它不会在这些钥匙串中搜索锚（根）证书。要添加锚证书，您必须调用 SecTrustSetAnchorCertificates。

来源： SecTrustEvaluate 文档

回复收藏 0 原文

﹎☆浅夏丿初晴 2024-10-19 02:26:27

Apple Devforums 的 eskimo1 如此回答：

SecTrustEvaluate() 是否在
应用程序钥匙串？

默认情况下不是。然而，通过从钥匙串（或任何地方）获取证书并使用 SecTrustSetAnchorCertificates 将它们应用到 SecTrust 对象，可以很容易地做到这一点。

SecTrustEvaluation /将/在您的钥匙串中找到中间证书。

回复收藏 0 原文

瀞厅☆埖开 2024-10-19 02:26:26

自从您发布以来似乎已经有一段时间了，所以我不确定您是否仍然需要答案。如果您的用例是“我遇到了 connection:didReceiveAuthenticationChallenge:，并且我想确保正在评估准确证书，那么您可以使用 iOS 内置信任方法或通过 Foundation API 做更多工作：（请注意，此处并未专门调用 SecTrustEvaulate，但可以很容易地添加它）

#import <Security/Security.h>
#import <CommonCrypto/CommonDigest.h>

从那里，您可以迭代完整的证书数组，并将其与挑战服务器信任参考的 SHA1 之类的内容进行比较：

// way #1 - iOS built-in ================================================ //
SecTrustRef trust = challenge.protectionSpace.serverTrust;
CFIndex cnt = SecTrustGetCertificateCount(trust);

// way #2 - build it in yourself from a file ============================ //
OSErr err;
NSString *path = [[NSBundle mainBundle] pathForResource:@"my.cert" 
                                                 ofType:@"der"];
NSData *derData = [NSData dataWithContentsOfFile:path];

SecCertificateRef myCert = 
    SecCertificateCreateWithData(NULL, (CFDataRef)derData);

CFMutableArrayRef array = CFArrayCreateMutable(NULL, 1, NULL);
CFArrayInsertValueAtIndex(array, 0, myCert);

err = SecTrustSetAnchorCertificates(trust, array);
if (err != errSecSuccess) {
    // do something smarter here, obviously, logging would be a start
    abort();
}
CFArrayRef certs = NULL;
err = SecTrustCopyCustomAnchorCertificates(trust, &certs);
if (err != errSecSuccess) {
    // again, better choices needed
    abort();
}
CFIndex cnt = CFArrayGetCount(certs);

// loop and compare 'em
for (int i = 0; i < cnt; i++) {
    SecCertificateRef cert = SecTrustGetCertificateAtIndex(trust, i);

    CFDataRef cdata = SecCertificateCopyData(cert);
    NSData *data = [[NSData alloc] initWithData:(NSData *)cdata];

    unsigned char digest_result[CC_SHA1_DIGEST_LENGTH];

    CC_SHA1(data.bytes, data.length, digest_result);
    // compare each byte with your in-code SHA1 bytes
    if (allBytesMatch) {
        NSURLCredential *cred = [NSURLCredential credentialForTrust:trust];
        [challenge.sender useCredential:cred 
             forAuthenticationChallenge:challenge];
    }
}
// don't forget to release & CFRelease all the alloc'ed stuff from above

Seems like it's been a while since you posted so I'm not sure if you still need the answer. If your use case is "I'm getting hit with connection:didReceiveAuthenticationChallenge:, and I'd like to make sure that exact certificate is being evaluated, then you can either use iOS built-in trust methods or do a bit more work via the Foundation APIs: (note that SecTrustEvaulate is not being called specifically here, but it could be added in quite easily)

#import <Security/Security.h>
#import <CommonCrypto/CommonDigest.h>

From there, you can iterate the full array of certs, and compare it to something like a SHA1 of the challenge's server trust reference:

// way #1 - iOS built-in ================================================ //
SecTrustRef trust = challenge.protectionSpace.serverTrust;
CFIndex cnt = SecTrustGetCertificateCount(trust);

// way #2 - build it in yourself from a file ============================ //
OSErr err;
NSString *path = [[NSBundle mainBundle] pathForResource:@"my.cert" 
                                                 ofType:@"der"];
NSData *derData = [NSData dataWithContentsOfFile:path];

SecCertificateRef myCert = 
    SecCertificateCreateWithData(NULL, (CFDataRef)derData);

CFMutableArrayRef array = CFArrayCreateMutable(NULL, 1, NULL);
CFArrayInsertValueAtIndex(array, 0, myCert);

err = SecTrustSetAnchorCertificates(trust, array);
if (err != errSecSuccess) {
    // do something smarter here, obviously, logging would be a start
    abort();
}
CFArrayRef certs = NULL;
err = SecTrustCopyCustomAnchorCertificates(trust, &certs);
if (err != errSecSuccess) {
    // again, better choices needed
    abort();
}
CFIndex cnt = CFArrayGetCount(certs);

// loop and compare 'em
for (int i = 0; i < cnt; i++) {
    SecCertificateRef cert = SecTrustGetCertificateAtIndex(trust, i);

    CFDataRef cdata = SecCertificateCopyData(cert);
    NSData *data = [[NSData alloc] initWithData:(NSData *)cdata];

    unsigned char digest_result[CC_SHA1_DIGEST_LENGTH];

    CC_SHA1(data.bytes, data.length, digest_result);
    // compare each byte with your in-code SHA1 bytes
    if (allBytesMatch) {
        NSURLCredential *cred = [NSURLCredential credentialForTrust:trust];
        [challenge.sender useCredential:cred 
             forAuthenticationChallenge:challenge];
    }
}
// don't forget to release & CFRelease all the alloc'ed stuff from above

回复收藏 0 原文

~没有更多了~