0

我正在使用Apple 的示例代码来评估 X509 证书。我进行了一些修改以从我的捆绑包中获取证书(仅更改了文件名)。

当我运行它时,它总是与comment 5 status = SecTrustEvaluate(myTrust, &trustResult);. 我总是EXC_BAD_ACCESS在那里。

- (BOOL)validateCertificate
{
    NSString *thePath = [[NSBundle mainBundle] pathForResource:@"user_signed_cert" ofType:@"crt"];
    NSData *certData = [[NSData alloc]
                        initWithContentsOfFile:thePath];
    CFDataRef myCertData = (__bridge_retained CFDataRef)certData; //1
    SecCertificateRef myCert;
    myCert = SecCertificateCreateWithData(NULL, myCertData); //2
    SecPolicyRef myPolicy = SecPolicyCreateBasicX509(); //3
    SecCertificateRef certArray[1] = { myCert };
    CFArrayRef myCerts = CFArrayCreate(
                                       NULL, (void *)certArray,
                                       1, NULL);
    SecTrustRef myTrust;
    OSStatus status = SecTrustCreateWithCertificates(
                                                     myCerts,
                                                     myPolicy,
                                                     &myTrust); //4
    SecTrustResultType trustResult;
    if (status == noErr) {
        status = SecTrustEvaluate(myTrust, &trustResult); //5 }

        NSLog(@"Status: %d", status);
        //6 if (trustResult == kSecTrustResultRecoverableTrustFailure) {
    }

    if (myPolicy)
        CFRelease(myPolicy);
}

有谁知道这里出了什么问题?

提前致谢!

更新#1:我已将其更改为以下内容,但没有任何变化。上相同的 EXC_BAD_ACCESS SecTrustEvaluate()

NSMutableArray *temp = [[NSMutableArray alloc] init];
[temp addObject:certData];
OSStatus status = SecTrustCreateWithCertificates((__bridge CFArrayRef)temp, myPolicy, &myTrust);

之后似乎status是空的,SecTrustCreateWithCertificates()但不包含错误。

还有其他建议有什么问题吗?

更新 #2:我已经尝试了下面提到的解决方案并总是收到kSecTrustResultInvalid. 我只更改了 CA 证书创建以存储私钥,ca.key因为在签署请求 ( client.csr) 时,我收到以下错误消息:

Signature ok
subject=/CN=foo-by-ZeeCA
Getting CA Private Key
unable to load CA Private Key

此外,我不得不将签名请求命令更改为openssl x509 -CA ca.pem -in client.csr -CAkey ca.key -req -set_serial 1 -out client.pem. (补充-CAkey ca.key

然后我在下面的解决方案中使用了代码,并从包中添加了我的路径。此外,我还为状态添加了一个开关盒。

/*
 # CA
 openssl req -x509 -new -subj /CN=ZeeCA -keyout ca.key -nodes -set_serial 1 > ca.pem
 openssl x509 -outform DER -out ca.der -in ca.pem

 # create andsign client
 openssl req  -new -subj /CN=foo-by-ZeeCA -CAkey ca.key  -keyout client.key -nodes > client.csr
 openssl x509 -CA ca.pem -in client.csr -req -set_serial 1  -out client.pem

 # format for client identity import
 openssl pkcs12 -export -out client.12 -inkey client.key -in client.pem -CAfile ca.pem -password pass:1234

 # format for trust.
 openssl x509 -in client.pem -out client.der -outform der

 */

NSString *clientPath = [[NSBundle mainBundle] pathForResource:@"client" ofType:@"der"];

//NSString *thePath = @"XXXX/client.der";

NSData *certData = [[NSData alloc]
                    initWithContentsOfFile:clientPath];
CFDataRef myCertData = (__bridge_retained CFDataRef)certData; //1

assert(myCertData);

SecCertificateRef myCert;
myCert = SecCertificateCreateWithData(NULL, myCertData); //2

assert(myCert);

SecPolicyRef myPolicy = SecPolicyCreateBasicX509(); //3

NSArray * certArray = [NSArray arrayWithObject:(__bridge id)(myCert)];

SecTrustRef myTrust;
OSStatus status = SecTrustCreateWithCertificates(
                                                 (__bridge CFArrayRef)certArray,
                                                 myPolicy,
                                                 &myTrust); //4

NSString *caPath = [[NSBundle mainBundle] pathForResource:@"ca" ofType:@"der"];
NSData *caData = [[NSData alloc]
                  initWithContentsOfFile:caPath];
CFDataRef myCaData = (__bridge_retained CFDataRef)caData; 
SecCertificateRef myCA = SecCertificateCreateWithData(NULL, myCaData); 
assert(myCA);

NSArray * myCAs = [NSArray arrayWithObject:(__bridge id)(myCA)];

SecTrustResultType xxx = SecTrustSetAnchorCertificates(myTrust, (__bridge CFArrayRef)(myCAs));
if (xxx != noErr) {
    NSLog(@"SecTrustSetAnchorCertificates failed: %d", xxx);
}


SecTrustResultType trustResult;
if (status == noErr) {
    status = SecTrustEvaluate(myTrust, &trustResult); //5 }        
    NSLog(@"Status: %d", status);
}

if (myPolicy)
    CFRelease(myPolicy);

if (status == noErr) {
    status = SecTrustEvaluate(myTrust, &trustResult); //5 }

    switch (status) {
        case kSecTrustResultProceed: // 1
            NSLog(@"Proceed");
            break;
        case kSecTrustResultConfirm: // 2
            NSLog(@"Confirm");
            break;
        case kSecTrustResultUnspecified: // 4
            NSLog(@"Unspecified");
            break;
        case kSecTrustResultRecoverableTrustFailure:  // 5
            NSLog(@"TrustFailure");
            break;
        case kSecTrustResultDeny: // 3
            NSLog(@"Deny");
            break;
        case kSecTrustResultFatalTrustFailure: // 6
            NSLog(@"FatalTrustFailure");
            break;
        case kSecTrustResultOtherError: // 7
            NSLog(@"OtherError");
            break;
        case kSecTrustResultInvalid: // 0
            NSLog(@"Invalid");
            break;
        default:
            NSLog(@"Default");
            break;
    }        
}
4

1 回答 1

0

我认为您的问题出在数组的数组中。我使用下面的代码 - 即在您所谓的 myCerts 中传递一个简单的 SecCertificateRef 平面数组。

        NSMutableArray *serverChain = [NSMutableArray array];
        for(int i = 0; i < SecTrustGetCertificateCount(secTrustRef); i++)
            [serverChain addObject:(__bridge id)(SecTrustGetCertificateAtIndex(secTrustRef,i))];

        SecTrustRef noHostTrustRef = NULL;
        OSErr status = SecTrustCreateWithCertificates((__bridge CFArrayRef) serverChain, SecPolicyCreateSSL(NO, nil), &noHostTrustRef);


        if (status != noErr) {
            NSLog(@"SecTrustCreateWithCertificates failed: %hd", status);
            [[challenge sender] cancelAuthenticationChallenge:challenge];
        }

        NSMutableArray *certRefs = [NSMutableArray arrayWithCapacity:[acceptableCAs count]];
        for(Certificate * cert in acceptableCAs)
            [certRefs addObject:(id)[cert secCertificateRef]];

        status = SecTrustSetAnchorCertificates(noHostTrustRef, (__bridge CFArrayRef)certRefs);
        if (status != noErr) {
            NSLog(@"SecTrustSetAnchorCertificates failed: %hd", status);
            [[challenge sender] cancelAuthenticationChallenge:challenge];
        }

        status = SecTrustEvaluate(noHostTrustRef, &result);
        if (status != noErr) {
            NSLog(@"SecTrustEvaluate failed: %hd", status);
            [[challenge sender] cancelAuthenticationChallenge:challenge];
        }
        CFRelease(noHostTrustRef);

如果我将您的代码放入一个简单的 cmd 行包装器中:

进口

int main(int argc, const char * argv[]) {

@autoreleasepool {

    //  openssl req -x509 -new -subj /CN=foo -out user_signed_cert.crt \
    //      -keyout /dev/null -outform DER -nodes -set_serial 1
    //
    NSString *thePath = @"XXXXX/user_signed_cert.crt";

    NSData *certData = [[NSData alloc]
                        initWithContentsOfFile:thePath];
    CFDataRef myCertData = (__bridge_retained CFDataRef)certData; //1

    assert(myCertData);

    SecCertificateRef myCert;
    myCert = SecCertificateCreateWithData(NULL, myCertData); //2
    SecPolicyRef myPolicy = SecPolicyCreateBasicX509(); //3
    SecCertificateRef certArray[1] = { myCert };
    CFArrayRef myCerts = CFArrayCreate(
                                       NULL, (void *)certArray,
                                       1, NULL);
    SecTrustRef myTrust;
    OSStatus status = SecTrustCreateWithCertificates(
                                                     myCerts,
                                                     myPolicy,
                                                     &myTrust); //4
    SecTrustResultType trustResult;
    if (status == noErr) {
        status = SecTrustEvaluate(myTrust, &trustResult); //5 }

        NSLog(@"Status: %d", status);
        //6 if (trustResult == kSecTrustResultRecoverableTrustFailure) {
    }

    if (myPolicy)
        CFRelease(myPolicy);

}
return 0;

并带有明确的证书:

@autoreleasepool {

    /*

     # CA
     openssl req -x509 -new -subj /CN=ZeeCA -keyout /dev/stdout -nodes -set_serial 1 > ca.pem
     openssl x509 -outform DER -out ca.der -in ca.pem

     # create andsign client
     openssl req  -new -subj /CN=foo-by-ZeeCA   -keyout client.key -nodes > client.csr
     openssl x509 -CA ca.pem -in client.csr -req -set_serial 1  -out client.pem

     # format for client identity import
     openssl pkcs12 -export -out client.12 -inkey client.key -in client.pem -CAfile ca.pem -password pass:1234

     # format for trust.
     openssl x509 -in client.pem -out client.der -outform der

     */
    NSString *thePath = @"XXXX/client.der";

    NSData *certData = [[NSData alloc]
                        initWithContentsOfFile:thePath];
    CFDataRef myCertData = (__bridge_retained CFDataRef)certData; //1

    assert(myCertData);

    SecCertificateRef myCert;
    myCert = SecCertificateCreateWithData(NULL, myCertData); //2

    assert(myCert);

    SecPolicyRef myPolicy = SecPolicyCreateBasicX509(); //3

    NSArray * certArray = [NSArray arrayWithObject:(__bridge id)(myCert)];

    SecTrustRef myTrust;
    OSStatus status = SecTrustCreateWithCertificates(
                                                     (__bridge CFArrayRef)certArray,
                                                     myPolicy,
                                                     &myTrust); //4


    NSData *caData = [[NSData alloc]
                       initWithContentsOfFile:@"XXXXX/ca.der"];
    CFDataRef myCaData = (__bridge_retained CFDataRef)caData; 
    SecCertificateRef myCA = SecCertificateCreateWithData(NULL, myCaData); 
    assert(myCA);

    NSArray * myCAs = [NSArray arrayWithObject:(__bridge id)(myCA)];

    SecTrustResultType xxx = SecTrustSetAnchorCertificates(myTrust, (__bridge CFArrayRef)(myCAs));
    if (xxx != noErr) {
        NSLog(@"SecTrustSetAnchorCertificates failed: %d", xxx);
    }


    SecTrustResultType trustResult;
    if (status == noErr) {
        status = SecTrustEvaluate(myTrust, &trustResult); //5 }

        NSLog(@"Status: %d", status);
        //6 if (trustResult == kSecTrustResultRecoverableTrustFailure) {
    }

    if (myPolicy)
        CFRelease(myPolicy);

}

两者似乎都对我有用?

于 2012-07-23T10:02:04.173 回答