22

我正在编写一个 phonegap 插件,它在应用程序钥匙串中安装 CA 根证书和用户证书。

这是用于安装证书的代码:

NSData *PKCS12Data = [[NSData alloc] initWithContentsOfFile:certpath];
CFDataRef inPKCS12Data = (CFDataRef)PKCS12Data;
CFStringRef password = (CFStringRef)certPassword;
const void *keys[] = { kSecImportExportPassphrase };
const void *values[] = { password };
CFDictionaryRef optionsDictionary = CFDictionaryCreate(NULL, keys, values, 1, NULL, NULL);
CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL);
OSStatus securityError = SecPKCS12Import(inPKCS12Data, optionsDictionary, &items);
if (securityError == 0) {
    NSLog(@" *** Certificate install Success ***");
} else {
    NSLog(@" *** Certificate install Failure ***");
}

上面的代码工作正常(securityError 等于 0)。但是,我收到了这些错误:

unknown apsd[59] <Warning>: <APSCourier: 0xee1ba80>: Stream error occurred for <APSTCPStream: 0x126940>: TLS Error Code=-9844 "peer dropped connection before responding"
unknown securityd[638] <Error>: CFReadStream domain: 12 error: 8

这表明设备不接受安装的证书,所以我想知道证书没有针对设备上安装的 CA Root 证书进行验证。

我必须为应用程序安装 CA Root 证书吗?

有任何想法吗 ?

PS:我是 Objective-C 和 XCode 环境的新手。

编辑:

下面的代码用于在 keychain 中存储 CA 根证书:

NSString *rootCertPath = [[NSBundle mainBundle] pathForResource:@"rootca" ofType:@"cer"];
NSData *rootCertData = [NSData dataWithContentsOfFile:rootCertPath];

OSStatus err = noErr;
SecCertificateRef rootCert = SecCertificateCreateWithData(kCFAllocatorDefault, (CFDataRef) rootCertData);

CFTypeRef result;

NSDictionary* dict = [NSDictionary dictionaryWithObjectsAndKeys:
(id)kSecClassCertificate, kSecClass,
rootCert, kSecValueRef,
nil];

err = SecItemAdd((CFDictionaryRef)dict, &result);

if( err == noErr) {
    NSLog(@"Install root certificate success");
} else if( err == errSecDuplicateItem ) {
    NSLog(@"duplicate root certificate entry");
} else {
    NSLog(@"install root certificate failure");
}

编辑

似乎证书没有发送到服务器。我认为每次发出 https 请求时我都必须手动发送证书......我正在寻找一种方法来捕捉 phonegap 中的每个 https 调用。

4

3 回答 3

6

将证书导入钥匙串是不够的。新的根证书也已被用户或系统信任。

假设您仍然有SecCertificateRef变量certificate,请使用以下代码来提高信任级别:

NSDictionary *newTrustSettings = @{(id)kSecTrustSettingsResult: [NSNumber numberWithInt:kSecTrustSettingsResultTrustRoot]};
status = SecTrustSettingsSetTrustSettings(certificate, kSecTrustSettingsDomainUser, (__bridge CFTypeRef)(newTrustSettings));
if (status != errSecSuccess) {
    NSLog(@"Could not change the trust setting for a certificate. Error: %d", status);
    exit(0);
}

更改信任级别将在弹出窗口中询问用户是否接受更改。

于 2014-03-02T13:12:58.230 回答
1

斯威夫特 4.0

let rootCertPath = Bundle.main.path(forResource: "XXXXX", ofType: "der")
    let rootCertData = NSData(contentsOfFile: rootCertPath!)
    var err: OSStatus = noErr
    let rootCert = SecCertificateCreateWithData(kCFAllocatorDefault, rootCertData!)

    //var result: CFTypeRef1
    let dict = NSDictionary.init(objects: [kSecClassCertificate, rootCert!], forKeys: [kSecClass as! NSCopying, kSecValueRef as! NSCopying])

    err = SecItemAdd(dict, nil)

    if(err == noErr) {
        NSLog("Install root certificate success");
    } else if( err == errSecDuplicateItem ) {
        NSLog("duplicate root certificate entry");
    } else {
        NSLog("install root certificate failure");
    }
于 2018-09-06T10:21:07.883 回答
0

我一直在寻找,为系统钥匙串证书设置“始终信任”,

// Trust always, as root certificated.
    NSDictionary *newTrustSettings = @{(id)kSecTrustSettingsResult: [NSNumber numberWithInt:kSecTrustSettingsResultTrustRoot]};
    status = SecTrustSettingsSetTrustSettings(myCertificate, kSecTrustSettingsDomainAdmin, (__bridge CFTypeRef)(newTrustSettings));
于 2015-06-24T11:17:44.147 回答