What causes kSecTrustResultRecoverableTrustFailure?

Published 2024-12-08 23:25:25 · 581 characters · 0 views · 0 comments


I'd like to validate my SSL server certificates with some extra checks. And sometimes I get a

kSecTrustResultRecoverableTrustFailure

instead of

kSecTrustResultProceed or kSecTrustResultUnspecified

It seems to happen if

  • the certificate is MD5 hashed (iOS 5)
  • the server does not present the root and intermediate certificates
  • SecTrustSetAnchorCertificatesOnly(trust, YES) is set and the anchor certificate is only in the built-in anchor certificates
  • the certificate is expired
  • ?

It depends on the AppleX509TP policy used to evaluate the trust.

My problem is I do not want to trust if the chain fails, but I want to trust if MD5 is used.

Is there a way to find out why the evaluation failed?

As an alternative, is there a way to extract the CSSM_ALGID_MD5 from a SecCertificateRef?


Comments (2)

心凉 2024-12-15 23:25:26


It may be a server certificate problem...

Check here: I solved my kSecTrustResultRecoverableTrustFailure problem by adding subjectAltName = DNS:example.com to the openssl config file, specifically in the server key generation...

If you are not using openssl to generate it, I'm sorry, but I can help you... Anyway, if you want to use openssl, here is a good tutorial to generate those keys and sign them with your own root certificate authority.

From this tutorial, I just changed my openssl server config file to:

    [ server ]
    basicConstraints = critical,CA:FALSE
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    nsCertType = server
    subjectAltName = IP:10.0.1.5,DNS:office.totendev.com
    

Hope it helps!

EDITED:

My server evaluation code:

    #pragma mark - SERVER Auth Helper

    // Validate the server certificate presented with an authentication challenge
    + (BOOL)validateServerWithChallenge:(NSURLAuthenticationChallenge *)challenge {
        SecTrustRef serverTrust = [challenge.protectionSpace serverTrust];
        // Give the trust object our own anchor certificates to validate against ...
        SecTrustSetAnchorCertificates(serverTrust, (__bridge CFArrayRef)[self allowedCAcertificates]);
        // ... and allow ONLY those anchors, disabling the built-in Apple CA trust store
        SecTrustSetAnchorCertificatesOnly(serverTrust, YES);
        // Try to evaluate it
        SecTrustResultType evaluateResult = kSecTrustResultInvalid;
        OSStatus sanityCheck = SecTrustEvaluate(serverTrust, &evaluateResult);
        // Accept only if the evaluation itself succeeded AND the result is a trusted one
        if (sanityCheck == errSecSuccess) {
            if ([[self class] validateTrustResult:evaluateResult]) { return YES; }
        }
        // deny!
        return NO;
    }

    // Map a SecTrustResultType to an accept (YES) / deny (NO) decision
    + (BOOL)validateTrustResult:(SecTrustResultType)result {
        switch (result) {
            case kSecTrustResultProceed:
                TDLog(kLogLevelHandshake, nil, @"kSecTrustResultProceed");
                return YES;
            case kSecTrustResultConfirm:   // deprecated result, still returned on the iOS 5 target
                TDLog(kLogLevelHandshake, nil, @"kSecTrustResultConfirm");
                return YES;
            case kSecTrustResultUnspecified:
                TDLog(kLogLevelHandshake, nil, @"kSecTrustResultUnspecified");
                return YES;
            case kSecTrustResultDeny:      // the user explicitly denied this cert: never accept it
                TDLog(kLogLevelHandshake, nil, @"kSecTrustResultDeny");
                return NO;
            case kSecTrustResultFatalTrustFailure:
                TDLog(kLogLevelHandshake, nil, @"kSecTrustResultFatalTrustFailure");
                return NO;
            case kSecTrustResultInvalid:
                TDLog(kLogLevelHandshake, nil, @"kSecTrustResultInvalid");
                return NO;
            case kSecTrustResultOtherError:
                TDLog(kLogLevelHandshake, nil, @"kSecTrustResultOtherError");
                return NO;
            case kSecTrustResultRecoverableTrustFailure:
                TDLog(kLogLevelHandshake, nil, @"kSecTrustResultRecoverableTrustFailure");
                return NO;
            default:
                TDLog(kLogLevelHandshake, nil, @"unknown certificate evaluate result type! denying...");
                return NO;
        }
    }

Hope now it helps :) !

夜深人未静 2024-12-15 23:25:26


Is there a way to find out why the evaluation failed?

Call SecTrustCopyProperties() after calling SecTrustEvaluate():

    SecTrustRef trust = ...;
    SecTrustResultType trustResult = kSecTrustResultOtherError;
    OSStatus status = SecTrustEvaluate(trust, &trustResult);
    if (status == errSecSuccess && trustResult == kSecTrustResultRecoverableTrustFailure) {
        // one dictionary per certificate in the evaluated chain
        NSArray *trustProperties = (__bridge_transfer NSArray *)SecTrustCopyProperties(trust);
    }

trustProperties is an array of dictionaries, one per cert in the evaluated chain. Every dictionary has a title entry containing the name of the cert, and if the cert didn't evaluate it also has an error entry containing the error. E.g. if the problem was that the cert has expired, the value of error will be CSSMERR_TP_CERT_EXPIRED.
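Putting this answer together with the question's requirement (deny when the chain fails, but see exactly which certificate produced which error), here is an added Objective-C example; it is not part of the answer above. The function name, the `allowedErrors` allow-list and the `outErrors` parameter are my own; `kSecPropertyTypeTitle` and `kSecPropertyTypeError` are the Security framework keys for the title and error entries described above.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical helper (not from the answer): evaluate `trust` and, on
// kSecTrustResultRecoverableTrustFailure, inspect SecTrustCopyProperties()
// to learn which certificate failed and with which error string
// (e.g. CSSMERR_TP_CERT_EXPIRED). A recoverable failure is accepted only
// when every reported error is in `allowedErrors`; an empty set denies all.
static BOOL EvaluateTrustWithDiagnostics(SecTrustRef trust,
                                         NSSet *allowedErrors,
                                         NSArray **outErrors)
{
    SecTrustResultType result = kSecTrustResultInvalid;
    OSStatus status = SecTrustEvaluate(trust, &result);
    if (status != errSecSuccess) {
        NSLog(@"SecTrustEvaluate failed with OSStatus %d", (int)status);
        return NO;
    }
    if (result == kSecTrustResultProceed || result == kSecTrustResultUnspecified) {
        return YES;                      // chain built and verified: trust it
    }
    if (result != kSecTrustResultRecoverableTrustFailure) {
        return NO;                       // Deny, Invalid, Fatal, OtherError: never trust
    }

    // One dictionary per certificate in the evaluated chain (leaf first).
    NSArray *properties = (__bridge_transfer NSArray *)SecTrustCopyProperties(trust);
    NSMutableArray *errors = [NSMutableArray array];
    for (NSDictionary *certInfo in properties) {
        NSString *title = certInfo[(__bridge id)kSecPropertyTypeTitle];
        NSString *error = certInfo[(__bridge id)kSecPropertyTypeError];
        if (error.length == 0) continue; // this certificate evaluated cleanly
        NSLog(@"certificate \"%@\" failed: %@", title, error);
        [errors addObject:error];
    }
    if (outErrors) *outErrors = [errors copy];

    if (errors.count == 0) {
        return NO;                       // recoverable failure with no stated reason: deny
    }
    for (NSString *error in errors) {
        if (![allowedErrors containsObject:error]) {
            return NO;                   // at least one failure we did not choose to accept
        }
    }
    return YES;
}
```

The MD5 case from the question can only be allow-listed if the policy reports it as a distinct error string, so log the values from a real failing chain before adding anything to `allowedErrors`.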
