
On iOS, I know that we can evaluate a trust with SecTrustEvaluate(). To create a trust, we either import it from a *.p12 file or create it using an array of certificates and a set of policies.

I also know that in order to ensure that a server that is not trusted by default is trusted, we can use SecTrustSetAnchorCertificates() to augment the list of root CAs SecTrustEvaluate() uses to verify the server's certificate.

Now, how can I ensure that these anchor certificates are available on a subsequent launch? I can store certificates, keys and identities in the application keychain, but not a certificate chain. Even if I store all the certificates in the chain, how will I know what certificates are to be used as anchor certificates?

One solution that comes to mind is to just get all the certificates from the keychain and set them as anchor certificates. Another method could be to store all the certificate chains on disk as *.p12 files and load them once on every application run.

1 Answer

eskimo1 on the Apple Developer Forums answered this question:

First, you don't need to store the certificates in the keychain. You can store them somewhere else if you prefer (and create a SecCertificateRef with SecCertificateCreateWithData).

Second, your question mentions .p12 files, but I'm not sure what they have to do with this. In general you only use a .p12 file to distribute secret information, and certificates are not secret.

Finally, you can store a certificate chain by storing only a persistent reference to each certificate in that chain (or by storing the actual data of each certificate).

answered 2012-04-03T22:17:15.957
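The approach the answer describes, persisting each anchor as its raw DER bytes and rebuilding SecCertificateRefs from them on the next launch, as an added example that is not code from the original question or answer. The class name AnchorStore, the directory name TrustedAnchors and the SHA-256 file naming are assumptions made for the example; it uses SecTrustEvaluateWithError (iOS 12 and later) in place of the SecTrustEvaluate() the question refers to, and requires Security.framework and CommonCrypto.

```objectivec
// Added example: persist extra anchor certificates as DER files and
// re-install them before trust evaluation on a later launch.
// AnchorStore and kAnchorDirectoryName are hypothetical names.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonDigest.h>

static NSString * const kAnchorDirectoryName = @"TrustedAnchors"; // assumption

@interface AnchorStore : NSObject
- (NSURL *)directoryURL;
- (BOOL)saveAnchor:(SecCertificateRef)cert error:(NSError **)error;
- (NSArray *)loadAnchors;                 // array of SecCertificateRef (bridged)
- (BOOL)evaluateServerChain:(NSArray *)serverCerts forHost:(NSString *)host;
@end

@implementation AnchorStore

// Certificates are not secret, so a plain directory in Application Support
// is enough; no keychain item is needed.
- (NSURL *)directoryURL {
    NSFileManager *fm = [NSFileManager defaultManager];
    NSURL *base = [[fm URLsForDirectory:NSApplicationSupportDirectory
                              inDomains:NSUserDomainMask] firstObject];
    NSURL *dir = [base URLByAppendingPathComponent:kAnchorDirectoryName isDirectory:YES];
    [fm createDirectoryAtURL:dir withIntermediateDirectories:YES attributes:nil error:NULL];
    return dir;
}

// File name = SHA-256 of the DER bytes: saving the same anchor twice is
// idempotent, and the name alone identifies which certificate a file holds.
static NSString *hexDigest(NSData *der) {
    unsigned char md[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256(der.bytes, (CC_LONG)der.length, md);
    NSMutableString *s = [NSMutableString stringWithCapacity:2 * CC_SHA256_DIGEST_LENGTH];
    for (int i = 0; i < CC_SHA256_DIGEST_LENGTH; i++) [s appendFormat:@"%02x", md[i]];
    return s;
}

- (BOOL)saveAnchor:(SecCertificateRef)cert error:(NSError **)error {
    NSData *der = CFBridgingRelease(SecCertificateCopyData(cert));
    NSURL *file = [[self directoryURL] URLByAppendingPathComponent:
                   [hexDigest(der) stringByAppendingPathExtension:@"der"]];
    return [der writeToURL:file
                   options:NSDataWritingAtomic | NSDataWritingFileProtectionComplete
                     error:error];
}

- (NSArray *)loadAnchors {
    NSMutableArray *anchors = [NSMutableArray array];
    NSArray *files = [[NSFileManager defaultManager]
        contentsOfDirectoryAtURL:[self directoryURL]
      includingPropertiesForKeys:nil options:0 error:NULL];
    for (NSURL *file in files) {
        if (![file.pathExtension isEqualToString:@"der"]) continue;
        NSData *der = [NSData dataWithContentsOfURL:file];
        // SecCertificateCreateWithData returns NULL for anything that is not a
        // well-formed DER X.509 certificate; skip such files instead of crashing.
        SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)der);
        if (cert == NULL) continue;
        [anchors addObject:CFBridgingRelease(cert)];
    }
    return anchors;
}

// Build a trust from the chain the server presented (leaf first) plus an SSL
// policy bound to the expected hostname, then evaluate it against the stored
// anchors only. With NSURLSession you would instead take
// challenge.protectionSpace.serverTrust and call SecTrustSetPolicies on it.
- (BOOL)evaluateServerChain:(NSArray *)serverCerts forHost:(NSString *)host {
    NSArray *anchors = [self loadAnchors];
    if (anchors.count == 0 || serverCerts.count == 0) return NO;

    SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)host);
    SecTrustRef trust = NULL;
    OSStatus status = SecTrustCreateWithCertificates((__bridge CFArrayRef)serverCerts,
                                                     policy, &trust);
    CFRelease(policy);
    if (status != errSecSuccess || trust == NULL) return NO;

    // Stored anchors replace the system roots for this evaluation (pinning).
    // Pass false to SecTrustSetAnchorCertificatesOnly to augment them instead.
    SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors);
    SecTrustSetAnchorCertificatesOnly(trust, true);

    CFErrorRef err = NULL;
    bool ok = SecTrustEvaluateWithError(trust, &err);
    if (err) CFRelease(err);
    CFRelease(trust);
    return ok ? YES : NO;
}
@end
```

Two points a practitioner should keep in mind. The anchors are not secret, but their integrity decides who the app will trust: anything that can write into the app container (a jailbroken device, a tampered backup restore) can add a root, so anchors that never change are safer shipped inside the app bundle, where code signing covers them, and only anchors learned at runtime belong in a writable directory. And always pair SecTrustSetAnchorCertificates with a hostname-bound SSL policy as above; an anchor applied under a basic X.509 policy would vouch for any host its chain can sign.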