
I have been trying to check the X.509 certificate revocation status on iOS 7.0 using OCSP and CRL (at different times), and the evaluation returns kSecTrustResultUnspecified (which means the certificate is trusted) without actually consulting the OCSP or CRL sources, as long as I pass all the certificates in the chain. I have put below whatever code I think is relevant; please help!

Thanks!

PS: ocspOnly and crlOnly are booleans indicating whether one of those revocation-checking methods should be used exclusively; certs is an NSArray containing every certificate in the chain except the anchor certificate; the anchor certificate was set correctly beforehand.

// Declarations assumed from the surrounding method (not shown in the post).
SecTrustRef trust = NULL;
SecTrustResultType trustResult = kSecTrustResultInvalid;
OSStatus status;

// Revocation flags: demand a definitive answer, restricted to OCSP or CRL when requested.
CFOptionFlags evaluationMethod = kSecRevocationRequirePositiveResponse;

if (ocspOnly) {
    evaluationMethod |= kSecRevocationOCSPMethod;
} else if (crlOnly) {
    evaluationMethod |= kSecRevocationCRLMethod;
} else {
    evaluationMethod |= kSecRevocationUseAnyAvailableMethod;
}

// SecPolicyCreateRevocation returns a retained object; keep a reference so it can be released.
SecPolicyRef revocationPolicy = SecPolicyCreateRevocation(evaluationMethod);
status = SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, revocationPolicy, &trust);
CFRelease(revocationPolicy);
if (status != errSecSuccess) {
    NSLog(@"Failed to create trust with certificate and policy: %ld", (long)status);
    return NO;
}

// Allow OCSP/CRL fetches over the network during evaluation.
if ((status = SecTrustSetNetworkFetchAllowed(trust, true)) != errSecSuccess) {
    NSLog(@"Failed to activate network fetch: %ld", (long)status);
}

status = SecTrustEvaluate(trust, &trustResult);
if (status != errSecSuccess) {
    NSLog(@"Failed to evaluate trust: %ld", (long)status);
    CFRelease(trust);
    return NO;
}

BOOL trusted = (trustResult == kSecTrustResultProceed || trustResult == kSecTrustResultUnspecified);
CFRelease(trust);
return trusted;

PS-2: This question has also been asked here in the iOS developer forums.
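As an added example (not the asker's code), the same check built with the basic X.509 policy evaluated alongside the revocation policy, the anchors pinned explicitly, and the per-certificate trust properties logged when evaluation fails; the helper name and the `anchors` parameter are assumptions.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical helper. `certs` is the leaf-first chain without the anchor,
// `anchors` holds the trusted root(s). Returns YES only when the chain
// validates and a positive revocation answer (OCSP or CRL) was obtained.
static BOOL ChainIsTrustedAndUnrevoked(NSArray *certs, NSArray *anchors,
                                       BOOL ocspOnly, BOOL crlOnly) {
    CFOptionFlags flags = kSecRevocationRequirePositiveResponse;
    if (ocspOnly)     flags |= kSecRevocationOCSPMethod;
    else if (crlOnly) flags |= kSecRevocationCRLMethod;
    else              flags |= kSecRevocationUseAnyAvailableMethod;

    // Evaluate both policies: the basic X.509 policy covers path building,
    // signatures and validity dates; the revocation policy adds OCSP/CRL.
    SecPolicyRef x509 = SecPolicyCreateBasicX509();
    SecPolicyRef revocation = SecPolicyCreateRevocation(flags);
    NSArray *policies = @[(__bridge id)x509, (__bridge id)revocation];

    SecTrustRef trust = NULL;
    OSStatus status = SecTrustCreateWithCertificates((__bridge CFArrayRef)certs,
                                                     (__bridge CFArrayRef)policies,
                                                     &trust);
    CFRelease(x509);
    CFRelease(revocation);
    if (status != errSecSuccess) {
        NSLog(@"SecTrustCreateWithCertificates failed: %ld", (long)status);
        return NO;
    }

    // Trust only our own anchors, and allow network fetches for OCSP/CRL data.
    SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors);
    SecTrustSetAnchorCertificatesOnly(trust, true);
    SecTrustSetNetworkFetchAllowed(trust, true);

    SecTrustResultType result = kSecTrustResultInvalid;
    status = SecTrustEvaluate(trust, &result);
    BOOL ok = (status == errSecSuccess) &&
              (result == kSecTrustResultProceed ||
               result == kSecTrustResultUnspecified);
    if (!ok) {
        // Per-certificate properties show which check produced the failure.
        CFArrayRef props = SecTrustCopyProperties(trust);
        NSLog(@"trust result %u, status %ld, properties: %@",
              (unsigned)result, (long)status, props);
        if (props) CFRelease(props);
    }
    CFRelease(trust);
    return ok;
}
```

With kSecRevocationRequirePositiveResponse set and no reachable OCSP or CRL source, the evaluation should not come back as Unspecified, so the logged properties are the first place to look when it does.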
