在 iPhone 应用程序中使用自签名 ssl 证书
对于这个冗长的问题,我提前表示歉意。我在使用自签名 SSL 证书时遇到问题,我想记录到目前为止我尝试过的所有内容。
我正在开发一个与 REST 服务通信的应用程序。测试服务器使用自签名 ssl 证书,我可以毫无问题地将其安装在我的计算机上。它是一个 .p12 文件,需要密码才能安装。如果没有安装此证书,对服务器的所有请求都会返回 403。.p12
在钥匙串中安装三个项目:“根证书颁发机构”、由“根证书颁发机构”颁发的“测试用户”证书以及私有证书。与“测试用户”证书关联的密钥。
我通过通过电子邮件向自己发送 .p12 文件,在我的 iPad 上安装了此证书。我点击附件,输入密码,现在可以在 Safari 中访问该网站。不幸的是,由于应用程序沙箱的存在,这不足以让我的应用程序与 REST 服务进行通信。
我使用 ASIHTTPRequest 进行应用程序中与 REST 服务的所有通信。每个请求都是 ASIHTTPRequest 的子类。我发现我必须做的第一件事是调用 [self setValidatesSecureCertificate:NO]; 这样它甚至会尝试与服务器建立 SSL 连接。如果这就是我所做的全部,我会从服务返回 403 错误代码。
现在我似乎无法弄清楚如何获取使用证书的请求。我尝试将这三个项目导出为单独的 .cer 文件,将它们包含在项目中,并使用以下代码将它们添加到请求中:
NSData *data = [NSData dataWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"cert" ofType:@"cer"]];
SecCertificateRef cert = SecCertificateCreateWithData(NULL, (CFDataRef)data);
...
[self setClientCertificates:[NSArray arrayWithObjects:(id)cert, ..., nil]];
虽然使用此方法执行代码没有问题,但我仍然收到 403 错误。
我什至尝试将 .p12 文件包含在我的应用程序中并使用相同的代码导入它。此操作失败,因为 SecCertificateCreateWithData 返回 nil。
我承认我真的不知道自己在这里做什么。这一切都有点超出我的理解,任何人能给我的任何帮助将不胜感激。
I apologize in advance for the long-winded question. I'm having trouble with a self-signed SSL cert and I want to document everything I've tried so far.
I'm working on an app that communicates with a REST service. The test server uses a self-signed ssl certificate that I can install on my computer without issue. It's a .p12 file that requires a password to install. Without this certificate installed, all requests to the server return a 403.
The .p12 installs three items in the Keychain, a "Root certificate authority", a "test user" certificate that's issued by the "Root certificate authority", and a private key that's associated with the "test user" cert.
I've installed this certificate on my iPad by emailing myself the .p12 file. I tapped on the attachment, input the password, and I can now access the site in Safari. Unfortunately, because of application sandboxing, this isn't enough to get my app to communicate with the REST service.
I'm using ASIHTTPRequest for all of the communication with the REST service from my app. Each request is a subclass of ASIHTTPRequest. The first thing I found I had to do was call [self setValidatesSecureCertificate:NO]; so that it would even attempt the SSL connection to the server. If that's all I do, I get 403 error codes back from the service.
Now I can't seem to figure out how to get the request to use the certificate. I've tried exporting the three items as separate .cer file, including them in the project and adding them to the request using the code below:
NSData *data = [NSData dataWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"cert" ofType:@"cer"]];
SecCertificateRef cert = SecCertificateCreateWithData(NULL, (CFDataRef)data);
...
[self setClientCertificates:[NSArray arrayWithObjects:(id)cert, ..., nil]];
While the code executes without issue using this approach, I still get the 403 error.
I've even tried including the .p12 file in my application and importing it using the same code. This fails because SecCertificateCreateWithData returns nil.
I admit I don't really know what I'm doing here. This is all a little over my head and any help anyone could give me would be greatly appreciated.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
好吧,我明白了。我有点找错树了。
我发现的最重要的信息是 Apple 的文档证书、密钥和信任服务编程指南,特别是“iOS 任务”页面。其中详细介绍了如何从 .p12 文件中提取安全身份以及如何添加信任例外。
最后一个难题位于 ASIHTTPRequest 的有关 客户端证书支持 的文档中。通过使用直接从 p12 文件中提取的身份,我能够将其传递给请求并正确验证所有内容。
我希望这可以帮助任何其他必须实现类似功能的人。
OK, I figured it out. I was sort of barking up the wrong tree.
The most important information I found was in Apple's documentation for Certificate, Key, and Trust Services Programming Guide, in particular, the "Tasks for iOS" page. That detailed how to extract the security identity from the .p12 file and how to add a trust exception.
The last piece of the puzzle was in ASIHTTPRequest's documentation on Client Certificate Support. By using the identity I extracted directly from the p12 file, I was able to pass that on to the request and get everything authenticated properly.
I hope this helps anyone else that has to implement a similar feature.